C++: Upgrade all 5 queries to code scanning (even cpp/implicit-function-declaration, for testing purposes).

.pre-commit-config.yaml

@@ -7,9 +7,9 @@ repos:
     rev: v3.2.0
     hooks:
       - id: trailing-whitespace
-        exclude: /test([^/]*)/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
       - id: end-of-file-fixer
-        exclude: Cargo.lock$|/test([^/]*)/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6

MODULE.bazel

@@ -242,7 +242,6 @@ use_repo(
     "kotlin-compiler-2.2.0-Beta1",
     "kotlin-compiler-2.2.20-Beta2",
     "kotlin-compiler-2.3.0",
-    "kotlin-compiler-2.3.20",
     "kotlin-compiler-embeddable-1.8.0",
     "kotlin-compiler-embeddable-1.9.0-Beta",
     "kotlin-compiler-embeddable-1.9.20-Beta",
@@ -253,7 +252,6 @@ use_repo(
     "kotlin-compiler-embeddable-2.2.0-Beta1",
     "kotlin-compiler-embeddable-2.2.20-Beta2",
     "kotlin-compiler-embeddable-2.3.0",
-    "kotlin-compiler-embeddable-2.3.20",
     "kotlin-stdlib-1.8.0",
     "kotlin-stdlib-1.9.0-Beta",
     "kotlin-stdlib-1.9.20-Beta",
@@ -264,7 +262,6 @@ use_repo(
     "kotlin-stdlib-2.2.0-Beta1",
     "kotlin-stdlib-2.2.20-Beta2",
     "kotlin-stdlib-2.3.0",
-    "kotlin-stdlib-2.3.20",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

actions/ql/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 0.4.33
-
-No user-facing changes.
-
 ## 0.4.32
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.33.md

@@ -1,3 +0,0 @@
-## 0.4.33
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.33
+lastReleaseVersion: 0.4.32

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.33
+version: 0.4.33-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 0.6.25
-
-No user-facing changes.
-
 ## 0.6.24
 
 No user-facing changes.

actions/ql/src/change-notes/released/0.6.25.md

@@ -1,3 +0,0 @@
-## 0.6.25
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.25
+lastReleaseVersion: 0.6.24

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.25
+version: 0.6.25-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/CHANGELOG.md

@@ -1,23 +1,3 @@
-## 9.0.0
-
-### Breaking Changes
-
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
-
-### New Features
-
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
-
-### Minor Analysis Improvements
-
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).
-
 ## 8.0.3
 
 No user-facing changes.

cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.

cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.

cpp/ql/lib/change-notes/2026-03-24-field-init.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.

cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).

cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.

cpp/ql/lib/change-notes/2026-03-31-meson.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.

cpp/ql/lib/change-notes/released/9.0.0.md

@@ -1,19 +0,0 @@
-## 9.0.0
-
-### Breaking Changes
-
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
-
-### New Features
-
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
-
-### Minor Analysis Improvements
-
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.0.0
+lastReleaseVersion: 8.0.3

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 9.0.0
+version: 8.0.4-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,17 +1,3 @@
-## 1.6.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Minor Analysis Improvements
-
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
-
 ## 1.5.15
 
 No user-facing changes.

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 8.1
- * @precision medium
+ * @precision high
  * @id cpp/integer-multiplication-cast-to-long
  * @tags reliability
  *       security

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @problem.severity error
  * @security-severity 7.5
- * @precision medium
+ * @precision high
  * @id cpp/wrong-type-format-argument
  * @tags reliability
  *       correctness

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql

@@ -5,10 +5,11 @@
  * may lead to unpredictable behavior.
  * @kind problem
  * @problem.severity warning
- * @precision medium
+ * @precision high
  * @id cpp/implicit-function-declaration
  * @tags correctness
  *       maintainability
+ *       security
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.8
- * @precision medium
+ * @precision high
  * @tags reliability
  *       security
  *       external/cwe/cwe-190

cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 8.8
- * @precision medium
+ * @precision high
  * @id cpp/suspicious-add-sizeof
  * @tags security
  *       external/cwe/cwe-468

cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).

cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.

cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.

cpp/ql/src/change-notes/released/1.6.0.md

@@ -1,13 +0,0 @@
-## 1.6.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Minor Analysis Improvements
-
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.0
+lastReleaseVersion: 1.5.15

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.0
+version: 1.5.16-dev
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.64
-
-No user-facing changes.
-
 ## 1.7.63
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.64.md

@@ -1,3 +0,0 @@
-## 1.7.64
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.64
+lastReleaseVersion: 1.7.63

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.64
+version: 1.7.64-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.64
-
-No user-facing changes.
-
 ## 1.7.63
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.64.md

@@ -1,3 +0,0 @@
-## 1.7.64
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.64
+lastReleaseVersion: 1.7.63

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.64
+version: 1.7.64-dev
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,13 +1,3 @@
-## 5.4.12
-
-### Minor Analysis Improvements
-
-* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
-* The `cs/log-forging` query no longer treats arguments to extension methods with
-  source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
-  through extension method bodies, reducing false positives when extension methods
-  sanitize input internally.
-
 ## 5.4.11
 
 No user-facing changes.

csharp/ql/lib/change-notes/2026-03-19-fix-log-forging-extension-methods.md

@@ -1,8 +1,6 @@
-## 5.4.12
-
-### Minor Analysis Improvements
-
-* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
+---
+category: minorAnalysis
+---
 * The `cs/log-forging` query no longer treats arguments to extension methods with
   source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
   through extension method bodies, reducing false positives when extension methods

csharp/ql/lib/change-notes/2026-03-26-expanded-assignments.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.12
+lastReleaseVersion: 5.4.11

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.12
+version: 5.4.12-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,14 +1,3 @@
-## 1.7.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Major Analysis Improvements
-
-* The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.
-
 ## 1.6.6
 
 No user-facing changes.

csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).

csharp/ql/src/change-notes/2026-03-31-constantcondition-simplify.md

@@ -1,10 +1,4 @@
-## 1.7.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Major Analysis Improvements
-
+---
+category: majorAnalysis
+---
 * The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.0
+lastReleaseVersion: 1.6.6

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.0
+version: 1.6.7-dev
 groups:
   - csharp
   - queries

docs/codeql/reusables/supported-versions-compilers.rst

@@ -21,7 +21,7 @@
    Java,"Java 7 to 26 [6]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [7]_",``.java``
-   Kotlin,"Kotlin 1.8.0 to 2.3.2\ *x*","kotlinc",``.kt``
+   Kotlin,"Kotlin 1.8.0 to 2.3.0\ *x*","kotlinc",``.kt``
    JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [8]_"
    Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
    Ruby [10]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"

go/extractor/registries/registryproxy_test.go

@@ -75,59 +75,3 @@ func TestParseRegistryConfigsMultiple(t *testing.T) {
 		t.Fatalf("Expected `URL` to be `https://proxy.example.com/mod`, but got `%s`", second.URL)
 	}
 }
-
-func TestParseRegistryConfigsMultipleGitSources(t *testing.T) {
-	multiple := parseRegistryConfigsSuccess(t, "[{ \"type\": \"git_source\", \"url\": \"https://github.com/github\" }, { \"type\": \"git_source\", \"url\": \"https://go.googlesource.com/go\" }]")
-
-	if len(multiple) != 2 {
-		t.Fatalf("Expected `parseRegistryConfigs` to return two configurations, but got %d.", len(multiple))
-	}
-
-	first := multiple[0]
-
-	if first.Type != "git_source" {
-		t.Fatalf("Expected `Type` to be `git_source`, but got `%s`", first.Type)
-	}
-
-	if first.URL != "https://github.com/github" {
-		t.Fatalf("Expected `URL` to be `https://github.com/github`, but got `%s`", first.URL)
-	}
-
-	second := multiple[1]
-
-	if second.Type != "git_source" {
-		t.Fatalf("Expected `Type` to be `git_source`, but got `%s`", second.Type)
-	}
-
-	if second.URL != "https://go.googlesource.com/go" {
-		t.Fatalf("Expected `URL` to be `https://go.googlesource.com/go`, but got `%s`", second.URL)
-	}
-}
-
-func TestParseRegistryConfigsMultipleGoProxyServers(t *testing.T) {
-	multiple := parseRegistryConfigsSuccess(t, "[{ \"type\": \"goproxy_server\", \"url\": \"https://proxy.example.com/mod\" }, { \"type\": \"goproxy_server\", \"url\": \"https://goproxy.io\" }]")
-
-	if len(multiple) != 2 {
-		t.Fatalf("Expected `parseRegistryConfigs` to return two configurations, but got %d.", len(multiple))
-	}
-
-	first := multiple[0]
-
-	if first.Type != "goproxy_server" {
-		t.Fatalf("Expected `Type` to be `goproxy_server`, but got `%s`", first.Type)
-	}
-
-	if first.URL != "https://proxy.example.com/mod" {
-		t.Fatalf("Expected `URL` to be `https://proxy.example.com/mod`, but got `%s`", first.URL)
-	}
-
-	second := multiple[1]
-
-	if second.Type != "goproxy_server" {
-		t.Fatalf("Expected `Type` to be `goproxy_server`, but got `%s`", second.Type)
-	}
-
-	if second.URL != "https://goproxy.io" {
-		t.Fatalf("Expected `URL` to be `https://goproxy.io`, but got `%s`", second.URL)
-	}
-}

go/ql/consistency-queries/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.0.47
-
-No user-facing changes.
-
 ## 1.0.46
 
 No user-facing changes.

go/ql/consistency-queries/change-notes/released/1.0.47.md

@@ -1,3 +0,0 @@
-## 1.0.47
-
-No user-facing changes.

go/ql/consistency-queries/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.47
+lastReleaseVersion: 1.0.46

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.47
+version: 1.0.47-dev
 groups:
   - go
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 7.0.5
-
-No user-facing changes.
-
 ## 7.0.4
 
 No user-facing changes.

go/ql/lib/change-notes/released/7.0.5.md

@@ -1,3 +0,0 @@
-## 7.0.5
-
-No user-facing changes.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.5
+lastReleaseVersion: 7.0.4

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.0.5
+version: 7.0.5-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/CHANGELOG.md

@@ -1,10 +1,3 @@
-## 1.6.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).
-
 ## 1.5.10
 
 No user-facing changes.

go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -1,6 +1,5 @@
-## 1.6.0
-
-### Query Metadata Changes
-
+---
+category: queryMetadata
+---
 * The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
 * The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.0
+lastReleaseVersion: 1.5.10

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.0
+version: 1.5.11-dev
 groups:
   - go
   - queries

java/kotlin-extractor/dev/wrapper.py

@@ -27,7 +27,7 @@ import shutil
 import io
 import os
 
-DEFAULT_VERSION = "2.3.20"
+DEFAULT_VERSION = "2.3.10"
 
 
 def options():

java/kotlin-extractor/src/main/kotlin/utils/GetByFqName.kt

@@ -1,6 +1,3 @@
-// referenceClass, referenceFunctions, referenceProperties are deprecated since Kotlin 2.3.20
-@file:Suppress("DEPRECATION")
-
 package com.github.codeql.utils
 
 import org.jetbrains.kotlin.backend.common.extensions.IrPluginContext

java/kotlin-extractor/versions.bzl

@@ -10,7 +10,6 @@ VERSIONS = [
     "2.2.0-Beta1",
     "2.2.20-Beta2",
     "2.3.0",
-    "2.3.20",
 ]
 
 def _version_to_tuple(v):

java/ql/integration-tests/kotlin/all-platforms/annotation-id-consistency/PrintAst.expected

@@ -281,12 +281,7 @@ test.kt:
 #   40|   11: [Class] HasKotlinDeprecatedAnnotationUsedByJava
 #-----|     -3: (Annotations)
 #   40|       1: [Annotation] Deprecated
-#    0|         1: [Annotation] ReplaceWith
-#    0|           1: [StringLiteral] ""
-#    0|           2: [ArrayInit] {...}
-#    0|         2: [VarAccess] DeprecationLevel.WARNING
-#    0|           -1: [TypeAccess] DeprecationLevel
-#   40|         3: [StringLiteral] "Kotlin deprecation message 1"
+#   40|         1: [StringLiteral] "Kotlin deprecation message 1"
 #   40|     1: [Constructor] HasKotlinDeprecatedAnnotationUsedByJava
 #   40|       5: [BlockStmt] { ... }
 #   40|         0: [SuperConstructorInvocationStmt] super(...)
@@ -303,12 +298,7 @@ test.kt:
 #   46|   13: [Class] HasKotlinDeprecatedAnnotationUsedByKotlin
 #-----|     -3: (Annotations)
 #   46|       1: [Annotation] Deprecated
-#    0|         1: [Annotation] ReplaceWith
-#    0|           1: [StringLiteral] ""
-#    0|           2: [ArrayInit] {...}
-#    0|         2: [VarAccess] DeprecationLevel.WARNING
-#    0|           -1: [TypeAccess] DeprecationLevel
-#   46|         3: [StringLiteral] "Kotlin deprecation message 2"
+#   46|         1: [StringLiteral] "Kotlin deprecation message 2"
 #   46|     1: [Constructor] HasKotlinDeprecatedAnnotationUsedByKotlin
 #   46|       5: [BlockStmt] { ... }
 #   46|         0: [SuperConstructorInvocationStmt] super(...)

java/ql/integration-tests/kotlin/all-platforms/diagnostics/kotlin-version-too-new/diagnostics.expected

@@ -1,5 +1,5 @@
 {
-  "markdownMessage": "The Kotlin version installed (`999.999.999`) is too recent for this version of CodeQL. Install a version lower than 2.3.30.",
+  "markdownMessage": "The Kotlin version installed (`999.999.999`) is too recent for this version of CodeQL. Install a version lower than 2.3.20.",
   "severity": "error",
   "source": {
     "extractorName": "java",

java/ql/lib/CHANGELOG.md

@@ -1,12 +1,3 @@
-## 9.0.3
-
-### Minor Analysis Improvements
-
-* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
-* The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
-* The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
-* Kotlin versions up to 2.3.20 are now supported.
-
 ## 9.0.2
 
 No user-facing changes.

java/ql/lib/change-notes/2026-03-27-add-ec-to-secure-algorithms.md

@@ -1,8 +1,5 @@
-## 9.0.3
-
-### Minor Analysis Improvements
-
-* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.
+---
+category: minorAnalysis
+---
 * The `java/potentially-weak-cryptographic-algorithm` query no longer flags Elliptic Curve algorithms (`EC`, `ECDSA`, `ECDH`, `EdDSA`, `Ed25519`, `Ed448`, `XDH`, `X25519`, `X448`), HMAC-based algorithms (`HMACSHA1`, `HMACSHA256`, `HMACSHA384`, `HMACSHA512`), or PBKDF2 key derivation as potentially insecure. These are modern, secure algorithms recommended by NIST and other standards bodies. This will reduce the number of false positives for this query.
 * The first argument of the method `getInstance` of `java.security.Signature` is now modeled as a sink for `java/potentially-weak-cryptographic-algorithm`, `java/weak-cryptographic-algorithm` and `java/rsa-without-oaep`. This will increase the number of alerts for these queries.
-* Kotlin versions up to 2.3.20 are now supported.

java/ql/lib/change-notes/2026-03-28-tainted-arithmetic-bounds-check.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `java/tainted-arithmetic` query no longer flags arithmetic expressions that are used directly as an operand of a comparison in `if`-condition bounds-checking patterns. For example, `if (off + len > array.length)` is now recognized as a bounds check rather than a potentially vulnerable computation, reducing false positives.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.0.3
+lastReleaseVersion: 9.0.2

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.0.3
+version: 9.0.3-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/CHANGELOG.md

@@ -1,10 +1,3 @@
-## 1.11.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled` and `java/xss` has been increased from 6.1 (medium) to 7.8 (high).
-
 ## 1.10.11
 
 No user-facing changes.

java/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -1,6 +1,5 @@
-## 1.11.0
-
-### Query Metadata Changes
-
+---
+category: queryMetadata
+---
 * The `@security-severity` metadata of `java/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
 * The `@security-severity` metadata of `java/android/webview-addjavascriptinterface`, `java/android/websettings-javascript-enabled` and `java/xss` has been increased from 6.1 (medium) to 7.8 (high).

java/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.11.0
+lastReleaseVersion: 1.10.11

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.0
+version: 1.10.12-dev
 groups:
   - java
   - queries

javascript/ql/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 2.6.27
-
-No user-facing changes.
-
 ## 2.6.26
 
 No user-facing changes.

javascript/ql/lib/change-notes/released/2.6.27.md

@@ -1,3 +0,0 @@
-## 2.6.27
-
-No user-facing changes.

javascript/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.6.27
+lastReleaseVersion: 2.6.26

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.6.27
+version: 2.6.27-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 2.3.7
-
-No user-facing changes.
-
 ## 2.3.6
 
 No user-facing changes.

javascript/ql/src/change-notes/released/2.3.7.md

@@ -1,3 +0,0 @@
-## 2.3.7
-
-No user-facing changes.

javascript/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.7
+lastReleaseVersion: 2.3.6

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.7
+version: 2.3.7-dev
 groups:
   - javascript
   - queries

misc/suite-helpers/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.0.47
-
-No user-facing changes.
-
 ## 1.0.46
 
 No user-facing changes.

misc/suite-helpers/change-notes/released/1.0.47.md

@@ -1,3 +0,0 @@
-## 1.0.47
-
-No user-facing changes.

misc/suite-helpers/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.47
+lastReleaseVersion: 1.0.46

misc/suite-helpers/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.47
+version: 1.0.47-dev
 groups: shared
 warnOnImplicitThis: true

python/ql/lib/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 7.0.4
-
-### Bug Fixes
-
-- Fixed the resolution of relative imports such as `from . import helper` inside namespace packages (directories without an `__init__.py` file), which previously did not work correctly, leading to missing flow.
-
 ## 7.0.3
 
 No user-facing changes.

python/ql/lib/change-notes/2026-03-11-fix-unresolved-relative-imports.md

@@ -1,5 +1,5 @@
-## 7.0.4
-
-### Bug Fixes
+---
+category: fix
+---
 
 - Fixed the resolution of relative imports such as `from . import helper` inside namespace packages (directories without an `__init__.py` file), which previously did not work correctly, leading to missing flow.

python/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.4
+lastReleaseVersion: 7.0.3