Rust: Workaround for method existing both as source and as dependency

Rust: Revert "Rust: Handle functions in dependencies not having parameters"
This reverts commit 069902888b.
2026-05-16 04:09:27 +02:00 · 2025-05-01 09:07:58 +02:00 · 2025-04-30 15:44:23 +02:00 · 2025-04-30 15:39:38 +02:00 · 2025-04-30 15:17:20 +02:00 · 2025-04-30 15:11:26 +02:00
1320 changed files with 115142 additions and 12410 deletions
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-8.0.0
+8.1.1
--- a/5
+++ b/5
@@ -8,12 +8,16 @@
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
 /ruby/ @github/codeql-ruby
+/rust/ @github/codeql-rust
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin

+# Experimental CodeQL cryptography
+**/experimental/quantum/ @github/ps-codeql
+
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
@@ -38,6 +42,7 @@ MODULE.bazel @github/codeql-ci-reviewers
 /.github/workflows/go-* @github/codeql-go
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby
+/.github/workflows/rust.yml @github/codeql-rust
 /.github/workflows/swift.yml @github/codeql-swift

 # Misc
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -154,15 +154,15 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"

 [[package]]
 name = "bitflags"
-version = "2.8.0"
+version = "2.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8f68f53c83ab957f72c32642f3868eec03eb974d1fb82e453128456482613d36"
+checksum = "5c8214115b7bf84099f1309324e63141d4c5d7cc26862f97a0a857dbefe165bd"

 [[package]]
 name = "borsh"
-version = "1.5.3"
+version = "1.5.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2506947f73ad44e344215ccd6403ac2ae18cd8e046e581a441bf8d199f257f03"
+checksum = "5430e3be710b68d984d1391c854eb431a9d548640711faa54eecb1df93db91cc"
 dependencies = [
 "cfg_aliases",
 ]
@@ -224,9 +224,9 @@ dependencies = [

 [[package]]
 name = "cargo_metadata"
-version = "0.18.1"
+version = "0.19.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2d886547e41f740c616ae73108f6eb70afe6d940c7bc697cb30f13daec073037"
+checksum = "dd5eb614ed4c27c5d706420e4320fbe3216ab31fa1c33cd8246ac36dae4479ba"
 dependencies = [
 "camino",
 "cargo-platform",
@@ -275,7 +275,7 @@ version = "0.100.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4f114996bda14c0213f014a4ef31a7867dcf5f539a3900477fc6b20138e7a17b"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 "chalk-derive",
 ]

@@ -301,7 +301,7 @@ dependencies = [
 "chalk-derive",
 "chalk-ir",
 "ena",
- "indexmap 2.7.0",
+ "indexmap 2.9.0",
 "itertools 0.12.1",
 "petgraph",
 "rustc-hash 1.1.0",
@@ -325,9 +325,9 @@ dependencies = [

 [[package]]
 name = "clap"
-version = "4.5.32"
+version = "4.5.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6088f3ae8c3608d19260cd7445411865a485688711b78b5be70d78cd96136f83"
+checksum = "d8aa86934b44c19c50f87cc2790e19f54f7a67aedb64101c2e1a2e5ecfb73944"
 dependencies = [
 "clap_builder",
 "clap_derive",
@@ -335,9 +335,9 @@ dependencies = [

 [[package]]
 name = "clap_builder"
-version = "4.5.32"
+version = "4.5.35"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22a7ef7f676155edfb82daa97f99441f3ebf4a58d5e32f295a56259f1b6facc8"
+checksum = "2414dbb2dd0695280da6ea9261e327479e9d37b0630f6b53ba2a11c60c679fd9"
 dependencies = [
 "anstream",
 "anstyle",
@@ -622,7 +622,7 @@ version = "0.14.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5"
 dependencies = [
- "log 0.4.25",
+ "log 0.4.27",
 ]

 [[package]]
@@ -691,9 +691,9 @@ checksum = "a246d82be1c9d791c5dfde9a2bd045fc3cbba3fa2b11ad558f27d01712f00569"

 [[package]]
 name = "equivalent"
-version = "1.0.1"
+version = "1.0.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
+checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"

 [[package]]
 name = "figment"
@@ -781,7 +781,7 @@ checksum = "cc6bd114ceda131d3b1d665eba35788690ad37f5916457286b32ab6fd3c438dd"
 dependencies = [
 "cfg-if",
 "libc",
- "log 0.4.25",
+ "log 0.4.27",
 "rustversion",
 "windows",
 ]
@@ -812,7 +812,7 @@ checksum = "15f1ce686646e7f1e19bf7d5533fe443a45dbfb990e00629110797578b42fb19"
 dependencies = [
 "aho-corasick",
 "bstr",
- "log 0.4.25",
+ "log 0.4.27",
 "regex-automata 0.4.9",
 "regex-syntax 0.8.5",
 ]
@@ -918,9 +918,9 @@ dependencies = [

 [[package]]
 name = "indexmap"
-version = "2.7.0"
+version = "2.9.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f"
+checksum = "cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e"
 dependencies = [
 "equivalent",
 "hashbrown 0.15.2",
@@ -939,7 +939,7 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 "inotify-sys",
 "libc",
 ]
@@ -979,9 +979,9 @@ dependencies = [

 [[package]]
 name = "itoa"
-version = "1.0.14"
+version = "1.0.15"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
+checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"

 [[package]]
 name = "jod-thread"
@@ -1033,9 +1033,9 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"

 [[package]]
 name = "libc"
-version = "0.2.169"
+version = "0.2.171"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
+checksum = "c19937216e9d3aa9956d9bb8dfc0b0c8beb6058fc4f7a4dc4d850edf86a237d6"

 [[package]]
 name = "libredox"
@@ -1043,7 +1043,7 @@ version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 "libc",
 "redox_syscall",
 ]
@@ -1074,14 +1074,14 @@ version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e19e8d5c34a3e0e2223db8e060f9e8264aeeb5c5fc64a4ee9965c062211c024b"
 dependencies = [
- "log 0.4.25",
+ "log 0.4.27",
 ]

 [[package]]
 name = "log"
-version = "0.4.25"
+version = "0.4.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "04cbf5b083de1c7e0222a7a51dbfdba1cbe1c6ab0b15e29fff3f6c077fd9cd9f"
+checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"

 [[package]]
 name = "loom"
@@ -1096,12 +1096,6 @@ dependencies = [
 "tracing-subscriber",
 ]

-[[package]]
-name = "lz4_flex"
-version = "0.11.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75761162ae2b0e580d7e7c390558127e5f01b4194debd6221fd8c207fc80e3f5"
-
 [[package]]
 name = "matchers"
 version = "0.1.0"
@@ -1142,7 +1136,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
 dependencies = [
 "libc",
- "log 0.4.25",
+ "log 0.4.27",
 "wasi 0.11.0+wasi-snapshot-preview1",
 "windows-sys 0.52.0",
 ]
@@ -1178,13 +1172,13 @@ version = "8.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fee8403b3d66ac7b26aee6e40a897d85dc5ce26f44da36b8b73e987cc52e943"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 "filetime",
 "fsevent-sys",
 "inotify",
 "kqueue",
 "libc",
- "log 0.4.25",
+ "log 0.4.27",
 "mio",
 "notify-types",
 "walkdir",
@@ -1240,9 +1234,9 @@ checksum = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e"

 [[package]]
 name = "oorandom"
-version = "11.1.4"
+version = "11.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b410bbe7e14ab526a0e86877eb47c6996a2bd7746f027ba551028c925390e4e9"
+checksum = "d6790f58c7ff633d8771f42965289203411a5e5c68388703c06e14f24770b41e"

 [[package]]
 name = "os_str_bytes"
@@ -1331,7 +1325,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
 "fixedbitset",
- "indexmap 2.7.0",
+ "indexmap 2.9.0",
 ]

 [[package]]
@@ -1398,7 +1392,7 @@ version = "0.100.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f1651b0f7e8c3eb7c27a88f39d277e69c32bfe58e3be174d286c1a24d6a7a4d8"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 "ra-ap-rustc_hashes",
 "ra-ap-rustc_index",
 "tracing",
@@ -1470,18 +1464,16 @@ dependencies = [

 [[package]]
 name = "ra_ap_base_db"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4baa9734d254af14fd603528ad594650dea601b1764492bd39988da38598ae67"
+checksum = "8fd761118bbafe29e2b187e694c6b8e800f2c7822bbc1d9d2db4ac21fb8b0365"
 dependencies = [
 "dashmap 5.5.3",
 "la-arena",
- "lz4_flex",
 "ra_ap_cfg",
 "ra_ap_intern",
 "ra_ap_query-group-macro",
 "ra_ap_span",
- "ra_ap_stdx",
 "ra_ap_syntax",
 "ra_ap_vfs",
 "rustc-hash 2.1.1",
@@ -1493,9 +1485,9 @@ dependencies = [

 [[package]]
 name = "ra_ap_cfg"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ef2ba45636c5e585040c0c4bee640737a6001b08309f1a25ca78cf04abfbf90"
+checksum = "5ce74ce1af24afd86d3529dbbf5a849d026948b2d8ba51d199b6ea6db6e345b6"
 dependencies = [
 "ra_ap_intern",
 "ra_ap_tt",
@@ -1505,20 +1497,20 @@ dependencies = [

 [[package]]
 name = "ra_ap_edition"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8955c1484d5e7274f755187788ba0d51eb149f870c69cdf0d87c3b7edea20ea0"
+checksum = "f423b9fb19e3920e4c7039120d09d9c79070a26efe8ff9f787c7234b07f518c5"

 [[package]]
 name = "ra_ap_hir"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a51d7955beff2212701b149bea36d4cf2dc0f5cd129652c9bcf0cb5c0b021078"
+checksum = "dd4aa8a568b80d288b90c4fa5dc8a3cc405914d261bfd33a3761c1ba41be358d"
 dependencies = [
 "arrayvec",
 "either",
- "indexmap 2.7.0",
- "itertools 0.12.1",
+ "indexmap 2.9.0",
+ "itertools 0.14.0",
 "ra_ap_base_db",
 "ra_ap_cfg",
 "ra_ap_hir_def",
@@ -1537,23 +1529,20 @@ dependencies = [

 [[package]]
 name = "ra_ap_hir_def"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5c97e617e4c585d24b3d4f668861452aedddfbe0262f4c53235dcea77e62f9b"
+checksum = "acb18d9378a828a23ccf87b89199db005adb67ba2a05a37d7a3fcad4d1036e66"
 dependencies = [
 "arrayvec",
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 "cov-mark",
- "dashmap 5.5.3",
 "drop_bomb",
 "either",
 "fst",
- "hashbrown 0.14.5",
- "indexmap 2.7.0",
- "itertools 0.12.1",
+ "indexmap 2.9.0",
+ "itertools 0.14.0",
 "la-arena",
 "ra-ap-rustc_abi",
- "ra-ap-rustc_hashes",
 "ra-ap-rustc_parse_format",
 "ra_ap_base_db",
 "ra_ap_cfg",
@@ -1570,21 +1559,20 @@ dependencies = [
 "salsa",
 "smallvec",
 "text-size",
+ "thin-vec",
 "tracing",
 "triomphe",
 ]

 [[package]]
 name = "ra_ap_hir_expand"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be57c0d7e3f2180dd8ea584b11447f34060eadc06f0f6d559e2a790f6e91b6c5"
+checksum = "094fa79d8f661f52cf3b7fb8b3d91c4be2ad9e71a3967d3dacd25429fa44b37d"
 dependencies = [
 "cov-mark",
 "either",
- "hashbrown 0.14.5",
- "itertools 0.12.1",
- "la-arena",
+ "itertools 0.14.0",
 "ra_ap_base_db",
 "ra_ap_cfg",
 "ra_ap_intern",
@@ -1605,24 +1593,22 @@ dependencies = [

 [[package]]
 name = "ra_ap_hir_ty"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f260f35748f3035b46a8afcdebda7cb75d95c24750105fad86101d09a9d387c8"
+checksum = "093482d200d5db421db5692e7819bbb14fb717cc8cb0f91f93cce9fde85b3df2"
 dependencies = [
 "arrayvec",
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 "chalk-derive",
 "chalk-ir",
 "chalk-recursive",
 "chalk-solve",
 "cov-mark",
- "dashmap 5.5.3",
 "either",
 "ena",
- "indexmap 2.7.0",
- "itertools 0.12.1",
+ "indexmap 2.9.0",
+ "itertools 0.14.0",
 "la-arena",
- "nohash-hasher",
 "oorandom",
 "ra-ap-rustc_abi",
 "ra-ap-rustc_index",
@@ -1647,19 +1633,18 @@ dependencies = [

 [[package]]
 name = "ra_ap_ide_db"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0426263be26e27cb55a3b9ef88b120511b66fe7d9b418a2473d6d5f3ac2fe0a6"
+checksum = "b655b92dfa9444db8129321b9217d9e4a83a58ee707aa1004a93052acfb43d57"
 dependencies = [
 "arrayvec",
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 "cov-mark",
 "crossbeam-channel",
- "dashmap 5.5.3",
 "either",
 "fst",
- "indexmap 2.7.0",
- "itertools 0.12.1",
+ "indexmap 2.9.0",
+ "itertools 0.14.0",
 "line-index",
 "memchr",
 "nohash-hasher",
@@ -1681,9 +1666,9 @@ dependencies = [

 [[package]]
 name = "ra_ap_intern"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6ea8c9615b3b0688cf557e7310dbd9432f43860c8ea766d54f4416cbecf3571"
+checksum = "b4e528496b4d4c351806bb073d3d7f6526535741b9e8801776603c924bbec624"
 dependencies = [
 "dashmap 5.5.3",
 "hashbrown 0.14.5",
@@ -1693,17 +1678,16 @@ dependencies = [

 [[package]]
 name = "ra_ap_load-cargo"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "570907e16725c13a678bfd8050ce8839af2831da042a0878b75ee8c41b0f7b0c"
+checksum = "1a97a5070b2f4b99f56683d91b2687aa0c530d8969cc5252ec2ae5644e428ffe"
 dependencies = [
 "anyhow",
 "crossbeam-channel",
- "itertools 0.12.1",
+ "itertools 0.14.0",
 "ra_ap_hir_expand",
 "ra_ap_ide_db",
 "ra_ap_intern",
- "ra_ap_paths",
 "ra_ap_proc_macro_api",
 "ra_ap_project_model",
 "ra_ap_span",
@@ -1715,9 +1699,9 @@ dependencies = [

 [[package]]
 name = "ra_ap_mbe"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e893fe03b04b30c9b5a339ac2bf39ce32ac9c05a8b50121b7d89ce658346e164"
+checksum = "b187ee5ee3fa726eeea5142242a0397e2200d77084026986a68324b9599f9046"
 dependencies = [
 "arrayvec",
 "cov-mark",
@@ -1726,19 +1710,17 @@ dependencies = [
 "ra_ap_parser",
 "ra_ap_span",
 "ra_ap_stdx",
- "ra_ap_syntax",
 "ra_ap_syntax-bridge",
 "ra_ap_tt",
 "rustc-hash 2.1.1",
 "smallvec",
- "tracing",
 ]

 [[package]]
 name = "ra_ap_parser"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6fd9a264120968b14a66b6ba756cd7f99435385b5dbc2f0a611cf3a12221c385"
+checksum = "2306e6c051e60483f3b317fac9dec6c883b7792eeb8db24ec6f39dbfa5430159"
 dependencies = [
 "drop_bomb",
 "ra-ap-rustc_lexer",
@@ -1748,20 +1730,20 @@ dependencies = [

 [[package]]
 name = "ra_ap_paths"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f47817351651e36b56ff3afc483b41600053c9cb7e67d945467c0abe93416032"
+checksum = "dcedd00499621bdd0f1fe01955c04e4b388197aa826744003afaf6cc2944bc80"
 dependencies = [
 "camino",
 ]

 [[package]]
 name = "ra_ap_proc_macro_api"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d96da3b8b9f6b813a98f5357eef303905450741f47ba90adaab8a5371b748416"
+checksum = "7a2e49b550015cd4ad152bd78d92d73594497f2e44f61273f9fed3534ad4bbbe"
 dependencies = [
- "indexmap 2.7.0",
+ "indexmap 2.9.0",
 "ra_ap_intern",
 "ra_ap_paths",
 "ra_ap_span",
@@ -1776,9 +1758,9 @@ dependencies = [

 [[package]]
 name = "ra_ap_profile"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13637377287c84f88a628e40229d271ef0081c0d683956bd99a6c8278a4f8b14"
+checksum = "87cdbd27ebe02ec21fdae3df303f194bda036a019ecef80d47e0082646f06c54"
 dependencies = [
 "cfg-if",
 "libc",
@@ -1788,13 +1770,13 @@ dependencies = [

 [[package]]
 name = "ra_ap_project_model"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "053c5207a638fc7a752c7a454bc952b28b0d02f0bf9f6d7ec785ec809579d8fa"
+checksum = "5eaa3406c891a7840d20ce615f8decca32cbc9d3654b82dcbcc3a31257ce90b9"
 dependencies = [
 "anyhow",
 "cargo_metadata",
- "itertools 0.12.1",
+ "itertools 0.14.0",
 "la-arena",
 "ra_ap_base_db",
 "ra_ap_cfg",
@@ -1814,22 +1796,20 @@ dependencies = [

 [[package]]
 name = "ra_ap_query-group-macro"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f1a38f07b442e47a234cbe2e8fd1b8a41ff0cc5123cb1cf994c5ce20edb5bd6"
+checksum = "1fbc1748e4876a9b0ccfacfc7e2fe254f30e92ef58d98925282b3803e8b004ed"
 dependencies = [
- "heck",
 "proc-macro2",
 "quote",
- "salsa",
 "syn",
 ]

 [[package]]
 name = "ra_ap_span"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8818680c6f7da3b32cb2bb0992940b24264b1aa90203aa94812e09ab34d362d1"
+checksum = "ed1d036e738bf32a057d90698df85bcb83ed6263b5fe9fba132c99e8ec3aecaf"
 dependencies = [
 "hashbrown 0.14.5",
 "la-arena",
@@ -1843,12 +1823,12 @@ dependencies = [

 [[package]]
 name = "ra_ap_stdx"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1c10bee1b03fc48083862c13cf06bd3ed17760463ecce2734103a2f511e5ed4"
+checksum = "6e3775954ab24408f71e97079a97558078a166a4082052e83256ae4c22dae18d"
 dependencies = [
 "crossbeam-channel",
- "itertools 0.12.1",
+ "itertools 0.14.0",
 "jod-thread",
 "libc",
 "miow",
@@ -1858,14 +1838,12 @@ dependencies = [

 [[package]]
 name = "ra_ap_syntax"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92bc32f3946fc5fcbdc79e61b7e26a8c2a3a56f3ef6ab27c7d298a9e21a462f2"
+checksum = "b49b081f209a764700f688db91820a66c2ecfe5f138895d831361cf84f716691"
 dependencies = [
- "cov-mark",
 "either",
- "indexmap 2.7.0",
- "itertools 0.12.1",
+ "itertools 0.14.0",
 "ra-ap-rustc_lexer",
 "ra_ap_parser",
 "ra_ap_stdx",
@@ -1878,9 +1856,9 @@ dependencies = [

 [[package]]
 name = "ra_ap_syntax-bridge"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a42052c44c98c122c37aac476260c8f19d8fec495edc9c05835307c9ae86194d"
+checksum = "f2740bbe603d527f2cf0aaf51629de7d072694fbbaaeda8264f7591be1493d1b"
 dependencies = [
 "ra_ap_intern",
 "ra_ap_parser",
@@ -1889,14 +1867,13 @@ dependencies = [
 "ra_ap_syntax",
 "ra_ap_tt",
 "rustc-hash 2.1.1",
- "tracing",
 ]

 [[package]]
 name = "ra_ap_toolchain"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75996e70b3a0c68cd5157ba01f018964c7c6a5d7b209047d449b393139d0b57f"
+checksum = "efbff9f26f307ef958586357d1653d000861dcd3acbaf33a009651e024720c7e"
 dependencies = [
 "camino",
 "home",
@@ -1904,9 +1881,9 @@ dependencies = [

 [[package]]
 name = "ra_ap_tt"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e4ee31e93bfabe83e6720b7469db88d7ad7ec5c59a1f011efec4aa1327ffc5c"
+checksum = "0b1ce3ac14765e414fa6031fda7dc35d3492c74de225aac689ba8b8bf037e1f8"
 dependencies = [
 "arrayvec",
 "ra-ap-rustc_lexer",
@@ -1917,13 +1894,13 @@ dependencies = [

 [[package]]
 name = "ra_ap_vfs"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6aac1e277ac70bb073f40f8a3fc44e4b1bb9e4d4b1d0e0bd2f8269543560f80"
+checksum = "29427a7c27ce8ddfefb52d77c952a4588c74d0a7ab064dc627129088a90423ca"
 dependencies = [
 "crossbeam-channel",
 "fst",
- "indexmap 2.7.0",
+ "indexmap 2.9.0",
 "nohash-hasher",
 "ra_ap_paths",
 "ra_ap_stdx",
@@ -1933,9 +1910,9 @@ dependencies = [

 [[package]]
 name = "ra_ap_vfs-notify"
-version = "0.0.270"
+version = "0.0.273"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd95285146049621ee8f7a512c982a008bf036321fcc9b01a95c1ad7e6aeae57"
+checksum = "d5a0e3095b8216ecc131f38b4b0025cac324a646469a95d2670354aee7278078"
 dependencies = [
 "crossbeam-channel",
 "notify",
@@ -2005,7 +1982,7 @@ version = "0.5.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 ]

 [[package]]
@@ -2093,10 +2070,10 @@ checksum = "2febf9acc5ee5e99d1ad0afcdbccc02d87aa3f857a1f01f825b80eacf8edfcd1"

 [[package]]
 name = "rustc_apfloat"
-version = "0.2.1+llvm-462a31f5a5ab"
-source = "git+https://github.com/redsun82/rustc_apfloat.git?rev=096d585100636bc2e9f09d7eefec38c5b334d47b#096d585100636bc2e9f09d7eefec38c5b334d47b"
+version = "0.2.2+llvm-462a31f5a5ab"
+source = "git+https://github.com/redsun82/rustc_apfloat.git?rev=32968f16ef1b082243f9bf43a3fbd65c381b3e27#32968f16ef1b082243f9bf43a3fbd65c381b3e27"
 dependencies = [
- "bitflags 1.3.2",
+ "bitflags 2.9.0",
 "smallvec",
 ]

@@ -2123,7 +2100,7 @@ dependencies = [
 "dashmap 6.1.0",
 "hashbrown 0.15.2",
 "hashlink",
- "indexmap 2.7.0",
+ "indexmap 2.9.0",
 "parking_lot",
 "portable-atomic",
 "rayon",
@@ -2176,9 +2153,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"

 [[package]]
 name = "semver"
-version = "1.0.24"
+version = "1.0.26"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3cb6eb87a131f756572d7fb904f6e7b68633f09cca868c5df1c4b8d1a694bbba"
+checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
 dependencies = [
 "serde",
 ]
@@ -2234,7 +2211,7 @@ dependencies = [
 "chrono",
 "hex",
 "indexmap 1.9.3",
- "indexmap 2.7.0",
+ "indexmap 2.9.0",
 "serde",
 "serde_derive",
 "serde_json",
@@ -2260,7 +2237,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.7.0",
+ "indexmap 2.9.0",
 "itoa",
 "ryu",
 "serde",
@@ -2345,19 +2322,25 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f18aa187839b2bdb1ad2fa35ead8c4c2976b64e4363c386d45ac0f7ee85c9233"

 [[package]]
-name = "thiserror"
-version = "1.0.69"
+name = "thin-vec"
+version = "0.2.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
+checksum = "144f754d318415ac792f9d69fc87abbbfc043ce2ef041c60f16ad828f638717d"
+
+[[package]]
+name = "thiserror"
+version = "2.0.12"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "567b8a2dae586314f7be2a752ec7474332959c6460e02bde30d702a66d488708"
 dependencies = [
 "thiserror-impl",
 ]

 [[package]]
 name = "thiserror-impl"
-version = "1.0.69"
+version = "2.0.12"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
+checksum = "7f7cf42b4507d8ea322120659672cf1b9dbb93f8f2d4ecfd6e51350ff5b17a1d"
 dependencies = [
 "proc-macro2",
 "quote",
@@ -2432,7 +2415,7 @@ version = "0.22.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "17b4795ff5edd201c7cd6dca065ae59972ce77d1b80fa0a84d94950ece7d1474"
 dependencies = [
- "indexmap 2.7.0",
+ "indexmap 2.9.0",
 "serde",
 "serde_spanned",
 "toml_datetime",
@@ -2488,7 +2471,7 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
 dependencies = [
- "log 0.4.25",
+ "log 0.4.27",
 "once_cell",
 "tracing-core",
 ]
@@ -2603,9 +2586,9 @@ checksum = "a3e5df347f0bf3ec1d670aad6ca5c6a1859cd9ea61d2113125794654ccced68f"

 [[package]]
 name = "unicode-ident"
-version = "1.0.16"
+version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a210d160f08b701c8721ba1c726c11662f877ea6b7094007e1ca9a1041945034"
+checksum = "00e2473a93778eb0bad35909dff6a10d28e63f792f16ed15e404fca9d5eeedbe"

 [[package]]
 name = "unicode-properties"
@@ -2686,7 +2669,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79"
 dependencies = [
 "bumpalo",
- "log 0.4.25",
+ "log 0.4.27",
 "proc-macro2",
 "quote",
 "syn",
@@ -2995,7 +2978,7 @@ version = "0.33.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3268f3d866458b787f390cf61f4bbb563b922d091359f9608842999eaee3943c"
 dependencies = [
- "bitflags 2.8.0",
+ "bitflags 2.9.0",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -14,4 +14,4 @@ members = [
 [patch.crates-io]
 # patch for build script bug preventing bazel build
 # see https://github.com/rust-lang/rustc_apfloat/pull/17
-rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }
+rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -75,7 +75,7 @@ use_repo(
    "vendor_ts__argfile-0.2.1",
    "vendor_ts__chalk-ir-0.100.0",
    "vendor_ts__chrono-0.4.40",
-    "vendor_ts__clap-4.5.32",
+    "vendor_ts__clap-4.5.35",
    "vendor_ts__dunce-1.0.5",
    "vendor_ts__either-1.15.0",
    "vendor_ts__encoding-0.2.33",
@@ -90,22 +90,22 @@ use_repo(
    "vendor_ts__num_cpus-1.16.0",
    "vendor_ts__proc-macro2-1.0.94",
    "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.270",
-    "vendor_ts__ra_ap_cfg-0.0.270",
-    "vendor_ts__ra_ap_hir-0.0.270",
-    "vendor_ts__ra_ap_hir_def-0.0.270",
-    "vendor_ts__ra_ap_hir_expand-0.0.270",
-    "vendor_ts__ra_ap_hir_ty-0.0.270",
-    "vendor_ts__ra_ap_ide_db-0.0.270",
-    "vendor_ts__ra_ap_intern-0.0.270",
-    "vendor_ts__ra_ap_load-cargo-0.0.270",
-    "vendor_ts__ra_ap_parser-0.0.270",
-    "vendor_ts__ra_ap_paths-0.0.270",
-    "vendor_ts__ra_ap_project_model-0.0.270",
-    "vendor_ts__ra_ap_span-0.0.270",
-    "vendor_ts__ra_ap_stdx-0.0.270",
-    "vendor_ts__ra_ap_syntax-0.0.270",
-    "vendor_ts__ra_ap_vfs-0.0.270",
+    "vendor_ts__ra_ap_base_db-0.0.273",
+    "vendor_ts__ra_ap_cfg-0.0.273",
+    "vendor_ts__ra_ap_hir-0.0.273",
+    "vendor_ts__ra_ap_hir_def-0.0.273",
+    "vendor_ts__ra_ap_hir_expand-0.0.273",
+    "vendor_ts__ra_ap_hir_ty-0.0.273",
+    "vendor_ts__ra_ap_ide_db-0.0.273",
+    "vendor_ts__ra_ap_intern-0.0.273",
+    "vendor_ts__ra_ap_load-cargo-0.0.273",
+    "vendor_ts__ra_ap_parser-0.0.273",
+    "vendor_ts__ra_ap_paths-0.0.273",
+    "vendor_ts__ra_ap_project_model-0.0.273",
+    "vendor_ts__ra_ap_span-0.0.273",
+    "vendor_ts__ra_ap_stdx-0.0.273",
+    "vendor_ts__ra_ap_syntax-0.0.273",
+    "vendor_ts__ra_ap_vfs-0.0.273",
    "vendor_ts__rand-0.9.0",
    "vendor_ts__rayon-1.10.0",
    "vendor_ts__regex-1.11.1",
--- a/actions/extractor/tools/autobuild-impl.ps1
+++ b/actions/extractor/tools/autobuild-impl.ps1
@@ -1,27 +1,34 @@
-if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
-    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
-} else {
-    Write-Output 'No path filters set. Using the default filters.'
-    # Note: We're adding the `reusable_workflows` subdirectories to proactively
-    # record workflows that were called cross-repo, check them out locally,
-    # and enable an interprocedural analysis across the workflow files.
-    # These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
-    $DefaultPathFilters = @(
-        'exclude:**/*',
-        'include:.github/workflows/*.yml',
-        'include:.github/workflows/*.yaml',
-        'include:.github/reusable_workflows/**/*.yml',
-        'include:.github/reusable_workflows/**/*.yaml',
-        'include:**/action.yml',
-        'include:**/action.yaml'
-    )
+# Note: We're adding the `reusable_workflows` subdirectories to proactively
+# record workflows that were called cross-repo, check them out locally,
+# and enable an interprocedural analysis across the workflow files.
+# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
+$DefaultPathFilters = @(
+    'exclude:**/*',
+    'include:.github/workflows/*.yml',
+    'include:.github/workflows/*.yaml',
+    'include:.github/reusable_workflows/**/*.yml',
+    'include:.github/reusable_workflows/**/*.yaml',
+    'include:**/action.yml',
+    'include:**/action.yaml'
+)

+if ($null -ne $env:LGTM_INDEX_FILTERS) {
+    Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
+    # Begin with the default path inclusions only,
+    # followed by the user-provided filters.
+    # If the user provided `paths`, those patterns override the default inclusions
+    # (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
+    # If the user provided `paths-ignore`, those patterns are excluded.
+    $PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
+    $env:LGTM_INDEX_FILTERS = $PathFilters
+} else {
+    Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
    $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
 }

 # Find the JavaScript extractor directory via `codeql resolve extractor`.
 $CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
 if ($LASTEXITCODE -ne 0) {
    throw 'Failed to resolve JavaScript extractor.'
 }
@@ -40,7 +47,7 @@ $env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTI
 $env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
 $env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE

-&$JavaScriptAutoBuild
+&"$JavaScriptAutoBuild"
 if ($LASTEXITCODE -ne 0) {
    throw "JavaScript autobuilder failed."
 }
--- a/actions/extractor/tools/autobuild.cmd
+++ b/actions/extractor/tools/autobuild.cmd
@@ -1,3 +1,4 @@
@echo off
 rem All of the work is done in the PowerShell script
-powershell.exe %~dp0autobuild-impl.ps1
+echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
+powershell.exe -File "%~dp0autobuild-impl.ps1"
--- a/actions/extractor/tools/autobuild.sh
+++ b/actions/extractor/tools/autobuild.sh
@@ -17,16 +17,28 @@ include:**/action.yaml
 END
 )

-if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
-    echo "Path filters set. Passing them through to the JavaScript extractor."
+if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
+    echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
+    # Begin with the default path inclusions only,
+    # followed by the user-provided filters.
+    # If the user provided `paths`, those patterns override the default inclusions
+    # (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
+    # If the user provided `paths-ignore`, those patterns are excluded.
+    PATH_FILTERS="$(cat << END
+${DEFAULT_PATH_FILTERS}
+${LGTM_INDEX_FILTERS}
+END
+)"
+    LGTM_INDEX_FILTERS="${PATH_FILTERS}"
+    export LGTM_INDEX_FILTERS
 else
-    echo "No path filters set. Using the default filters."
+    echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
    LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
    export LGTM_INDEX_FILTERS
 fi

 # Find the JavaScript extractor directory via `codeql resolve extractor`.
-CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
 export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT

 echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
@@ -42,4 +54,4 @@ env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGN
    CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
    CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
    CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
-    ${JAVASCRIPT_AUTO_BUILD}
+    "${JAVASCRIPT_AUTO_BUILD}"
--- a/actions/ql/integration-tests/filters-default/actions.ql
+++ b/actions/ql/integration-tests/filters-default/actions.ql
@@ -0,0 +1,5 @@
+import actions
+
+from AstNode n
+where n instanceof Workflow or n instanceof CompositeAction
+select n
--- a/actions/ql/integration-tests/filters/actions.default-filters.expected
+++ b/actions/ql/integration-tests/filters/actions.default-filters.expected
@@ -0,0 +1,6 @@
+| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
+| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
+| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
+| src/action.yml:1:1:11:32 | name: ' ... action' |
+| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
+| src/included/action.yml:1:1:11:32 | name: ' ... action' |
--- a/actions/ql/integration-tests/filters/actions.paths-and-paths-ignore.expected
+++ b/actions/ql/integration-tests/filters/actions.paths-and-paths-ignore.expected
@@ -0,0 +1,2 @@
+| src/included/action.yml:1:1:11:32 | name: ' ... action' |
+| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
--- a/actions/ql/integration-tests/filters/actions.paths-ignore-only.expected
+++ b/actions/ql/integration-tests/filters/actions.paths-ignore-only.expected
@@ -0,0 +1,5 @@
+| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
+| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
+| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
+| src/action.yml:1:1:11:32 | name: ' ... action' |
+| src/included/action.yml:1:1:11:32 | name: ' ... action' |
--- a/actions/ql/integration-tests/filters/actions.paths-only.expected
+++ b/actions/ql/integration-tests/filters/actions.paths-only.expected
@@ -0,0 +1,2 @@
+| src/included/action.yml:1:1:11:32 | name: ' ... action' |
+| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |
--- a/actions/ql/integration-tests/filters/actions.ql
+++ b/actions/ql/integration-tests/filters/actions.ql
@@ -0,0 +1,5 @@
+import actions
+
+from AstNode n
+where n instanceof Workflow or n instanceof CompositeAction
+select n
--- a/actions/ql/integration-tests/filters/codeql-config.paths-and-paths-ignore.yml
+++ b/actions/ql/integration-tests/filters/codeql-config.paths-and-paths-ignore.yml
@@ -0,0 +1,4 @@
+paths:
+  - 'included'
+paths-ignore:
+  - 'excluded'
--- a/actions/ql/integration-tests/filters/codeql-config.paths-ignore-only.yml
+++ b/actions/ql/integration-tests/filters/codeql-config.paths-ignore-only.yml
@@ -0,0 +1,2 @@
+paths-ignore:
+  - 'excluded'
--- a/actions/ql/integration-tests/filters/codeql-config.paths-only.yml
+++ b/actions/ql/integration-tests/filters/codeql-config.paths-only.yml
@@ -0,0 +1,2 @@
+paths:
+  - 'included'
--- a/actions/ql/integration-tests/filters/source_archive.default-filters.expected
+++ b/actions/ql/integration-tests/filters/source_archive.default-filters.expected
@@ -0,0 +1,6 @@
+src/.github/action.yaml
+src/.github/actions/action-name/action.yml
+src/.github/workflows/workflow.yml
+src/action.yml
+src/excluded/action.yml
+src/included/action.yml
--- a/actions/ql/integration-tests/filters/source_archive.paths-and-paths-ignore.expected
+++ b/actions/ql/integration-tests/filters/source_archive.paths-and-paths-ignore.expected
@@ -0,0 +1,3 @@
+src/included/action.yml
+src/included/not-an-action.yml
+src/included/unreachable-workflow.yml
--- a/actions/ql/integration-tests/filters/source_archive.paths-ignore-only.expected
+++ b/actions/ql/integration-tests/filters/source_archive.paths-ignore-only.expected
@@ -0,0 +1,5 @@
+src/.github/action.yaml
+src/.github/actions/action-name/action.yml
+src/.github/workflows/workflow.yml
+src/action.yml
+src/included/action.yml
--- a/actions/ql/integration-tests/filters/source_archive.paths-only.expected
+++ b/actions/ql/integration-tests/filters/source_archive.paths-only.expected
@@ -0,0 +1,3 @@
+src/included/action.yml
+src/included/not-an-action.yml
+src/included/unreachable-workflow.yml
--- a/actions/ql/integration-tests/filters/src/.github/action.yaml
+++ b/actions/ql/integration-tests/filters/src/.github/action.yaml
@@ -0,0 +1,11 @@
+name: 'A composite action'
+description: 'Do something'
+runs:
+  using: "composite"
+  steps:
+    - name: Print
+      run: echo "Hello world"
+      shell: bash
+
+    - name: Checkout
+      uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/.github/actions/action-name/action.yml
+++ b/actions/ql/integration-tests/filters/src/.github/actions/action-name/action.yml
@@ -0,0 +1,11 @@
+name: 'A composite action'
+description: 'Do something'
+runs:
+  using: "composite"
+  steps:
+    - name: Print
+      run: echo "Hello world"
+      shell: bash
+
+    - name: Checkout
+      uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/.github/unreachable-workflow.yml
+++ b/actions/ql/integration-tests/filters/src/.github/unreachable-workflow.yml
@@ -0,0 +1,12 @@
+name: An unreachable workflow
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/.github/workflows/workflow.yml
+++ b/actions/ql/integration-tests/filters/src/.github/workflows/workflow.yml
@@ -0,0 +1,12 @@
+name: A workflow
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/action.yml
+++ b/actions/ql/integration-tests/filters/src/action.yml
@@ -0,0 +1,11 @@
+name: 'A composite action'
+description: 'Do something'
+runs:
+  using: "composite"
+  steps:
+    - name: Print
+      run: echo "Hello world"
+      shell: bash
+
+    - name: Checkout
+      uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/excluded/action.yml
+++ b/actions/ql/integration-tests/filters/src/excluded/action.yml
@@ -0,0 +1,11 @@
+name: 'A composite action'
+description: 'Do something'
+runs:
+  using: "composite"
+  steps:
+    - name: Print
+      run: echo "Hello world"
+      shell: bash
+
+    - name: Checkout
+      uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/excluded/unreachable-workflow.yml
+++ b/actions/ql/integration-tests/filters/src/excluded/unreachable-workflow.yml
@@ -0,0 +1,12 @@
+name: An unreachable workflow
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/included/action.yml
+++ b/actions/ql/integration-tests/filters/src/included/action.yml
@@ -0,0 +1,11 @@
+name: 'A composite action'
+description: 'Do something'
+runs:
+  using: "composite"
+  steps:
+    - name: Print
+      run: echo "Hello world"
+      shell: bash
+
+    - name: Checkout
+      uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/included/not-an-action.yml
+++ b/actions/ql/integration-tests/filters/src/included/not-an-action.yml
@@ -0,0 +1 @@
+name: 'Not an action, just a YAML file'
--- a/actions/ql/integration-tests/filters/src/included/unreachable-workflow.yml
+++ b/actions/ql/integration-tests/filters/src/included/unreachable-workflow.yml
@@ -0,0 +1,12 @@
+name: An unreachable workflow
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/src/unreachable-workflow.yml
+++ b/actions/ql/integration-tests/filters/src/unreachable-workflow.yml
@@ -0,0 +1,12 @@
+name: An unreachable workflow
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  job:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
--- a/actions/ql/integration-tests/filters/test.py
+++ b/actions/ql/integration-tests/filters/test.py
@@ -0,0 +1,18 @@
+import pytest
+
+@pytest.mark.ql_test(expected=".default-filters.expected")
+def test_default_filters(codeql, actions, check_source_archive):
+    check_source_archive.expected_suffix = ".default-filters.expected"
+    codeql.database.create(source_root="src")
+
+@pytest.mark.ql_test(expected=".paths-only.expected")
+def test_config_paths_only(codeql, actions):
+    codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-only.yml")
+
+@pytest.mark.ql_test(expected=".paths-ignore-only.expected")
+def test_config_paths_ignore_only(codeql, actions):
+    codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-ignore-only.yml")
+
+@pytest.mark.ql_test(expected=".paths-and-paths-ignore.expected")
+def test_config_paths_and_paths_ignore(codeql, actions):
+    codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-and-paths-ignore.yml")
--- a/actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected
@@ -0,0 +1 @@
+
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -0,0 +1,17 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -0,0 +1,27 @@
+ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
+ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -0,0 +1,23 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
--- a/actions/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/actions/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -0,0 +1,17 @@
+ql/actions/ql/src/Debug/partial.ql
+ql/actions/ql/src/Models/CompositeActionsSinks.ql
+ql/actions/ql/src/Models/CompositeActionsSources.ql
+ql/actions/ql/src/Models/CompositeActionsSummaries.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
+ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
+ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
--- a/actions/ql/integration-tests/query-suite/test.py
+++ b/actions/ql/integration-tests/query-suite/test.py
@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, actions, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, actions, check_queries_not_included):
+    check_queries_not_included('actions', well_known_query_suites)
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,11 @@
+## 0.4.8
+
+No user-facing changes.
+
+## 0.4.7
+
+No user-facing changes.
+
 ## 0.4.6

 ### Bug Fixes
--- a/actions/ql/lib/change-notes/released/0.4.7.md
+++ b/actions/ql/lib/change-notes/released/0.4.7.md
@@ -0,0 +1,3 @@
+## 0.4.7
+
+No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.8.md
+++ b/actions/ql/lib/change-notes/released/0.4.8.md
@@ -0,0 +1,3 @@
+## 0.4.8
+
+No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.4.8
--- a/actions/ql/lib/codeql/actions/config/Config.qll
+++ b/actions/ql/lib/codeql/actions/config/Config.qll
@@ -154,3 +154,13 @@ predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
 predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
  Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
 }
+
+/**
+ * MaD models for permissions needed by actions
+ * Fields:
+ *    - action: action name, e.g. `actions/checkout`
+ *    - permission: permission name, e.g. `contents: read`
+ */
+predicate actionsPermissionsDataModel(string action, string permission) {
+  Extensions::actionsPermissionsDataModel(action, permission)
+}
--- a/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
+++ b/actions/ql/lib/codeql/actions/config/ConfigExtensions.qll
@@ -77,3 +77,14 @@ extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag)
 * Holds for gh commands that may introduce untrusted data
 */
 extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
+
+/**
+ * Holds if `action` needs `permission` to run.
+ * - 'action' is the name of the action without any version information.
+ *   E.g. for the action selector `actions/checkout@v2`, `action` is `actions/checkout`.
+ * - `permission` is of the form `scope-name: read|write`, for example `contents: read`.
+ * - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions
+ *   for an example of recommended permissions.
+ * - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
+ */
+extensible predicate actionsPermissionsDataModel(string action, string permission);
--- a/actions/ql/lib/ext/config/actions_permissions.yml
+++ b/actions/ql/lib/ext/config/actions_permissions.yml
@@ -0,0 +1,37 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: actionsPermissionsDataModel
+    data:
+      - ["actions/checkout", "contents: read"]
+      - ["actions/setup-node", "contents: read"]
+      - ["actions/setup-python", "contents: read"]
+      - ["actions/setup-java", "contents: read"]
+      - ["actions/setup-go", "contents: read"]
+      - ["actions/setup-dotnet", "contents: read"]
+      - ["actions/labeler", "contents: read"]
+      - ["actions/labeler", "pull-requests: write"]
+      - ["actions/attest", "id-token: write"]
+      - ["actions/attest", "attestations: write"]
+      # No permissions needed for actions/add-to-project
+      - ["actions/dependency-review-action", "contents: read"]
+      - ["actions/attest-sbom", "id-token: write"]
+      - ["actions/attest-sbom", "attestations: write"]
+      - ["actions/stale", "contents: write"]
+      - ["actions/stale", "issues: write"]
+      - ["actions/stale", "pull-requests: write"]
+      - ["actions/attest-build-provenance", "id-token: write"]
+      - ["actions/attest-build-provenance", "attestations: write"]
+      - ["actions/jekyll-build-pages", "contents: read"]
+      - ["actions/jekyll-build-pages", "pages: write"]
+      - ["actions/jekyll-build-pages", "id-token: write"]
+      - ["actions/publish-action", "contents: write"]
+      - ["actions/versions-package-tools", "contents: read"]      
+      - ["actions/versions-package-tools", "actions: read"]
+      - ["actions/reusable-workflows", "contents: read"]      
+      - ["actions/reusable-workflows", "actions: read"]
+      # TODO: Add permissions for actions/download-artifact
+      # TODO: Add permissions for actions/upload-artifact
+      # TODO: Add permissions for actions/cache
+
+      
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.6
+version: 0.4.9-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,29 @@
+## 0.6.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `security-and-quality` suite.
+  They are not intended to produce user-facing
+  alerts describing vulnerabilities.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/composite-action-sinks`
+  * `actions/composite-action-sources`
+  * `actions/composite-action-summaries`
+  * `actions/reusable-workflow-sinks`
+    (renamed from `actions/reusable-wokflow-sinks`)
+  * `actions/reusable-workflow-sources`
+  * `actions/reusable-workflow-summaries`
+
+### Bug Fixes
+
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
+
+## 0.5.4
+
+### Bug Fixes
+
+* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
+
 ## 0.5.3

 ### Bug Fixes
--- a/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -5,7 +5,7 @@
 * @problem.severity warning
 * @security-severity 9.3
 * @precision high
- * @id actions/reusable-wokflow-sinks
+ * @id actions/reusable-workflow-sinks
 * @tags actions
 *       model-generator
 *       external/cwe/cwe-020
--- a/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md
+++ b/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md
@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v

 ### Exploitation

-An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
+An attacker would be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.

 ## References

--- a/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+++ b/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
@@ -1,5 +1,5 @@
 /**
- * @name Use of a known vulnerable action.
+ * @name Use of a known vulnerable action
 * @description The workflow is using an action with known vulnerabilities.
 * @kind problem
 * @problem.severity error
--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
@@ -1,6 +1,6 @@
 /**
 * @name Workflow does not contain permissions
- * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
+ * @description Workflows should contain explicit permissions to restrict the scope of the default GITHUB_TOKEN.
 * @kind problem
 * @security-severity 5.0
 * @problem.severity warning
@@ -14,7 +14,19 @@

 import actions

-from Job job
+Step stepInJob(Job job) { result = job.(LocalJob).getAStep() }
+
+string jobNeedsPermission(Job job) {
+  actionsPermissionsDataModel(stepInJob(job).(UsesStep).getCallee(), result)
+}
+
+/** Gets a suggestion for the minimal token permissions for `job`, as a JSON string. */
+string permissionsForJob(Job job) {
+  result =
+    "{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
+}
+
+from Job job, string permissions
 where
  not exists(job.getPermissions()) and
  not exists(job.getEnclosingWorkflow().getPermissions()) and
@@ -22,5 +34,8 @@ where
  exists(Event e |
    e = job.getATriggerEvent() and
    not e.getName() = "workflow_call"
-  )
-select job, "Actions Job or Workflow does not set permissions"
+  ) and
+  permissions = permissionsForJob(job)
+select job,
+  "Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: "
+    + permissions
--- a/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+++ b/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
@@ -3,6 +3,7 @@
 * @description All organization and repository secrets are passed to the workflow runner.
 * @kind problem
 * @precision high
+ * @security-severity 5.0
 * @problem.severity warning
 * @id actions/excessive-secrets-exposure
 * @tags actions
--- a/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
+++ b/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md
@@ -2,11 +2,11 @@

 ## Description

-Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered.
+Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered.

 ## Recommendations

-Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner.
+Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner.

 ## Examples

--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in trusted context
+ * @name Checkout of untrusted code in a privileged context
 * @description Privileged workflows have read/write access to the base repository and access to secrets.
 *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
 *              that is able to push to the base repository and to access secrets.
--- a/actions/ql/src/change-notes/released/0.5.4.md
+++ b/actions/ql/src/change-notes/released/0.5.4.md
@@ -0,0 +1,5 @@
+## 0.5.4
+
+### Bug Fixes
+
+* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
--- a/actions/ql/src/change-notes/released/0.6.0.md
+++ b/actions/ql/src/change-notes/released/0.6.0.md
@@ -0,0 +1,19 @@
+## 0.6.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `security-and-quality` suite.
+  They are not intended to produce user-facing
+  alerts describing vulnerabilities.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/composite-action-sinks`
+  * `actions/composite-action-sources`
+  * `actions/composite-action-summaries`
+  * `actions/reusable-workflow-sinks`
+    (renamed from `actions/reusable-wokflow-sinks`)
+  * `actions/reusable-workflow-sources`
+  * `actions/reusable-workflow-summaries`
+
+### Bug Fixes
+
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.3
+lastReleaseVersion: 0.6.0
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.3
+version: 0.6.1-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml
@@ -0,0 +1,13 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v2
+    - uses: actions/jekyll-build-pages
+
+
--- a/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml
+++ b/actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml
@@ -0,0 +1,10 @@
+on:
+  workflow_call:
+  workflow_dispatch:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/add-to-project@v2
--- a/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
+++ b/actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected
@@ -1,3 +1,5 @@
-| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
-| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions |
-| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
+| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
+| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
+| .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
+| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
--- a/config/sync-files.py
+++ b/config/sync-files.py
@@ -58,7 +58,19 @@ def file_checksum(filename):
    with open(filename, 'rb') as file_handle:
        return hashlib.sha1(file_handle.read()).hexdigest()

-def check_group(group_name, files, master_file_picker, emit_error):
+def accept_prefix(line1, line2):
+    suffix = line2.removeprefix(line1)
+    return not suffix or suffix.lstrip().startswith("//")
+
+def equivalent_lines(lines1, lines2):
+    if len(lines1) != len(lines2):
+        return False
+    for line1, line2 in zip(lines1, lines2):
+        if not accept_prefix(line1, line2) and not accept_prefix(line2, line1):
+            return False
+    return True
+
+def check_group(group_name, files, master_file_picker, emit_error, accept_prefix):
    extant_files = [f for f in files if path.isfile(f)]
    if len(extant_files) == 0:
        emit_error(__file__, 0, "No files found from group '" + group_name + "'.")
@@ -70,11 +82,23 @@ def check_group(group_name, files, master_file_picker, emit_error):
        return

    checksums = {file_checksum(f) for f in extant_files}
-
-    if len(checksums) == 1 and len(extant_files) == len(files):
+    same_lengths = len(extant_files) == len(files)
+    if len(checksums) == 1 and same_lengths:
        # All files are present and identical.
        return

+    # In this case we also consider files indentical, if
+    # (1) The group only containts two files.
+    # (2) The lines of one file are the same as the lines of another file
+    # modulo comments.
+    if accept_prefix and same_lengths and len(extant_files) == 2:
+        with open(extant_files[0], 'r') as f1:
+            file1_lines = [l.strip('\n\r') for l in f1.readlines()]
+        with open(extant_files[1], 'r') as f2:
+            file2_lines = [l.strip('\n\r') for l in f2.readlines()]
+        if equivalent_lines(file1_lines, file2_lines):
+            return
+
    master_file = master_file_picker(extant_files)
    if master_file is None:
        emit_error(__file__, 0,
@@ -139,9 +163,10 @@ def sync_identical_files(emit_error):
        raise Exception("Bad command line or file not found")
    chdir_repo_root()
    load_if_exists('.', 'config/identical-files.json')
-    file_groups.update(csharp_test_files())
+    for group_name, files in csharp_test_files().items():
+        check_group(group_name, files, master_file_picker, emit_error, True)
    for group_name, files in file_groups.items():
-        check_group(group_name, files, master_file_picker, emit_error)
+        check_group(group_name, files, master_file_picker, emit_error, False)

 def main():
    sync_identical_files(emit_local_error)
--- a/cpp/downgrades/0f0a390468a5eb43d1dc72937c028070b106bf53/old.dbscheme
+++ b/cpp/downgrades/0f0a390468a5eb43d1dc72937c028070b106bf53/old.dbscheme
--- a/cpp/downgrades/0f0a390468a5eb43d1dc72937c028070b106bf53/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/0f0a390468a5eb43d1dc72937c028070b106bf53/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/0f0a390468a5eb43d1dc72937c028070b106bf53/upgrade.properties
+++ b/cpp/downgrades/0f0a390468a5eb43d1dc72937c028070b106bf53/upgrade.properties
@@ -0,0 +1,3 @@
+description: Add a new predicate `isVla()` to the `ArrayType` class
+compatibility: full
+type_is_vla.rel: delete
--- a/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/aggregate_array_init.ql
+++ b/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/aggregate_array_init.ql
@@ -0,0 +1,11 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class AggregateLiteral extends Expr, @aggregateliteral {
+  override string toString() { none() }
+}
+
+from AggregateLiteral aggregate, Expr initializer, int element_index, int position
+where aggregate_array_init(aggregate, initializer, element_index, position, _)
+select aggregate, initializer, element_index, position
--- a/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/aggregate_field_init.ql
+++ b/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/aggregate_field_init.ql
@@ -0,0 +1,15 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class AggregateLiteral extends Expr, @aggregateliteral {
+  override string toString() { none() }
+}
+
+class MemberVariable extends @membervariable {
+  string toString() { none() }
+}
+
+from AggregateLiteral aggregate, Expr initializer, MemberVariable field, int position
+where aggregate_field_init(aggregate, initializer, field, position, _)
+select aggregate, initializer, field, position
--- a/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/old.dbscheme
+++ b/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/old.dbscheme
--- a/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/upgrade.properties
+++ b/cpp/downgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/upgrade.properties
@@ -0,0 +1,4 @@
+description: add `hasDesignator` predicate to `ArrayOrVectorAggregateLiteral` and `ClassAggregateLiteral`
+compatibility: backwards
+aggregate_array_init.rel: run aggregate_array_init.qlo
+aggregate_field_init.rel: run aggregate_field_init.qlo
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/decltypes.ql
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/decltypes.ql
@@ -0,0 +1,11 @@
+class Type extends @type {
+  string toString() { none() }
+}
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+from Type decltype, Expr expr, Type basetype, boolean parentheses
+where decltypes(decltype, expr, _, basetype, parentheses)
+select decltype, expr, basetype, parentheses
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/derivedtypes.ql
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/derivedtypes.ql
@@ -0,0 +1,19 @@
+class Type extends @type {
+  string toString() { none() }
+}
+
+predicate derivedType(Type type, string name, int kind, Type type_id) {
+  derivedtypes(type, name, kind, type_id)
+}
+
+predicate typeTransformation(Type type, string name, int kind, Type type_id) {
+  type_operators(type, _, _, type_id) and
+  name = "" and
+  kind = 3 // @type_with_specifiers
+}
+
+from Type type, string name, int kind, Type type_id
+where
+  derivedType(type, name, kind, type_id) or
+  typeTransformation(type, name, kind, type_id)
+select type, name, kind, type_id
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties
@@ -0,0 +1,5 @@
+description: Support C23 typeof and typeof_unqual
+compatibility: backwards
+decltypes.rel: run decltypes.qlo
+derivedtypes.rel: run derivedtypes.qlo
+type_operators.rel: delete
--- a/cpp/ql/integration-tests/query-suite/cpp-code-quality.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-quality.qls.expected
@@ -0,0 +1 @@
+
--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -0,0 +1,60 @@
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
--- a/cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected
@@ -0,0 +1,181 @@
+ql/cpp/ql/src/Best Practices/BlockWithTooManyStatements.ql
+ql/cpp/ql/src/Best Practices/ComplexCondition.ql
+ql/cpp/ql/src/Best Practices/Exceptions/AccidentalRethrow.ql
+ql/cpp/ql/src/Best Practices/Exceptions/CatchingByValue.ql
+ql/cpp/ql/src/Best Practices/Exceptions/LeakyCatch.ql
+ql/cpp/ql/src/Best Practices/Exceptions/ThrowingPointers.ql
+ql/cpp/ql/src/Best Practices/GuardedFree.ql
+ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesParameter.ql
+ql/cpp/ql/src/Best Practices/Hiding/DeclarationHidesVariable.ql
+ql/cpp/ql/src/Best Practices/Hiding/LocalVariableHidesGlobalVariable.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/EmptyBlock.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/Slicing.ql
+ql/cpp/ql/src/Best Practices/RuleOfTwo.ql
+ql/cpp/ql/src/Best Practices/SloppyGlobal.ql
+ql/cpp/ql/src/Best Practices/SwitchLongCase.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedLocals.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticFunctions.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedStaticVariables.ql
+ql/cpp/ql/src/Best Practices/UseOfGoto.ql
+ql/cpp/ql/src/Critical/DeadCodeGoto.ql
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/LargeParameter.ql
+ql/cpp/ql/src/Critical/MissingCheckScanf.ql
+ql/cpp/ql/src/Critical/NewArrayDeleteMismatch.ql
+ql/cpp/ql/src/Critical/NewDeleteArrayMismatch.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/SizeCheck.ql
+ql/cpp/ql/src/Critical/SizeCheck2.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Documentation/CommentedOutCode.ql
+ql/cpp/ql/src/Documentation/FixmeComments.ql
+ql/cpp/ql/src/Documentation/UncommentedFunction.ql
+ql/cpp/ql/src/Header Cleanup/Cleanup-DuplicateIncludeGuard.ql
+ql/cpp/ql/src/Likely Bugs/AmbiguouslySignedBitField.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BitwiseSignCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonPrecedence.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/FloatComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/PointlessSelfComparison.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/UnsignedGEZero.ql
+ql/cpp/ql/src/Likely Bugs/ContinueInFalseLoop.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ArrayArgSizeMismatch.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ImplicitDowncastFromBitfield.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/LossyFunctionResultCast.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/LossyPointerCast.ql
+ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/TooManyFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/InconsistentCallOnResult.ql
+ql/cpp/ql/src/Likely Bugs/InconsistentCheckReturnNull.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/Adding365DaysPerYear.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/AssignWhereCompareMeant.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/CompareWhereAssignMeant.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/DubiousNullCheck.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/ExprHasNoEffect.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/FutileConditional.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/MissingEnumCaseInSwitch.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/ShortCircuitBitMask.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/UsingStrcpyAsBoolean.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/inconsistentLoopDirection.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnCstrOfLocalStdString.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StackAddressEscapes.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/NestedLoopSameVar.ql
+ql/cpp/ql/src/Likely Bugs/OO/IncorrectConstructorDelegation.ql
+ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructorInBaseClass.ql
+ql/cpp/ql/src/Likely Bugs/OO/ThrowInDestructor.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/ReturnConstType.ql
+ql/cpp/ql/src/Likely Bugs/ReturnConstTypeMember.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.ql
+ql/cpp/ql/src/Likely Bugs/UseInOwnInitializer.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 35.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 79.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 82.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 89.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 95.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 107.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 114.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 145.ql
+ql/cpp/ql/src/jsf/4.17 Types/AV Rule 148.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 166.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 196.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 197.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 201.ql
--- a/cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected
@@ -0,0 +1,97 @@
+ql/cpp/ql/src/Best Practices/Likely Errors/CommaBeforeMisleadingIndentation.ql
+ql/cpp/ql/src/Best Practices/Likely Errors/OffsetUseBeforeRangeCheck.ql
+ql/cpp/ql/src/Critical/DoubleFree.ql
+ql/cpp/ql/src/Critical/IncorrectCheckScanf.ql
+ql/cpp/ql/src/Critical/MissingCheckScanf.ql
+ql/cpp/ql/src/Critical/NewFreeMismatch.ql
+ql/cpp/ql/src/Critical/OverflowStatic.ql
+ql/cpp/ql/src/Critical/SizeCheck.ql
+ql/cpp/ql/src/Critical/SizeCheck2.ql
+ql/cpp/ql/src/Critical/UseAfterFree.ql
+ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
+ql/cpp/ql/src/Likely Bugs/Format/NonConstantFormat.ql
+ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/IncorrectNotOperatorUsage.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/StrncpyFlippedArgs.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToStrncat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousSizeof.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UnsafeUseOfStrcat.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/UsingExpiredStackAddress.ql
+ql/cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql
+ql/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql
+ql/cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
+ql/cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.ql
+ql/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+ql/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+ql/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+ql/cpp/ql/src/Security/CWE/CWE-119/OverrunWriteProductFlow.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+ql/cpp/ql/src/Security/CWE/CWE-193/InvalidPointerDeref.ql
+ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql
+ql/cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+ql/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+ql/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+ql/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+ql/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+ql/cpp/ql/src/Security/CWE/CWE-570/IncorrectAllocationErrorHandling.ql
+ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/DangerousUseOfCin.ql
+ql/cpp/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/OpenCallMissingModeArgument.ql
+ql/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+ql/cpp/ql/src/Security/CWE/CWE-807/TaintedCondition.ql
+ql/cpp/ql/src/Security/CWE/CWE-843/TypeConfusion.ql
+ql/cpp/ql/src/Summary/LinesOfCode.ql
+ql/cpp/ql/src/Summary/LinesOfUserCode.ql
+ql/cpp/ql/src/Telemetry/CompilerErrors.ql
+ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
+ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/MissingIncludes.ql
+ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
--- a/cpp/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/cpp/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -0,0 +1,447 @@
+ql/cpp/ql/src/AlertSuppression.ql
+ql/cpp/ql/src/Architecture/FeatureEnvy.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/ClassHierarchies.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/HubClasses.ql
+ql/cpp/ql/src/Architecture/General Class-Level Information/InheritanceDepthDistribution.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/CyclicNamespaces.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/GlobalNamespaceClasses.ql
+ql/cpp/ql/src/Architecture/General Namespace-Level Information/NamespaceDependencies.ql
+ql/cpp/ql/src/Architecture/General Top-Level Information/GeneralStatistics.ql
+ql/cpp/ql/src/Architecture/InappropriateIntimacy.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyDependencies.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ClassesWithManyFields.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/ComplexFunctions.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/CyclomaticComplexity.ql
+ql/cpp/ql/src/Architecture/Refactoring Opportunities/FunctionsWithManyParameters.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/JapaneseEraDate.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsNumbers.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicConstantsString.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicNumbersUseConstant.ql
+ql/cpp/ql/src/Best Practices/Magic Constants/MagicStringsUseConstant.ql
+ql/cpp/ql/src/Best Practices/NVI.ql
+ql/cpp/ql/src/Best Practices/NVIHub.ql
+ql/cpp/ql/src/Best Practices/RuleOfThree.ql
+ql/cpp/ql/src/Best Practices/Unused Entities/UnusedIncludes.ql
+ql/cpp/ql/src/Critical/DeadCodeCondition.ql
+ql/cpp/ql/src/Critical/DeadCodeFunction.ql
+ql/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+ql/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+ql/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+ql/cpp/ql/src/Critical/FileNeverClosed.ql
+ql/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+ql/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+ql/cpp/ql/src/Critical/InitialisationNotRun.ql
+ql/cpp/ql/src/Critical/LateNegativeTest.ql
+ql/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+ql/cpp/ql/src/Critical/MemoryNeverFreed.ql
+ql/cpp/ql/src/Critical/MissingNegativityTest.ql
+ql/cpp/ql/src/Critical/MissingNullTest.ql
+ql/cpp/ql/src/Critical/NotInitialised.ql
+ql/cpp/ql/src/Critical/OverflowCalculated.ql
+ql/cpp/ql/src/Critical/OverflowDestination.ql
+ql/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+ql/cpp/ql/src/Critical/ReturnValueIgnored.ql
+ql/cpp/ql/src/Critical/Unused.ql
+ql/cpp/ql/src/Diagnostics/Internal/ExtractionErrors.ql
+ql/cpp/ql/src/Documentation/DocumentApi.ql
+ql/cpp/ql/src/Documentation/TodoComments.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/ExitNonterminatingLoop.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 03/LoopBounds.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 04/Recursion.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 05/HeapMemory.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 07/ThreadSafety.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidNestedSemaphores.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/AvoidSemaphores.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/OutOfOrderLocks.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 09/ReleaseLocksWhenAcquired.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowGoto.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 11/SimpleControlFlowJmp.ql
+ql/cpp/ql/src/JPL_C/LOC-2/Rule 12/EnumInitialization.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/ExternDeclsInHeader.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFile.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeFunction.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 13/LimitedScopeLocalHidesGlobal.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 14/CheckingReturnValues.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 15/CheckingParameterValues.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsConstant.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsDensity.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsNonBoolean.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 16/UseOfAssertionsSideEffect.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 17/BasicIntTypes.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 18/CompoundExpressions.ql
+ql/cpp/ql/src/JPL_C/LOC-3/Rule 19/NoBooleanSideEffects.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUse.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseIfdef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUsePartial.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 20/PreprocessorUseUndisciplined.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 21/MacroInBlock.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 22/UseOfUndef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 23/MismatchedIfdefs.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleStmtsPerLine.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 24/MultipleVarDeclsPerLine.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 25/FunctionSizeLimits.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 26/DeclarationPointerNesting.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 27/PointerDereferenceInStmt.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerDereferenceMacro.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 28/HiddenPointerIndirectionTypedef.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 29/NonConstFunctionPointer.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 30/FunctionPointerConversions.ql
+ql/cpp/ql/src/JPL_C/LOC-4/Rule 31/IncludesFirst.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/ComparisonWithCancelingSubExpr.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/ConversionChangesSign.ql
+ql/cpp/ql/src/Likely Bugs/Conversion/NonzeroValueCastToPointer.ql
+ql/cpp/ql/src/Likely Bugs/JapaneseEra/ConstructorOrMethodWithExactEraDate.ql
+ql/cpp/ql/src/Likely Bugs/JapaneseEra/StructWithExactEraDate.ql
+ql/cpp/ql/src/Likely Bugs/Leap Year/UnsafeArrayForDaysOfYear.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/BoolValueInBitOp.ql
+ql/cpp/ql/src/Likely Bugs/Likely Typos/LogicalExprCouldBeSimplified.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/ImproperNullTermination.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/NtohlArrayNoBound.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/More64BitWaste.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/NonPortablePrintf.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/Padding/Suboptimal64BitType.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/PotentialBufferOverflow.ql
+ql/cpp/ql/src/Likely Bugs/Memory Management/SuspiciousCallToMemset.ql
+ql/cpp/ql/src/Likely Bugs/OO/NonVirtualDestructor.ql
+ql/cpp/ql/src/Likely Bugs/OO/SelfAssignmentCheck.ql
+ql/cpp/ql/src/Likely Bugs/OO/VirtualCallInStructor.ql
+ql/cpp/ql/src/Likely Bugs/ShortLoopVarName.ql
+ql/cpp/ql/src/Metrics/Classes/CAfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Classes/CEfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadBugs.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadDifficulty.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadEffort.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadLength.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadVocabulary.ql
+ql/cpp/ql/src/Metrics/Classes/CHalsteadVolume.ql
+ql/cpp/ql/src/Metrics/Classes/CInheritanceDepth.ql
+ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionCK.ql
+ql/cpp/ql/src/Metrics/Classes/CLackOfCohesionHS.ql
+ql/cpp/ql/src/Metrics/Classes/CLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfFields.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfFunctions.ql
+ql/cpp/ql/src/Metrics/Classes/CNumberOfStatements.ql
+ql/cpp/ql/src/Metrics/Classes/CPercentageOfComplexCode.ql
+ql/cpp/ql/src/Metrics/Classes/CResponse.ql
+ql/cpp/ql/src/Metrics/Classes/CSizeOfAPI.ql
+ql/cpp/ql/src/Metrics/Classes/CSpecialisation.ql
+ql/cpp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+ql/cpp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+ql/cpp/ql/src/Metrics/External/FileCompilationDisplayStrings.ql
+ql/cpp/ql/src/Metrics/External/FileCompilationSourceLinks.ql
+ql/cpp/ql/src/Metrics/Files/AutogeneratedLOC.ql
+ql/cpp/ql/src/Metrics/Files/ConditionalSegmentConditions.ql
+ql/cpp/ql/src/Metrics/Files/ConditionalSegmentLines.ql
+ql/cpp/ql/src/Metrics/Files/FAfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Files/FCommentRatio.ql
+ql/cpp/ql/src/Metrics/Files/FCyclomaticComplexity.ql
+ql/cpp/ql/src/Metrics/Files/FDirectIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FEfferentCoupling.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadBugs.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadDifficulty.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadEffort.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadLength.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadVocabulary.ql
+ql/cpp/ql/src/Metrics/Files/FHalsteadVolume.ql
+ql/cpp/ql/src/Metrics/Files/FLines.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfCommentedOutCode.ql
+ql/cpp/ql/src/Metrics/Files/FLinesOfComments.ql
+ql/cpp/ql/src/Metrics/Files/FMacroRatio.ql
+ql/cpp/ql/src/Metrics/Files/FNumberOfClasses.ql
+ql/cpp/ql/src/Metrics/Files/FNumberOfTests.ql
+ql/cpp/ql/src/Metrics/Files/FTimeInFrontend.ql
+ql/cpp/ql/src/Metrics/Files/FTodoComments.ql
+ql/cpp/ql/src/Metrics/Files/FTransitiveIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.ql
+ql/cpp/ql/src/Metrics/Files/FunctionLength.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfFunctions.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfGlobals.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfParameters.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfPublicFunctions.ql
+ql/cpp/ql/src/Metrics/Files/NumberOfPublicGlobals.ql
+ql/cpp/ql/src/Metrics/Functions/FunCyclomaticComplexity.ql
+ql/cpp/ql/src/Metrics/Functions/FunIterationNestingDepth.ql
+ql/cpp/ql/src/Metrics/Functions/FunLinesOfCode.ql
+ql/cpp/ql/src/Metrics/Functions/FunLinesOfComments.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfCalls.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfParameters.ql
+ql/cpp/ql/src/Metrics/Functions/FunNumberOfStatements.ql
+ql/cpp/ql/src/Metrics/Functions/FunPercentageOfComments.ql
+ql/cpp/ql/src/Metrics/Functions/StatementNestingDepth.ql
+ql/cpp/ql/src/Metrics/Internal/ASTConsistency.ql
+ql/cpp/ql/src/Metrics/Internal/CallableDisplayStrings.ql
+ql/cpp/ql/src/Metrics/Internal/CallableExtents.ql
+ql/cpp/ql/src/Metrics/Internal/CallableSourceLinks.ql
+ql/cpp/ql/src/Metrics/Internal/DiagnosticsSumElapsedTimes.ql
+ql/cpp/ql/src/Metrics/Internal/IRConsistency.ql
+ql/cpp/ql/src/Metrics/Internal/IncludeResolutionStatus.ql
+ql/cpp/ql/src/Metrics/Internal/ReftypeDisplayStrings.ql
+ql/cpp/ql/src/Metrics/Internal/ReftypeSourceLinks.ql
+ql/cpp/ql/src/Metrics/Namespaces/AbstractNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/ConcreteNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighAfferentCouplingNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighDistanceFromMainLineNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/HighEfferentCouplingNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/StableNamespaces.ql
+ql/cpp/ql/src/Metrics/Namespaces/UnstableNamespaces.ql
+ql/cpp/ql/src/Microsoft/CallWithNullSAL.ql
+ql/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
+ql/cpp/ql/src/Microsoft/InconsistentSAL.ql
+ql/cpp/ql/src/PointsTo/Debug.ql
+ql/cpp/ql/src/PointsTo/PreparedStagedPointsTo.ql
+ql/cpp/ql/src/PointsTo/Stats.ql
+ql/cpp/ql/src/PointsTo/TaintedFormatStrings.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfGoto.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfJmp.ql
+ql/cpp/ql/src/Power of 10/Rule 1/UseOfRecursion.ql
+ql/cpp/ql/src/Power of 10/Rule 2/BoundedLoopIterations.ql
+ql/cpp/ql/src/Power of 10/Rule 2/ExitPermanentLoop.ql
+ql/cpp/ql/src/Power of 10/Rule 3/DynamicAllocAfterInit.ql
+ql/cpp/ql/src/Power of 10/Rule 4/FunctionTooLong.ql
+ql/cpp/ql/src/Power of 10/Rule 4/OneStmtPerLine.ql
+ql/cpp/ql/src/Power of 10/Rule 5/AssertionDensity.ql
+ql/cpp/ql/src/Power of 10/Rule 5/AssertionSideEffect.ql
+ql/cpp/ql/src/Power of 10/Rule 5/ConstantAssertion.ql
+ql/cpp/ql/src/Power of 10/Rule 5/NonBooleanAssertion.ql
+ql/cpp/ql/src/Power of 10/Rule 6/GlobalCouldBeStatic.ql
+ql/cpp/ql/src/Power of 10/Rule 6/VariableScopeTooLarge.ql
+ql/cpp/ql/src/Power of 10/Rule 7/CheckArguments.ql
+ql/cpp/ql/src/Power of 10/Rule 7/CheckReturnValues.ql
+ql/cpp/ql/src/Power of 10/Rule 8/AvoidConditionalCompilation.ql
+ql/cpp/ql/src/Power of 10/Rule 8/PartialMacro.ql
+ql/cpp/ql/src/Power of 10/Rule 8/RestrictPreprocessor.ql
+ql/cpp/ql/src/Power of 10/Rule 8/UndisciplinedMacro.ql
+ql/cpp/ql/src/Power of 10/Rule 9/FunctionPointer.ql
+ql/cpp/ql/src/Power of 10/Rule 9/HiddenPointerIndirection.ql
+ql/cpp/ql/src/Power of 10/Rule 9/PointerNesting.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/CountUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/IRCountUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+ql/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+ql/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+ql/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/TwiceLocked.ql
+ql/cpp/ql/src/Security/CWE/CWE-764/UnreleasedLock.ql
+ql/cpp/ql/src/Security/CWE/CWE-835/InfiniteLoopWithUnsatisfiableExitCondition.ql
+ql/cpp/ql/src/definitions.ql
+ql/cpp/ql/src/experimental/Best Practices/UselessTest.ql
+ql/cpp/ql/src/experimental/Best Practices/WrongUintAccess.ql
+ql/cpp/ql/src/experimental/Likely Bugs/ArrayAccessProductFlow.ql
+ql/cpp/ql/src/experimental/Likely Bugs/DerefNullResult.ql
+ql/cpp/ql/src/experimental/Likely Bugs/RedundantNullCheckParam.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-020/LateCheckOfFunctionArgument.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-020/NoCheckBeforeUnsafePutUser.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-078/WordexpTainted.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1126/DeclarationOfVariableWithUnnecessarilyWideScope.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-120/MemoryUnsafeFunctionScan.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-1240/CustomCryptographicPrimitive.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/AllocMultiplicationOverflow.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-190/IfStatementAdditionOverflow.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-273/PrivilegeDroppingOutoforder.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-285/PamAuthorization.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-295/CurlSSL.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-359/PrivateCleartextWrite.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-362/double-fetch.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-369/DivideByZeroUsingReturnValue.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-401/MemoryLeakOnFailedCallToRealloc.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-409/DecompressionBombs.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-415/DoubleFree.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-670/DangerousUseSSL_shutdown.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-675/DoubleRelease.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementAfterRefactoringTheCode.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-691/InsufficientControlFlowManagementWhenUsingBitOperations.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-703/FindIncorrectlyUsedExceptions.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-754/ImproperCheckReturnValueScanf.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-758/UndefinedOrImplementationDefinedBehavior.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBitwiseOrLogicalOperations.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-783/OperatorPrecedenceLogicErrorWhenUseBoolType.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-787/UnsignedToSignedPointerArith.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-788/AccessOfMemoryLocationAfterEndOfBufferUsingStrlen.ql
+ql/cpp/ql/src/experimental/Security/CWE/CWE-805/BufferAccessWithIncorrectLengthValue.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakEncryption.ql
+ql/cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithmSize.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/KnownAsymmetricKeyGeneration.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql
+ql/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql
+ql/cpp/ql/src/external/examples/filters/BumpMetricBy10.ql
+ql/cpp/ql/src/external/examples/filters/EditDefectMessage.ql
+ql/cpp/ql/src/external/examples/filters/ExcludeGeneratedCode.ql
+ql/cpp/ql/src/filters/ClassifyFiles.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 1.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 2.ql
+ql/cpp/ql/src/jsf/3.02 Code Size and Complexity/AV Rule 3.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 11.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 12.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 13.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 14.ql
+ql/cpp/ql/src/jsf/4.04 Environment/AV Rule 9.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 17.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 18.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 19.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 20.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 21.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 22.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 23.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 24.ql
+ql/cpp/ql/src/jsf/4.05 Libraries/AV Rule 25.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 26.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 27.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 28.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 29.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 30.ql
+ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 31.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 33.ql
+ql/cpp/ql/src/jsf/4.07 Header Files/AV Rule 39.ql
+ql/cpp/ql/src/jsf/4.08 Implementation Files/AV Rule 40.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 41.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 42.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 43.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 44.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 45.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 46.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 47.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 48.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 49.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 50.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 51.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 52.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.1.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 53.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 54.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 57.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 58.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 59.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 60.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 61.ql
+ql/cpp/ql/src/jsf/4.09 Style/AV Rule 63.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 68.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 69.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 70.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 71.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 73.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 74.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 75.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 76.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 77.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 78.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 81.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 85.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 88.1.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 94.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 96.ql
+ql/cpp/ql/src/jsf/4.10 Classes/AV Rule 97.1.ql
+ql/cpp/ql/src/jsf/4.11 Namespaces/AV Rule 99.ql
+ql/cpp/ql/src/jsf/4.12 Templates/AV Rule 104.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 108.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 110.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 111.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 113.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 115.ql
+ql/cpp/ql/src/jsf/4.13 Functions/AV Rule 119.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 126.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 127.ql
+ql/cpp/ql/src/jsf/4.14 Comments/AV Rule 133.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 135.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 138.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 139.ql
+ql/cpp/ql/src/jsf/4.15 Declarations and Definitions/AV Rule 140.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 142.ql
+ql/cpp/ql/src/jsf/4.16 Initialization/AV Rule 143.ql
+ql/cpp/ql/src/jsf/4.17 Types/AV Rule 147.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 149.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 150.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.1.ql
+ql/cpp/ql/src/jsf/4.18 Constants/AV Rule 151.ql
+ql/cpp/ql/src/jsf/4.19 Variables/AV Rule 152.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 153.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 154.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 155.ql
+ql/cpp/ql/src/jsf/4.20 Unions and Bit Fields/AV Rule 156.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 157.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 158.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 159.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 160.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 162.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 163.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 164.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 165.ql
+ql/cpp/ql/src/jsf/4.21 Operators/AV Rule 168.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 170.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 171.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 173.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 175.ql
+ql/cpp/ql/src/jsf/4.22 Pointers and References/AV Rule 176.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 178.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 179.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 180.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 181.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 182.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 184.ql
+ql/cpp/ql/src/jsf/4.23 Type Conversions/AV Rule 185.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 186.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 187.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 188.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 189.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 190.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 191.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 192.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 193.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 194.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 195.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 198.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 199.ql
+ql/cpp/ql/src/jsf/4.24 Control Flow Structures/AV Rule 200.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 202.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.1.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 204.ql
+ql/cpp/ql/src/jsf/4.25 Expressions/AV Rule 205.ql
+ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 206.ql
+ql/cpp/ql/src/jsf/4.26 Memory Allocation/AV Rule 207.ql
+ql/cpp/ql/src/jsf/4.27 Fault Handling/AV Rule 208.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 209.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 210.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 212.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 213.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 214.ql
+ql/cpp/ql/src/jsf/4.28 Portable Code/AV Rule 215.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
+ql/cpp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql
--- a/cpp/ql/integration-tests/query-suite/test.py
+++ b/cpp/ql/integration-tests/query-suite/test.py
@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['cpp-code-quality.qls', 'cpp-security-and-quality.qls', 'cpp-security-extended.qls', 'cpp-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, cpp, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, cpp, check_queries_not_included):
+    check_queries_not_included('cpp', well_known_query_suites)
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,19 @@
+## 4.3.0
+
+### New Features
+
+* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
+* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
+* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
+* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
+
+## 4.2.0
+
+### New Features
+
+* Calling conventions explicitly specified on function declarations (`__cdecl`, `__stdcall`, `__fastcall`, etc.)  are now represented as specifiers of those declarations.
+* A new class `CallingConventionSpecifier` extending the `Specifier` class was introduced, which represents explicitly specified calling conventions.
+
 ## 4.1.0

 ### New Features
--- a/cpp/ql/lib/change-notes/released/4.2.0.md
+++ b/cpp/ql/lib/change-notes/released/4.2.0.md
@@ -0,0 +1,6 @@
+## 4.2.0
+
+### New Features
+
+* Calling conventions explicitly specified on function declarations (`__cdecl`, `__stdcall`, `__fastcall`, etc.)  are now represented as specifiers of those declarations.
+* A new class `CallingConventionSpecifier` extending the `Specifier` class was introduced, which represents explicitly specified calling conventions.
--- a/cpp/ql/lib/change-notes/released/4.3.0.md
+++ b/cpp/ql/lib/change-notes/released/4.3.0.md
@@ -0,0 +1,8 @@
+## 4.3.0
+
+### New Features
+
+* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
+* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
+* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
+* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.1.0
+lastReleaseVersion: 4.3.0
--- a/cpp/ql/lib/ext/generated/empty.model.yml
+++ b/cpp/ql/lib/ext/generated/empty.model.yml
@@ -0,0 +1,5 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: []
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.1.0
+version: 4.3.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -16,6 +16,7 @@ dependencies:
  codeql/xml: ${workspace}
 dataExtensions:
  - ext/*.model.yml
+  - ext/generated/*.model.yml
  - ext/deallocation/*.model.yml
  - ext/allocation/*.model.yml
 warnOnImplicitThis: true
--- a/cpp/ql/lib/semmle/code/cpp/Print.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Print.qll
@@ -176,6 +176,30 @@ private class DecltypeDumpType extends DumpType, Decltype {
  }
 }

+private class TypeofDumpType extends DumpType, TypeofType {
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
+
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
+
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
+}
+
+private class IntrinsicTransformedDumpType extends DumpType, IntrinsicTransformedType {
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
+
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
+
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
+}
+
 private class PointerIshDumpType extends DerivedDumpType {
  PointerIshDumpType() {
    this instanceof PointerType or
--- a/cpp/ql/lib/semmle/code/cpp/Specifier.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Specifier.qll
@@ -97,6 +97,18 @@ class AccessSpecifier extends Specifier {
  override string getAPrimaryQlClass() { result = "AccessSpecifier" }
 }

+/**
+ * A C/C++ calling convention specifier: `cdecl`, `fastcall`, `stdcall`, `thiscall`,
+ * `vectorcall`, or `clrcall`.
+ */
+class CallingConventionSpecifier extends Specifier {
+  CallingConventionSpecifier() {
+    this.hasName(["cdecl", "fastcall", "stdcall", "thiscall", "vectorcall", "clrcall"])
+  }
+
+  override string getAPrimaryQlClass() { result = "CallingConventionSpecifier" }
+}
+
 /**
 * An attribute introduced by GNU's `__attribute__((name))` syntax,
 * Microsoft's `__declspec(name)` syntax, Microsoft's `[name]` syntax, the
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -92,8 +92,9 @@ class Type extends Locatable, @type {
  /**
   * Gets this type after typedefs have been resolved.
   *
-   * The result of this predicate will be the type itself, except in the case of a TypedefType or a Decltype,
-   * in which case the result will be type which results from (possibly recursively) resolving typedefs.
+   * The result of this predicate will be the type itself, except in the case of a TypedefType, a Decltype,
+   * or a TypeofType, in which case the result will be type which results from (possibly recursively)
+   * resolving typedefs.
   */
  pragma[nomagic]
  Type getUnderlyingType() { result = this }
@@ -1117,18 +1118,20 @@ class DerivedType extends Type, @derivedtype {
 * decltype(a) b;
 * ```
 */
-class Decltype extends Type, @decltype {
+class Decltype extends Type {
+  Decltype() { decltypes(underlyingElement(this), _, 0, _, _) }
+
  override string getAPrimaryQlClass() { result = "Decltype" }

  /**
-   * The expression whose type is being obtained by this decltype.
+   * Gets the expression whose type is being obtained by this decltype.
   */
-  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _) }
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }

  /**
-   * The type immediately yielded by this decltype.
+   * Gets the type immediately yielded by this decltype.
   */
-  Type getBaseType() { decltypes(underlyingElement(this), _, unresolveElement(result), _) }
+  Type getBaseType() { decltypes(underlyingElement(this), _, _, unresolveElement(result), _) }

  /**
   * Whether an extra pair of parentheses around the expression would change the semantics of this decltype.
@@ -1142,7 +1145,7 @@ class Decltype extends Type, @decltype {
   * ```
   * Please consult the C++11 standard for more details.
   */
-  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, true) }
+  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, _, true) }

  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }

@@ -1183,6 +1186,215 @@ class Decltype extends Type, @decltype {
  }
 }

+/**
+ * An instance of the C23 `typeof` or `typeof_unqual` operator. For example:
+ * ```
+ * int a;
+ * typeof(a) b;
+ * typeof_unqual(const int) b;
+ * ```
+ */
+class TypeofType extends Type {
+  TypeofType() {
+    decltypes(underlyingElement(this), _, 1, _, _) or
+    type_operators(underlyingElement(this), _, 0, _)
+  }
+
+  /**
+   * Gets the type immediately yielded by this typeof.
+   */
+  Type getBaseType() {
+    decltypes(underlyingElement(this), _, _, unresolveElement(result), _)
+    or
+    type_operators(underlyingElement(this), _, _, unresolveElement(result))
+  }
+
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
+
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
+
+  override Type stripType() { result = this.getBaseType().stripType() }
+
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
+
+  override string toString() { result = "typeof(...)" }
+
+  override string getName() { none() }
+
+  override int getSize() { result = this.getBaseType().getSize() }
+
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
+
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
+
+  override string explain() {
+    result = "typeof resulting in {" + this.getBaseType().explain() + "}"
+  }
+
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
+
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
+
+  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
+
+  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
+
+  override Specifier internal_getAnAdditionalSpecifier() {
+    result = this.getBaseType().getASpecifier()
+  }
+}
+
+/**
+ * An instance of the C23 `typeof` or `typeof_unqual` operator taking an expression
+ * as its argument. For example:
+ * ```
+ * int a;
+ * typeof(a) b;
+ * ```
+ */
+class TypeofExprType extends TypeofType {
+  TypeofExprType() { decltypes(underlyingElement(this), _, 1, _, _) }
+
+  override string getAPrimaryQlClass() { result = "TypeofExprType" }
+
+  /**
+   * Gets the expression whose type is being obtained by this typeof.
+   */
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }
+
+  override Location getLocation() { result = this.getExpr().getLocation() }
+}
+
+/**
+ * A type obtained by C23 `typeof` or `typeof_unqual` operator taking a type as its
+ * argument. For example:
+ * ```
+ * typeof_unqual(const int) b;
+ * ```
+ */
+class TypeofTypeType extends TypeofType {
+  TypeofTypeType() { type_operators(underlyingElement(this), _, 0, _) }
+
+  /**
+   * Gets the expression whose type is being obtained by this typeof.
+   */
+  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
+
+  override string getAPrimaryQlClass() { result = "TypeofTypeType" }
+
+  override string toString() { result = "typeof(...)" }
+}
+
+/**
+ * A type obtained by applying a type transforming intrinsic. For example:
+ * ```
+ * __make_unsigned(int) x;
+ * ```
+ */
+class IntrinsicTransformedType extends Type {
+  int intrinsic;
+
+  IntrinsicTransformedType() {
+    type_operators(underlyingElement(this), _, intrinsic, _) and
+    intrinsic in [1 .. 19]
+  }
+
+  override string getAPrimaryQlClass() { result = "IntrinsicTransformedType" }
+
+  override string toString() { result = this.getIntrinsicName() + "(...)" }
+
+  /**
+   * Gets the type immediately yielded by this transformation.
+   */
+  Type getBaseType() { type_operators(underlyingElement(this), _, _, unresolveElement(result)) }
+
+  /**
+   * Gets the type that is transformed.
+   */
+  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
+
+  /**
+   * Gets the name of the intrinsic used to transform the type.
+   */
+  string getIntrinsicName() {
+    intrinsic = 1 and result = "__underlying_type"
+    or
+    intrinsic = 2 and result = "__bases"
+    or
+    intrinsic = 3 and result = "__direct_bases"
+    or
+    intrinsic = 4 and result = "__add_lvalue_reference"
+    or
+    intrinsic = 5 and result = "__add_pointer"
+    or
+    intrinsic = 6 and result = "__add_rvalue_reference"
+    or
+    intrinsic = 7 and result = "__decay"
+    or
+    intrinsic = 8 and result = "__make_signed"
+    or
+    intrinsic = 9 and result = "__make_unsigned"
+    or
+    intrinsic = 10 and result = "__remove_all_extents"
+    or
+    intrinsic = 11 and result = "__remove_const"
+    or
+    intrinsic = 12 and result = "__remove_cv"
+    or
+    intrinsic = 13 and result = "__remove_cvref"
+    or
+    intrinsic = 14 and result = "__remove_extent"
+    or
+    intrinsic = 15 and result = "__remove_pointer"
+    or
+    intrinsic = 16 and result = "__remove_reference_t"
+    or
+    intrinsic = 17 and result = "__remove_restrict"
+    or
+    intrinsic = 18 and result = "__remove_volatile"
+    or
+    intrinsic = 19 and result = "__remove_reference"
+  }
+
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
+
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
+
+  override Type stripType() { result = this.getBaseType().stripType() }
+
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
+
+  override string getName() { none() }
+
+  override int getSize() { result = this.getBaseType().getSize() }
+
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
+
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
+
+  override string explain() {
+    result =
+      "application of " + this.getIntrinsicName() + " resulting in {" + this.getBaseType().explain()
+        + "}"
+  }
+
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
+
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
+
+  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
+
+  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
+
+  override Specifier internal_getAnAdditionalSpecifier() {
+    result = this.getBaseType().getASpecifier()
+  }
+}
+
 /**
 * A C/C++ pointer type. See 4.9.1.
 * ```
@@ -1369,6 +1581,11 @@ class ArrayType extends DerivedType {
  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() } // No such thing as a const array type

  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConst() }
+
+  /**
+   * Holds if this array is a variable-length array (VLA).
+   */
+  predicate isVla() { type_is_vla(underlyingElement(this)) }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
+++ b/cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll
@@ -465,7 +465,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
 }

 /** Gets the fully templated version of `f`. */
-private Function getFullyTemplatedFunction(Function f) {
+Function getFullyTemplatedFunction(Function f) {
  not f.isFromUninstantiatedTemplate(_) and
  (
    exists(Class c, Class templateClass, int i |
@@ -559,12 +559,15 @@ private string getTypeName(Type t, boolean needsSpace) {

 /**
 * Gets a type name for the `n`'th parameter of `f` without any template
- * arguments. The result may be a string representing a type for which the
- * typedefs have been resolved.
+ * arguments.
+ *
+ * If `canonical = false` then the result may be a string representing a type
+ * for which the typedefs have been resolved. If `canonical = true` then the
+ * result will be a string representing a type without resolving `typedefs`.
 */
 bindingset[f]
 pragma[inline_late]
-string getParameterTypeWithoutTemplateArguments(Function f, int n) {
+string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canonical) {
  exists(string s, string base, string specifiers, Type t |
    t = f.getParameter(n).getType() and
    // The name of the string can either be the possibly typedefed name
@@ -572,14 +575,19 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n) {
    // `getTypeName(t, _)` is almost equal to `t.resolveTypedefs().getName()`,
    // except that `t.resolveTypedefs()` doesn't have a result when the
    // resulting type doesn't appear in the database.
-    s = [t.getName(), getTypeName(t, _)] and
+    (
+      s = t.getName() and canonical = true
+      or
+      s = getTypeName(t, _) and canonical = false
+    ) and
    parseAngles(s, base, _, specifiers) and
    result = base + specifiers
  )
  or
  f.isVarargs() and
  n = f.getNumberOfParameters() and
-  result = "..."
+  result = "..." and
+  canonical = true
 }

 /**
@@ -590,7 +598,7 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain
  exists(Function templateFunction |
    templateFunction = getFullyTemplatedFunction(f) and
    remaining = templateFunction.getNumberOfTemplateArguments() and
-    result = getParameterTypeWithoutTemplateArguments(templateFunction, n)
+    result = getParameterTypeWithoutTemplateArguments(templateFunction, n, _)
  )
  or
  exists(string mid, TypeTemplateParameter tp, Function templateFunction |
@@ -627,7 +635,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
 }

 /** Gets the string representation of the `i`'th parameter of `c`. */
-private string getParameterTypeName(Function c, int i) {
+string getParameterTypeName(Function c, int i) {
  result = getTypeNameWithoutClassTemplates(c, i, 0)
 }

--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -310,6 +310,8 @@ class Expr extends StmtParent, @expr {
    or
    exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
    or
+    exists(TypeofExprType t | t.getExpr() = this.getParentWithConversions*())
+    or
    exists(ConstexprIfStmt constIf |
      constIf.getControllingExpr() = this.getParentWithConversions*()
    )
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll
@@ -213,7 +213,24 @@ class ClassAggregateLiteral extends AggregateLiteral {
  Expr getFieldExpr(Field field, int position) {
    field = classType.getAField() and
    aggregate_field_init(underlyingElement(this), unresolveElement(result), unresolveElement(field),
-      position)
+      position, _)
+  }
+
+  /**
+   * Holds if the `position`-th initialization of `field` in this aggregate initializer
+   * uses a designated (e.g., `.x = ...`) rather than a positional initializer.
+   *
+   * For example, in:
+   * ```c
+   * struct S { int x, y; };
+   * struct S s = { .x = 1, 2 };
+   * ```
+   * - `.x = 1` is a designated initializer, therefore `hasDesignator(x, 0)` holds.
+   * - `2` is a positional initializer for `s.y`, therefore `hasDesignator(y, 1)` does not hold.
+   */
+  predicate hasDesignator(Field field, int position) {
+    field = classType.getAField() and
+    aggregate_field_init(underlyingElement(this), _, unresolveElement(field), position, true)
  }

  /**
@@ -304,7 +321,24 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
   * - `a.getElementExpr(0, 2)` gives `789`.
   */
  Expr getElementExpr(int elementIndex, int position) {
-    aggregate_array_init(underlyingElement(this), unresolveElement(result), elementIndex, position)
+    aggregate_array_init(underlyingElement(this), unresolveElement(result), elementIndex, position,
+      _)
+  }
+
+  /**
+   * Holds if the `position`-th initialization of the array element at `elementIndex`
+   * in this aggregate initializer uses a designated (e.g., `[0] = ...`) rather than
+   * a positional initializer.
+   *
+   * For example, in:
+   * ```c
+   * int x[] = { [0] = 1, 2 };
+   * ```
+   * - `[0] = 1` is a designated initializer, therefore `hasDesignator(0, 0)` holds.
+   * - `2` is a positional initializer for `x[1]`, therefore `hasDesignator(1, 1)` does not hold.
+   */
+  predicate hasDesignator(int elementIndex, int position) {
+    aggregate_array_init(underlyingElement(this), _, elementIndex, position, true)
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImplSpecific.qll
@@ -31,4 +31,6 @@ module CppDataFlow implements InputSig<Location> {
  predicate viableImplInCallContext = Private::viableImplInCallContext/2;

  predicate neverSkipInPathGraph = Private::neverSkipInPathGraph/1;
+
+  int defaultFieldFlowBranchLimit() { result = 3 }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -371,7 +371,7 @@ private class PrimaryArgumentNode extends ArgumentNode, OperandNode {
  PrimaryArgumentNode() { exists(CallInstruction call | op = call.getAnArgumentOperand()) }

  override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    op = call.getArgumentOperand(pos.(DirectPosition).getIndex())
+    op = call.getArgumentOperand(pos.(DirectPosition).getArgumentIndex())
  }
 }

@@ -410,8 +410,16 @@ class ParameterPosition = Position;
 class ArgumentPosition = Position;

 abstract class Position extends TPosition {
+  /** Gets a textual representation of this position. */
  abstract string toString();

+  /**
+   * Gets the argument index of this position. The qualifier of a call has
+   * argument index `-1`.
+   */
+  abstract int getArgumentIndex();
+
+  /** Gets the indirection index of this position. */
  abstract int getIndirectionIndex();
 }

@@ -428,7 +436,7 @@ class DirectPosition extends Position, TDirectPosition {
    result = index.toString()
  }

-  int getIndex() { result = index }
+  override int getArgumentIndex() { result = index }

  final override int getIndirectionIndex() { result = 0 }
 }
@@ -445,16 +453,29 @@ class IndirectionPosition extends Position, TIndirectionPosition {
    else result = repeatStars(indirectionIndex) + argumentIndex.toString()
  }

-  int getArgumentIndex() { result = argumentIndex }
+  override int getArgumentIndex() { result = argumentIndex }

  final override int getIndirectionIndex() { result = indirectionIndex }
 }

 newtype TPosition =
-  TDirectPosition(int argumentIndex) { exists(any(CallInstruction c).getArgument(argumentIndex)) } or
+  TDirectPosition(int argumentIndex) {
+    exists(any(CallInstruction c).getArgument(argumentIndex))
+    or
+    // Handle the rare case where there is a function definition but no call to
+    // the function.
+    exists(any(Cpp::Function f).getParameter(argumentIndex))
+  } or
  TIndirectionPosition(int argumentIndex, int indirectionIndex) {
    Ssa::hasIndirectOperand(any(CallInstruction call).getArgumentOperand(argumentIndex),
      indirectionIndex)
+    or
+    // Handle the rare case where there is a function definition but no call to
+    // the function.
+    exists(Cpp::Function f, Cpp::Parameter p |
+      p = f.getParameter(argumentIndex) and
+      indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1]
+    )
  }

 private newtype TReturnKind =
@@ -501,6 +522,15 @@ class ReturnKind extends TReturnKind {

  /** Gets a textual representation of this return kind. */
  abstract string toString();
+
+  /** Holds if this `ReturnKind` is generated from a `return` statement. */
+  abstract predicate isNormalReturn();
+
+  /**
+   * Holds if this `ReturnKind` is generated from a write to the parameter with
+   * index `argumentIndex`
+   */
+  abstract predicate isIndirectReturn(int argumentIndex);
 }

 /**
@@ -514,6 +544,10 @@ class NormalReturnKind extends ReturnKind, TNormalReturnKind {
  override int getIndirectionIndex() { result = indirectionIndex }

  override string toString() { result = "indirect return" }
+
+  override predicate isNormalReturn() { any() }
+
+  override predicate isIndirectReturn(int argumentIndex) { none() }
 }

 /**
@@ -528,6 +562,10 @@ private class IndirectReturnKind extends ReturnKind, TIndirectReturnKind {
  override int getIndirectionIndex() { result = indirectionIndex }

  override string toString() { result = "indirect outparam[" + argumentIndex.toString() + "]" }
+
+  override predicate isNormalReturn() { none() }
+
+  override predicate isIndirectReturn(int argumentIndex_) { argumentIndex_ = argumentIndex }
 }

 /** A data flow node that occurs as the result of a `ReturnStmt`. */
@@ -1614,8 +1652,6 @@ predicate validParameterAliasStep(Node node1, Node node2) {
  )
 }

-private predicate isTopLevel(Cpp::Stmt s) { any(Function f).getBlock().getAStmt() = s }
-
 private Cpp::Stmt getAChainedBranch(Cpp::IfStmt s) {
  result = s.getThen()
  or
@@ -1646,11 +1682,9 @@ private Instruction getAnInstruction(Node n) {
 }

 private newtype TDataFlowSecondLevelScope =
-  TTopLevelIfBranch(Cpp::Stmt s) {
-    exists(Cpp::IfStmt ifstmt | s = getAChainedBranch(ifstmt) and isTopLevel(ifstmt))
-  } or
+  TTopLevelIfBranch(Cpp::Stmt s) { s = getAChainedBranch(_) } or
  TTopLevelSwitchCase(Cpp::SwitchCase s) {
-    exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase() and isTopLevel(switchstmt))
+    exists(Cpp::SwitchStmt switchstmt | s = switchstmt.getASwitchCase())
  }

 /**
@@ -1834,7 +1868,47 @@ module IteratorFlow {

  private module IteratorSsa = SsaImpl::Make<Location, SsaInput>;

-  private class Def extends IteratorSsa::DefinitionExt {
+  private module DataFlowIntegrationInput implements IteratorSsa::DataFlowIntegrationInputSig {
+    private import codeql.util.Void
+
+    class Expr extends Instruction {
+      Expr() {
+        exists(IRBlock bb, int i |
+          SsaInput::variableRead(bb, i, _, true) and
+          this = bb.getInstruction(i)
+        )
+      }
+
+      predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { bb.getInstruction(i) = this }
+    }
+
+    predicate ssaDefHasSource(IteratorSsa::WriteDefinition def) { none() }
+
+    predicate allowFlowIntoUncertainDef(IteratorSsa::UncertainWriteDefinition def) { any() }
+
+    class Guard extends Void {
+      predicate controlsBranchEdge(
+        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch
+      ) {
+        none()
+      }
+    }
+
+    predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
+      none()
+    }
+
+    predicate supportBarrierGuardsOnPhiEdges() { none() }
+  }
+
+  private module DataFlowIntegrationImpl =
+    IteratorSsa::DataFlowIntegration<DataFlowIntegrationInput>;
+
+  private class IteratorSynthNode extends DataFlowIntegrationImpl::SsaNode {
+    IteratorSynthNode() { not this.asDefinition() instanceof IteratorSsa::WriteDefinition }
+  }
+
+  private class Def extends IteratorSsa::Definition {
    final override Location getLocation() { result = this.getImpl().getLocation() }

    /**
@@ -1842,7 +1916,7 @@ module IteratorFlow {
     * and is a definition (or use) of the variable `sv`.
     */
    predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
-      super.definesAt(sv, block, index, _)
+      super.definesAt(sv, block, index)
    }

    private Ssa::DefImpl getImpl() {
@@ -1859,46 +1933,15 @@ module IteratorFlow {
    int getIndirectionIndex() { result = this.getImpl().getIndirectionIndex() }
  }

-  private class PhiNode extends IteratorSsa::DefinitionExt {
-    PhiNode() {
-      this instanceof IteratorSsa::PhiNode or
-      this instanceof IteratorSsa::PhiReadNode
-    }
-
-    SsaIteratorNode getNode() { result.getIteratorFlowNode() = this }
-  }
-
-  cached
-  private module IteratorSsaCached {
-    cached
-    predicate adjacentDefRead(IRBlock bb1, int i1, SourceVariable sv, IRBlock bb2, int i2) {
-      IteratorSsa::adjacentDefReadExt(_, sv, bb1, i1, bb2, i2)
-      or
-      exists(PhiNode phi |
-        IteratorSsa::lastRefRedefExt(_, sv, bb1, i1, phi) and
-        phi.definesAt(sv, bb2, i2, _)
-      )
-    }
-
-    cached
-    Node getAPriorDefinition(IteratorSsa::DefinitionExt next) {
-      exists(IRBlock bb, int i, SourceVariable sv, IteratorSsa::DefinitionExt def |
-        IteratorSsa::lastRefRedefExt(pragma[only_bind_into](def), pragma[only_bind_into](sv),
-          pragma[only_bind_into](bb), pragma[only_bind_into](i), next) and
-        nodeToDefOrUse(result, sv, bb, i, _)
-      )
-    }
-  }
-
  /** The set of nodes necessary for iterator flow. */
-  class IteratorFlowNode instanceof PhiNode {
+  class IteratorFlowNode instanceof IteratorSynthNode {
    /** Gets a textual representation of this node. */
    string toString() { result = super.toString() }

    /** Gets the type of this node. */
    DataFlowType getType() {
      exists(Ssa::SourceVariable sv |
-        super.definesAt(sv, _, _, _) and
+        super.getSourceVariable() = sv and
        result = sv.getType()
      )
    }
@@ -1910,60 +1953,33 @@ module IteratorFlow {
    Location getLocation() { result = super.getBasicBlock().getLocation() }
  }

-  private import IteratorSsaCached
-
-  private predicate defToNode(Node node, Def def, boolean uncertain) {
-    (
-      nodeHasOperand(node, def.getValue().asOperand(), def.getIndirectionIndex())
-      or
-      nodeHasInstruction(node, def.getValue().asInstruction(), def.getIndirectionIndex())
-    ) and
-    uncertain = false
+  private predicate defToNode(Node node, Def def) {
+    nodeHasOperand(node, def.getValue().asOperand(), def.getIndirectionIndex())
+    or
+    nodeHasInstruction(node, def.getValue().asInstruction(), def.getIndirectionIndex())
  }

-  private predicate nodeToDefOrUse(
-    Node node, SourceVariable sv, IRBlock bb, int i, boolean uncertain
-  ) {
-    exists(Def def |
-      def.hasIndexInBlock(bb, i, sv) and
-      defToNode(node, def, uncertain)
+  bindingset[result, v]
+  pragma[inline_late]
+  private DataFlowIntegrationImpl::Node fromDfNode(Node n, SourceVariable v) {
+    result = n.(SsaIteratorNode).getIteratorFlowNode()
+    or
+    exists(Ssa::UseImpl use, IRBlock bb, int i |
+      result.(DataFlowIntegrationImpl::ExprNode).getExpr().hasCfgNode(bb, i) and
+      use.hasIndexInBlock(bb, i, v) and
+      use.getNode() = n
    )
    or
-    useToNode(bb, i, sv, node) and
-    uncertain = false
-  }
-
-  private predicate useToNode(IRBlock bb, int i, SourceVariable sv, Node nodeTo) {
-    exists(PhiNode phi |
-      phi.definesAt(sv, bb, i, _) and
-      nodeTo = phi.getNode()
-    )
-    or
-    exists(Ssa::UseImpl use |
-      use.hasIndexInBlock(bb, i, sv) and
-      nodeTo = use.getNode()
-    )
+    defToNode(n, result.(DataFlowIntegrationImpl::SsaDefinitionNode).getDefinition())
  }

  /**
   * Holds if `nodeFrom` flows to `nodeTo` in a single step.
   */
  predicate localFlowStep(Node nodeFrom, Node nodeTo) {
-    exists(
-      Node nFrom, SourceVariable sv, IRBlock bb1, int i1, IRBlock bb2, int i2, boolean uncertain
-    |
-      adjacentDefRead(bb1, i1, sv, bb2, i2) and
-      nodeToDefOrUse(nFrom, sv, bb1, i1, uncertain) and
-      useToNode(bb2, i2, sv, nodeTo)
-    |
-      if uncertain = true
-      then
-        nodeFrom =
-          [
-            nFrom,
-            getAPriorDefinition(any(IteratorSsa::DefinitionExt next | next.definesAt(sv, bb1, i1, _)))
-          ]
-      else nFrom = nodeFrom
+    exists(SourceVariable v |
+      nodeFrom != nodeTo and
+      DataFlowIntegrationImpl::localFlowStep(v, fromDfNode(nodeFrom, v), fromDfNode(nodeTo, v), _)
    )
  }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -1445,7 +1445,7 @@ private class ExplicitParameterInstructionNode extends AbstractExplicitParameter
  ExplicitParameterInstructionNode() { exists(instr.getParameter()) }

  override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
-    f.getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
+    f.getParameter(pos.(DirectPosition).getArgumentIndex()) = instr.getParameter()
  }

  override string toStringImpl() { result = instr.getParameter().toString() }
@@ -1460,7 +1460,7 @@ class ThisParameterInstructionNode extends AbstractExplicitParameterNode,
  ThisParameterInstructionNode() { instr.getIRVariable() instanceof IRThisVariable }

  override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
-    pos.(DirectPosition).getIndex() = -1 and
+    pos.(DirectPosition).getArgumentIndex() = -1 and
    instr.getEnclosingFunction() = f
  }

@@ -1494,7 +1494,7 @@ private class DirectBodyLessParameterNode extends AbstractExplicitParameterNode,

  override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
    this.getFunction() = f and
-    f.getParameter(pos.(DirectPosition).getIndex()) = p
+    f.getParameter(pos.(DirectPosition).getArgumentIndex()) = p
  }

  override Parameter getParameter() { result = p }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll
@@ -1069,7 +1069,7 @@ module BarrierGuard<guardChecksNodeSig/3 guardChecksNode> {

 bindingset[result, v]
 pragma[inline_late]
-DataFlowIntegrationImpl::Node fromDfNode(Node n, SourceVariable v) {
+private DataFlowIntegrationImpl::Node fromDfNode(Node n, SourceVariable v) {
  result = n.(SsaSynthNode).getSynthNode()
  or
  exists(UseImpl use, IRBlock bb, int i |
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll
@@ -229,11 +229,11 @@ private module SpeculativeTaintFlow {
      not exists(DataFlowDispatch::viableCallable(call)) and
      src.(DataFlowPrivate::ArgumentNode).argumentOf(call, argpos)
    |
-      not argpos.(DirectPosition).getIndex() = -1 and
+      not argpos.(DirectPosition).getArgumentIndex() = -1 and
      sink.(PostUpdateNode)
          .getPreUpdateNode()
          .(DataFlowPrivate::ArgumentNode)
-          .argumentOf(call, any(DirectPosition qualpos | qualpos.getIndex() = -1))
+          .argumentOf(call, any(DirectPosition qualpos | qualpos.getArgumentIndex() = -1))
      or
      sink.(DataFlowPrivate::OutNode).getCall() = call
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
@@ -16,6 +16,10 @@ private predicate isDeeplyConst(Type t) {
  or
  isDeeplyConst(t.(Decltype).getBaseType())
  or
+  isDeeplyConst(t.(TypeofType).getBaseType())
+  or
+  isDeeplyConst(t.(IntrinsicTransformedType).getBaseType())
+  or
  isDeeplyConst(t.(ReferenceType).getBaseType())
  or
  exists(SpecifiedType specType | specType = t |
@@ -36,6 +40,10 @@ private predicate isDeeplyConstBelow(Type t) {
  or
  isDeeplyConstBelow(t.(Decltype).getBaseType())
  or
+  isDeeplyConstBelow(t.(TypeofType).getBaseType())
+  or
+  isDeeplyConstBelow(t.(IntrinsicTransformedType).getBaseType())
+  or
  isDeeplyConst(t.(PointerType).getBaseType())
  or
  isDeeplyConst(t.(ReferenceType).getBaseType())
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .0.0
 .1.1