Bazel: patch rules_dotnet to avoid unit test failure

C#: Update integration tests expected output.
C#: Update global.json files for most integration tests to se .NET SDK 9.0.304.
2026-05-18 05:07:06 +02:00 · 2025-09-04 16:32:20 +02:00 · 2025-09-04 10:02:04 +02:00 · 2025-09-04 10:02:02 +02:00 · 2025-09-04 10:02:01 +02:00 · 2025-09-04 08:11:41 +02:00
5555 changed files with 199337 additions and 457708 deletions
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-8.4.2
+8.1.1
--- a/.gitattributes
+++ b/.gitattributes
@@ -82,6 +82,9 @@
 /csharp/paket.main.bzl linguist-generated=true
 /csharp/paket.main_extension.bzl linguist-generated=true

+# ripunzip tool
+/misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
+
 # swift prebuilt resources
 /swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
 /swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -0,0 +1,4 @@
+When reviewing code:
+* do not review changes in files with `.expected` extension (they are automatically ensured to be correct).
+* in `.ql` and `.qll` files, do not try to review the code itself as you don't understand the programming language
+  well enough to make comments in these languages. You can still check for typos or comment improvements.
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -40,8 +40,3 @@ updates:
      - dependency-name: "*"
    reviewers:
      - "github/codeql-go"
-
-  - package-ecosystem: bazel
-    directory: "/"
-    schedule:
-      interval: weekly
--- a/.github/instructions/expected-files.instructions.md
+++ b/.github/instructions/expected-files.instructions.md
@@ -1,4 +0,0 @@
---
-applyTo: "**/*.expected"
---
-Ignore these files. These are generated to be correct by running the tests, and should not be edited manually.
--- a/.github/instructions/ql-files.instructions.md
+++ b/.github/instructions/ql-files.instructions.md
@@ -1,6 +0,0 @@
---
-applyTo: "**/*.ql,**/*.qll"
---
-When reviewing these QL files, do not make any comment on the code itself. You don't understand the QL programming language well enough yet. You can only make comments about the following aspects:
-* comments (lines starting with `//` or block comments enclosed in `/* ... */`): you can suggest improvements to the clarity of comments, or point out spelling mistakes
-* typos in identifiers
--- a/.github/workflows/build-ripunzip.yml
+++ b/.github/workflows/build-ripunzip.yml
@@ -0,0 +1,74 @@
+name: Build runzip
+
+on:
+  workflow_dispatch:
+    inputs:
+      ripunzip-version:
+        description: "what reference to checktout from google/runzip"
+        required: false
+        default: v2.0.2
+      openssl-version:
+        description: "what reference to checkout from openssl/openssl for Linux"
+        required: false
+        default: openssl-3.5.0
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-22.04, macos-13, windows-2022]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          repository: google/ripunzip
+          ref: ${{ inputs.ripunzip-version }}
+      # we need to avoid ripunzip dynamically linking into libssl
+      # see https://github.com/sfackler/rust-openssl/issues/183
+      - if: runner.os == 'Linux'
+        name: checkout openssl
+        uses: actions/checkout@v5
+        with:
+          repository: openssl/openssl
+          path: openssl
+          ref: ${{ inputs.openssl-version }}
+      - if: runner.os == 'Linux'
+        name: build and install openssl with fPIC
+        shell: bash
+        working-directory: openssl
+        run: |
+          ./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
+          make -j $(nproc)
+          make install_sw -j $(nproc)
+      - if: runner.os == 'Linux'
+        name: build (linux)
+        shell: bash
+        run: |
+          env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
+          mv target/release/ripunzip ripunzip-linux
+      - if: runner.os == 'Windows'
+        name: build (windows)
+        shell: bash
+        run: |
+          cargo build --release
+          mv target/release/ripunzip ripunzip-windows
+      - name: build (macOS)
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          rustup target install x86_64-apple-darwin
+          rustup target install aarch64-apple-darwin
+          cargo build --target x86_64-apple-darwin --release
+          cargo build --target aarch64-apple-darwin --release
+          lipo -create -output ripunzip-macos \
+            -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
+            -arch arm64 target/aarch64-apple-darwin/release/ripunzip
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ripunzip-${{ runner.os }}
+          path: ripunzip-*
+      - name: Check built binary
+        shell: bash
+        run: |
+          ./ripunzip-* --version
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -34,7 +34,7 @@ jobs:
    - name: Setup dotnet
      uses: actions/setup-dotnet@v4
      with:
-        dotnet-version: 10.0.100
+        dotnet-version: 9.0.300

    - name: Checkout repository
      uses: actions/checkout@v5
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -17,41 +17,9 @@ permissions:
  contents: read

 jobs:
-  detect-changes:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest
-    outputs:
-      languages: ${{ steps.detect.outputs.languages }}
-    steps:
-      - uses: actions/checkout@v5
-      - name: Detect changed languages
-        id: detect
-        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            # For PRs, detect which languages have changes
-            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
-            languages=()
-            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
-              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
-                languages+=("$lang")
-              fi
-            done
-            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
-          else
-            # For pushes to main/rc branches, run all languages
-            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
-          fi
-        env:
-          GH_TOKEN: ${{ github.token }}
-
  compile-queries:
-    needs: detect-changes
-    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
+    if: github.repository_owner == 'github'
    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}

    steps:
      - uses: actions/checkout@v5
@@ -63,16 +31,16 @@ jobs:
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
        with: 
-          key: ${{ matrix.language }}-queries
+          key: all-queries
      - name: check formatting
-        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
      - name: compile queries - check-only
        # run with --check-only if running in a PR (github.sha != main)
        if : ${{ github.event_name == 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
      - name: compile queries - full
        # do full compile if running on main - this populates the cache
        if : ${{ github.event_name != 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
--- a/.github/workflows/csharp-qltest.yml
+++ b/.github/workflows/csharp-qltest.yml
@@ -43,14 +43,14 @@ jobs:
      - name: Setup dotnet
        uses: actions/setup-dotnet@v4
        with:
-          dotnet-version: 10.0.100
+          dotnet-version: 9.0.300
      - name: Extractor unit tests
        run: |
          dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
        shell: bash
  stubgentest:
    runs-on: ubuntu-latest
--- a/.github/workflows/query-list.yml
+++ b/.github/workflows/query-list.yml
@@ -31,7 +31,7 @@ jobs:
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
-      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
+      # Look under the `codeql` directory, as this is where we checked out the `github/codeql` repo
      uses: ./codeql/.github/actions/fetch-codeql
    - name: Build code scanning query list
      run: |
--- a/.gitignore
+++ b/.gitignore
@@ -76,6 +76,3 @@ node_modules/
 # some upgrade/downgrade checks create these files
 **/upgrades/*/*.dbscheme.stats
 **/downgrades/*/*.dbscheme.stats
-
-# Mergetool files
-*.orig
--- a/25
+++ b/25
@@ -1,33 +1,17 @@
-# Catch-all for anything which isn't matched by a line lower down
-* @github/code-scanning-alert-coverage
-
-# CodeQL language libraries
 /actions/ @github/codeql-dynamic
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
-/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
-/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor @github/code-scanning-language-coverage
+/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
+/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor
 /go/ @github/codeql-go
-/go/codeql-tools/ @github/codeql-go @github/code-scanning-language-coverage
-/go/downgrades/ @github/codeql-go @github/code-scanning-language-coverage
-/go/extractor/ @github/codeql-go @github/code-scanning-language-coverage
-/go/extractor-smoke-test/ @github/codeql-go @github/code-scanning-language-coverage
-/go/ql/test/extractor-tests/ @github/codeql-go @github/code-scanning-language-coverage
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
-/javascript/extractor/ @github/codeql-javascript @github/code-scanning-language-coverage
 /python/ @github/codeql-python
-/python/extractor/ @github/codeql-python @github/code-scanning-language-coverage
-/ql/ @github/codeql-ql-for-ql-reviewers
 /ruby/ @github/codeql-ruby
-/ruby/extractor/ @github/codeql-ruby @github/code-scanning-language-coverage
 /rust/ @github/codeql-rust
-/rust/extractor/ @github/codeql-rust @github/code-scanning-language-coverage
-/shared/ @github/codeql-shared-libraries-reviewers
 /swift/ @github/codeql-swift
-/swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
 /misc/codegen/ @github/codeql-swift
-/java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
+/java/kotlin-extractor/ @github/codeql-kotlin
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin

@@ -41,6 +25,9 @@
 /docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers

+# QL for QL reviewers
+/ql/ @github/codeql-ql-for-ql-reviewers
+
 # Bazel (excluding BUILD.bazel files)
 MODULE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -10,3 +10,4 @@ members = [
    "rust/ast-generator",
    "rust/autobuild",
 ]
+exclude = ["mad-generation-build"]
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -19,16 +19,16 @@ bazel_dep(name = "rules_go", version = "0.56.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
-bazel_dep(name = "rules_shell", version = "0.5.0")
-bazel_dep(name = "bazel_skylib", version = "1.8.1")
+bazel_dep(name = "rules_shell", version = "0.3.0")
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
+bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
+bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.66.0")
+bazel_dep(name = "rules_rust", version = "0.63.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")

 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -89,8 +89,8 @@ use_repo(
    "vendor_py__cc-1.2.14",
    "vendor_py__clap-4.5.30",
    "vendor_py__regex-1.11.1",
-    "vendor_py__tree-sitter-0.24.7",
-    "vendor_py__tree-sitter-graph-0.12.0",
+    "vendor_py__tree-sitter-0.20.4",
+    "vendor_py__tree-sitter-graph-0.7.0",
 )

 # deps for ruby+rust
@@ -98,54 +98,54 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
    tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.100",
+    "vendor_ts__anyhow-1.0.99",
    "vendor_ts__argfile-0.2.1",
    "vendor_ts__chalk-ir-0.104.0",
-    "vendor_ts__chrono-0.4.42",
-    "vendor_ts__clap-4.5.48",
+    "vendor_ts__chrono-0.4.41",
+    "vendor_ts__clap-4.5.44",
    "vendor_ts__dunce-1.0.5",
    "vendor_ts__either-1.15.0",
    "vendor_ts__encoding-0.2.33",
    "vendor_ts__figment-0.10.19",
-    "vendor_ts__flate2-1.1.2",
+    "vendor_ts__flate2-1.1.0",
    "vendor_ts__glob-0.3.3",
-    "vendor_ts__globset-0.4.16",
+    "vendor_ts__globset-0.4.15",
    "vendor_ts__itertools-0.14.0",
    "vendor_ts__lazy_static-1.5.0",
    "vendor_ts__mustache-0.9.0",
    "vendor_ts__num-traits-0.2.19",
    "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.101",
-    "vendor_ts__quote-1.0.41",
-    "vendor_ts__ra_ap_base_db-0.0.301",
-    "vendor_ts__ra_ap_cfg-0.0.301",
-    "vendor_ts__ra_ap_hir-0.0.301",
-    "vendor_ts__ra_ap_hir_def-0.0.301",
-    "vendor_ts__ra_ap_hir_expand-0.0.301",
-    "vendor_ts__ra_ap_hir_ty-0.0.301",
-    "vendor_ts__ra_ap_ide_db-0.0.301",
-    "vendor_ts__ra_ap_intern-0.0.301",
-    "vendor_ts__ra_ap_load-cargo-0.0.301",
-    "vendor_ts__ra_ap_parser-0.0.301",
-    "vendor_ts__ra_ap_paths-0.0.301",
-    "vendor_ts__ra_ap_project_model-0.0.301",
-    "vendor_ts__ra_ap_span-0.0.301",
-    "vendor_ts__ra_ap_stdx-0.0.301",
-    "vendor_ts__ra_ap_syntax-0.0.301",
-    "vendor_ts__ra_ap_vfs-0.0.301",
+    "vendor_ts__proc-macro2-1.0.97",
+    "vendor_ts__quote-1.0.40",
+    "vendor_ts__ra_ap_base_db-0.0.300",
+    "vendor_ts__ra_ap_cfg-0.0.300",
+    "vendor_ts__ra_ap_hir-0.0.300",
+    "vendor_ts__ra_ap_hir_def-0.0.300",
+    "vendor_ts__ra_ap_hir_expand-0.0.300",
+    "vendor_ts__ra_ap_hir_ty-0.0.300",
+    "vendor_ts__ra_ap_ide_db-0.0.300",
+    "vendor_ts__ra_ap_intern-0.0.300",
+    "vendor_ts__ra_ap_load-cargo-0.0.300",
+    "vendor_ts__ra_ap_parser-0.0.300",
+    "vendor_ts__ra_ap_paths-0.0.300",
+    "vendor_ts__ra_ap_project_model-0.0.300",
+    "vendor_ts__ra_ap_span-0.0.300",
+    "vendor_ts__ra_ap_stdx-0.0.300",
+    "vendor_ts__ra_ap_syntax-0.0.300",
+    "vendor_ts__ra_ap_vfs-0.0.300",
    "vendor_ts__rand-0.9.2",
-    "vendor_ts__rayon-1.11.0",
-    "vendor_ts__regex-1.11.3",
-    "vendor_ts__serde-1.0.228",
-    "vendor_ts__serde_json-1.0.145",
-    "vendor_ts__serde_with-3.14.1",
-    "vendor_ts__syn-2.0.106",
-    "vendor_ts__toml-0.9.7",
+    "vendor_ts__rayon-1.10.0",
+    "vendor_ts__regex-1.11.1",
+    "vendor_ts__serde-1.0.219",
+    "vendor_ts__serde_json-1.0.142",
+    "vendor_ts__serde_with-3.14.0",
+    "vendor_ts__syn-2.0.104",
+    "vendor_ts__toml-0.9.5",
    "vendor_ts__tracing-0.1.41",
    "vendor_ts__tracing-flame-0.2.0",
-    "vendor_ts__tracing-subscriber-0.3.20",
-    "vendor_ts__tree-sitter-0.25.9",
-    "vendor_ts__tree-sitter-embedded-template-0.25.0",
+    "vendor_ts__tracing-subscriber-0.3.19",
+    "vendor_ts__tree-sitter-0.24.6",
+    "vendor_ts__tree-sitter-embedded-template-0.23.2",
    "vendor_ts__tree-sitter-json-0.24.8",
    "vendor_ts__tree-sitter-ql-0.23.1",
    "vendor_ts__tree-sitter-ruby-0.23.1",
@@ -172,7 +172,7 @@ http_archive(
 )

 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "10.0.100")
+dotnet.toolchain(dotnet_version = "9.0.300")
 use_repo(dotnet, "dotnet_toolchains")

 register_toolchains("@dotnet_toolchains//:all")
@@ -269,16 +269,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")

-ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archive")
+lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")

-# go to https://github.com/GoogleChrome/ripunzip/releases to find latest version and corresponding sha256s
-ripunzip_archive(
-    name = "ripunzip",
-    sha256_linux = "71482d7a7e4ea9176d5596161c49250c34b136b157c45f632b1111323fbfc0de",
-    sha256_macos_arm = "604194ab13f0aba3972995d995f11002b8fc285c8170401fcd46655065df20c9",
-    sha256_macos_intel = "65367b94fd579d93d46f2d2595cc4c9a60cfcf497e3c824f9d1a7b80fa8bd38a",
-    sha256_windows = "ac3874075def2b9e5074a3b5945005ab082cc6e689e1de658da8965bc23e643e",
-    version = "2.0.4",
+lfs_archive(
+    name = "ripunzip-linux",
+    src = "//misc/ripunzip:ripunzip-Linux.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+)
+
+lfs_archive(
+    name = "ripunzip-windows",
+    src = "//misc/ripunzip:ripunzip-Windows.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+)
+
+lfs_archive(
+    name = "ripunzip-macos",
+    src = "//misc/ripunzip:ripunzip-macOS.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )

 register_toolchains(
--- a/actions/extractor/codeql-extractor.yml
+++ b/actions/extractor/codeql-extractor.yml
@@ -1,4 +1,5 @@
 name: "actions"
+aliases: []
 display_name: "GitHub Actions"
 version: 0.0.1
 column_kind: "utf16"
@@ -7,11 +8,9 @@ build_modes:
  - none
 default_queries:
  - codeql/actions-queries
-# Actions workflows are not reported separately by the GitHub API, so we can't
-# associate them with a specific language.
+file_coverage_languages: []
 github_api_languages: []
-scc_languages:
-  - YAML
+scc_languages: []
 file_types:
  - name: workflow
    display_name: GitHub Actions workflow files
--- a/actions/extractor/tools/baseline-config.json
+++ b/actions/extractor/tools/baseline-config.json
@@ -1,10 +0,0 @@
-{
-    "paths": [
-        ".github/workflows/*.yml",
-        ".github/workflows/*.yaml",
-        ".github/reusable_workflows/**/*.yml",
-        ".github/reusable_workflows/**/*.yaml",
-        "**/action.yml",
-        "**/action.yaml"
-    ]
-}
--- a/actions/extractor/tools/configure-baseline.cmd
+++ b/actions/extractor/tools/configure-baseline.cmd
@@ -1,2 +0,0 @@
-@echo off
-type "%CODEQL_EXTRACTOR_ACTIONS_ROOT%\tools\baseline-config.json"
--- a/actions/extractor/tools/configure-baseline.sh
+++ b/actions/extractor/tools/configure-baseline.sh
@@ -1,3 +0,0 @@
-#!/bin/sh
-
-cat "$CODEQL_EXTRACTOR_ACTIONS_ROOT/tools/baseline-config.json"
--- a/actions/ql/examples/codeql-pack.lock.yml
+++ b/actions/ql/examples/codeql-pack.lock.yml
@@ -1,4 +0,0 @@
---
-lockVersion: 1.0.0
-dependencies: {}
-compiled: false
--- a/actions/ql/examples/qlpack.yml
+++ b/actions/ql/examples/qlpack.yml
@@ -1,7 +0,0 @@
-name: codeql/actions-examples
-groups:
-  - actions
-  - examples
-dependencies:
-  codeql/actions-all: ${workspace}
-warnOnImplicitThis: true
--- a/actions/ql/examples/snippets/uses_pinned_sha.ql
+++ b/actions/ql/examples/snippets/uses_pinned_sha.ql
@@ -1,12 +0,0 @@
-/**
- * @name Uses step with pinned SHA
- * @description Finds 'uses' steps where the version is a pinned SHA.
- * @id actions/examples/uses-pinned-sha
- * @tags example
- */
-
-import actions
-
-from UsesStep uses
-where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
-select uses, "This 'uses' step has a pinned SHA version."
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -1,4 +1,3 @@
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -1,5 +1,4 @@
 ql/actions/ql/src/Debug/SyntaxError.ql
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -1,4 +1,3 @@
-ql/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
 ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,45 +1,3 @@
-## 0.4.26
-
-### Major Analysis Improvements
-
-* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
-
-## 0.4.25
-
-No user-facing changes.
-
-## 0.4.24
-
-No user-facing changes.
-
-## 0.4.23
-
-No user-facing changes.
-
-## 0.4.22
-
-No user-facing changes.
-
-## 0.4.21
-
-No user-facing changes.
-
-## 0.4.20
-
-No user-facing changes.
-
-## 0.4.19
-
-No user-facing changes.
-
-## 0.4.18
-
-No user-facing changes.
-
-## 0.4.17
-
-No user-facing changes.
-
 ## 0.4.16

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.17.md
+++ b/actions/ql/lib/change-notes/released/0.4.17.md
@@ -1,3 +0,0 @@
-## 0.4.17
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.18.md
+++ b/actions/ql/lib/change-notes/released/0.4.18.md
@@ -1,3 +0,0 @@
-## 0.4.18
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.19.md
+++ b/actions/ql/lib/change-notes/released/0.4.19.md
@@ -1,3 +0,0 @@
-## 0.4.19
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.20.md
+++ b/actions/ql/lib/change-notes/released/0.4.20.md
@@ -1,3 +0,0 @@
-## 0.4.20
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.21.md
+++ b/actions/ql/lib/change-notes/released/0.4.21.md
@@ -1,3 +0,0 @@
-## 0.4.21
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.22.md
+++ b/actions/ql/lib/change-notes/released/0.4.22.md
@@ -1,3 +0,0 @@
-## 0.4.22
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.23.md
+++ b/actions/ql/lib/change-notes/released/0.4.23.md
@@ -1,3 +0,0 @@
-## 0.4.23
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.24.md
+++ b/actions/ql/lib/change-notes/released/0.4.24.md
@@ -1,3 +0,0 @@
-## 0.4.24
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.25.md
+++ b/actions/ql/lib/change-notes/released/0.4.25.md
@@ -1,3 +0,0 @@
-## 0.4.25
-
-No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.26.md
+++ b/actions/ql/lib/change-notes/released/0.4.26.md
@@ -1,5 +0,0 @@
-## 0.4.26
-
-### Major Analysis Improvements
-
-* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.26
+lastReleaseVersion: 0.4.16
--- a/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll
@@ -100,6 +100,8 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {

  predicate observeDiffInformedIncrementalMode() { any() }

+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
  Location getASelectedSinkLocation(DataFlow::Node sink) {
    result = sink.getLocation()
    or
--- a/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll
@@ -333,6 +333,8 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {

  predicate observeDiffInformedIncrementalMode() { any() }

+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
  Location getASelectedSinkLocation(DataFlow::Node sink) {
    result = sink.getLocation()
    or
--- a/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll
@@ -19,7 +19,12 @@ class CodeInjectionSink extends DataFlow::Node {
 Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
  inPrivilegedContext(sink.asExpr(), result) and
  not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
-  not isGithubScriptUsingToJson(sink.asExpr())
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.asExpr() and
+    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+  )
 }

 /**
@@ -75,6 +80,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {

  predicate observeDiffInformedIncrementalMode() { any() }

+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
  Location getASelectedSinkLocation(DataFlow::Node sink) {
    result = sink.getLocation()
    or
@@ -86,38 +93,3 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {

 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
-
-/**
- * Holds if there is a code injection flow from `source` to `sink` with
- * critical severity, linked by `event`.
- */
-predicate criticalSeverityCodeInjection(
-  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-) {
-  CodeInjectionFlow::flowPath(source, sink) and
-  event = getRelevantCriticalEventForSink(sink.getNode()) and
-  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
-}
-
-/**
- * Holds if there is a code injection flow from `source` to `sink` with medium severity.
- */
-predicate mediumSeverityCodeInjection(
-  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-) {
-  CodeInjectionFlow::flowPath(source, sink) and
-  not criticalSeverityCodeInjection(source, sink, _) and
-  not isGithubScriptUsingToJson(sink.getNode().asExpr())
-}
-
-/**
- * Holds if `expr` is the `script` input to `actions/github-script` and it uses
- * `toJson`.
- */
-predicate isGithubScriptUsingToJson(Expression expr) {
-  exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = expr and
-    exists(getAToJsonReferenceExpression(expr.getExpression(), _))
-  )
-}
--- a/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll
@@ -130,6 +130,8 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {

  predicate observeDiffInformedIncrementalMode() { any() }

+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
  Location getASelectedSinkLocation(DataFlow::Node sink) {
    result = sink.getLocation()
    or
--- a/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll
@@ -184,6 +184,8 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {

  predicate observeDiffInformedIncrementalMode() { any() }

+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
  Location getASelectedSinkLocation(DataFlow::Node sink) {
    result = sink.getLocation()
    or
--- a/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll
@@ -212,6 +212,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
  }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */
--- a/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll
@@ -18,6 +18,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */
--- a/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
+++ b/actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll
@@ -17,6 +17,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
  predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.26
+version: 0.4.17-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,45 +1,3 @@
-## 0.6.18
-
-No user-facing changes.
-
-## 0.6.17
-
-No user-facing changes.
-
-## 0.6.16
-
-No user-facing changes.
-
-## 0.6.15
-
-No user-facing changes.
-
-## 0.6.14
-
-No user-facing changes.
-
-## 0.6.13
-
-No user-facing changes.
-
-## 0.6.12
-
-No user-facing changes.
-
-## 0.6.11
-
-No user-facing changes.
-
-## 0.6.10
-
-No user-facing changes.
-
-## 0.6.9
-
-### Minor Analysis Improvements
-
-* Actions analysis now reports file coverage information on the CodeQL status page.
-
 ## 0.6.8

 No user-facing changes.
--- a/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+++ b/actions/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
@@ -1,13 +0,0 @@
-/**
- * @id actions/diagnostics/successfully-extracted-files
- * @name Extracted files
- * @description List all files that were extracted.
- * @kind diagnostic
- * @tags successfully-extracted-files
- */
-
-private import codeql.Locations
-
-from File f
-where exists(f.getRelativePath())
-select f, ""
--- a/actions/ql/src/Models/CompositeActionsSinks.ql
+++ b/actions/ql/src/Models/CompositeActionsSinks.ql
@@ -26,6 +26,8 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 module MyFlow = TaintTracking::Global<MyConfig>;
--- a/actions/ql/src/Models/CompositeActionsSources.ql
+++ b/actions/ql/src/Models/CompositeActionsSources.ql
@@ -36,6 +36,8 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 module MyFlow = TaintTracking::Global<MyConfig>;
--- a/actions/ql/src/Models/CompositeActionsSummaries.ql
+++ b/actions/ql/src/Models/CompositeActionsSummaries.ql
@@ -27,6 +27,8 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 module MyFlow = TaintTracking::Global<MyConfig>;
--- a/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -26,6 +26,8 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 module MyFlow = TaintTracking::Global<MyConfig>;
--- a/actions/ql/src/Models/ReusableWorkflowsSources.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSources.ql
@@ -36,6 +36,8 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 module MyFlow = TaintTracking::Global<MyConfig>;
--- a/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
@@ -27,6 +27,8 @@ private module MyConfig implements DataFlow::ConfigSig {
  }

  predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }

 module MyFlow = TaintTracking::Global<MyConfig>;
--- a/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
@@ -20,7 +20,10 @@ import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks

 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-where criticalSeverityCodeInjection(source, sink, event)
+where
+  CodeInjectionFlow::flowPath(source, sink) and
+  event = getRelevantCriticalEventForSink(sink.getNode()) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
 select sink.getNode(), source, sink,
  "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
  sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()
--- a/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+++ b/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
@@ -19,7 +19,15 @@ import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph

 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-where mediumSeverityCodeInjection(source, sink)
+where
+  CodeInjectionFlow::flowPath(source, sink) and
+  inNonPrivilegedContext(sink.getNode().asExpr()) and
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.getNode().asExpr() and
+    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
+  )
 select sink.getNode(), source, sink,
  "Potential code injection in $@, which may be controlled by an external user.", sink,
  sink.getNode().asExpr().(Expression).getRawExpression()
--- a/actions/ql/src/Security/CWE-275/MissingActionsPermissions.md
+++ b/actions/ql/src/Security/CWE-275/MissingActionsPermissions.md
@@ -2,8 +2,6 @@

 If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`.

-Note that this query cannot check whether the organization or repository token settings are set to read-only. However, even if they are, it is recommended to define explicit permissions (`contents: read` and `packages: read` are equivalent to the read-only default) so that (a) the actual needs of the workflow are documented, and (b) the permissions will remain restricted if the default is subsequently changed, or the workflow is copied to a different repository or organization.
-
 ## Recommendation

 Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task.
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md
@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md
@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
+++ b/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md
@@ -32,7 +32,7 @@ jobs:

      - uses: actions/setup-node@v1
      - run: |
-          npm install # scripts in package.json from PR would be executed here
+          npm install # scripts in package.json from PR would be executed here
          npm build

      - uses: completely/fakeaction@v2
--- a/actions/ql/src/change-notes/released/0.6.10.md
+++ b/actions/ql/src/change-notes/released/0.6.10.md
@@ -1,3 +0,0 @@
-## 0.6.10
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.11.md
+++ b/actions/ql/src/change-notes/released/0.6.11.md
@@ -1,3 +0,0 @@
-## 0.6.11
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.12.md
+++ b/actions/ql/src/change-notes/released/0.6.12.md
@@ -1,3 +0,0 @@
-## 0.6.12
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.13.md
+++ b/actions/ql/src/change-notes/released/0.6.13.md
@@ -1,3 +0,0 @@
-## 0.6.13
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.14.md
+++ b/actions/ql/src/change-notes/released/0.6.14.md
@@ -1,3 +0,0 @@
-## 0.6.14
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.15.md
+++ b/actions/ql/src/change-notes/released/0.6.15.md
@@ -1,3 +0,0 @@
-## 0.6.15
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.16.md
+++ b/actions/ql/src/change-notes/released/0.6.16.md
@@ -1,3 +0,0 @@
-## 0.6.16
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.17.md
+++ b/actions/ql/src/change-notes/released/0.6.17.md
@@ -1,3 +0,0 @@
-## 0.6.17
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.18.md
+++ b/actions/ql/src/change-notes/released/0.6.18.md
@@ -1,3 +0,0 @@
-## 0.6.18
-
-No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.9.md
+++ b/actions/ql/src/change-notes/released/0.6.9.md
@@ -1,5 +0,0 @@
-## 0.6.9
-
-### Minor Analysis Improvements
-
-* Actions analysis now reports file coverage information on the CodeQL status page.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.18
+lastReleaseVersion: 0.6.8
--- a/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
+++ b/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
@@ -19,5 +19,5 @@ import SecretExfiltrationFlow::PathGraph
 from SecretExfiltrationFlow::PathNode source, SecretExfiltrationFlow::PathNode sink
 where SecretExfiltrationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource.",
+  "Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource.",
  sink, sink.getNode().asExpr().(Expression).getRawExpression()
--- a/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+++ b/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
@@ -1,5 +1,5 @@
 /**
- * @name Artifact Poisoning (Path Traversal)
+ * @name Artifact Poisoning (Path Traversal).
 * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
 * @kind problem
 * @problem.severity error
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.18
+version: 0.6.9-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml
+++ b/actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml
@@ -1,18 +0,0 @@
-on:
-  push:
-  workflow_dispatch:
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.commits[11].message }}'
-    - run: echo '${{ github.event.commits[11].author.email }}'
-    - run: echo '${{ github.event.commits[11].author.name }}'
-    - run: echo '${{ github.event.head_commit.message }}'
-    - run: echo '${{ github.event.head_commit.author.email }}'
-    - run: echo '${{ github.event.head_commit.author.name }}'
-    - run: echo '${{ github.event.head_commit.committer.email }}'
-    - run: echo '${{ github.event.head_commit.committer.name }}'
-    - run: echo '${{ github.event.commits[11].committer.email }}'
-    - run: echo '${{ github.event.commits[11].committer.name }}'
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected
@@ -435,16 +435,6 @@ nodes
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
--- a/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
+++ b/actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected
@@ -435,16 +435,6 @@ nodes
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
@@ -729,16 +719,6 @@ subpaths
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
 | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} |
 | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} |
@@ -749,10 +729,6 @@ subpaths
 | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
-| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
--- a/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
+++ b/actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected
@@ -3,4 +3,4 @@ nodes
 | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 subpaths
 #select
-| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
+| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
--- a/config/add-overlay-annotations.py
+++ b/config/add-overlay-annotations.py
@@ -177,12 +177,6 @@ def insert_overlay_caller_annotations(lines):
        out_lines.append(line)
    return out_lines

-explicitly_global = set([
-    "java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll",
-    "java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll",
-    "java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll",
-    "java/ql/lib/semmle/code/java/dispatch/internal/Unification.qll",
-])

 def annotate_as_appropriate(filename, lines):
    '''
@@ -202,9 +196,6 @@ def annotate_as_appropriate(filename, lines):
        ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
         any("implements DataFlow::ConfigSig" in line for line in lines))):
        return None
-    elif filename in explicitly_global:
-        # These files are explicitly global and should not be annotated.
-        return None
    elif not any(line for line in lines if line.strip()):
        return None

--- a/config/dbscheme-fragments.json
+++ b/config/dbscheme-fragments.json
@@ -9,7 +9,6 @@
  "fragments": [
    "/*- Compilations -*/",
    "/*- External data -*/",
-    "/*- Overlay support -*/",
    "/*- Files and folders -*/",
    "/*- Diagnostic messages -*/",
    "/*- Diagnostic messages: severity -*/",
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -276,13 +276,5 @@
  "Python model summaries test extension": [
    "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
    "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
-  ],
-  "XML discard predicates": [
-    "javascript/ql/lib/semmle/javascript/internal/OverlayXml.qll",
-    "java/ql/lib/semmle/code/java/internal/OverlayXml.qll",
-    "go/ql/lib/semmle/go/internal/OverlayXml.qll",
-    "python/ql/lib/semmle/python/internal/OverlayXml.qll",
-    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll",
-    "cpp/ql/lib/semmle/code/cpp/internal/OverlayXml.qll"
  ]
 }
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql
@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 394 <= kind and kind <= 396)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/old.dbscheme
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/old.dbscheme
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties
@@ -1,4 +0,0 @@
-description: Add new builtin operations and this parameter access table
-compatibility: partial
-exprs.rel: run exprs.qlo
-param_ref_to_this.rel: delete
--- a/cpp/downgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/old.dbscheme
+++ b/cpp/downgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/old.dbscheme
--- a/cpp/downgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/upgrade.properties
+++ b/cpp/downgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/upgrade.properties
@@ -1,3 +0,0 @@
-description: Support expanded compilation argument lists
-compatibility: full
-compilation_expanded_args.rel: delete
--- a/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/old.dbscheme
+++ b/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/old.dbscheme
--- a/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/upgrade.properties
+++ b/cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/upgrade.properties
@@ -1,2 +0,0 @@
-description: Fix decltype qualifier issue
-compatibility: full
--- a/cpp/downgrades/a42ce5fc943254097f85471b94ae2247e819104a/old.dbscheme
+++ b/cpp/downgrades/a42ce5fc943254097f85471b94ae2247e819104a/old.dbscheme
--- a/cpp/downgrades/a42ce5fc943254097f85471b94ae2247e819104a/semmlecode.dbscheme
+++ b/cpp/downgrades/a42ce5fc943254097f85471b94ae2247e819104a/semmlecode.dbscheme
--- a/cpp/downgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties
+++ b/cpp/downgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties
@@ -1,4 +0,0 @@
-description: Add databaseMetadata and overlayChangedFiles relations
-compatibility: full
-databaseMetadata.rel: delete
-overlayChangedFiles.rel: delete
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
@@ -1,2 +0,0 @@
-description: Remove _Decimal{32,64,128} types
-compatibility: full
--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -7,10 +7,12 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
 ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
 ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
 ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
 ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -28,6 +30,7 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
 ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
 ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
 ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
 ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
 ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
 ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -40,6 +43,7 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
 ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
 ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,83 +1,3 @@
-## 7.0.0
-
-### Breaking Changes
-
-* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
-
-### Deprecated APIs
-
-* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
-
-### New Features
-
-* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
-* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
-* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
-
-### Minor Analysis Improvements
-
-* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
-
-### Bug Fixes
-
-* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.
-
-## 6.1.4
-
-No user-facing changes.
-
-## 6.1.3
-
-No user-facing changes.
-
-## 6.1.2
-
-No user-facing changes.
-
-## 6.1.1
-
-### Minor Analysis Improvements
-
-* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.
-
-## 6.1.0
-
-### New Features
-
-* New predicates `getAnExpandedArgument` and `getExpandedArgument` were added to the `Compilation` class, yielding compilation arguments after expansion of response files.
-
-### Bug Fixes
-
-* Improve performance of the range analysis in cases where it would otherwise take an exorbitant amount of time.
-
-## 6.0.1
-
-No user-facing changes.
-
-## 6.0.0
-
-### Breaking Changes
-
-* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
-
-### New Features
-
-* C/C++ `build-mode: none` support is now generally available.
-
-## 5.6.1
-
-No user-facing changes.
-
-## 5.6.0
-
-### Deprecated APIs
-
-* The predicate `getAContructorCall` in the class `SslContextClass` has been deprecated. Use `getAConstructorCall` instead.
-
-### New Features
-
-* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type is defined in terms of another `VlaDeclStmt` via a `typedef`.
-
 ## 5.5.0

 ### New Features
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Paolo Tranquilli	956209f5c9	Bazel: patch `rules_dotnet` to avoid unit test failure	2025-09-04 16:32:20 +02:00
Michael Nebel	4079db755d	C#: Update integration tests expected output.	2025-09-04 10:02:04 +02:00
Michael Nebel	fff267075c	C#: Update global.json files for most integration tests to se .NET SDK 9.0.304.	2025-09-04 10:02:02 +02:00
Paolo Tranquilli	a3569f5543	Bazel: fix `codeql_csharp_binary` A `publish` directory for a C# binary contains copies of some DLLs inside localized subdirectories (e.g. `ru`). We want to ignore those, as otherwise our packaging machinery now goes haywire, with the newer version of `rules_csharp`. In any case we never shipped those.	2025-09-04 10:02:01 +02:00
Michael Nebel	589fbd35cf	C#: Update extractor to use .NET Runtime 9.0.5 and .NET SDK 9.0.300.	2025-09-04 08:11:41 +02:00
@@ -1 +1 @@
 .4.2
 .1.1