Merge pull request #16489 from github/release-prep/2.17.3

Release preparation for version 2.17.3

.bazelrc

@@ -1,4 +1,12 @@
 common --enable_platform_specific_config
+common --enable_bzlmod
+# because we use --override_module with `%workspace%`, the lock file is not stable
+common --lockfile_mode=off
+
+# when building from this repository in isolation, the internal repository will not be found at ..
+# where `MODULE.bazel` looks for it. The following will get us past the module loading phase, so
+# that we can build things that do not rely on that
+common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
 
@@ -6,4 +14,11 @@ build:linux --cxxopt=-std=c++20
 build:macos --cxxopt=-std=c++20 --cpu=darwin_x86_64
 build:windows --cxxopt=/std:c++20 --cxxopt=/Zc:preprocessor
 
+# this requires developer mode, but is required to have pack installer functioning
+startup --windows_enable_symlinks
+common --enable_runfiles
+
+common --registry=file:///%workspace%/misc/bazel/registry
+common --registry=https://bcr.bazel.build
+
 try-import %workspace%/local.bazelrc

.bazelrc.internal

@@ -0,0 +1,4 @@
+# this file should contain bazel settings required to build things from `semmle-code`
+
+common --registry=file:///%workspace%/ql/misc/bazel/registry
+common --registry=https://bcr.bazel.build

.bazelversion

@@ -1 +1 @@
-6.3.1
+7.1.0

.gitattributes

@@ -67,10 +67,9 @@ go/extractor/opencsv/CSVReader.java -text
 # for those testing dbscheme files.
 */ql/lib/upgrades/initial/*.dbscheme -text
 
-# Generated test files - these are synced from the standard JavaScript libraries using
-# `javascript/ql/experimental/adaptivethreatmodeling/test/update_endpoint_test_files.py`.
-javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.js linguist-generated=true -merge
-javascript/ql/experimental/adaptivethreatmodeling/test/endpoint_large_scale/autogenerated/**/*.ts linguist-generated=true -merge
-
 # Auto-generated modeling for Python
 python/ql/lib/semmle/python/frameworks/data/internal/subclass-capture/*.yml linguist-generated=true
+
+# auto-generated bazel lock file
+ruby/extractor/cargo-bazel-lock.json linguist-generated=true
+ruby/extractor/cargo-bazel-lock.json -merge

.github/labeler.yml

@@ -15,12 +15,12 @@ Java:
   - change-notes/**/*java.*
 
 JS:
-  - any: [ 'javascript/**/*', '!javascript/ql/experimental/adaptivethreatmodeling/**/*' ]
+  - any: [ 'javascript/**/*' ]
   - change-notes/**/*javascript*
 
 Kotlin:
   - java/kotlin-extractor/**/*
-  - java/ql/test/kotlin/**/*
+  - java/ql/test-kotlin*/**/*
 
 Python:
   - python/**/*
@@ -46,6 +46,3 @@ documentation:
 # Since these are all shared files that need to be synced, just pick _one_ copy of each.
 "DataFlow Library":
   - "shared/dataflow/**/*"
-
-"ATM":
-  - javascript/ql/experimental/adaptivethreatmodeling/**/*

.github/workflows/buildifier.yml

@@ -0,0 +1,28 @@
+name: Check bazel formatting
+
+on:
+  pull_request:
+    paths:
+      - "**.bazel"
+      - "**.bzl"
+    branches:
+      - main
+      - "rc/*"
+
+permissions:
+  contents: read
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Check bazel formatting
+        uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+        with:
+          extra_args: >
+            buildifier --all-files 2>&1 ||
+            (
+              echo -e "In order to format all bazel files, please run:\n  bazel run //misc/bazel:buildifier"; exit 1
+            )

.github/workflows/check-change-note.yml

@@ -1,5 +1,8 @@
 name: Check change note
 
+permissions:
+  pull-requests: read
+
 on:
   pull_request_target:
     types: [labeled, unlabeled, opened, synchronize, reopened, ready_for_review]

.github/workflows/check-implicit-this.yml

@@ -9,6 +9,9 @@ on:
       - main
       - "rc/*"
 
+permissions:
+  contents: read
+
 jobs:
   check:
     runs-on: ubuntu-latest

.github/workflows/check-qldoc.yml

@@ -10,6 +10,9 @@ on:
       - main
       - "rc/*"
 
+permissions:
+  contents: read
+
 jobs:
   qldoc:
     runs-on: ubuntu-latest

.github/workflows/check-query-ids.yml

@@ -11,6 +11,9 @@ on:
       - "rc/*"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Check query IDs

.github/workflows/close-stale.yml

@@ -5,6 +5,9 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  issues: write
+
 jobs:
   stale:
     if: github.repository == 'github/codeql'

.github/workflows/compile-queries.yml

@@ -8,8 +8,12 @@ on:
       - "codeql-cli-*"
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   compile-queries:
+    if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
 
     steps:
@@ -24,7 +28,7 @@ jobs:
         with: 
           key: all-queries
       - name: check formatting
-        run: find */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}

.github/workflows/cpp-swift-analysis.yml

@@ -0,0 +1,55 @@
+name: "Code scanning - C++"
+
+on:
+  push:
+    branches:
+      - main
+      - 'rc/*'
+  pull_request:
+    branches:
+      - main
+      - 'rc/*'
+    paths:
+      - 'swift/**'
+      - '.github/codeql/**'
+      - '.github/workflows/cpp-swift-analysis.yml'
+  schedule:
+    - cron: '0 9 * * 1'
+
+jobs:
+  CodeQL-Build:
+
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+      pull-requests: read
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@main
+      # Override language selection by uncommenting this and choosing your languages
+      with:
+        languages: cpp
+        config-file: ./.github/codeql/codeql-config.yml
+  
+    - name: "[Ubuntu] Remove GCC 13 from runner image"
+      shell: bash
+      run: |
+        sudo rm -f /etc/apt/sources.list.d/ubuntu-toolchain-r-ubuntu-test-jammy.list
+        sudo apt-get update
+        sudo apt-get install -y --allow-downgrades libc6=2.35-* libc6-dev=2.35-* libstdc++6=12.3.0-* libgcc-s1=12.3.0-*
+
+    - name: "Build Swift extractor using Bazel"
+      run: |
+        bazel clean --expunge
+        bazel run //swift:create-extractor-pack --nouse_action_cache --noremote_accept_cached --noremote_upload_local_results --spawn_strategy=local --features=-layering_check
+        bazel shutdown
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@main

.github/workflows/csharp-qltest.yml

@@ -25,6 +25,9 @@ defaults:
   run:
     working-directory: csharp
 
+permissions:
+  contents: read
+
 jobs:
   qlupgrade:
     runs-on: ubuntu-latest
@@ -46,6 +49,7 @@ jobs:
            xargs codeql execute upgrades testdb
           diff -q testdb/semmlecode.csharp.dbscheme downgrades/initial/semmlecode.csharp.dbscheme
   qltest:
+    if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
     strategy:
       fail-fast: false

.github/workflows/csv-coverage-metrics.yml

@@ -14,6 +14,10 @@ on:
       - ".github/workflows/csv-coverage-metrics.yml"
       - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   publish-java:
     runs-on: ubuntu-latest

.github/workflows/csv-coverage-pr-artifacts.yml

@@ -19,6 +19,10 @@ on:
       - main
       - "rc/*"
 
+permissions:
+  contents: read
+  pull-requests: read
+
 jobs:
   generate:
     name: Generate framework coverage artifacts

.github/workflows/csv-coverage-pr-comment.yml

@@ -6,6 +6,10 @@ on:
     types:
       - completed
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   check:
     name: Check framework coverage differences and comment

.github/workflows/csv-coverage-timeseries.yml

@@ -3,6 +3,9 @@ name: Build framework coverage timeseries reports
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/csv-coverage-update.yml

@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: "0 0 * * *"
 
+permissions:
+  contents: write
+  pull-requests: write
+
 jobs:
   update:
     name: Update framework coverage report

.github/workflows/csv-coverage.yml

@@ -7,6 +7,9 @@ on:
         description: "github/codeql repo SHA used for looking up the CSV models"
         required: false
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/fast-forward.yml

@@ -7,13 +7,14 @@ name: Fast-forward tracking branch for selected CodeQL version
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write
+
 jobs:
   fast-forward:
     name: Fast-forward tracking branch for selected CodeQL version
     runs-on: ubuntu-latest
     if: github.repository == 'github/codeql'
-    permissions:
-      contents: write
     env:
       BRANCH_NAME: 'lgtm.com'
     steps:

.github/workflows/go-tests-other-os.yml

@@ -7,76 +7,26 @@ on:
       - .github/workflows/go-tests-other-os.yml
       - .github/actions/**
       - codeql-workspace.yml
-env:
-  GO_VERSION: '~1.21.0'
+
+permissions:
+  contents: read
+
 jobs:
   test-mac:
     name: Test MacOS
     runs-on: macos-latest
     steps:
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
       - name: Check out code
         uses: actions/checkout@v4
-
-      - name: Set up CodeQL CLI
-        uses: ./.github/actions/fetch-codeql
-
-      - name: Enable problem matchers in repository
-        shell: bash
-        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
-
-      - name: Build
-        run: |
-          cd go
-          make
-
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: go-qltest
-      - name: Test
-        run: |
-          cd go
-          make test cache="${{ steps.query-cache.outputs.cache-dir }}"
+      - name: Run tests
+        uses: ./go/actions/test
 
   test-win:
+    if: github.repository_owner == 'github'
     name: Test Windows
     runs-on: windows-latest-xl
     steps:
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
       - name: Check out code
         uses: actions/checkout@v4
-
-      - name: Set up CodeQL CLI
-        uses: ./.github/actions/fetch-codeql
-
-      - name: Enable problem matchers in repository
-        shell: bash
-        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
-
-      - name: Build
-        run: |
-          cd go
-          make
-
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: go-qltest
-
-      - name: Test
-        run: |
-          cd go
-          make test cache="${{ steps.query-cache.outputs.cache-dir }}"
+      - name: Run tests
+        uses: ./go/actions/test

.github/workflows/go-tests.yml

@@ -15,57 +15,19 @@ on:
       - .github/workflows/go-tests.yml
       - .github/actions/**
       - codeql-workspace.yml
-env:
-  GO_VERSION: '~1.21.0'
+
+permissions:
+  contents: read
+
 jobs:
   test-linux:
+    if: github.repository_owner == 'github'
     name: Test Linux (Ubuntu)
     runs-on: ubuntu-latest-xl
     steps:
-      - name: Set up Go ${{ env.GO_VERSION }}
-        uses: actions/setup-go@v5
-        with:
-          go-version: ${{ env.GO_VERSION }}
-        id: go
-
       - name: Check out code
         uses: actions/checkout@v4
-
-      - name: Set up CodeQL CLI
-        uses: ./.github/actions/fetch-codeql
-
-      - name: Enable problem matchers in repository
-        shell: bash
-        run: 'find .github/problem-matchers -name \*.json -exec echo "::add-matcher::{}" \;'
-
-      - name: Build
-        run: |
-          cd go
-          make
-
-      - name: Check that all Go code is autoformatted
-        run: |
-          cd go
-          make check-formatting
-
-      - name: Compile qhelp files to markdown
-        run: |
-          cd go
-          env QHELP_OUT_DIR=qhelp-out make qhelp-to-markdown
-
-      - name: Upload qhelp markdown
-        uses: actions/upload-artifact@v3
+      - name: Run tests
+        uses: ./go/actions/test
         with:
-          name: qhelp-markdown
-          path: go/qhelp-out/**/*.md
-
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: go-qltest
-
-      - name: Test
-        run: |
-          cd go
-          make test cache="${{ steps.query-cache.outputs.cache-dir }}"
+          run-code-checks: true

.github/workflows/labeler.yml

@@ -2,11 +2,12 @@ name: "Pull Request Labeler"
 on:
 - pull_request_target
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   triage:
-    permissions:
-      contents: read
-      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/labeler@v4

.github/workflows/mad_regenerate-models.yml

@@ -11,6 +11,9 @@ on:
       - ".github/workflows/mad_regenerate-models.yml"
       - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+  contents: read
+
 jobs:
   regenerate-models:
     runs-on: ubuntu-latest

.github/workflows/qhelp-pr-preview.yml

@@ -77,7 +77,7 @@ jobs:
           done < "${RUNNER_TEMP}/paths.txt" >> comment_body.txt
           exit "${EXIT_CODE}"
 
-      - if: always()
+      - if: ${{ !cancelled() }}
         uses: actions/upload-artifact@v3
         with:
           name: comment

.github/workflows/ql-for-ql-build.yml

@@ -9,8 +9,13 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+  security-events: write
+
 jobs:
   analyze:
+    if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
     steps:
       ### Build the queries ###
@@ -19,7 +24,7 @@ jobs:
           fetch-depth: 0
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@main
         with:
           languages: javascript # does not matter
       - uses: ./.github/actions/os-version
@@ -65,7 +70,7 @@ jobs:
             exclude:*/ql/lib/upgrades/
             exclude:java/ql/integration-tests
       - name: Upload sarif to code-scanning
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@main
         with:
           sarif_file: ql-for-ql.sarif
           category: ql-for-ql

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -11,6 +11,10 @@ on:
       - ql/ql/src/ql.dbscheme
   workflow_dispatch:
 
+permissions:
+  contents: read
+  security-events: read
+
 jobs:
   measure:
     env:
@@ -25,7 +29,7 @@ jobs:
 
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@main
         with:
           languages: javascript # does not matter
       - uses: ./.github/actions/os-version

.github/workflows/ql-for-ql-tests.yml

@@ -17,6 +17,9 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   qltest:
     runs-on: ubuntu-latest
@@ -24,7 +27,7 @@ jobs:
       - uses: actions/checkout@v4
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@main
         with:
           languages: javascript # does not matter
       - uses: ./.github/actions/os-version
@@ -69,7 +72,7 @@ jobs:
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
       - name: Find codeql
         id: find-codeql
-        uses: github/codeql-action/init@v2
+        uses: github/codeql-action/init@main
         with:
           languages: javascript # does not matter
       - uses: ./.github/actions/os-version

.github/workflows/query-list.yml

@@ -13,6 +13,9 @@ on:
       - '.github/actions/fetch-codeql/action.yml'
       - 'misc/scripts/generate-code-scanning-query-list.py'
 
+permissions:
+  contents: read
+
 jobs:
   build:
 

.github/workflows/ruby-build.yml

@@ -32,6 +32,9 @@ defaults:
   run:
     working-directory: ruby
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
@@ -48,9 +51,11 @@ jobs:
         run: |
           brew install gnu-tar
           echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - name: Install cargo-cross
-        if: runner.os == 'Linux'
-        run: cargo install cross --version 0.2.5
+      - name: Prepare Windows
+        if: runner.os == 'Windows'
+        shell: powershell
+        run: |
+          git config --global core.longpaths true
       - uses: ./.github/actions/os-version
         id: os_version
       - name: Cache entire extractor
@@ -79,16 +84,8 @@ jobs:
       - name: Run tests
         if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cd extractor && cargo test --verbose
-      # On linux, build the extractor via cross in a centos7 container.
-      # This ensures we don't depend on glibc > 2.17.
-      - name: Release build (linux)
-        if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os == 'Linux'
-        run: |
-          cd extractor
-          cross build --release
-          mv target/x86_64-unknown-linux-gnu/release/codeql-extractor-ruby target/release/
-      - name: Release build (windows and macos)
-        if: steps.cache-extractor.outputs.cache-hit != 'true' && runner.os != 'Linux'
+      - name: Release build
+        if: steps.cache-extractor.outputs.cache-hit != 'true'
         run: cd extractor && cargo build --release
       - name: Generate dbscheme
         if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
@@ -111,6 +108,7 @@ jobs:
             ruby/extractor/target/release/codeql-extractor-ruby.exe
           retention-days: 1
   compile-queries:
+    if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
     steps:
       - uses: actions/checkout@v4
@@ -119,7 +117,7 @@ jobs:
       - name: Cache compilation cache
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
-        with: 
+        with:
           key: ruby-build
       - name: Build Query Pack
         run: |
@@ -231,54 +229,3 @@ jobs:
         shell: bash
         run: |
           codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
-
-  # This is a copy of the 'test' job that runs in a centos7 container.
-  # This tests that the extractor works correctly on systems with an old glibc.
-  test-centos7:
-    defaults:
-      run:
-        working-directory: ${{ github.workspace }}
-    strategy:
-      fail-fast: false
-    runs-on: ubuntu-latest
-    container:
-      image: centos:centos7
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    needs: [package]
-    steps:
-      - name: Install gh cli
-        run: |
-          yum-config-manager --add-repo https://cli.github.com/packages/rpm/gh-cli.repo
-          # fetch-codeql requires unzip and jq
-          # jq is available in epel-release (https://docs.fedoraproject.org/en-US/epel/)
-          yum install -y gh unzip epel-release
-          yum install -y jq
-      - uses: actions/checkout@v3
-      - name: Fetch CodeQL
-        uses: ./.github/actions/fetch-codeql
-
-      # Due to a bug in Actions, we can't use runner.temp in the run blocks here.
-      # https://github.com/actions/runner/issues/2185
-
-      - name: Download Ruby bundle
-        uses: actions/download-artifact@v3
-        with:
-          name: codeql-ruby-bundle
-          path: ${{ runner.temp }}
-      - name: Unzip Ruby bundle
-        shell: bash
-        run: unzip -q -d "$RUNNER_TEMP"/ruby-bundle "$RUNNER_TEMP"/codeql-ruby-bundle.zip
-
-      - name: Run QL test
-        shell: bash
-        run: |
-          codeql test run --search-path "$RUNNER_TEMP"/ruby-bundle --additional-packs "$RUNNER_TEMP"/ruby-bundle ruby/ql/test/library-tests/ast/constants/
-      - name: Create database
-        shell: bash
-        run: |
-          codeql database create --search-path "$RUNNER_TEMP"/ruby-bundle --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
-      - name: Analyze database
-        shell: bash
-        run: |
-          codeql database analyze --search-path "$RUNNER_TEMP"/ruby-bundle --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls

.github/workflows/ruby-dataset-measure.yml

@@ -17,6 +17,9 @@ on:
       - .github/workflows/ruby-dataset-measure.yml
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   measure:
     env:

.github/workflows/ruby-qltest.yml

@@ -29,6 +29,9 @@ defaults:
   run:
     working-directory: ruby
 
+permissions:
+  contents: read
+
 jobs:
   qlupgrade:
     runs-on: ubuntu-latest
@@ -50,6 +53,7 @@ jobs:
            xargs codeql execute upgrades testdb
           diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
   qltest:
+    if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
     strategy:
       fail-fast: false

.github/workflows/swift.yml

@@ -6,6 +6,7 @@ on:
       - "swift/**"
       - "misc/bazel/**"
       - "misc/codegen/**"
+      - "shared/**"
       - "*.bazel*"
       - .github/workflows/swift.yml
       - .github/actions/**
@@ -22,10 +23,12 @@ on:
       - "swift/**"
       - "misc/bazel/**"
       - "misc/codegen/**"
+      - "shared/**"
       - "*.bazel*"
       - .github/workflows/swift.yml
       - .github/actions/**
       - codeql-workspace.yml
+      - .pre-commit-config.yaml
       - "!**/*.md"
       - "!**/*.qhelp"
     branches:
@@ -33,40 +36,47 @@ on:
       - rc/*
       - codeql-cli-*
 
+permissions:
+  contents: read
+
 jobs:
   # not using a matrix as you cannot depend on a specific job in a matrix, and we want to start linux checks
   # without waiting for the macOS build
   build-and-test-macos:
+    if: github.repository_owner == 'github'
     runs-on: macos-12-xl
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
   build-and-test-linux:
+    if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/build-and-test
   qltests-linux:
+    if: github.repository_owner == 'github'
     needs: build-and-test-linux
     runs-on: ubuntu-latest-xl
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests
   qltests-macos:
-    if : ${{ github.event_name == 'pull_request' }}
+    if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
     needs: build-and-test-macos
     runs-on: macos-12-xl
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/run-ql-tests
   integration-tests-linux:
+    if: github.repository_owner == 'github'
     needs: build-and-test-linux
     runs-on: ubuntu-latest-xl
     steps:
       - uses: actions/checkout@v4
       - uses: ./swift/actions/run-integration-tests
   integration-tests-macos:
-    if : ${{ github.event_name == 'pull_request' }}
+    if: ${{ github.repository_owner == 'github' && github.event_name == 'pull_request' }}
     needs: build-and-test-macos
     runs-on: macos-12-xl
     timeout-minutes: 60

.github/workflows/sync-files.yml

@@ -10,6 +10,9 @@ on:
       - main
       - 'rc/*'
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     runs-on: ubuntu-latest

.github/workflows/tree-sitter-extractor-test.yml

@@ -23,6 +23,9 @@ defaults:
   run:
     working-directory: shared/tree-sitter-extractor
 
+permissions:
+  contents: read
+
 jobs:
   test:
     runs-on: ubuntu-latest

.github/workflows/validate-change-notes.yml

@@ -15,6 +15,9 @@ on:
       - ".github/workflows/validate-change-notes.yml"
       - ".github/actions/fetch-codeql/action.yml"
 
+permissions:
+  contents: read
+
 jobs:
   check-change-note:
     runs-on: ubuntu-latest

.gitignore

@@ -39,6 +39,9 @@
 # local bazel options
 /local.bazelrc
 
+# generated cmake directory
+/.bazel-cmake
+
 # CLion project files
 /.clwb
 

.lfsconfig

@@ -0,0 +1,5 @@
+[lfs]
+# codeql is publicly forked by many users, and we don't want any LFS file polluting their working
+# copies. We therefore exclude everything by default.
+# For files required by bazel builds, use rules in `misc/bazel/lfs.bzl` to download them on demand.
+fetchinclude = /nothing

.pre-commit-config.yaml

@@ -20,13 +20,23 @@ repos:
       - id: autopep8
         files: ^misc/codegen/.*\.py
 
-  - repo: https://github.com/warchant/pre-commit-buildifier
-    rev: 0.0.2
-    hooks:
-      - id: buildifier
-
   - repo: local
     hooks:
+      - id: buildifier
+        name: Format bazel files
+        files: \.(bazel|bzl)
+        language: system
+        entry: bazel run //misc/bazel:buildifier
+        pass_filenames: false
+
+#      DISABLED: can be enabled by copying this config and installing `pre-commit` with `--config` on the copy
+#      - id: go-gen
+#        name: Check checked in generated files in go
+#        files: ^go/.*
+#        language: system
+#        entry: bazel run //go:gen
+#        pass_filenames: false
+
       - id: codeql-format
         name: Fix QL file formatting
         files: \.qll?$

CODEOWNERS

@@ -1,4 +1,5 @@
 /cpp/ @github/codeql-c-analysis
+/cpp/autobuilder/ @github/codeql-c-extractor
 /csharp/ @github/codeql-csharp
 /go/ @github/codeql-go
 /java/ @github/codeql-java
@@ -11,9 +12,6 @@
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
-# ML-powered queries
-/javascript/ql/experimental/adaptivethreatmodeling/ @github/codeql-ml-powered-queries-reviewers
-
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
@@ -25,6 +23,7 @@
 
 # Bazel (excluding BUILD.bazel files)
 WORKSPACE.bazel @github/codeql-ci-reviewers
+MODULE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers
 .bazelrc @github/codeql-ci-reviewers
 **/*.bzl @github/codeql-ci-reviewers
@@ -35,9 +34,7 @@ WORKSPACE.bazel @github/codeql-ci-reviewers
 
 # Workflows
 /.github/workflows/ @github/codeql-ci-reviewers
-/.github/workflows/atm-* @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/go-* @github/codeql-go
-/.github/workflows/js-ml-tests.yml @github/codeql-ml-powered-queries-reviewers
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby
 /.github/workflows/swift.yml @github/codeql-swift

CONTRIBUTING.md

@@ -4,6 +4,8 @@ We welcome contributions to our CodeQL libraries and queries. Got an idea for a
 
 There is lots of useful documentation to help you write queries, ranging from information about query file structure to tutorials for specific target languages. For more information on the documentation available, see [CodeQL queries](https://codeql.github.com/docs/writing-codeql-queries/codeql-queries) on [codeql.github.com](https://codeql.github.com).
 
+Note that the CodeQL for Visual Studio Code documentation has been migrated to https://docs.github.com/en/code-security/codeql-for-vs-code/, but you can still contribute to it via a different repository. For more information, see [Contributing to GitHub Docs documentation](https://docs.github.com/en/contributing)."
+
 ## Change notes
 
 Any nontrivial user-visible change to a query pack or library pack should have a change note. For details on how to add a change note for your change, see [this guide](docs/change-notes.md).
@@ -43,7 +45,7 @@ If you have an idea for a query that you would like to share with other CodeQL u
 
 3. **Formatting**
 
-    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/about-codeql-for-visual-studio-code).
+    - The queries and libraries must be autoformatted, for example using the "Format Document" command in [CodeQL for Visual Studio Code](https://docs.github.com/en/code-security/codeql-for-vs-code/).
 
     If you prefer, you can either:
     1. install the [pre-commit framework](https://pre-commit.com/) and install the configured hooks on this repo via `pre-commit install`, or

MODULE.bazel

@@ -0,0 +1,62 @@
+module(
+    name = "codeql",
+    version = "0.0",
+)
+
+# this points to our internal repository when `codeql` is checked out as a submodule thereof
+# when building things from `codeql` independently this is stubbed out in `.bazelrc`
+bazel_dep(name = "semmle_code", version = "0.0")
+local_path_override(
+    module_name = "semmle_code",
+    path = "..",
+)
+
+# see https://registry.bazel.build/ for a list of available packages
+
+bazel_dep(name = "platforms", version = "0.0.9")
+bazel_dep(name = "rules_go", version = "0.47.0")
+bazel_dep(name = "rules_pkg", version = "0.10.1")
+bazel_dep(name = "rules_nodejs", version = "6.0.3")
+bazel_dep(name = "rules_python", version = "0.31.0")
+bazel_dep(name = "bazel_skylib", version = "1.5.0")
+bazel_dep(name = "abseil-cpp", version = "20240116.0", repo_name = "absl")
+bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
+bazel_dep(name = "fmt", version = "10.0.0")
+bazel_dep(name = "gazelle", version = "0.36.0")
+
+bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
+
+pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
+pip.parse(
+    hub_name = "codegen_deps",
+    python_version = "3.11",
+    requirements_lock = "//misc/codegen:requirements_lock.txt",
+)
+use_repo(pip, "codegen_deps")
+
+swift_deps = use_extension("//swift/third_party:load.bzl", "swift_deps")
+
+# following list can be kept in sync with `bazel mod tidy`
+use_repo(
+    swift_deps,
+    "binlog",
+    "picosha2",
+    "swift_prebuilt_darwin_x86_64",
+    "swift_prebuilt_linux",
+    "swift_toolchain_linux",
+    "swift_toolchain_macos",
+)
+
+node = use_extension("@rules_nodejs//nodejs:extensions.bzl", "node")
+node.toolchain(
+    name = "nodejs",
+    node_version = "18.15.0",
+)
+use_repo(node, "nodejs", "nodejs_toolchains")
+
+go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
+go_sdk.download(version = "1.22.2")
+
+register_toolchains(
+    "@nodejs_toolchains//:all",
+)

README.md

@@ -4,7 +4,7 @@ This open source repository contains the standard CodeQL libraries and queries t
 
 ## How do I learn CodeQL and run queries?
 
-There is [extensive documentation](https://codeql.github.com/docs/) on getting started with writing CodeQL using the [CodeQL extension for Visual Studio Code](https://codeql.github.com/docs/codeql-for-visual-studio-code/) and the [CodeQL CLI](https://codeql.github.com/docs/codeql-cli/).
+There is extensive documentation about the [CodeQL language](https://codeql.github.com/docs/), writing CodeQL using the [CodeQL extension for Visual Studio Code](https://docs.github.com/en/code-security/codeql-for-vs-code/) and using the [CodeQL CLI](https://docs.github.com/en/code-security/codeql-cli).
 
 ## Contributing
 

WORKSPACE.bazel

@@ -1,12 +1,2 @@
-# Please notice that any bazel targets and definitions in this repository are currently experimental
-# and for internal use only.
-
-workspace(name = "codeql")
-
-load("//misc/bazel:workspace.bzl", "codeql_workspace")
-
-codeql_workspace()
-
-load("//misc/bazel:workspace_deps.bzl", "codeql_workspace_deps")
-
-codeql_workspace_deps()
+# please use MODULE.bazel to add dependencies
+# this empty file is required by internal repositories, don't remove it

codeql-workspace.yml

@@ -6,20 +6,11 @@ provide:
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"
   - "*/ql/automodel/test/qlpack.yml"
+  - "python/extractor/qlpack.yml"
   - "shared/**/qlpack.yml"
   - "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml"
   - "go/ql/config/legacy-support/qlpack.yml"
   - "go/build/codeql-extractor-go/codeql-extractor.yml"
-  - "javascript/ql/experimental/adaptivethreatmodeling/lib/qlpack.yml"
-  # This pack is explicitly excluded from the workspace since most users
-  # will want to use a version of this pack from the package cache. Internal
-  # users can uncomment the following line and place a custom ML model
-  # in the corresponding pack to test a custom ML model within their local
-  # checkout.
-  # - "javascript/ql/experimental/adaptivethreatmodeling/model/qlpack.yml"
-  - "javascript/ql/experimental/adaptivethreatmodeling/modelbuilding/qlpack.yml"
-  - "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml"
-  - "javascript/ql/experimental/adaptivethreatmodeling/test/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/lib/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/src/qlpack.yml"
   - "csharp/ql/campaigns/Solorigate/test/qlpack.yml"
@@ -27,7 +18,6 @@ provide:
   - "misc/suite-helpers/qlpack.yml"
   - "ruby/extractor-pack/codeql-extractor.yml"
   - "swift/extractor-pack/codeql-extractor.yml"
-  - "swift/integration-tests/qlpack.yml"
   - "ql/extractor-pack/codeql-extractor.yml"
   - ".github/codeql/extensions/**/codeql-pack.yml"
 

config/identical-files.json

@@ -88,123 +88,46 @@
   "IR Instruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Instruction.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Instruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/Instruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Instruction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Instruction.qll"
   ],
   "IR IRBlock": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRBlock.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRBlock.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRBlock.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRBlock.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRBlock.qll"
   ],
   "IR IRVariable": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRVariable.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRVariable.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRVariable.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRVariable.qll"
   ],
   "IR IRFunction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRFunction.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRFunction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRFunction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRFunction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRFunction.qll"
   ],
   "IR Operand": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/Operand.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/Operand.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/Operand.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/Operand.qll"
-  ],
-  "IR IRType": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRType.qll",
-    "csharp/ql/src/experimental/ir/implementation/IRType.qll"
-  ],
-  "IR IRConfiguration": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/IRConfiguration.qll",
-    "csharp/ql/src/experimental/ir/implementation/IRConfiguration.qll"
-  ],
-  "IR UseSoundEscapeAnalysis": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/UseSoundEscapeAnalysis.qll",
-    "csharp/ql/src/experimental/ir/implementation/UseSoundEscapeAnalysis.qll"
-  ],
-  "IR IRFunctionBase": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/IRFunctionBase.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/IRFunctionBase.qll"
-  ],
-  "IR Operand Tag": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/OperandTag.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/OperandTag.qll"
-  ],
-  "IR TInstruction": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TInstruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/TInstruction.qll"
-  ],
-  "IR TIRVariable": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TIRVariable.qll",
-    "csharp/ql/src/experimental/ir/implementation/internal/TIRVariable.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/Operand.qll"
   ],
   "IR IR": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IR.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IR.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IR.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IR.qll"
   ],
   "IR IRConsistency": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/IRConsistency.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/IRConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/IRConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/IRConsistency.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/IRConsistency.qll"
   ],
   "IR PrintIR": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/PrintIR.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/PrintIR.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/PrintIR.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/PrintIR.qll"
-  ],
-  "IR IntegerConstant": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerConstant.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerConstant.qll"
-  ],
-  "IR IntegerInteval": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerInterval.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerInterval.qll"
-  ],
-  "IR IntegerPartial": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/IntegerPartial.qll",
-    "csharp/ql/src/experimental/ir/internal/IntegerPartial.qll"
-  ],
-  "IR Overlap": [
-    "cpp/ql/lib/semmle/code/cpp/ir/internal/Overlap.qll",
-    "csharp/ql/src/experimental/ir/internal/Overlap.qll"
-  ],
-  "IR EdgeKind": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/EdgeKind.qll",
-    "csharp/ql/src/experimental/ir/implementation/EdgeKind.qll"
-  ],
-  "IR MemoryAccessKind": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/MemoryAccessKind.qll",
-    "csharp/ql/src/experimental/ir/implementation/MemoryAccessKind.qll"
-  ],
-  "IR TempVariableTag": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/TempVariableTag.qll",
-    "csharp/ql/src/experimental/ir/implementation/TempVariableTag.qll"
-  ],
-  "IR Opcode": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/Opcode.qll",
-    "csharp/ql/src/experimental/ir/implementation/Opcode.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/PrintIR.qll"
   ],
   "IR SSAConsistency": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConsistency.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConsistency.qll"
   ],
   "C++ IR InstructionImports": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/InstructionImports.qll",
@@ -252,8 +175,7 @@
   ],
   "SSA AliasAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll"
   ],
   "SSA PrintAliasAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
@@ -268,44 +190,28 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingImports.qll"
   ],
-  "IR SSA SimpleSSA": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SimpleSSA.qll"
-  ],
-  "IR AliasConfiguration (unaliased_ssa)": [
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasConfiguration.qll"
-  ],
   "IR SSA SSAConstruction": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/SSAConstruction.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/SSAConstruction.qll"
   ],
   "IR SSA PrintSSA": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintSSA.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintSSA.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintSSA.qll"
   ],
   "IR ValueNumberInternal": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingInternal.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingInternal.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/internal/ValueNumberingInternal.qll"
   ],
   "C++ IR ValueNumber": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/ValueNumbering.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/ValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/ValueNumbering.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/ValueNumbering.qll"
   ],
   "C++ IR PrintValueNumbering": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/gvn/PrintValueNumbering.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll",
-    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/PrintValueNumbering.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/PrintValueNumbering.qll"
+    "cpp/ql/lib/semmle/code/cpp/ir/implementation/aliased_ssa/gvn/PrintValueNumbering.qll"
   ],
   "C++ IR ConstantAnalysis": [
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/constant/ConstantAnalysis.qll",
@@ -333,38 +239,6 @@
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
     "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
   ],
-  "C# IR InstructionImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/InstructionImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/InstructionImports.qll"
-  ],
-  "C# IR IRImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRImports.qll"
-  ],
-  "C# IR IRBlockImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRBlockImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRBlockImports.qll"
-  ],
-  "C# IR IRFunctionImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRFunctionImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRFunctionImports.qll"
-  ],
-  "C# IR IRVariableImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/IRVariableImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/IRVariableImports.qll"
-  ],
-  "C# IR OperandImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/OperandImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/OperandImports.qll"
-  ],
-  "C# IR PrintIRImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/internal/PrintIRImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/PrintIRImports.qll"
-  ],
-  "C# IR ValueNumberingImports": [
-    "csharp/ql/src/experimental/ir/implementation/raw/gvn/internal/ValueNumberingImports.qll",
-    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/gvn/internal/ValueNumberingImports.qll"
-  ],
   "C# ControlFlowReachability": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
@@ -377,13 +251,6 @@
     "cpp/ql/src/Security/CWE/CWE-020/SafeExternalAPIFunction.qll",
     "cpp/ql/src/Security/CWE/CWE-020/ir/SafeExternalAPIFunction.qll"
   ],
-  "XML": [
-    "cpp/ql/lib/semmle/code/cpp/XML.qll",
-    "csharp/ql/lib/semmle/code/csharp/XML.qll",
-    "java/ql/lib/semmle/code/xml/XML.qll",
-    "javascript/ql/lib/semmle/javascript/XML.qll",
-    "python/ql/lib/semmle/python/xml/XML.qll"
-  ],
   "DuplicationProblems.inc.qhelp": [
     "cpp/ql/src/Metrics/Files/DuplicationProblems.inc.qhelp",
     "javascript/ql/src/Metrics/DuplicationProblems.inc.qhelp",
@@ -431,13 +298,6 @@
     "java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
     "java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
   ],
-  "IDE Contextual Queries": [
-    "cpp/ql/lib/IDEContextual.qll",
-    "csharp/ql/lib/IDEContextual.qll",
-    "java/ql/lib/IDEContextual.qll",
-    "javascript/ql/lib/IDEContextual.qll",
-    "python/ql/lib/analysis/IDEContextual.qll"
-  ],
   "CryptoAlgorithms Python/JS/Ruby": [
     "javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll",
     "python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll",
@@ -502,7 +362,7 @@
     "java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll"
   ],
   "Python model summaries test extension": [
-    "python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
-    "python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
+    "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
+    "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
   ]
-}
+}

cpp/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@rules_pkg//:mappings.bzl", "pkg_filegroup")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_filegroup")
 
 package(default_visibility = ["//visibility:public"])
 

cpp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -203,6 +203,8 @@ namespace Semmle.Autobuild.Cpp.Tests
         public IList<DiagnosticMessage> Diagnostics { get; } = new List<DiagnosticMessage>();
 
         public void AddEntry(DiagnosticMessage message) => this.Diagnostics.Add(message);
+
+        public void Dispose() { }
     }
 
     /// <summary>
@@ -250,12 +252,7 @@ namespace Semmle.Autobuild.Cpp.Tests
             EndCallbackIn.Add(s);
         }
 
-        CppAutobuilder CreateAutoBuilder(bool isWindows,
-            string? buildless = null, string? solution = null, string? buildCommand = null, string? ignoreErrors = null,
-            string? msBuildArguments = null, string? msBuildPlatform = null, string? msBuildConfiguration = null, string? msBuildTarget = null,
-            string? dotnetArguments = null, string? dotnetVersion = null, string? vsToolsVersion = null,
-            string? nugetRestore = null, string? allSolutions = null,
-            string cwd = @"C:\Project")
+        CppAutobuilder CreateAutoBuilder(bool isWindows, string? dotnetVersion = null, string cwd = @"C:\Project")
         {
             string codeqlUpperLanguage = Language.Cpp.UpperCaseName;
             Actions.GetEnvironmentVariable[$"CODEQL_AUTOBUILDER_{codeqlUpperLanguage}_NO_INDEXING"] = "false";
@@ -265,22 +262,7 @@ namespace Semmle.Autobuild.Cpp.Tests
             Actions.GetEnvironmentVariable[$"CODEQL_EXTRACTOR_{codeqlUpperLanguage}_DIAGNOSTIC_DIR"] = "";
             Actions.GetEnvironmentVariable["CODEQL_JAVA_HOME"] = @"C:\codeql\tools\java";
             Actions.GetEnvironmentVariable["CODEQL_PLATFORM"] = "win64";
-            Actions.GetEnvironmentVariable["SEMMLE_DIST"] = @"C:\odasa";
-            Actions.GetEnvironmentVariable["SEMMLE_JAVA_HOME"] = @"C:\odasa\tools\java";
-            Actions.GetEnvironmentVariable["SEMMLE_PLATFORM_TOOLS"] = @"C:\odasa\tools";
-            Actions.GetEnvironmentVariable["LGTM_INDEX_VSTOOLS_VERSION"] = vsToolsVersion;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_ARGUMENTS"] = msBuildArguments;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_PLATFORM"] = msBuildPlatform;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_CONFIGURATION"] = msBuildConfiguration;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_MSBUILD_TARGET"] = msBuildTarget;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_DOTNET_ARGUMENTS"] = dotnetArguments;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_DOTNET_VERSION"] = dotnetVersion;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_BUILD_COMMAND"] = buildCommand;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_SOLUTION"] = solution;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_IGNORE_ERRORS"] = ignoreErrors;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_BUILDLESS"] = buildless;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_ALL_SOLUTIONS"] = allSolutions;
-            Actions.GetEnvironmentVariable["LGTM_INDEX_NUGET_RESTORE"] = nugetRestore;
+            Actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_OPTION_DOTNET_VERSION"] = dotnetVersion;
             Actions.GetEnvironmentVariable["ProgramFiles(x86)"] = isWindows ? @"C:\Program Files (x86)" : null;
             Actions.GetCurrentDirectory = cwd;
             Actions.IsWindows = isWindows;

cpp/autobuilder/Semmle.Autobuild.Cpp/CppAutobuilder.cs

@@ -26,9 +26,6 @@ namespace Semmle.Autobuild.Cpp
 
         public override BuildScript GetBuildScript()
         {
-            if (Options.BuildCommand != null)
-                return new BuildCommandRule((_, f) => f(null)).Analyse(this, false);
-
             return
                 // First try MSBuild
                 new MsBuildRule().Analyse(this, true) |

cpp/autobuilder/Semmle.Autobuild.Cpp/Program.cs

@@ -1,5 +1,7 @@
 using System;
+
 using Semmle.Autobuild.Shared;
+using Semmle.Util;
 
 namespace Semmle.Autobuild.Cpp
 {
@@ -15,7 +17,7 @@ namespace Semmle.Autobuild.Cpp
                 try
                 {
                     Console.WriteLine("CodeQL C++ autobuilder");
-                    var builder = new CppAutobuilder(actions, options);
+                    using var builder = new CppAutobuilder(actions, options);
                     return builder.AttemptBuild();
                 }
                 catch (InvalidEnvironmentException ex)

cpp/downgrades/298438feb146335af824002589cd6d4e96e5dbf9/exprparents.ql

@@ -0,0 +1,19 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Stmt extends @stmt {
+  string toString() { none() }
+}
+
+predicate isStmtWithInitializer(Stmt stmt) { exists(int kind | stmts(stmt, kind, _) | kind = 29) }
+
+from Expr child, int index, int index_new, Element parent
+where
+  exprparents(child, index, parent) and
+  if isStmtWithInitializer(parent) then index_new = index - 1 else index_new = index
+select child, index_new, parent

cpp/downgrades/298438feb146335af824002589cd6d4e96e5dbf9/for_initialization.ql

@@ -0,0 +1,9 @@
+class Stmt extends @stmt {
+  string toString() { none() }
+}
+
+from Stmt f, Stmt i
+where
+  for_initialization(f, i) and
+  f instanceof @stmt_for
+select f, i

cpp/downgrades/298438feb146335af824002589cd6d4e96e5dbf9/stmtparents.ql

@@ -0,0 +1,20 @@
+class Element extends @element {
+  string toString() { none() }
+}
+
+class Stmt extends @stmt {
+  string toString() { none() }
+}
+
+predicate isStmtWithInitializer(Stmt stmt) { exists(int kind | stmts(stmt, kind, _) | kind = 29) }
+
+from Stmt child, int index, int index_new, Element parent
+where
+  stmtparents(child, index, parent) and
+  (
+    not isStmtWithInitializer(parent)
+    or
+    index > 0
+  ) and
+  if isStmtWithInitializer(parent) then index_new = index - 1 else index_new = index
+select child, index_new, parent

cpp/downgrades/298438feb146335af824002589cd6d4e96e5dbf9/upgrade.properties

@@ -0,0 +1,5 @@
+description: Support C++20 range-based for initializers
+compatibility: partial
+exprparents.rel: run exprparents.qlo
+stmtparents.rel: run stmtparents.qlo
+for_initialization.rel: run for_initialization.qlo

cpp/downgrades/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@rules_pkg//:mappings.bzl", "pkg_files", "strip_prefix")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_files", "strip_prefix")
 
 pkg_files(
     name = "downgrades",

cpp/downgrades/aa7ff0ab32cd4674f6ab731d32fea64116997b05/exprs.ql

@@ -0,0 +1,13 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_expr {
+  string toString() { none() }
+}
+
+from Expr expr, int kind, int kind_new, Location loc
+where
+  exprs(expr, kind, loc) and
+  if kind = 363 then kind_new = 1 else kind_new = kind
+select expr, kind_new, loc

cpp/downgrades/aa7ff0ab32cd4674f6ab731d32fea64116997b05/upgrade.properties

@@ -0,0 +1,4 @@
+description: Introduce re-use expressions
+compatibility: partial
+expr_reuse.rel: delete
+exprs.rel: run exprs.qlo

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/expr_reuse.ql

@@ -0,0 +1,7 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+from Expr reuse, Expr original
+where expr_reuse(reuse, original, _)
+select reuse, original

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/expr_types.ql

@@ -0,0 +1,22 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Type extends @type {
+  string toString() { none() }
+}
+
+predicate existingType(Expr expr, Type type, int value_category) {
+  expr_types(expr, type, value_category)
+}
+
+predicate reuseType(Expr reuse, Type type, int value_category) {
+  exists(Expr original |
+    expr_reuse(reuse, original, value_category) and
+    expr_types(original, type, _)
+  )
+}
+
+from Expr expr, Type type, int value_category
+where existingType(expr, type, value_category) or reuseType(expr, type, value_category)
+select expr, type, value_category

cpp/downgrades/abfce5c170f93e281948f7689ece373464fdaf87/upgrade.properties

@@ -0,0 +1,4 @@
+description: Add value category to expr_reuse table
+compatibility: full
+expr_reuse.rel: run expr_reuse.qlo
+expr_types.rel: run expr_types.qlo

cpp/ql/lib/BUILD.bazel

@@ -1,4 +1,4 @@
-load("@rules_pkg//:mappings.bzl", "pkg_files")
+load("@rules_pkg//pkg:mappings.bzl", "pkg_files")
 
 package(default_visibility = ["//cpp:__pkg__"])
 

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,63 @@
+## 0.13.1
+
+No user-facing changes.
+
+## 0.13.0
+
+### Breaking Changes
+
+* Deleted the deprecated `GlobalValueNumberingImpl.qll` implementation.
+
+### New Features
+
+* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See `dataflow/ExternalFlow.qll` for documentation and specification of the model format, and `models/implementations/ZMQ.qll` for a simple example of models. Importing models from `.yml` is not yet supported.
+
+### Minor Analysis Improvements
+
+* Source models have been added for the standard library function `getc` (and variations).
+* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
+* Parameters of functions without definitions now have `ParameterNode`s.
+* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.
+
+## 0.12.11
+
+No user-facing changes.
+
+## 0.12.10
+
+### New Features
+
+* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
+* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
+* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
+* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
+* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
+* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
+
+### Minor Analysis Improvements
+
+* Added destructors for temporary objects with extended lifetimes to the intermediate representation.
+
+## 0.12.9
+
+No user-facing changes.
+
+## 0.12.8
+
+No user-facing changes.
+
+## 0.12.7
+
+### Minor Analysis Improvements
+
+* Added destructors for named objects to the intermediate representation.
+
+## 0.12.6
+
+### New Features
+
+* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.
+
 ## 0.12.5
 
 ### New Features

cpp/ql/lib/IDEContextual.qll

@@ -3,6 +3,7 @@
  */
 
 import semmle.files.FileSystem
+private import codeql.util.FileSystem
 
 /**
  * Returns the `File` matching the given source file name as encoded by the VS
@@ -10,13 +11,5 @@ import semmle.files.FileSystem
  */
 cached
 File getFileBySourceArchiveName(string name) {
-  // The name provided for a file in the source archive by the VS Code extension
-  // has some differences from the absolute path in the database:
-  // 1. colons are replaced by underscores
-  // 2. there's a leading slash, even for Windows paths: "C:/foo/bar" ->
-  //    "/C_/foo/bar"
-  // 3. double slashes in UNC prefixes are replaced with a single slash
-  // We can handle 2 and 3 together by unconditionally adding a leading slash
-  // before replacing double slashes.
-  name = ("/" + result.getAbsolutePath().replaceAll(":", "_")).replaceAll("//", "/")
+  result = IdeContextual<File>::getFileBySourceArchiveName(name)
 }

cpp/ql/lib/change-notes/released/0.12.10.md

@@ -0,0 +1,14 @@
+## 0.12.10
+
+### New Features
+
+* Added a `TaintInheritingContent` class that can be extended to model taint flowing from a qualifier to a field.
+* Added a predicate `GuardCondition.comparesEq/4` to query whether an expression is compared to a constant. 
+* Added a predicate `GuardCondition.ensuresEq/4` to query whether a basic block is guarded by an expression being equal to a constant.
+* Added a predicate `GuardCondition.comparesLt/4` to query whether an expression is compared to a constant. 
+* Added a predicate `GuardCondition.ensuresLt/4` to query whether a basic block is guarded by an expression being less than a constant.
+* Added a predicate `GuardCondition.valueControls` to query whether a basic block is guarded by a particular `case` of a `switch` statement.
+
+### Minor Analysis Improvements
+
+* Added destructors for temporary objects with extended lifetimes to the intermediate representation.

cpp/ql/lib/change-notes/released/0.12.11.md

@@ -0,0 +1,3 @@
+## 0.12.11
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.6.md

@@ -0,0 +1,5 @@
+## 0.12.6
+
+### New Features
+
+* A `getInitialization` predicate was added to the `RangeBasedForStmt` class that yields the C++20-style initializer of the range-based `for` statement when it exists.

cpp/ql/lib/change-notes/released/0.12.7.md

@@ -0,0 +1,5 @@
+## 0.12.7
+
+### Minor Analysis Improvements
+
+* Added destructors for named objects to the intermediate representation.

cpp/ql/lib/change-notes/released/0.12.8.md

@@ -0,0 +1,3 @@
+## 0.12.8
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/0.12.9.md

@@ -0,0 +1,3 @@
+## 0.12.9
+
+No user-facing changes.

cpp/ql/lib/change-notes/released/0.13.0.md

@@ -0,0 +1,16 @@
+## 0.13.0
+
+### Breaking Changes
+
+* Deleted the deprecated `GlobalValueNumberingImpl.qll` implementation.
+
+### New Features
+
+* Models-as-Data support has been added for C/C++. This feature allows flow sources, sinks and summaries to be expressed in compact strings as an alternative to modelling each source / sink / summary with explicit QL. See `dataflow/ExternalFlow.qll` for documentation and specification of the model format, and `models/implementations/ZMQ.qll` for a simple example of models. Importing models from `.yml` is not yet supported.
+
+### Minor Analysis Improvements
+
+* Source models have been added for the standard library function `getc` (and variations).
+* Source, sink and flow models for the ZeroMQ (ZMQ) networking library have been added.
+* Parameters of functions without definitions now have `ParameterNode`s.
+* The alias analysis used internally by various libraries has been improved to answer alias questions more conservatively. As a result, some queries may report fewer false positives.

cpp/ql/lib/change-notes/released/0.13.1.md

@@ -0,0 +1,3 @@
+## 0.13.1
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.5
+lastReleaseVersion: 0.13.1

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.5
+version: 0.13.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,8 +7,11 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/dataflow: ${workspace}
+  codeql/mad: ${workspace}
   codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
+  codeql/typeflow: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
+  codeql/xml: ${workspace}
 warnOnImplicitThis: true

cpp/ql/lib/semmle/code/cpp/Enclosing.qll

@@ -60,4 +60,6 @@ Element exprEnclosingElement(Expr e) {
       )
     else result = de.getDeclaration()
   )
+  or
+  result.(Stmt).getAnImplicitDestructorCall() = e
 }

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -309,9 +309,12 @@ class ExprNode extends AstNode {
   override AstNode getChildInternal(int childIndex) {
     result.getAst() = expr.getChild(childIndex)
     or
+    childIndex = max(int index | exists(expr.getChild(index)) or index = 0) + 1 and
+    result.getAst() = expr.(ConditionDeclExpr).getInitializingExpr()
+    or
     exists(int destructorIndex |
       result.getAst() = expr.getImplicitDestructorCall(destructorIndex) and
-      childIndex = destructorIndex + max(int index | exists(expr.getChild(index)) or index = 0) + 1
+      childIndex = destructorIndex + max(int index | exists(expr.getChild(index)) or index = 0) + 2
     )
   }
 
@@ -361,6 +364,8 @@ class ConversionNode extends ExprNode {
     childIndex = 0 and
     result.getAst() = conv.getExpr() and
     conv.getExpr() instanceof Conversion
+    or
+    result.getAst() = expr.getImplicitDestructorCall(childIndex - 1)
   }
 }
 
@@ -458,6 +463,25 @@ class StmtNode extends AstNode {
   }
 }
 
+/**
+ * A node representing a child of a `Stmt` that is itself a `Stmt`.
+ */
+class ChildStmtNode extends StmtNode {
+  Stmt childStmt;
+
+  ChildStmtNode() { exists(Stmt parent | parent.getAChild() = childStmt and childStmt = ast) }
+
+  override BaseAstNode getChildInternal(int childIndex) {
+    result = super.getChildInternal(childIndex)
+    or
+    exists(int destructorIndex |
+      result.getAst() = childStmt.getImplicitDestructorCall(destructorIndex) and
+      childIndex =
+        destructorIndex + max(int index | exists(childStmt.getChild(index)) or index = 0) + 1
+    )
+  }
+}
+
 /**
  * A node representing a `DeclStmt`.
  */
@@ -669,6 +693,13 @@ class FunctionNode extends FunctionOrGlobalOrNamespaceVariableNode {
 private string getChildAccessorWithoutConversions(Locatable parent, Element child) {
   shouldPrintDeclaration(getAnEnclosingDeclaration(parent)) and
   (
+    exists(Stmt s, int i | s.getChild(i) = parent |
+      exists(int n |
+        s.getChild(i).(Stmt).getImplicitDestructorCall(n) = child and
+        result = "getImplicitDestructorCall(" + n + ")"
+      )
+    )
+    or
     exists(Stmt s | s = parent |
       namedStmtChildPredicates(s, child, result)
       or
@@ -686,6 +717,8 @@ private string getChildAccessorWithoutConversions(Locatable parent, Element chil
       not namedExprChildPredicates(expr, child, _) and
       exists(int n | expr.getChild(n) = child and result = "getChild(" + n + ")")
       or
+      expr.(ConditionDeclExpr).getInitializingExpr() = child and result = "getInitializingExpr()"
+      or
       exists(int n |
         expr.getImplicitDestructorCall(n) = child and
         result = "getImplicitDestructorCall(" + n + ")"
@@ -735,7 +768,9 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
     or
     s.(ForStmt).getStmt() = e and pred = "getStmt()"
     or
-    s.(RangeBasedForStmt).getChild(0) = e and pred = "getChild(0)"
+    s.(RangeBasedForStmt).getInitialization() = e and pred = "getInitialization()"
+    or
+    s.(RangeBasedForStmt).getChild(1) = e and pred = "getChild(1)"
     or
     s.(RangeBasedForStmt).getBeginEndDeclaration() = e and pred = "getBeginEndDeclaration()"
     or
@@ -743,7 +778,7 @@ private predicate namedStmtChildPredicates(Locatable s, Element e, string pred)
     or
     s.(RangeBasedForStmt).getUpdate() = e and pred = "getUpdate()"
     or
-    s.(RangeBasedForStmt).getChild(4) = e and pred = "getChild(4)"
+    s.(RangeBasedForStmt).getChild(5) = e and pred = "getChild(5)"
     or
     s.(RangeBasedForStmt).getStmt() = e and pred = "getStmt()"
     or
@@ -835,7 +870,11 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(OverloadedArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
     or
-    expr.(OverloadedPointerDereferenceExpr).getExpr() = ele and pred = "getExpr()"
+    // OverloadedPointerDereferenceExpr::getExpr/0 also considers qualifiers, which are already handled above for all Call classes.
+    not expr.(OverloadedPointerDereferenceExpr).getQualifier() =
+      expr.(OverloadedPointerDereferenceExpr).getExpr() and
+    expr.(OverloadedPointerDereferenceExpr).getExpr() = ele and
+    pred = "getExpr()"
     or
     expr.(CommaExpr).getLeftOperand() = ele and pred = "getLeftOperand()"
     or
@@ -851,7 +890,7 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(DeleteOrDeleteArrayExpr).getDestructorCall() = ele and pred = "getDestructorCall()"
     or
-    expr.(DeleteOrDeleteArrayExpr).getExpr() = ele and pred = "getExpr()"
+    expr.(DeleteOrDeleteArrayExpr).getExprWithReuse() = ele and pred = "getExprWithReuse()"
     or
     expr.(DestructorFieldDestruction).getExpr() = ele and pred = "getExpr()"
     or

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -234,7 +234,16 @@ class VariableDeclarationEntry extends DeclarationEntry, @var_decl {
    * int f(int y) { return y; }
    * ```
    */
-  override string getName() { var_decls(underlyingElement(this), _, _, result, _) and result != "" }
+  override string getName() {
+    exists(string name |
+      var_decls(underlyingElement(this), _, _, name, _) and
+      (
+        name != "" and result = name
+        or
+        name = "" and result = this.getVariable().(LocalVariable).getName()
+      )
+    )
+  }
 
   /**
    * Gets the type of the variable which is being declared or defined.
@@ -581,6 +590,33 @@ class TemplateVariable extends Variable {
   Variable getAnInstantiation() { result.isConstructedFrom(this) }
 }
 
+/**
+ * A variable that is an instantiation of a template. For example
+ * the instantiation `myTemplateVariable<int>` in the following code:
+ * ```
+ * template<class T>
+ * T myTemplateVariable;
+ *
+ * void caller(int i) {
+ *   myTemplateVariable<int> = i;
+ * }
+ * ```
+ */
+class VariableTemplateInstantiation extends Variable {
+  TemplateVariable tv;
+
+  VariableTemplateInstantiation() { tv.getAnInstantiation() = this }
+
+  override string getAPrimaryQlClass() { result = "VariableTemplateInstantiation" }
+
+  /**
+   * Gets the variable template from which this instantiation was instantiated.
+   *
+   * Example: For `int x<int>`, returns `T x`.
+   */
+  TemplateVariable getTemplate() { result = tv }
+}
+
 /**
  * A non-static local variable or parameter that is not part of an
  * uninstantiated template. Uninstantiated templates are purely syntax, and

cpp/ql/lib/semmle/code/cpp/XML.qll

@@ -3,305 +3,67 @@
  */
 
 import semmle.files.FileSystem
+private import codeql.xml.Xml
 
-private class TXmlLocatable =
-  @xmldtd or @xmlelement or @xmlattribute or @xmlnamespace or @xmlcomment or @xmlcharacters;
+private module Input implements InputSig<File, Location> {
+  class XmlLocatableBase = @xmllocatable or @xmlnamespaceable;
 
-/** An XML element that has a location. */
-class XmlLocatable extends @xmllocatable, TXmlLocatable {
-  /** Gets the source location for this element. */
-  Location getLocation() { xmllocations(this, result) }
+  predicate xmllocations_(XmlLocatableBase e, Location loc) { xmllocations(e, loc) }
 
-  /**
-   * Holds if this element is at the specified location.
-   * The location spans column `startcolumn` of line `startline` to
-   * column `endcolumn` of line `endline` in file `filepath`.
-   * For more information, see
-   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
-   */
-  predicate hasLocationInfo(
-    string filepath, int startline, int startcolumn, int endline, int endcolumn
+  class XmlParentBase = @xmlparent;
+
+  class XmlNamespaceableBase = @xmlnamespaceable;
+
+  class XmlElementBase = @xmlelement;
+
+  class XmlFileBase = File;
+
+  predicate xmlEncoding_(XmlFileBase f, string enc) { xmlEncoding(f, enc) }
+
+  class XmlDtdBase = @xmldtd;
+
+  predicate xmlDTDs_(XmlDtdBase e, string root, string publicId, string systemId, XmlFileBase file) {
+    xmlDTDs(e, root, publicId, systemId, file)
+  }
+
+  predicate xmlElements_(
+    XmlElementBase e, string name, XmlParentBase parent, int idx, XmlFileBase file
   ) {
-    exists(File f, Location l | l = this.getLocation() |
-      locations_default(l, f, startline, startcolumn, endline, endcolumn) and
-      filepath = f.getAbsolutePath()
-    )
+    xmlElements(e, name, parent, idx, file)
   }
 
-  /** Gets a textual representation of this element. */
-  string toString() { none() } // overridden in subclasses
-}
+  class XmlAttributeBase = @xmlattribute;
 
-/**
- * An `XmlParent` is either an `XmlElement` or an `XmlFile`,
- * both of which can contain other elements.
- */
-class XmlParent extends @xmlparent {
-  XmlParent() {
-    // explicitly restrict `this` to be either an `XmlElement` or an `XmlFile`;
-    // the type `@xmlparent` currently also includes non-XML files
-    this instanceof @xmlelement or xmlEncoding(this, _)
+  predicate xmlAttrs_(
+    XmlAttributeBase e, XmlElementBase elementid, string name, string value, int idx,
+    XmlFileBase file
+  ) {
+    xmlAttrs(e, elementid, name, value, idx, file)
   }
 
-  /**
-   * Gets a printable representation of this XML parent.
-   * (Intended to be overridden in subclasses.)
-   */
-  string getName() { none() } // overridden in subclasses
+  class XmlNamespaceBase = @xmlnamespace;
 
-  /** Gets the file to which this XML parent belongs. */
-  XmlFile getFile() { result = this or xmlElements(this, _, _, _, result) }
-
-  /** Gets the child element at a specified index of this XML parent. */
-  XmlElement getChild(int index) { xmlElements(result, _, this, index, _) }
-
-  /** Gets a child element of this XML parent. */
-  XmlElement getAChild() { xmlElements(result, _, this, _, _) }
-
-  /** Gets a child element of this XML parent with the given `name`. */
-  XmlElement getAChild(string name) { xmlElements(result, _, this, _, _) and result.hasName(name) }
-
-  /** Gets a comment that is a child of this XML parent. */
-  XmlComment getAComment() { xmlComments(result, _, this, _) }
-
-  /** Gets a character sequence that is a child of this XML parent. */
-  XmlCharacters getACharactersSet() { xmlChars(result, _, this, _, _, _) }
-
-  /** Gets the depth in the tree. (Overridden in XmlElement.) */
-  int getDepth() { result = 0 }
-
-  /** Gets the number of child XML elements of this XML parent. */
-  int getNumberOfChildren() { result = count(XmlElement e | xmlElements(e, _, this, _, _)) }
-
-  /** Gets the number of places in the body of this XML parent where text occurs. */
-  int getNumberOfCharacterSets() { result = count(int pos | xmlChars(_, _, this, pos, _, _)) }
-
-  /**
-   * Gets the result of appending all the character sequences of this XML parent from
-   * left to right, separated by a space.
-   */
-  string allCharactersString() {
-    result =
-      concat(string chars, int pos | xmlChars(_, chars, this, pos, _, _) | chars, " " order by pos)
+  predicate xmlNs_(XmlNamespaceBase e, string prefixName, string uri, XmlFileBase file) {
+    xmlNs(e, prefixName, uri, file)
   }
 
-  /** Gets the text value contained in this XML parent. */
-  string getTextValue() { result = this.allCharactersString() }
+  predicate xmlHasNs_(XmlNamespaceableBase e, XmlNamespaceBase ns, XmlFileBase file) {
+    xmlHasNs(e, ns, file)
+  }
 
-  /** Gets a printable representation of this XML parent. */
-  string toString() { result = this.getName() }
-}
+  class XmlCommentBase = @xmlcomment;
 
-/** An XML file. */
-class XmlFile extends XmlParent, File {
-  XmlFile() { xmlEncoding(this, _) }
+  predicate xmlComments_(XmlCommentBase e, string text, XmlParentBase parent, XmlFileBase file) {
+    xmlComments(e, text, parent, file)
+  }
 
-  /** Gets a printable representation of this XML file. */
-  override string toString() { result = this.getName() }
+  class XmlCharactersBase = @xmlcharacters;
 
-  /** Gets the name of this XML file. */
-  override string getName() { result = File.super.getAbsolutePath() }
-
-  /** Gets the encoding of this XML file. */
-  string getEncoding() { xmlEncoding(this, result) }
-
-  /** Gets the XML file itself. */
-  override XmlFile getFile() { result = this }
-
-  /** Gets a top-most element in an XML file. */
-  XmlElement getARootElement() { result = this.getAChild() }
-
-  /** Gets a DTD associated with this XML file. */
-  XmlDtd getADtd() { xmlDTDs(result, _, _, _, this) }
-}
-
-/**
- * An XML document type definition (DTD).
- *
- * Example:
- *
- * ```
- * <!ELEMENT person (firstName, lastName?)>
- * <!ELEMENT firstName (#PCDATA)>
- * <!ELEMENT lastName (#PCDATA)>
- * ```
- */
-class XmlDtd extends XmlLocatable, @xmldtd {
-  /** Gets the name of the root element of this DTD. */
-  string getRoot() { xmlDTDs(this, result, _, _, _) }
-
-  /** Gets the public ID of this DTD. */
-  string getPublicId() { xmlDTDs(this, _, result, _, _) }
-
-  /** Gets the system ID of this DTD. */
-  string getSystemId() { xmlDTDs(this, _, _, result, _) }
-
-  /** Holds if this DTD is public. */
-  predicate isPublic() { not xmlDTDs(this, _, "", _, _) }
-
-  /** Gets the parent of this DTD. */
-  XmlParent getParent() { xmlDTDs(this, _, _, _, result) }
-
-  override string toString() {
-    this.isPublic() and
-    result = this.getRoot() + " PUBLIC '" + this.getPublicId() + "' '" + this.getSystemId() + "'"
-    or
-    not this.isPublic() and
-    result = this.getRoot() + " SYSTEM '" + this.getSystemId() + "'"
+  predicate xmlChars_(
+    XmlCharactersBase e, string text, XmlParentBase parent, int idx, int isCDATA, XmlFileBase file
+  ) {
+    xmlChars(e, text, parent, idx, isCDATA, file)
   }
 }
 
-/**
- * An XML element in an XML file.
- *
- * Example:
- *
- * ```
- * <manifest xmlns:android="http://schemas.android.com/apk/res/android"
- *           package="com.example.exampleapp" android:versionCode="1">
- * </manifest>
- * ```
- */
-class XmlElement extends @xmlelement, XmlParent, XmlLocatable {
-  /** Holds if this XML element has the given `name`. */
-  predicate hasName(string name) { name = this.getName() }
-
-  /** Gets the name of this XML element. */
-  override string getName() { xmlElements(this, result, _, _, _) }
-
-  /** Gets the XML file in which this XML element occurs. */
-  override XmlFile getFile() { xmlElements(this, _, _, _, result) }
-
-  /** Gets the parent of this XML element. */
-  XmlParent getParent() { xmlElements(this, _, result, _, _) }
-
-  /** Gets the index of this XML element among its parent's children. */
-  int getIndex() { xmlElements(this, _, _, result, _) }
-
-  /** Holds if this XML element has a namespace. */
-  predicate hasNamespace() { xmlHasNs(this, _, _) }
-
-  /** Gets the namespace of this XML element, if any. */
-  XmlNamespace getNamespace() { xmlHasNs(this, result, _) }
-
-  /** Gets the index of this XML element among its parent's children. */
-  int getElementPositionIndex() { xmlElements(this, _, _, result, _) }
-
-  /** Gets the depth of this element within the XML file tree structure. */
-  override int getDepth() { result = this.getParent().getDepth() + 1 }
-
-  /** Gets an XML attribute of this XML element. */
-  XmlAttribute getAnAttribute() { result.getElement() = this }
-
-  /** Gets the attribute with the specified `name`, if any. */
-  XmlAttribute getAttribute(string name) { result.getElement() = this and result.getName() = name }
-
-  /** Holds if this XML element has an attribute with the specified `name`. */
-  predicate hasAttribute(string name) { exists(this.getAttribute(name)) }
-
-  /** Gets the value of the attribute with the specified `name`, if any. */
-  string getAttributeValue(string name) { result = this.getAttribute(name).getValue() }
-
-  /** Gets a printable representation of this XML element. */
-  override string toString() { result = this.getName() }
-}
-
-/**
- * An attribute that occurs inside an XML element.
- *
- * Examples:
- *
- * ```
- * package="com.example.exampleapp"
- * android:versionCode="1"
- * ```
- */
-class XmlAttribute extends @xmlattribute, XmlLocatable {
-  /** Gets the name of this attribute. */
-  string getName() { xmlAttrs(this, _, result, _, _, _) }
-
-  /** Gets the XML element to which this attribute belongs. */
-  XmlElement getElement() { xmlAttrs(this, result, _, _, _, _) }
-
-  /** Holds if this attribute has a namespace. */
-  predicate hasNamespace() { xmlHasNs(this, _, _) }
-
-  /** Gets the namespace of this attribute, if any. */
-  XmlNamespace getNamespace() { xmlHasNs(this, result, _) }
-
-  /** Gets the value of this attribute. */
-  string getValue() { xmlAttrs(this, _, _, result, _, _) }
-
-  /** Gets a printable representation of this XML attribute. */
-  override string toString() { result = this.getName() + "=" + this.getValue() }
-}
-
-/**
- * A namespace used in an XML file.
- *
- * Example:
- *
- * ```
- * xmlns:android="http://schemas.android.com/apk/res/android"
- * ```
- */
-class XmlNamespace extends XmlLocatable, @xmlnamespace {
-  /** Gets the prefix of this namespace. */
-  string getPrefix() { xmlNs(this, result, _, _) }
-
-  /** Gets the URI of this namespace. */
-  string getUri() { xmlNs(this, _, result, _) }
-
-  /** Holds if this namespace has no prefix. */
-  predicate isDefault() { this.getPrefix() = "" }
-
-  override string toString() {
-    this.isDefault() and result = this.getUri()
-    or
-    not this.isDefault() and result = this.getPrefix() + ":" + this.getUri()
-  }
-}
-
-/**
- * A comment in an XML file.
- *
- * Example:
- *
- * ```
- * <!-- This is a comment. -->
- * ```
- */
-class XmlComment extends @xmlcomment, XmlLocatable {
-  /** Gets the text content of this XML comment. */
-  string getText() { xmlComments(this, result, _, _) }
-
-  /** Gets the parent of this XML comment. */
-  XmlParent getParent() { xmlComments(this, _, result, _) }
-
-  /** Gets a printable representation of this XML comment. */
-  override string toString() { result = this.getText() }
-}
-
-/**
- * A sequence of characters that occurs between opening and
- * closing tags of an XML element, excluding other elements.
- *
- * Example:
- *
- * ```
- * <content>This is a sequence of characters.</content>
- * ```
- */
-class XmlCharacters extends @xmlcharacters, XmlLocatable {
-  /** Gets the content of this character sequence. */
-  string getCharacters() { xmlChars(this, result, _, _, _, _) }
-
-  /** Gets the parent of this character sequence. */
-  XmlParent getParent() { xmlChars(this, _, result, _, _, _) }
-
-  /** Holds if this character sequence is CDATA. */
-  predicate isCDATA() { xmlChars(this, _, _, _, 1, _) }
-
-  /** Gets a printable representation of this XML character sequence. */
-  override string toString() { result = this.getCharacters() }
-}
+import Make<File, Location, Input>

cpp/ql/lib/semmle/code/cpp/controlflow/SubBasicBlocks.qll

@@ -1,6 +1,6 @@
 // NOTE: There are two copies of this file, and they must be kept identical:
 // - semmle/code/cpp/controlflow/SubBasicBlocks.qll
-// - semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll
+// - semmle/code/cpp/dataflow/internal/SubBasicBlocks.qll [now DEPRECATED]
 //
 // The second one is a private copy of the `SubBasicBlocks` library for
 // internal use by the data flow library. Having an extra copy prevents

cpp/ql/lib/semmle/code/cpp/controlflow/internal/CFG.qll

@@ -637,8 +637,10 @@ private predicate straightLineSparse(Node scope, int i, Node ni, Spec spec) {
     any(RangeBasedForStmt for |
       i = -1 and ni = for and spec.isAt()
       or
+      i = 0 and ni = for.getInitialization() and spec.isAround()
+      or
       exists(DeclStmt s | s.getADeclaration() = for.getRangeVariable() |
-        i = 0 and ni = s and spec.isAround()
+        i = 1 and ni = s and spec.isAround()
       )
       or
       exists(DeclStmt s |
@@ -649,22 +651,22 @@ private predicate straightLineSparse(Node scope, int i, Node ni, Spec spec) {
         // DeclStmt in that case.
         exists(s.getADeclaration())
       |
-        i = 1 and ni = s and spec.isAround()
+        i = 2 and ni = s and spec.isAround()
       )
       or
-      i = 2 and ni = for.getCondition() and spec.isBefore()
+      i = 3 and ni = for.getCondition() and spec.isBefore()
       or
-      i = 3 and /* BARRIER */ ni = for and spec.isBarrier()
+      i = 4 and /* BARRIER */ ni = for and spec.isBarrier()
       or
       exists(DeclStmt declStmt | declStmt.getADeclaration() = for.getVariable() |
-        i = 4 and ni = declStmt and spec.isAfter()
+        i = 5 and ni = declStmt and spec.isAfter()
       )
       or
-      i = 5 and ni = for.getStmt() and spec.isAround()
+      i = 6 and ni = for.getStmt() and spec.isAround()
       or
-      i = 6 and ni = for.getUpdate() and spec.isAround()
+      i = 7 and ni = for.getUpdate() and spec.isAround()
       or
-      i = 7 and ni = for.getCondition() and spec.isBefore()
+      i = 8 and ni = for.getCondition() and spec.isBefore()
     )
   or
   scope =

cpp/ql/lib/semmle/code/cpp/dataflow/DataFlow.qll

@@ -28,6 +28,6 @@ import cpp
 deprecated module DataFlow {
   private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
   private import codeql.dataflow.DataFlow
-  import DataFlowMake<CppOldDataFlow>
+  import DataFlowMake<Location, CppOldDataFlow>
   import semmle.code.cpp.dataflow.internal.DataFlowImpl1
 }

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -0,0 +1,556 @@
+/**
+ * INTERNAL use only. This is an experimental API subject to change without notice.
+ *
+ * Provides classes and predicates for dealing with flow models specified in CSV format.
+ *
+ * The CSV specification has the following columns:
+ * - Sources:
+ *   `namespace; type; subtypes; name; signature; ext; output; kind`
+ * - Sinks:
+ *   `namespace; type; subtypes; name; signature; ext; input; kind`
+ * - Summaries:
+ *   `namespace; type; subtypes; name; signature; ext; input; output; kind`
+ *
+ * The interpretation of a row is similar to API-graphs with a left-to-right
+ * reading.
+ * 1. The `namespace` column selects a namespace.
+ * 2. The `type` column selects a type within that namespace.
+ * 3. The `subtypes` is a boolean that indicates whether to jump to an
+ *    arbitrary subtype of that type. Set this to `false` if leaving the `type`
+ *    blank (for example, a free function).
+ * 4. The `name` column optionally selects a specific named member of the type.
+ * 5. The `signature` column optionally restricts the named member. If
+ *    `signature` is blank then no such filtering is done. The format of the
+ *    signature is a comma-separated list of types enclosed in parentheses. The
+ *    types can be short names or fully qualified names (mixing these two options
+ *    is not allowed within a single signature).
+ * 6. The `ext` column specifies additional API-graph-like edges. Currently
+ *    there is only one valid value: "".
+ * 7. The `input` column specifies how data enters the element selected by the
+ *    first 6 columns, and the `output` column specifies how data leaves the
+ *    element selected by the first 6 columns. An `input` can be either:
+ *    - "": Selects a write to the selected element in case this is a field.
+ *    - "Argument[n]": Selects an argument in a call to the selected element.
+ *      The arguments are zero-indexed, and `-1` specifies the qualifier object,
+ *      that is, `*this`.
+ *      - one or more "*" can be added in front of the argument index to indicate
+ *        indirection, for example, `Argument[*0]` indicates the first indirection
+ *        of the 0th argument.
+ *      - `n1..n2` syntax can be used to indicate a range of arguments, inclusive
+ *        at both ends. One or more "*"s can be added in front of the whole range
+ *        to indicate that every argument in the range is indirect, for example
+ *        `*0..1` is the first indirection of both arguments 0 and 1.
+ *    - "ReturnValue": Selects a value being returned by the selected element.
+ *      One or more "*" can be added as an argument to indicate indirection, for
+ *      example, "ReturnValue[*]" indicates the first indirection of the return
+ *      value.
+ *
+ *    An `output` can be either:
+ *    - "": Selects a read of a selected field.
+ *    - "Argument[n]": Selects the post-update value of an argument in a call to
+ *      the selected element. That is, the value of the argument after the call
+ *      returns. The arguments are zero-indexed, and `-1` specifies the qualifier
+ *      object, that is, `*this`.
+ *      - one or more "*" can be added in front of the argument index to indicate
+ *        indirection, for example, `Argument[*0]` indicates the first indirection
+ *        of the 0th argument.
+ *      - `n1..n2` syntax can be used to indicate a range of arguments, inclusive
+ *        at both ends. One or more "*"s can be added in front of the whole range
+ *        to indicate that every argument in the range is indirect, for example
+ *        `*0..1` is the first indirection of both arguments 0 and 1.
+ *    - "Parameter[n]": Selects the value of a parameter of the selected element.
+ *      The syntax is the same as for "Argument", for example "Parameter[0]",
+ *      "Parameter[*0]", "Parameter[0..2]" etc.
+ *    - "ReturnValue": Selects a value being returned by the selected element.
+ *      One or more "*" can be added as an argument to indicate indirection, for
+ *      example, "ReturnValue[*]" indicates the first indirection of the return
+ *      value.
+ * 8. The `kind` column is a tag that can be referenced from QL to determine to
+ *    which classes the interpreted elements should be added. For example, for
+ *    sources "remote" indicates a default remote flow source, and for summaries
+ *    "taint" indicates a default additional taint step and "value" indicates a
+ *    globally applicable value-preserving step.
+ */
+
+import cpp
+private import new.DataFlow
+private import internal.FlowSummaryImpl
+private import internal.FlowSummaryImpl::Public
+private import internal.FlowSummaryImpl::Private
+private import internal.FlowSummaryImpl::Private::External
+private import codeql.mad.ModelValidation as SharedModelVal
+private import codeql.util.Unit
+
+/**
+ * A unit class for adding additional source model rows.
+ *
+ * Extend this class to add additional source definitions.
+ */
+class SourceModelCsv extends Unit {
+  /** Holds if `row` specifies a source definition. */
+  abstract predicate row(string row);
+}
+
+/**
+ * A unit class for adding additional sink model rows.
+ *
+ * Extend this class to add additional sink definitions.
+ */
+class SinkModelCsv extends Unit {
+  /** Holds if `row` specifies a sink definition. */
+  abstract predicate row(string row);
+}
+
+/**
+ * A unit class for adding additional summary model rows.
+ *
+ * Extend this class to add additional flow summary definitions.
+ */
+class SummaryModelCsv extends Unit {
+  /** Holds if `row` specifies a summary definition. */
+  abstract predicate row(string row);
+}
+
+/** Holds if `row` is a source model. */
+predicate sourceModel(string row) { any(SourceModelCsv s).row(row) }
+
+/** Holds if `row` is a sink model. */
+predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
+
+/** Holds if `row` is a summary model. */
+predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
+
+/** Holds if a source model exists for the given parameters. */
+predicate sourceModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string output, string kind, string provenance
+) {
+  exists(string row |
+    sourceModel(row) and
+    row.splitAt(";", 0) = namespace and
+    row.splitAt(";", 1) = type and
+    row.splitAt(";", 2) = subtypes.toString() and
+    subtypes = [true, false] and
+    row.splitAt(";", 3) = name and
+    row.splitAt(";", 4) = signature and
+    row.splitAt(";", 5) = ext and
+    row.splitAt(";", 6) = output and
+    row.splitAt(";", 7) = kind
+  ) and
+  provenance = "manual"
+}
+
+/** Holds if a sink model exists for the given parameters. */
+predicate sinkModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string kind, string provenance
+) {
+  exists(string row |
+    sinkModel(row) and
+    row.splitAt(";", 0) = namespace and
+    row.splitAt(";", 1) = type and
+    row.splitAt(";", 2) = subtypes.toString() and
+    subtypes = [true, false] and
+    row.splitAt(";", 3) = name and
+    row.splitAt(";", 4) = signature and
+    row.splitAt(";", 5) = ext and
+    row.splitAt(";", 6) = input and
+    row.splitAt(";", 7) = kind
+  ) and
+  provenance = "manual"
+}
+
+/** Holds if a summary model exists for the given parameters. */
+predicate summaryModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string output, string kind, string provenance
+) {
+  exists(string row |
+    summaryModel(row) and
+    row.splitAt(";", 0) = namespace and
+    row.splitAt(";", 1) = type and
+    row.splitAt(";", 2) = subtypes.toString() and
+    subtypes = [true, false] and
+    row.splitAt(";", 3) = name and
+    row.splitAt(";", 4) = signature and
+    row.splitAt(";", 5) = ext and
+    row.splitAt(";", 6) = input and
+    row.splitAt(";", 7) = output and
+    row.splitAt(";", 8) = kind
+  ) and
+  provenance = "manual"
+}
+
+private predicate relevantNamespace(string namespace) {
+  sourceModel(namespace, _, _, _, _, _, _, _, _) or
+  sinkModel(namespace, _, _, _, _, _, _, _, _) or
+  summaryModel(namespace, _, _, _, _, _, _, _, _, _)
+}
+
+private predicate namespaceLink(string shortns, string longns) {
+  relevantNamespace(shortns) and
+  relevantNamespace(longns) and
+  longns.prefix(longns.indexOf("::")) = shortns
+}
+
+private predicate canonicalNamespace(string namespace) {
+  relevantNamespace(namespace) and not namespaceLink(_, namespace)
+}
+
+private predicate canonicalNamespaceLink(string namespace, string subns) {
+  canonicalNamespace(namespace) and
+  (subns = namespace or namespaceLink(namespace, subns))
+}
+
+/**
+ * Holds if CSV framework coverage of `namespace` is `n` api endpoints of the
+ * kind `(kind, part)`.
+ */
+predicate modelCoverage(string namespace, int namespaces, string kind, string part, int n) {
+  namespaces = strictcount(string subns | canonicalNamespaceLink(namespace, subns)) and
+  (
+    part = "source" and
+    n =
+      strictcount(string subns, string type, boolean subtypes, string name, string signature,
+        string ext, string output, string provenance |
+        canonicalNamespaceLink(namespace, subns) and
+        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance)
+      )
+    or
+    part = "sink" and
+    n =
+      strictcount(string subns, string type, boolean subtypes, string name, string signature,
+        string ext, string input, string provenance |
+        canonicalNamespaceLink(namespace, subns) and
+        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance)
+      )
+    or
+    part = "summary" and
+    n =
+      strictcount(string subns, string type, boolean subtypes, string name, string signature,
+        string ext, string input, string output, string provenance |
+        canonicalNamespaceLink(namespace, subns) and
+        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance)
+      )
+  )
+}
+
+/** Provides a query predicate to check the CSV data for validation errors. */
+module CsvValidation {
+  private string getInvalidModelInput() {
+    exists(string pred, AccessPath input, string part |
+      sinkModel(_, _, _, _, _, _, input, _, _) and pred = "sink"
+      or
+      summaryModel(_, _, _, _, _, _, input, _, _, _) and pred = "summary"
+    |
+      (
+        invalidSpecComponent(input, part) and
+        not part = "" and
+        not (part = "Argument" and pred = "sink") and
+        not parseArg(part, _)
+        or
+        part = input.getToken(_) and
+        parseParam(part, _)
+      ) and
+      result = "Unrecognized input specification \"" + part + "\" in " + pred + " model."
+    )
+  }
+
+  private string getInvalidModelOutput() {
+    exists(string pred, string output, string part |
+      sourceModel(_, _, _, _, _, _, output, _, _) and pred = "source"
+      or
+      summaryModel(_, _, _, _, _, _, _, output, _, _) and pred = "summary"
+    |
+      invalidSpecComponent(output, part) and
+      not part = "" and
+      not (part = ["Argument", "Parameter"] and pred = "source") and
+      result = "Unrecognized output specification \"" + part + "\" in " + pred + " model."
+    )
+  }
+
+  private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
+    predicate summaryKind(string kind) { summaryModel(_, _, _, _, _, _, _, _, kind, _) }
+
+    predicate sinkKind(string kind) { sinkModel(_, _, _, _, _, _, _, kind, _) }
+
+    predicate sourceKind(string kind) { sourceModel(_, _, _, _, _, _, _, kind, _) }
+  }
+
+  private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
+
+  private string getInvalidModelSubtype() {
+    exists(string pred, string row |
+      sourceModel(row) and pred = "source"
+      or
+      sinkModel(row) and pred = "sink"
+      or
+      summaryModel(row) and pred = "summary"
+    |
+      exists(string b |
+        b = row.splitAt(";", 2) and
+        not b = ["true", "false"] and
+        result = "Invalid boolean \"" + b + "\" in " + pred + " model."
+      )
+    )
+  }
+
+  private string getInvalidModelColumnCount() {
+    exists(string pred, string row, int expect |
+      sourceModel(row) and expect = 8 and pred = "source"
+      or
+      sinkModel(row) and expect = 8 and pred = "sink"
+      or
+      summaryModel(row) and expect = 9 and pred = "summary"
+    |
+      exists(int cols |
+        cols = 1 + max(int n | exists(row.splitAt(";", n))) and
+        cols != expect and
+        result =
+          "Wrong number of columns in " + pred + " model row, expected " + expect + ", got " + cols +
+            "."
+      )
+    )
+  }
+
+  private string getInvalidModelSignature() {
+    exists(string pred, string namespace, string type, string name, string signature, string ext |
+      sourceModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "source"
+      or
+      sinkModel(namespace, type, _, name, signature, ext, _, _, _) and pred = "sink"
+      or
+      summaryModel(namespace, type, _, name, signature, ext, _, _, _, _) and pred = "summary"
+    |
+      not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
+      result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
+      or
+      not type.regexpMatch("[a-zA-Z0-9_<>,\\+]+") and
+      result = "Dubious type \"" + type + "\" in " + pred + " model."
+      or
+      not name.regexpMatch("[a-zA-Z0-9_<>,]*") and
+      result = "Dubious member name \"" + name + "\" in " + pred + " model."
+      or
+      not signature.regexpMatch("|\\([a-zA-Z0-9_<>\\.\\+\\*,\\[\\]]*\\)") and
+      result = "Dubious signature \"" + signature + "\" in " + pred + " model."
+      or
+      not ext.regexpMatch("|Attribute") and
+      result = "Unrecognized extra API graph element \"" + ext + "\" in " + pred + " model."
+    )
+  }
+
+  /** Holds if some row in a CSV-based flow model appears to contain typos. */
+  query predicate invalidModelRow(string msg) {
+    msg =
+      [
+        getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
+        getInvalidModelSubtype(), getInvalidModelColumnCount(), KindVal::getInvalidModelKind()
+      ]
+  }
+}
+
+private predicate elementSpec(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext
+) {
+  sourceModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  sinkModel(namespace, type, subtypes, name, signature, ext, _, _, _) or
+  summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
+}
+
+private string paramsStringPart(Function c, int i) {
+  i = -1 and result = "(" and exists(c)
+  or
+  exists(int n, string p | c.getParameter(n).getType().toString() = p |
+    i = 2 * n and result = p
+    or
+    i = 2 * n - 1 and result = "," and n != 0
+  )
+  or
+  i = 2 * c.getNumberOfParameters() and result = ")"
+}
+
+/**
+ * Gets a parenthesized string containing all parameter types of this callable, separated by a comma.
+ *
+ * Returns the empty string if the callable has no parameters.
+ * Parameter types are represented by their type erasure.
+ */
+cached
+private string paramsString(Function c) {
+  result = concat(int i | | paramsStringPart(c, i) order by i)
+}
+
+bindingset[func]
+private predicate matchesSignature(Function func, string signature) {
+  signature = "" or
+  paramsString(func) = signature
+}
+
+/**
+ * Gets the element in module `namespace` that satisfies the following properties:
+ * 1. If the element is a member of a class-like type, then the class-like type has name `type`
+ * 2. If `subtypes = true` and the element is a member of a class-like type, then overrides of the element
+ *    are also returned.
+ * 3. The element has name `name`
+ * 4. If `signature` is non-empty, then the element has a list of parameter types described by `signature`.
+ *
+ * NOTE: `namespace` is currently not used (since we don't properly extract modules yet).
+ */
+pragma[nomagic]
+private Element interpretElement0(
+  string namespace, string type, boolean subtypes, string name, string signature
+) {
+  elementSpec(namespace, type, subtypes, name, signature, _) and
+  (
+    // Non-member functions
+    exists(Function func |
+      func.hasQualifiedName(namespace, name) and
+      type = "" and
+      matchesSignature(func, signature) and
+      subtypes = false and
+      not exists(func.getDeclaringType()) and
+      result = func
+    )
+    or
+    // Member functions
+    exists(Class namedClass, Class classWithMethod, Function method |
+      classWithMethod = method.getClassAndName(name) and
+      namedClass.hasQualifiedName(namespace, type) and
+      matchesSignature(method, signature) and
+      result = method
+    |
+      // member declared in the named type or a subtype of it
+      subtypes = true and
+      classWithMethod = namedClass.getADerivedClass*()
+      or
+      // member declared directly in the named type
+      subtypes = false and
+      classWithMethod = namedClass
+    )
+    or
+    // Member variables
+    signature = "" and
+    exists(Class namedClass, Class classWithMember, MemberVariable member |
+      member.getName() = name and
+      member = classWithMember.getAMember() and
+      namedClass.hasQualifiedName(namespace, type) and
+      result = member
+    |
+      // field declared in the named type or a subtype of it (or an extension of any)
+      subtypes = true and
+      classWithMember = namedClass.getADerivedClass*()
+      or
+      // field declared directly in the named type (or an extension of it)
+      subtypes = false and
+      classWithMember = namedClass
+    )
+    or
+    // Global or namespace variables
+    signature = "" and
+    type = "" and
+    subtypes = false and
+    result = any(GlobalOrNamespaceVariable v | v.hasQualifiedName(namespace, name))
+  )
+}
+
+/** Gets the source/sink/summary element corresponding to the supplied parameters. */
+Element interpretElement(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext
+) {
+  elementSpec(namespace, type, subtypes, name, signature, ext) and
+  exists(Element e | e = interpretElement0(namespace, type, subtypes, name, signature) |
+    ext = "" and result = e
+  )
+}
+
+cached
+private module Cached {
+  /**
+   * Holds if `node` is specified as a source with the given kind in a CSV flow
+   * model.
+   */
+  cached
+  predicate sourceNode(DataFlow::Node node, string kind) {
+    exists(SourceSinkInterpretationInput::InterpretNode n |
+      isSourceNode(n, kind, _) and n.asNode() = node // TODO
+    )
+  }
+
+  /**
+   * Holds if `node` is specified as a sink with the given kind in a CSV flow
+   * model.
+   */
+  cached
+  predicate sinkNode(DataFlow::Node node, string kind) {
+    exists(SourceSinkInterpretationInput::InterpretNode n |
+      isSinkNode(n, kind, _) and n.asNode() = node // TODO
+    )
+  }
+}
+
+import Cached
+
+private predicate interpretSummary(
+  Function f, string input, string output, string kind, string provenance
+) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext
+  |
+    summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance) and
+    f = interpretElement(namespace, type, subtypes, name, signature, ext)
+  )
+}
+
+// adapter class for converting Mad summaries to `SummarizedCallable`s
+private class SummarizedCallableAdapter extends SummarizedCallable {
+  SummarizedCallableAdapter() { interpretSummary(this, _, _, _, _) }
+
+  private predicate relevantSummaryElementManual(string input, string output, string kind) {
+    exists(Provenance provenance |
+      interpretSummary(this, input, output, kind, provenance) and
+      provenance.isManual()
+    )
+  }
+
+  private predicate relevantSummaryElementGenerated(string input, string output, string kind) {
+    exists(Provenance provenance |
+      interpretSummary(this, input, output, kind, provenance) and
+      provenance.isGenerated()
+    )
+  }
+
+  override predicate propagatesFlow(
+    string input, string output, boolean preservesValue, string model
+  ) {
+    exists(string kind |
+      this.relevantSummaryElementManual(input, output, kind)
+      or
+      not this.relevantSummaryElementManual(_, _, _) and
+      this.relevantSummaryElementGenerated(input, output, kind)
+    |
+      if kind = "value" then preservesValue = true else preservesValue = false
+    ) and
+    model = "" // TODO
+  }
+
+  override predicate hasProvenance(Provenance provenance) {
+    interpretSummary(this, _, _, _, provenance)
+  }
+}
+
+// adapter class for converting Mad neutrals to `NeutralCallable`s
+private class NeutralCallableAdapter extends NeutralCallable {
+  string kind;
+  string provenance_;
+
+  NeutralCallableAdapter() {
+    // Neutral models have not been implemented for CPP.
+    none() and
+    exists(this) and
+    exists(kind) and
+    exists(provenance_)
+  }
+
+  override string getKind() { result = kind }
+
+  override predicate hasProvenance(Provenance provenance) { provenance = provenance_ }
+}

cpp/ql/lib/semmle/code/cpp/dataflow/TaintTracking.qll

@@ -29,6 +29,6 @@ deprecated module TaintTracking {
   private import semmle.code.cpp.dataflow.internal.DataFlowImplSpecific
   private import semmle.code.cpp.dataflow.internal.TaintTrackingImplSpecific
   private import codeql.dataflow.TaintTracking
-  import TaintFlowMake<CppOldDataFlow, CppOldTaintTracking>
+  import TaintFlowMake<Location, CppOldDataFlow, CppOldTaintTracking>
   import semmle.code.cpp.dataflow.internal.tainttracking1.TaintTrackingImpl
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/AddressFlow.qll

@@ -1,4 +1,6 @@
 /**
+ * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
+ *
  * Provides a local analysis for identifying where a variable address
  * is effectively taken. Array-like offsets are allowed to pass through but
  * not field-like offsets.

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowDispatch.qll

@@ -1,3 +1,7 @@
+/**
+ * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
+ */
+
 private import cpp
 private import DataFlowPrivate
 private import DataFlowUtil

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -1,3 +1,8 @@
+/**
+ * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
+ */
+
+private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImpl
-import MakeImpl<CppOldDataFlow>
+import MakeImpl<Location, CppOldDataFlow>

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl1.qll

@@ -263,9 +263,10 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2) {
+  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2)
+    any(Configuration config).isAdditionalFlowStep(node1, node2) and
+    model = ""
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -285,6 +286,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -263,9 +263,10 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2) {
+  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2)
+    any(Configuration config).isAdditionalFlowStep(node1, node2) and
+    model = ""
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -285,6 +286,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -263,9 +263,10 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2) {
+  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2)
+    any(Configuration config).isAdditionalFlowStep(node1, node2) and
+    model = ""
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -285,6 +286,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -263,9 +263,10 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2) {
+  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2)
+    any(Configuration config).isAdditionalFlowStep(node1, node2) and
+    model = ""
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -285,6 +286,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplCommon.qll

@@ -1,3 +1,8 @@
+/**
+ * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
+ */
+
+private import semmle.code.cpp.Location
 private import DataFlowImplSpecific
 private import codeql.dataflow.internal.DataFlowImplCommon
-import MakeImplCommon<CppOldDataFlow>
+import MakeImplCommon<Location, CppOldDataFlow>

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplConsistency.qll

@@ -1,4 +1,6 @@
 /**
+ * DEPRECATED: Use `semmle.code.cpp.dataflow.new.DataFlow` instead.
+ *
  * Provides consistency queries for checking invariants in the language-specific
  * data-flow classes and predicates.
  */
@@ -8,7 +10,7 @@ private import DataFlowImplSpecific
 private import TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
 
-private module Input implements InputSig<CppOldDataFlow> {
+private module Input implements InputSig<Location, CppOldDataFlow> {
   predicate argHasPostUpdateExclude(Private::ArgumentNode n) {
     // Is the null pointer (or something that's not really a pointer)
     exists(n.asExpr().getValue())
@@ -24,4 +26,4 @@ private module Input implements InputSig<CppOldDataFlow> {
   }
 }
 
-module Consistency = MakeConsistency<CppOldDataFlow, CppOldTaintTracking, Input>;
+module Consistency = MakeConsistency<Location, CppOldDataFlow, CppOldTaintTracking, Input>;

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -263,9 +263,10 @@ deprecated private module Config implements FullStateConfigSig {
 
   predicate isBarrierOut(Node node, FlowState state) { none() }
 
-  predicate isAdditionalFlowStep(Node node1, Node node2) {
+  predicate isAdditionalFlowStep(Node node1, Node node2, string model) {
     singleConfiguration() and
-    any(Configuration config).isAdditionalFlowStep(node1, node2)
+    any(Configuration config).isAdditionalFlowStep(node1, node2) and
+    model = ""
   }
 
   predicate isAdditionalFlowStep(Node node1, FlowState state1, Node node2, FlowState state2) {
@@ -285,6 +286,8 @@ deprecated private module Config implements FullStateConfigSig {
 
   int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
 
+  int accessPathLimit() { result = 5 }
+
   FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
 
   predicate sourceGrouping(Node source, string sourceGroup) {