Fix QL-for-QL alerts

Fix generic creation/init/use flow barrier logic: the barrier was previously cipher-specific inside a generic module, and other instances would therefore get no re-init barrier.

.bazelrc

@@ -11,6 +11,8 @@ build --compilation_mode opt
 common --override_module=semmle_code=%workspace%/misc/bazel/semmle_code_stub
 
 build --repo_env=CC=clang --repo_env=CXX=clang++
+# Disable Android SDK auto-detection (we don't use it, and rules_android has Bazel 9 compatibility issues)
+build --repo_env=ANDROID_HOME=
 
 # print test output, like sembuild does.
 # Set to `errors` if this is too verbose.
@@ -34,7 +36,7 @@ common --@rules_dotnet//dotnet/settings:strict_deps=false
 common --@rules_rust//rust/toolchain/channel=nightly
 
 # Reduce this eventually to empty, once we've fixed all our usages of java, and https://github.com/bazel-contrib/rules_go/issues/4193 is fixed
-common --incompatible_autoload_externally="+@rules_java,+@rules_shell"
+common --incompatible_autoload_externally="+@rules_cc,+@rules_java,+@rules_shell"
 
 build --java_language_version=17
 build --tool_java_language_version=17

.bazelversion

@@ -1 +1 @@
-8.4.2
+9.0.0

MODULE.bazel

@@ -15,20 +15,22 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_go", version = "0.56.1")
+bazel_dep(name = "rules_cc", version = "0.2.16")
+bazel_dep(name = "rules_go", version = "0.59.0")
+bazel_dep(name = "rules_java", version = "9.0.3")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
-bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
+bazel_dep(name = "rules_nodejs", version = "6.7.3")
 bazel_dep(name = "rules_python", version = "0.40.0")
 bazel_dep(name = "rules_shell", version = "0.5.0")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
-bazel_dep(name = "rules_kotlin", version = "2.2.0-codeql.1")
-bazel_dep(name = "gazelle", version = "0.40.0")
+bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
+bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.66.0")
+bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -41,7 +43,7 @@ RUST_EDITION = "2024"
 # a nightly toolchain is required to enable experimental_use_cc_common_link, which we require internally
 # we prefer to run the same version as internally, even if experimental_use_cc_common_link is not really
 # required in this repo
-RUST_VERSION = "nightly/2025-08-01"
+RUST_VERSION = "nightly/2026-01-22"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -53,26 +55,26 @@ rust.toolchain(
     ],
     # generated by buildutils-internal/scripts/fill-rust-sha256s.py (internal repo)
     sha256s = {
-        "2025-08-01/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "9bbeaf5d3fc7247d31463a9083aa251c995cc50662c8219e7a2254d76a72a9a4",
-        "2025-08-01/rustc-nightly-x86_64-apple-darwin.tar.xz": "c9ea539a8eff0d5d162701f99f9e1aabe14dd0dfb420d62362817a5d09219de7",
-        "2025-08-01/rustc-nightly-aarch64-apple-darwin.tar.xz": "ae83feebbc39cfd982e4ecc8297731fe79c185173aee138467b334c5404b3773",
-        "2025-08-01/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "9f170c30d802a349be60cf52ec46260802093cb1013ad667fc0d528b7b10152f",
-        "2025-08-01/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "9ae5f3cd8f557c4f6df522597c69d14398cf604cfaed2b83e767c4b77a7eaaf6",
-        "2025-08-01/clippy-nightly-x86_64-apple-darwin.tar.xz": "983cb9ee0b6b968188e04ab2d33743d54764b2681ce565e1b3f2b9135c696a3e",
-        "2025-08-01/clippy-nightly-aarch64-apple-darwin.tar.xz": "ed2219dbc49d088225e1b7c5c4390fa295066e071fddaa2714018f6bb39ddbf0",
-        "2025-08-01/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "911f40ab5cbdd686f40e00965271fe47c4805513a308ed01f30eafb25b448a50",
-        "2025-08-01/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "106463c284e48e4904c717471eeec2be5cc83a9d2cae8d6e948b52438cad2e69",
-        "2025-08-01/cargo-nightly-x86_64-apple-darwin.tar.xz": "6ad35c40efc41a8c531ea43235058347b6902d98a9693bf0aed7fc16d5590cef",
-        "2025-08-01/cargo-nightly-aarch64-apple-darwin.tar.xz": "dd28c365e9d298abc3154c797720ad36a0058f131265c9978b4c8e4e37012c8a",
-        "2025-08-01/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "7b431286e12d6b3834b038f078389a00cac73f351e8c3152b2504a3c06420b3b",
-        "2025-08-01/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "e342e305d7927cc288d386983b2bc253cfad3776b113386e903d0b302648ef47",
-        "2025-08-01/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "e44dd3506524d85c37b3a54bcc91d01378fd2c590b2db5c5974d12f05c1b84d1",
-        "2025-08-01/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "0c1b5f46dd81be4a9227b10283a0fcaa39c14fea7e81aea6fd6d9887ff6cdc41",
-        "2025-08-01/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "423e5fd11406adccbc31b8456ceb7375ce055cdf45e90d2c3babeb2d7f58383f",
-        "2025-08-01/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "3c0ceb46a252647a1d4c7116d9ccae684fa5e42aaf3296419febd2c962c3b41d",
-        "2025-08-01/rust-std-nightly-x86_64-apple-darwin.tar.xz": "3be416003cab10f767390a753d1d16ae4d26c7421c03c98992cf1943e5b0efe8",
-        "2025-08-01/rust-std-nightly-aarch64-apple-darwin.tar.xz": "4046ac0ef951cb056b5028a399124f60999fa37792eab69d008d8d7965f389b4",
-        "2025-08-01/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "191ed9d8603c3a4fe5a7bbbc2feb72049078dae2df3d3b7d5dedf3abbf823e6e",
+        "2026-01-22/rustc-nightly-x86_64-unknown-linux-gnu.tar.xz": "88db619323cc1321630d124efa51ed02fabc5e020f08cfa0eda2c0ac1afbe69a",
+        "2026-01-22/rustc-nightly-x86_64-apple-darwin.tar.xz": "08484da3fa38db56f93629aeabdc0ae9ff8ed9704c0792d35259cbc849b3f54c",
+        "2026-01-22/rustc-nightly-aarch64-apple-darwin.tar.xz": "a39c0b21b7058e364ea1bd43144e42e4bf1efade036b2e82455f2afce194ee81",
+        "2026-01-22/rustc-nightly-x86_64-pc-windows-msvc.tar.xz": "d00248ee9850dbb6932b2578e32ff74fc7c429854c1aa071066ca31b65385a3b",
+        "2026-01-22/clippy-nightly-x86_64-unknown-linux-gnu.tar.xz": "70656a0ce994ffff16d5a35a7b170a0acd41e9bb54a589c96ed45bf97b094a4d",
+        "2026-01-22/clippy-nightly-x86_64-apple-darwin.tar.xz": "fe242519fa961522734733009705aec3c2d9a20cc57291f2aa614e5e6262c88f",
+        "2026-01-22/clippy-nightly-aarch64-apple-darwin.tar.xz": "38bb226363ec97c9722edf966cd58774a683e19fd2ff2a6030094445d51e06f9",
+        "2026-01-22/clippy-nightly-x86_64-pc-windows-msvc.tar.xz": "6da9b4470beea67abfebf046f141eee0d2a8db7c7a9e4e2294478734fd477228",
+        "2026-01-22/cargo-nightly-x86_64-unknown-linux-gnu.tar.xz": "99004e9d10c43a01499642f53bb3184d41137a95d65bfb217098840a9e79e892",
+        "2026-01-22/cargo-nightly-x86_64-apple-darwin.tar.xz": "6e021394cf8d8400ac6cfdfcef24e4d74f988e91eb8028b36de3a64ce3502990",
+        "2026-01-22/cargo-nightly-aarch64-apple-darwin.tar.xz": "4b2494cb69ab64132cddbc411a38ea9f1105e54d6f986e43168d54f79510c673",
+        "2026-01-22/cargo-nightly-x86_64-pc-windows-msvc.tar.xz": "c36613cf57407212d10d37b76e49a60ff42336e953cdff9e177283f530a83fc1",
+        "2026-01-22/llvm-tools-nightly-x86_64-unknown-linux-gnu.tar.xz": "0b123c5027dbd833aae6845ffe9bd07d309bf798746a7176aadaea68fbcbd05d",
+        "2026-01-22/llvm-tools-nightly-x86_64-apple-darwin.tar.xz": "a47864491ad5619158c950ab7570fb6e487d5117338585c27334d45824b406d8",
+        "2026-01-22/llvm-tools-nightly-aarch64-apple-darwin.tar.xz": "db9bc826d6e2e7e914505d50157682e516ceb90357e83d77abddc32c2d962f41",
+        "2026-01-22/llvm-tools-nightly-x86_64-pc-windows-msvc.tar.xz": "ffaa406932b2fe62e01dad61cf4ed34860a5d2a6f9306ca340d79e630d930039",
+        "2026-01-22/rust-std-nightly-x86_64-unknown-linux-gnu.tar.xz": "e9c0d5e06e18a4b509391b3088f29293e310cdc8ccc865be8fa3f09733326925",
+        "2026-01-22/rust-std-nightly-x86_64-apple-darwin.tar.xz": "25d75995cee679a4828ca9fe48c5a31a67c3b0846018440ef912e5a6208f53f6",
+        "2026-01-22/rust-std-nightly-aarch64-apple-darwin.tar.xz": "e4132bf3f2eed4684c86756a02315bcf481c23e675e3e25630fc604c9cb4594c",
+        "2026-01-22/rust-std-nightly-x86_64-pc-windows-msvc.tar.xz": "961bb535ef95ae8a5fa4e224cb94aff190f155c45a9bcf7a53e184b024aa41b1",
     },
     versions = [RUST_VERSION],
 )
@@ -188,6 +190,15 @@ pip.parse(
 )
 use_repo(pip, "codegen_deps")
 
+python = use_extension("@rules_python//python/extensions:python.bzl", "python")
+python.toolchain(
+    is_default = True,
+    python_version = "3.12",
+)
+use_repo(python, "python_3_12", "python_versions")
+
+register_toolchains("@python_versions//3.12:all")
+
 swift_deps = use_extension("//swift/third_party:load.bzl", "swift_deps")
 
 # following list can be kept in sync with `bazel mod tidy`

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.28
+version: 0.4.29-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.20
+version: 0.6.21-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/change-notes/2026-02-06-UncheckedLeapYearAfterModification_Refactor.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Refactored the "Year field changed using an arithmetic operation without checking for leap year" query (`cpp/leap-year/unchecked-after-arithmetic-year-modification`) to address large numbers of false positive results.

cpp/ql/lib/change-notes/2026-02-14-must-flow-fix.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The `allowInterproceduralFlow` predicate of must-flow data flow configurations now correctly handles direct recursion.

cpp/ql/lib/change-notes/2026-02-14-must-flow.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* `MustFlow`, the inter-procedural must-flow data flow analysis library, has been re-worked to use parameterized modules. Like in the case of data flow and taint tracking, instead of extending the `MustFlowConfiguration` class, the user should now implement a module with the `MustFlow::ConfigSig` signature, and instantiate the `MustFlow::Global` parameterized module with the implemented module.

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 7.1.1
+version: 7.1.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/commons/DateTime.qll

@@ -14,7 +14,9 @@ class PackedTimeType extends Type {
   }
 }
 
-private predicate timeType(string typeName) { typeName = ["_SYSTEMTIME", "SYSTEMTIME", "tm"] }
+private predicate timeType(string typeName) {
+  typeName = ["_SYSTEMTIME", "SYSTEMTIME", "tm", "TIME_FIELDS", "_TIME_FIELDS", "PTIME_FIELDS"]
+}
 
 /**
  * A type that is used to represent times and dates in an 'unpacked' form, that is,
@@ -95,3 +97,24 @@ class StructTmMonthFieldAccess extends MonthFieldAccess {
 class StructTmYearFieldAccess extends YearFieldAccess {
   StructTmYearFieldAccess() { this.getTarget().getName() = "tm_year" }
 }
+
+/**
+ * A `DayFieldAccess` for the `TIME_FIELDS` struct.
+ */
+class TimeFieldsDayFieldAccess extends DayFieldAccess {
+  TimeFieldsDayFieldAccess() { this.getTarget().getName() = "Day" }
+}
+
+/**
+ * A `MonthFieldAccess` for the `TIME_FIELDS` struct.
+ */
+class TimeFieldsMonthFieldAccess extends MonthFieldAccess {
+  TimeFieldsMonthFieldAccess() { this.getTarget().getName() = "Month" }
+}
+
+/**
+ * A `YearFieldAccess` for the `TIME_FIELDS` struct.
+ */
+class TimeFieldsYearFieldAccess extends YearFieldAccess {
+  TimeFieldsYearFieldAccess() { this.getTarget().getName() = "Year" }
+}

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -34,6 +34,38 @@ private string getSingleLocationFilePath(@element e) {
     macroinvocations(e, _, loc, _)
     or
     preprocdirects(e, _, loc)
+    or
+    diagnostics(e, _, _, _, _, loc)
+    or
+    usings(e, _, loc, _)
+    or
+    static_asserts(e, _, _, loc, _)
+    or
+    derivations(e, _, _, _, loc)
+    or
+    frienddecls(e, _, _, loc)
+    or
+    comments(e, _, loc)
+    or
+    exprs(e, _, loc)
+    or
+    stmts(e, _, loc)
+    or
+    initialisers(e, _, _, loc)
+    or
+    attributes(e, _, _, _, loc)
+    or
+    attribute_args(e, _, _, _, loc)
+    or
+    namequalifiers(e, _, _, loc)
+    or
+    enumconstants(e, _, _, _, _, loc)
+    or
+    type_mentions(e, _, loc, _)
+    or
+    lambda_capture(e, _, _, _, _, _, loc)
+    or
+    concept_templates(e, _, loc)
   |
     result = getLocationFilePath(loc)
   )

cpp/ql/lib/semmle/code/cpp/ir/dataflow/MustFlow.qll

@@ -8,81 +8,143 @@ private import cpp
 private import semmle.code.cpp.ir.IR
 
 /**
- * A configuration of a data flow analysis that performs must-flow analysis. This is different
- * from `DataFlow.qll` which performs may-flow analysis (i.e., it finds paths where the source _may_
- * flow to the sink).
- *
- * Like in `DataFlow.qll`, each use of the `MustFlow.qll` library must define its own unique extension
- * of this abstract class. To create a configuration, extend this class with a subclass whose
- * characteristic predicate is a unique singleton string and override `isSource`, `isSink` (and
- * `isAdditionalFlowStep` if additional steps are required).
+ * Provides an inter-procedural must-flow data flow analysis.
  */
-abstract class MustFlowConfiguration extends string {
-  bindingset[this]
-  MustFlowConfiguration() { any() }
-
+module MustFlow {
   /**
-   * Holds if `source` is a relevant data flow source.
+   * An input configuration of a data flow analysis that performs must-flow analysis. This is different
+   * from `DataFlow.qll` which performs may-flow analysis (i.e., it finds paths where the source _may_
+   * flow to the sink).
    */
-  abstract predicate isSource(Instruction source);
+  signature module ConfigSig {
+    /**
+     * Holds if `source` is a relevant data flow source.
+     */
+    predicate isSource(Instruction source);
 
-  /**
-   * Holds if `sink` is a relevant data flow sink.
-   */
-  abstract predicate isSink(Operand sink);
+    /**
+     * Holds if `sink` is a relevant data flow sink.
+     */
+    predicate isSink(Operand sink);
 
-  /**
-   * Holds if data flow through `instr` is prohibited.
-   */
-  predicate isBarrier(Instruction instr) { none() }
+    /**
+     * Holds if data flow through `instr` is prohibited.
+     */
+    default predicate isBarrier(Instruction instr) { none() }
 
-  /**
-   * Holds if the additional flow step from `node1` to `node2` must be taken
-   * into account in the analysis.
-   */
-  predicate isAdditionalFlowStep(Operand node1, Instruction node2) { none() }
+    /**
+     * Holds if the additional flow step from `node1` to `node2` must be taken
+     * into account in the analysis.
+     */
+    default predicate isAdditionalFlowStep(Operand node1, Instruction node2) { none() }
 
-  /** Holds if this configuration allows flow from arguments to parameters. */
-  predicate allowInterproceduralFlow() { any() }
-
-  /**
-   * Holds if data must flow from `source` to `sink` for this configuration.
-   *
-   * The corresponding paths are generated from the end-points and the graph
-   * included in the module `PathGraph`.
-   */
-  final predicate hasFlowPath(MustFlowPathNode source, MustFlowPathSink sink) {
-    this.isSource(source.getInstruction()) and
-    source.getASuccessor*() = sink
+    /** Holds if this configuration allows flow from arguments to parameters. */
+    default predicate allowInterproceduralFlow() { any() }
   }
-}
 
-/** Holds if `node` flows from a source. */
-pragma[nomagic]
-private predicate flowsFromSource(Instruction node, MustFlowConfiguration config) {
-  not config.isBarrier(node) and
-  (
-    config.isSource(node)
-    or
-    exists(Instruction mid |
-      step(mid, node, config) and
-      flowsFromSource(mid, pragma[only_bind_into](config))
-    )
-  )
-}
+  /**
+   * Constructs a global must-flow computation.
+   */
+  module Global<ConfigSig Config> {
+    import Config
 
-/** Holds if `node` flows to a sink. */
-pragma[nomagic]
-private predicate flowsToSink(Instruction node, MustFlowConfiguration config) {
-  flowsFromSource(node, pragma[only_bind_into](config)) and
-  (
-    config.isSink(node.getAUse())
-    or
-    exists(Instruction mid |
-      step(node, mid, config) and
-      flowsToSink(mid, pragma[only_bind_into](config))
-    )
-  )
+    /**
+     * Holds if data must flow from `source` to `sink`.
+     *
+     * The corresponding paths are generated from the end-points and the graph
+     * included in the module `PathGraph`.
+     */
+    predicate flowPath(PathNode source, PathSink sink) {
+      isSource(source.getInstruction()) and
+      source.getASuccessor*() = sink
+    }
+
+    /** Holds if `node` flows from a source. */
+    pragma[nomagic]
+    private predicate flowsFromSource(Instruction node) {
+      not isBarrier(node) and
+      (
+        isSource(node)
+        or
+        exists(Instruction mid |
+          step(mid, node) and
+          flowsFromSource(mid)
+        )
+      )
+    }
+
+    /** Holds if `node` flows to a sink. */
+    pragma[nomagic]
+    private predicate flowsToSink(Instruction node) {
+      flowsFromSource(node) and
+      (
+        isSink(node.getAUse())
+        or
+        exists(Instruction mid |
+          step(node, mid) and
+          flowsToSink(mid)
+        )
+      )
+    }
+
+    /** Holds if `nodeFrom` flows to `nodeTo`. */
+    private predicate step(Instruction nodeFrom, Instruction nodeTo) {
+      Cached::localStep(nodeFrom, nodeTo)
+      or
+      allowInterproceduralFlow() and
+      Cached::flowThroughCallable(nodeFrom, nodeTo)
+      or
+      isAdditionalFlowStep(nodeFrom.getAUse(), nodeTo)
+    }
+
+    private newtype TLocalPathNode =
+      MkLocalPathNode(Instruction n) {
+        flowsToSink(n) and
+        (
+          isSource(n)
+          or
+          exists(PathNode mid | step(mid.getInstruction(), n))
+        )
+      }
+
+    /** A `Node` that is in a path from a source to a sink. */
+    class PathNode extends TLocalPathNode {
+      Instruction n;
+
+      PathNode() { this = MkLocalPathNode(n) }
+
+      /** Gets the underlying node. */
+      Instruction getInstruction() { result = n }
+
+      /** Gets a textual representation of this node. */
+      string toString() { result = n.getAst().toString() }
+
+      /** Gets the location of this element. */
+      Location getLocation() { result = n.getLocation() }
+
+      /** Gets a successor node, if any. */
+      PathNode getASuccessor() { step(this.getInstruction(), result.getInstruction()) }
+    }
+
+    private class PathSink extends PathNode {
+      PathSink() { isSink(this.getInstruction().getAUse()) }
+    }
+
+    /**
+     * Provides the query predicates needed to include a graph in a path-problem query.
+     */
+    module PathGraph {
+      private predicate reach(PathNode n) { n instanceof PathSink or reach(n.getASuccessor()) }
+
+      /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
+      query predicate edges(PathNode a, PathNode b) { a.getASuccessor() = b and reach(b) }
+
+      /** Holds if `n` is a node in the graph of data flow path explanations. */
+      query predicate nodes(PathNode n, string key, string val) {
+        reach(n) and key = "semmle.label" and val = n.toString()
+      }
+    }
+  }
 }
 
 cached
@@ -102,7 +164,7 @@ private module Cached {
     not f.isVirtual() and
     call.getPositionalArgument(n) = instr and
     f = call.getStaticCallTarget() and
-    getEnclosingNonVirtualFunctionInitializeParameter(init, f) and
+    isEnclosingNonVirtualFunctionInitializeParameter(init, f) and
     init.getParameter().getIndex() = pragma[only_bind_into](pragma[only_bind_out](n))
   }
 
@@ -111,7 +173,7 @@ private module Cached {
    * corresponding initialization instruction that receives the value of `instr` in `f`.
    */
   pragma[noinline]
-  private predicate getPositionalArgumentInitParam(
+  private predicate isPositionalArgumentInitParam(
     CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f
   ) {
     exists(int n |
@@ -126,18 +188,18 @@ private module Cached {
    * `instr` in `f`.
    */
   pragma[noinline]
-  private predicate getThisArgumentInitParam(
+  private predicate isThisArgumentInitParam(
     CallInstruction call, Instruction instr, InitializeParameterInstruction init, Function f
   ) {
     not f.isVirtual() and
     call.getStaticCallTarget() = f and
-    getEnclosingNonVirtualFunctionInitializeParameter(init, f) and
+    isEnclosingNonVirtualFunctionInitializeParameter(init, f) and
     call.getThisArgument() = instr and
     init.getIRVariable() instanceof IRThisVariable
   }
 
   /** Holds if `f` is the enclosing non-virtual function of `init`. */
-  private predicate getEnclosingNonVirtualFunctionInitializeParameter(
+  private predicate isEnclosingNonVirtualFunctionInitializeParameter(
     InitializeParameterInstruction init, Function f
   ) {
     not f.isVirtual() and
@@ -145,7 +207,7 @@ private module Cached {
   }
 
   /** Holds if `f` is the enclosing non-virtual function of `init`. */
-  private predicate getEnclosingNonVirtualFunctionInitializeIndirection(
+  private predicate isEnclosingNonVirtualFunctionInitializeIndirection(
     InitializeIndirectionInstruction init, Function f
   ) {
     not f.isVirtual() and
@@ -153,15 +215,16 @@ private module Cached {
   }
 
   /**
-   * Holds if `instr` is an argument (or argument indirection) to a call, and
-   * `succ` is the corresponding initialization instruction in the call target.
+   * Holds if `argument` is an argument (or argument indirection) to a call, and
+   * `parameter` is the corresponding initialization instruction in the call target.
    */
-  private predicate flowThroughCallable(Instruction argument, Instruction parameter) {
+  cached
+  predicate flowThroughCallable(Instruction argument, Instruction parameter) {
     // Flow from an argument to a parameter
     exists(CallInstruction call, InitializeParameterInstruction init | init = parameter |
-      getPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget())
+      isPositionalArgumentInitParam(call, argument, init, call.getStaticCallTarget())
       or
-      getThisArgumentInitParam(call, argument, init, call.getStaticCallTarget())
+      isThisArgumentInitParam(call, argument, init, call.getStaticCallTarget())
     )
     or
     // Flow from argument indirection to parameter indirection
@@ -170,7 +233,7 @@ private module Cached {
     |
       init = parameter and
       read.getPrimaryInstruction() = call and
-      getEnclosingNonVirtualFunctionInitializeIndirection(init, call.getStaticCallTarget())
+      isEnclosingNonVirtualFunctionInitializeIndirection(init, call.getStaticCallTarget())
     |
       exists(int n |
         read.getSideEffectOperand().getAnyDef() = argument and
@@ -205,92 +268,10 @@ private module Cached {
   }
 
   cached
-  predicate step(Instruction nodeFrom, Instruction nodeTo) {
+  predicate localStep(Instruction nodeFrom, Instruction nodeTo) {
     exists(Operand mid |
       instructionToOperandStep(nodeFrom, mid) and
       operandToInstructionStep(mid, nodeTo)
     )
-    or
-    flowThroughCallable(nodeFrom, nodeTo)
-  }
-}
-
-/**
- * Gets the enclosing callable of `n`. Unlike `n.getEnclosingCallable()`, this
- * predicate ensures that joins go from `n` to the result instead of the other
- * way around.
- */
-pragma[inline]
-private IRFunction getEnclosingCallable(Instruction n) {
-  pragma[only_bind_into](result) = pragma[only_bind_out](n).getEnclosingIRFunction()
-}
-
-/** Holds if `nodeFrom` flows to `nodeTo`. */
-private predicate step(Instruction nodeFrom, Instruction nodeTo, MustFlowConfiguration config) {
-  exists(config) and
-  Cached::step(pragma[only_bind_into](nodeFrom), pragma[only_bind_into](nodeTo)) and
-  (
-    config.allowInterproceduralFlow()
-    or
-    getEnclosingCallable(nodeFrom) = getEnclosingCallable(nodeTo)
-  )
-  or
-  config.isAdditionalFlowStep(nodeFrom.getAUse(), nodeTo)
-}
-
-private newtype TLocalPathNode =
-  MkLocalPathNode(Instruction n, MustFlowConfiguration config) {
-    flowsToSink(n, config) and
-    (
-      config.isSource(n)
-      or
-      exists(MustFlowPathNode mid | step(mid.getInstruction(), n, config))
-    )
-  }
-
-/** A `Node` that is in a path from a source to a sink. */
-class MustFlowPathNode extends TLocalPathNode {
-  Instruction n;
-
-  MustFlowPathNode() { this = MkLocalPathNode(n, _) }
-
-  /** Gets the underlying node. */
-  Instruction getInstruction() { result = n }
-
-  /** Gets a textual representation of this node. */
-  string toString() { result = n.getAst().toString() }
-
-  /** Gets the location of this element. */
-  Location getLocation() { result = n.getLocation() }
-
-  /** Gets a successor node, if any. */
-  MustFlowPathNode getASuccessor() {
-    step(this.getInstruction(), result.getInstruction(), this.getConfiguration())
-  }
-
-  /** Gets the associated configuration. */
-  MustFlowConfiguration getConfiguration() { this = MkLocalPathNode(_, result) }
-}
-
-private class MustFlowPathSink extends MustFlowPathNode {
-  MustFlowPathSink() { this.getConfiguration().isSink(this.getInstruction().getAUse()) }
-}
-
-/**
- * Provides the query predicates needed to include a graph in a path-problem query.
- */
-module PathGraph {
-  private predicate reach(MustFlowPathNode n) {
-    n instanceof MustFlowPathSink or reach(n.getASuccessor())
-  }
-
-  /** Holds if `(a,b)` is an edge in the graph of data flow path explanations. */
-  query predicate edges(MustFlowPathNode a, MustFlowPathNode b) {
-    a.getASuccessor() = b and reach(b)
-  }
-
-  /** Holds if `n` is a node in the graph of data flow path explanations. */
-  query predicate nodes(MustFlowPathNode n, string key, string val) {
-    reach(n) and key = "semmle.label" and val = n.toString()
   }
 }

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -552,34 +552,47 @@ private module BoundsEstimate {
   private float nrOfBoundsPhiGuard(RangeSsaDefinition def, StackVariable v) {
     // If we have
     //
+    //   if (x < c) { e1 } else { e2 }
+    //   e3
+    //
+    // then `{ e1 }` and `{ e2 }` are both guard phi nodes guarded by `x < c`.
+    // The range analysis propagates bounds on `x` into both branches, filtered
+    // by the condition. In this case all lower bounds flow to `{ e1 }` and only
+    // lower bounds that are smaller than `c` flow to `{ e2 }`.
+    //
+    // The largest number of bounds possible for `e3` is the number of bounds on `x` plus
+    // one. This happens when all bounds flow from `x` to `e1` to `e3` and the
+    // bound `c` can flow to `e2` to `e3`.
+    //
+    // We want to optimize our bounds estimate for `e3`, as that is the estimate
+    // that can continue propagating forward. We don't know how the existing
+    // bounds will be split between the different branches. That depends on
+    // whether the range analysis is tracking lower bounds or upper bounds, and
+    // on the meaning of the condition.
+    //
+    // As a heuristic we divide the number of bounds on `x` by 2 to "average"
+    // the effect of the condition and add 1 to account for the bound from the
+    // condition itself. This will approximate estimates inside the branches,
+    // but will give a good estimate after the branches are merged.
+    //
+    // This also handles cases such as this one
+    //
     //   if (x < c) { e1 }
-    //   e2
+    //   e3
     //
-    // then `e2` is both a guard phi node (guarded by `x < c`) and a normal
-    // phi node (control is merged after the `if` statement).
-    //
-    // Assume `x` has `n` bounds. Then `n` bounds are propagated to the guard
-    // phi node `{ e1 }` and, since `{ e1 }` is input to `e2` as a normal phi
-    // node, `n` bounds are propagated to `e2`. If we also propagate the `n`
-    // bounds to `e2` as a guard phi node, then we square the number of
-    // bounds.
-    //
-    // However in practice `x < c` is going to cut down the number of bounds:
-    // The tracked bounds can't flow to both branches as that would require
-    // them to simultaneously be greater and smaller than `c`. To approximate
-    // this better, the contribution from a guard phi node that is also a
-    // normal phi node is 1.
-    exists(def.getAPhiInput(v)) and
-    isGuardPhiWithBound(def, v, _) and
-    result = 1
-    or
-    not exists(def.getAPhiInput(v)) and
-    // If there's different `access`es, then they refer to the same variable
-    // with the same lower bounds. Hence adding these guards make no sense (the
-    // implementation will take the union, but they'll be removed by
-    // deduplication). Hence we use `max` as an approximation.
-    result =
-      max(VariableAccess access | isGuardPhiWithBound(def, v, access) | nrOfBoundsExpr(access))
+    // where `e3` is both a guard phi node (guarded by `x < c`) and a normal
+    // phi node (control is merged after the `if` statement). Here half of the
+    // bounds flow into the branch and then to `e3` as a normal phi node and the
+    // "other" half flow from the condition to `e3` as a guard phi node.
+    exists(float varBounds |
+      // If there's different `access`es, then they refer to the same
+      // variable with the same lower bounds. Hence adding these guards makes no
+      // sense (the implementation will take the union, but they'll be removed by
+      // deduplication). Hence we use `max` as an approximation.
+      varBounds =
+        max(VariableAccess access | isGuardPhiWithBound(def, v, access) | nrOfBoundsExpr(access)) and
+      result = (varBounds + 1) / 2
+    )
     or
     def.isPhiNode(v) and
     not isGuardPhiWithBound(def, v, _) and
@@ -2180,6 +2193,16 @@ module SimpleRangeAnalysisInternal {
 
   /** Gets the estimate of the number of bounds for `e`. */
   float estimateNrOfBounds(Expr e) { result = BoundsEstimate::nrOfBoundsExpr(e) }
+
+  /** Counts the numbers of lower bounds that are computed internally for `e`. */
+  float countNrOfLowerBounds(Expr e) {
+    result = strictcount(float lb | lb = getLowerBoundsImpl(e) | lb)
+  }
+
+  /** Counts the numbers of upper bounds that are computed internally for `e`. */
+  float countNrOfUpperBounds(Expr e) {
+    result = strictcount(float ub | ub = getUpperBoundsImpl(e) | ub)
+  }
 }
 
 /** Provides predicates for debugging the simple range analysis library. */
@@ -2208,7 +2231,7 @@ private module Debug {
    */
   predicate countGetLowerBoundsImpl(Expr e, int n) {
     e = getRelevantLocatable() and
-    n = strictcount(float lb | lb = getLowerBoundsImpl(e) | lb)
+    n = SimpleRangeAnalysisInternal::countNrOfLowerBounds(e)
   }
 
   float debugNrOfBounds(Expr e) {

cpp/ql/src/Likely Bugs/Leap Year/LeapYear.qll

@@ -308,3 +308,37 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
 
 module PossibleYearArithmeticOperationCheckFlow =
   TaintTracking::Global<PossibleYearArithmeticOperationCheckConfig>;
+
+/**
+ * A time conversion function where either
+ * 1) an incorrect leap year date would result in an error that can be checked from the return value or
+ * 2) an incorrect leap year date is auto corrected (no checks required)
+ */
+class TimeConversionFunction extends Function {
+  boolean autoLeapYearCorrecting;
+
+  TimeConversionFunction() {
+    autoLeapYearCorrecting = false and
+    (
+      this.getName() =
+        [
+          "FileTimeToSystemTime", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime",
+          "SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime",
+          "TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime",
+          "RtlTimeToSecondsSince1970", "_mkgmtime", "SetSystemTime", "VarUdateFromDate", "from_tm"
+        ]
+      or
+      // Matches all forms of GetDateFormat, e.g. GetDateFormatA/W/Ex
+      this.getName().matches("GetDateFormat%")
+    )
+    or
+    autoLeapYearCorrecting = true and
+    this.getName() =
+      ["mktime", "_mktime32", "_mktime64", "SystemTimeToVariantTime", "VariantTimeToSystemTime"]
+  }
+
+  /**
+   * Holds if the function is expected to auto convert a bad leap year date.
+   */
+  predicate isAutoLeapYearCorrecting() { autoLeapYearCorrecting = true }
+}

cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql

@@ -1,7 +1,7 @@
 /**
  * @name Year field changed using an arithmetic operation without checking for leap year
  * @description A field that represents a year is being modified by an arithmetic operation, but no proper check for leap years can be detected afterwards.
- * @kind problem
+ * @kind path-problem
  * @problem.severity warning
  * @id cpp/leap-year/unchecked-after-arithmetic-year-modification
  * @precision medium
@@ -11,49 +11,844 @@
 
 import cpp
 import LeapYear
+import semmle.code.cpp.controlflow.IRGuards
 
-from Variable var, LeapYearFieldAccess yfa
-where
-  exists(VariableAccess va |
-    yfa.getQualifier() = va and
-    var.getAnAccess() = va and
-    // The year is modified with an arithmetic operation. Avoid values that are likely false positives
-    yfa.isModifiedByArithmeticOperationNotForNormalization() and
-    // Avoid false positives
-    not (
-      // If there is a local check for leap year after the modification
-      exists(LeapYearFieldAccess yfacheck |
-        yfacheck.getQualifier() = var.getAnAccess() and
-        yfacheck.isUsedInCorrectLeapYearCheck() and
-        yfacheck.getBasicBlock() = yfa.getBasicBlock().getASuccessor*()
-      )
+/**
+ * Functions whose operations should never be considered a
+ * source or sink of a dangerous leap year operation.
+ * The general concept is to add conversion functions
+ * that convert one time type to another. Often
+ * other ignorable operation heuristics will filter these,
+ * but some cases, the simplest approach is to simply filter
+ * the function entirely.
+ * Note that flow through these functions should still be allowed
+ * we just cannot start or end flow from an operation to a
+ * year assignment in one of these functions.
+ */
+class IgnorableFunction extends Function {
+  IgnorableFunction() {
+    // arithmetic in known time conversion functions may look like dangerous operations
+    // we assume all known time conversion functions are safe.
+    this instanceof TimeConversionFunction
+    or
+    // Helper utility in postgres with string time conversions
+    this.getName() = "DecodeISO8601Interval"
+    or
+    // helper utility for date conversions in qtbase
+    this.getName() = "adjacentDay"
+    or
+    // Windows API function that does timezone conversions
+    this.getName().matches("%SystemTimeToTzSpecificLocalTime%")
+    or
+    // Windows APIs that do time conversions
+    this.getName().matches("%localtime%\\_s%")
+    or
+    // Windows APIs that do time conversions
+    this.getName().matches("%SpecificLocalTimeToSystemTime%")
+    or
+    // postgres function for diffing timestamps, date for leap year
+    // is not applicable.
+    this.getName().toLowerCase().matches("%timestamp%age%")
+    or
+    // Reading byte streams often involves operations of some base, but that's
+    // not a real source of leap year issues.
+    this.getName().toLowerCase().matches("%read%bytes%")
+    or
+    // A postgres function for local time conversions
+    // conversion operations (from one time structure to another) are generally ignorable
+    this.getName() = "localsub"
+    or
+    // Indication of a calendar not applicable to
+    // gregorian leap year, e.g., Hijri, Persian, Hebrew
+    this.getName().toLowerCase().matches("%hijri%")
+    or
+    this.getFile().getBaseName().toLowerCase().matches("%hijri%")
+    or
+    this.getName().toLowerCase().matches("%persian%")
+    or
+    this.getFile().getBaseName().toLowerCase().matches("%persian%")
+    or
+    this.getName().toLowerCase().matches("%hebrew%")
+    or
+    this.getFile().getBaseName().toLowerCase().matches("%hebrew%")
+    or
+    // misc. from string/char converters heuristic
+    this.getName()
+        .toLowerCase()
+        .matches(["%char%to%", "%string%to%", "%from%char%", "%from%string%"])
+    or
+    // boost's gregorian.cpp has year manipulations that are checked in complex ways.
+    // ignore the entire file as a source or sink.
+    this.getFile().getAbsolutePath().toLowerCase().matches("%boost%gregorian.cpp%")
+  }
+}
+
+/**
+ * The set of expressions which are ignorable; either because they seem to not be part of a year mutation,
+ * or because they seem to be a conversion pattern of mapping date scalars.
+ */
+abstract class IgnorableOperation extends Expr { }
+
+class IgnorableExprRem extends IgnorableOperation instanceof RemExpr { }
+
+/**
+ * An operation with 10, 100, 1000, 10000 as an operand is often a sign of conversion
+ * or atoi.
+ */
+class IgnorableExpr10MultipleComponent extends IgnorableOperation {
+  IgnorableExpr10MultipleComponent() {
+    this.(Operation).getAnOperand().getValue().toInt() in [10, 100, 1000, 10000]
+    or
+    exists(AssignOperation a | a.getRValue() = this |
+      a.getRValue().getValue().toInt() in [10, 100, 1000, 10000]
+    )
+  }
+}
+
+/**
+ * An operation involving a sub expression with char literal `48`, ignore as a likely string conversion. For example: `X - '0'`
+ */
+class IgnorableExpr48Mapping extends IgnorableOperation {
+  IgnorableExpr48Mapping() {
+    this.(SubExpr).getRightOperand().getValue().toInt() = 48
+    or
+    exists(AssignSubExpr e | e.getRValue() = this | e.getRValue().getValue().toInt() = 48)
+  }
+}
+
+/**
+ * A binary or arithmetic operation whereby one of the components is textual or a string.
+ */
+class IgnorableCharLiteralArithmetic extends IgnorableOperation {
+  IgnorableCharLiteralArithmetic() {
+    this.(BinaryArithmeticOperation).getAnOperand() instanceof TextLiteral
+    or
+    this instanceof TextLiteral and
+    any(AssignArithmeticOperation arith).getRValue() = this
+  }
+}
+
+/**
+ * Constants often used in date conversions (from one date data type to another)
+ * Numerous examples exist, like 1900 or 2000 that convert years from one
+ * representation to another.
+ * Also '0' is sometimes observed as an atoi style conversion.
+ */
+bindingset[c]
+predicate isLikelyConversionConstant(int c) {
+  exists(int i | i = c.abs() |
+    i =
+      [
+        146097, // days in 400-year Gregorian cycle
+        36524, // days in 100-year Gregorian subcycle
+        1461, // days in 4-year cycle (incl. 1 leap)
+        32044, // Fliegel-van Flandern JDN epoch shift
+        1721425, // JDN of 0001-01-01 (Gregorian)
+        1721119, // alt epoch offset
+        2400000, // MJD -> JDN conversion
+        2400001, // alt MJD -> JDN conversion
+        2141, // fixed-point month/day extraction
+        65536, // observed in some conversions
+        7834, // observed in some conversions
+        256, // observed in some conversions
+        292275056, // qdatetime.h Qt Core year range first year constant
+        292278994, // qdatetime.h Qt Core year range last year constant
+        1601, // Windows FILETIME epoch start year
+        1970, // Unix epoch start year
+        70, // Unix epoch start year short form
+        1899, // Observed in uses with 1900 to address off by one scenarios
+        1900, // Used when converting a 2 digit year
+        2000, // Used when converting a 2 digit year
+        1400, // Hijri base year, used when converting a 2 digit year
+        1980, // FAT filesystem epoch start year
+        227013, // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year
+        10631, // constant observed for Hirji year conversion, and Hirji years are not applicable for gregorian leap year,
+        80, // 1980/01/01 is the start of the epoch on DOS
+        0
+      ]
+  )
+}
+
+/**
+ * An `isLikelyConversionConstant` constant indicates conversion that is ignorable, e.g.,
+ * julian to gregorian conversion or conversions from linux time structs
+ * that start at 1900, etc.
+ */
+class IgnorableConstantArithmetic extends IgnorableOperation {
+  IgnorableConstantArithmetic() {
+    exists(int i | isLikelyConversionConstant(i) |
+      this.(Operation).getAnOperand().getValue().toInt() = i
       or
-      // If there is a data flow from the variable that was modified to a function that seems to check for leap year
-      exists(VariableAccess source, ChecksForLeapYearFunctionCall fc |
-        source = var.getAnAccess() and
-        LeapYearCheckFlow::flow(DataFlow::exprNode(source), DataFlow::exprNode(fc.getAnArgument()))
-      )
-      or
-      // If there is a data flow from the field that was modified to a function that seems to check for leap year
-      exists(VariableAccess vacheck, YearFieldAccess yfacheck, ChecksForLeapYearFunctionCall fc |
-        vacheck = var.getAnAccess() and
-        yfacheck.getQualifier() = vacheck and
-        LeapYearCheckFlow::flow(DataFlow::exprNode(yfacheck), DataFlow::exprNode(fc.getAnArgument()))
-      )
-      or
-      // If there is a successor or predecessor that sets the month = 1
-      exists(MonthFieldAccess mfa, AssignExpr ae |
-        mfa.getQualifier() = var.getAnAccess() and
-        mfa.isModified() and
-        (
-          mfa.getBasicBlock() = yfa.getBasicBlock().getASuccessor*() or
-          yfa.getBasicBlock() = mfa.getBasicBlock().getASuccessor+()
-        ) and
-        ae = mfa.getEnclosingElement() and
-        ae.getAnOperand().getValue().toInt() = 1
+      exists(AssignArithmeticOperation a | this = a.getRValue() |
+        a.getRValue().getValue().toInt() = i
       )
     )
+  }
+}
+
+// If a unary minus assume it is some sort of conversion
+class IgnorableUnaryMinus extends IgnorableOperation {
+  IgnorableUnaryMinus() {
+    this instanceof UnaryMinusExpr
+    or
+    this.(Operation).getAnOperand() instanceof UnaryMinusExpr
+  }
+}
+
+/**
+ * An argument to a function is ignorable if the function that is called is an ignored function
+ */
+class OperationAsArgToIgnorableFunction extends IgnorableOperation {
+  OperationAsArgToIgnorableFunction() {
+    exists(Call c |
+      c.getAnArgument().getAChild*() = this and
+      c.getTarget() instanceof IgnorableFunction
+    )
+  }
+}
+
+/**
+ * A binary operation on two literals means the result is constant/known
+ * and the operation is basically ignorable (it's not a real operation but
+ * probably one visual simplicity what it means).
+ */
+class ConstantBinaryArithmeticOperation extends IgnorableOperation, BinaryArithmeticOperation {
+  ConstantBinaryArithmeticOperation() {
+    this.getLeftOperand() instanceof Literal and
+    this.getRightOperand() instanceof Literal
+  }
+}
+
+class IgnorableBinaryBitwiseOperation extends IgnorableOperation instanceof BinaryBitwiseOperation {
+}
+
+class IgnorableUnaryBitwiseOperation extends IgnorableOperation instanceof UnaryBitwiseOperation { }
+
+class IgnorableAssignmentBitwiseOperation extends IgnorableOperation instanceof AssignBitwiseOperation
+{ }
+
+/**
+ * An arithmetic operation where one of the operands is a pointer or char type, ignore it
+ */
+class IgnorablePointerOrCharArithmetic extends IgnorableOperation {
+  IgnorablePointerOrCharArithmetic() {
+    this instanceof BinaryArithmeticOperation and
+    exists(Expr op | op = this.(BinaryArithmeticOperation).getAnOperand() |
+      op.getUnspecifiedType() instanceof PointerType
+      or
+      op.getUnspecifiedType() instanceof CharType
+      or
+      // Operations on calls to functions that accept char or char*
+      op.(Call).getAnArgument().getUnspecifiedType().stripType() instanceof CharType
+      or
+      // Operations on calls to functions named like "strlen", "wcslen", etc
+      // NOTE: workaround for cases where the wchar_t type is not a char, but an unsigned short
+      // unclear if there is a best way to filter cases like these out based on type info.
+      op.(Call).getTarget().getName().matches("%len%")
+    )
+    or
+    exists(AssignArithmeticOperation a | a.getRValue() = this |
+      exists(Expr op | op = a.getAnOperand() |
+        op.getUnspecifiedType() instanceof PointerType
+        or
+        op.getUnspecifiedType() instanceof CharType
+        or
+        // Operations on calls to functions that accept char or char*
+        op.(Call).getAnArgument().getUnspecifiedType().stripType() instanceof CharType
+      )
+      or
+      // Operations on calls to functions named like "strlen", "wcslen", etc
+      // for example `strlen(foo) + bar`
+      this.(BinaryArithmeticOperation).getAnOperand().(Call).getTarget().getName().matches("%len%")
+    )
+  }
+}
+
+/**
+ * Holds for an expression that is an add or similar operation that could flow to a Year field.
+ */
+predicate isOperationSourceCandidate(Expr e) {
+  not e instanceof IgnorableOperation and
+  exists(Function f |
+    f = e.getEnclosingFunction() and
+    not f instanceof IgnorableFunction
+  ) and
+  (
+    e instanceof SubExpr
+    or
+    e instanceof AddExpr
+    or
+    e instanceof CrementOperation
+    or
+    e instanceof AssignSubExpr
+    or
+    e instanceof AssignAddExpr
   )
-select yfa,
-  "Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found.",
-  yfa.getTarget(), yfa.getTarget().toString(), var, var.toString()
+}
+
+/**
+ * A data flow that tracks an ignorable operation (such as a bitwise operation) to an operation source, so we may disqualify it.
+ */
+module IgnorableOperationToOperationSourceCandidateConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof IgnorableOperation }
+
+  predicate isSink(DataFlow::Node n) { isOperationSourceCandidate(n.asExpr()) }
+
+  // looking for sources and sinks in the same function
+  DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureEqualSourceSinkCallContext
+  }
+}
+
+module IgnorableOperationToOperationSourceCandidateFlow =
+  TaintTracking::Global<IgnorableOperationToOperationSourceCandidateConfig>;
+
+/**
+ * The set of all expressions which is a candidate expression and also does not flow from to to some ignorable expression (eg. bitwise op)
+ * ```
+ * a = something <<< 2;
+ * myDate.year = a + 1;        // invalid
+ * ...
+ * a = someDate.year + 1;
+ * myDate.year = a;            // valid
+ * ```
+ */
+class OperationSource extends Expr {
+  OperationSource() {
+    isOperationSourceCandidate(this) and
+    // If the candidate came from an ignorable operation, ignore the candidate
+    // NOTE: we cannot easily flow the candidate to an ignorable operation as that can
+    // be tricky in practice, e.g., a mod operation on a year would be part of a leap year check
+    // but a mod operation ending in a year is more indicative of something to ignore (a conversion)
+    not exists(IgnorableOperationToOperationSourceCandidateFlow::PathNode sink |
+      sink.getNode().asExpr() = this and
+      sink.isSink()
+    )
+  }
+}
+
+class YearFieldAssignmentNode extends DataFlow::Node {
+  YearFieldAccess access;
+
+  YearFieldAssignmentNode() {
+    exists(Function f |
+      f = this.getEnclosingCallable().getUnderlyingCallable() and not f instanceof IgnorableFunction
+    ) and
+    (
+      this.asDefinition().(Assignment).getLValue() = access
+      or
+      this.asDefinition().(CrementOperation).getOperand() = access
+      or
+      exists(Call c | c.getAnArgument() = access and this.asDefiningArgument() = access)
+      or
+      exists(Call c, AddressOfExpr aoe |
+        c.getAnArgument() = aoe and
+        aoe.getOperand() = access and
+        this.asDefiningArgument() = aoe
+      )
+    )
+  }
+
+  YearFieldAccess getYearFieldAccess() { result = access }
+}
+
+/**
+ * A DataFlow configuration for identifying flows from an identified source
+ * to the Year field of a date object.
+ */
+module OperationToYearAssignmentConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof OperationSource }
+
+  predicate isSink(DataFlow::Node n) {
+    n instanceof YearFieldAssignmentNode and
+    not isYearModifiedWithCheck(n) and
+    not isControlledByMonthEqualityCheckNonFebruary(n.asExpr())
+  }
+
+  predicate isBarrier(DataFlow::Node n) {
+    exists(ArrayExpr arr | arr.getArrayOffset() = n.asExpr())
+    or
+    n.getType().getUnspecifiedType() instanceof PointerType
+    or
+    n.getType().getUnspecifiedType() instanceof CharType
+    or
+    // If a type resembles "string" ignore flow (likely string conversion, currently ignored)
+    n.getType().getUnspecifiedType().stripType().getName().toLowerCase().matches("%string%")
+    or
+    n.asExpr() instanceof IgnorableOperation
+    or
+    // Flowing into variables that indicate likely non-gregorian years are barriers
+    // e.g., names similar to hijri, persian, lunar, chinese, hebrew, etc.
+    exists(Variable v |
+      v.getName()
+          .toLowerCase()
+          .matches(["%hijri%", "%persian%", "%lunar%", "%chinese%", "%hebrew%"]) and
+      v.getAnAccess() = [n.asIndirectExpr(), n.asExpr()]
+    )
+    or
+    isLeapYearCheckSink(n)
+    or
+    // this is a bit of a hack to address cases where a year is normalized and checked, but the
+    // normalized year is never itself assigned to the final year struct
+    //    isLeapYear(getCivilYear(year))
+    //    struct.year = year
+    // This is assuming a user would have done this all on one line though.
+    // setting a variable for the conversion and passing that separately would be more difficult to track
+    // considering this approach good enough for current observed false positives
+    exists(Expr arg |
+      isLeapYearCheckCall(_, arg) and arg.getAChild*() = [n.asExpr(), n.asIndirectExpr()]
+    )
+    or
+    // If as the flow progresses, the value holding a dangerous operation result
+    // is apparently being passed by address to some function, it is more than likely
+    // intended to be modified, and therefore, the definition is killed.
+    exists(Call c | c.getAnArgument().(AddressOfExpr).getAnOperand() = n.asIndirectExpr())
+  }
+
+  /** Block flow out of an operation source to get the "closest" operation to the sink */
+  predicate isBarrierIn(DataFlow::Node n) { isSource(n) }
+
+  predicate isBarrierOut(DataFlow::Node n) { isSink(n) }
+}
+
+module OperationToYearAssignmentFlow = TaintTracking::Global<OperationToYearAssignmentConfig>;
+
+predicate isLeapYearCheckSink(DataFlow::Node sink) {
+  exists(LeapYearGuardCondition lgc |
+    lgc.checkedYearAccess() = [sink.asExpr(), sink.asIndirectExpr()]
+  )
+  or
+  isLeapYearCheckCall(_, [sink.asExpr(), sink.asIndirectExpr()])
+}
+
+predicate yearAssignmentToCheckCommonSteps(DataFlow::Node node1, DataFlow::Node node2) {
+  // flow from a YearFieldAccess to the qualifier
+  node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*()
+  or
+  // getting the 'access' can be tricky at definitions (assignments especially)
+  // as dataflow uses asDefinition not asExpr.
+  // the YearFieldAssignmentNode holds the access in these cases
+  node1.(YearFieldAssignmentNode).getYearFieldAccess().getQualifier() = node2.asExpr()
+  or
+  // flow from a year access qualifier to a year field
+  exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier())
+  or
+  node1.(YearFieldAssignmentNode).getYearFieldAccess().getQualifier() = node2.asExpr()
+  or
+  // Pass through any intermediate struct
+  exists(Assignment a |
+    a.getRValue() = node1.asExpr() and
+    node2.asExpr() = a.getLValue().(YearFieldAccess).getQualifier*()
+  )
+  or
+  // in cases of t.year = x and the value of x is checked, but the year t.year isn't directly checked
+  // flow from a year assignment node to an RHS if it is an assignment
+  // e.g.,
+  //    t.year = x;
+  //    isLeapYear(x);
+  //    --> at this point there is no flow of t.year to a check, but only its raw value
+  // To detect the flow of 'x' to the isLeapYear check,
+  // flow from t.year to 'x' (at assignment, t.year = x, flow to the RHS to track use-use flow of x)
+  exists(YearFieldAssignmentNode yfan |
+    node1 = yfan and
+    node2.asExpr() = yfan.asDefinition().(Assignment).getRValue()
+  )
+}
+
+/**
+ * A flow configuration from a Year field access to some Leap year check or guard
+ */
+module YearAssignmentToLeapYearCheckConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { source instanceof YearFieldAssignmentNode }
+
+  predicate isSink(DataFlow::Node sink) { isLeapYearCheckSink(sink) }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    yearAssignmentToCheckCommonSteps(node1, node2)
+  }
+
+  /**
+   * Enforcing the check must occur in the same call context as the source,
+   * i.e., do not return from the source function and check in a caller.
+   */
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+}
+
+module YearAssignmentToLeapYearCheckFlow =
+  TaintTracking::Global<YearAssignmentToLeapYearCheckConfig>;
+
+/** Does there exist a flow from the given YearFieldAccess to a Leap Year check or guard? */
+predicate isYearModifiedWithCheck(YearFieldAssignmentNode n) {
+  exists(YearAssignmentToLeapYearCheckFlow::PathNode src |
+    src.isSource() and
+    src.getNode() = n
+  )
+  or
+  // If the time flows to a time conversion whose value/result is checked,
+  // assume the leap year is being handled.
+  exists(YearAssignmentToCheckedTimeConversionFlow::PathNode timeQualSrc |
+    timeQualSrc.isSource() and
+    timeQualSrc.getNode() = n
+  )
+}
+
+/**
+ * An expression which checks the value of a Month field `a->month == 1`.
+ */
+class MonthEqualityCheck extends EqualityOperation {
+  MonthEqualityCheck() { this.getAnOperand() instanceof MonthFieldAccess }
+
+  Expr getExprCompared() {
+    exists(Expr e |
+      e = this.getAnOperand() and
+      not e instanceof MonthFieldAccess and
+      result = e
+    )
+  }
+}
+
+final class FinalMonthEqualityCheck = MonthEqualityCheck;
+
+class MonthEqualityCheckGuard extends GuardCondition, FinalMonthEqualityCheck { }
+
+/**
+ * Verifies if the expression is guarded by a check on the Month property of a date struct, that is NOT February.
+ */
+bindingset[e]
+pragma[inline_late]
+predicate isControlledByMonthEqualityCheckNonFebruary(Expr e) {
+  exists(MonthEqualityCheckGuard monthGuard, Expr compared |
+    monthGuard.controls(e.getBasicBlock(), true) and
+    compared = monthGuard.getExprCompared() and
+    not compared.getValue().toInt() = 2
+  )
+}
+
+/**
+ * Flow from a year field access to a time conversion function
+ * that auto converts feb29 in non-leap year, or through a conversion function that doesn't
+ * auto convert to a sanity check guard of the result for error conditions.
+ */
+module YearAssignmentToCheckedTimeConversionConfig implements DataFlow::StateConfigSig {
+  // Flow state tracks if flow goes through a known time conversion function
+  // see `TimeConversionFunction`.
+  // A valid check with a time conversion function is either the case:
+  // 1) the year flows into a time conversion function, and the time conversion function's result is checked or
+  // 2) the year flows into a time conversion function that auto corrects for leap year, so no check is necessary.
+  class FlowState = boolean;
+
+  predicate isSource(DataFlow::Node source, FlowState state) {
+    source instanceof YearFieldAssignmentNode and
+    state = false
+  }
+
+  predicate isSink(DataFlow::Node sink, FlowState state) {
+    // Case 1: Flow through a time conversion function that requires a check,
+    // and we have arrived at a guard, implying the result was checked for possible error, including leap year error.
+    // state = true indicates the flow went through a time conversion function
+    state = true and
+    (
+      exists(IfStmt ifs | ifs.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()])
+      or
+      exists(ConditionalExpr ce |
+        ce.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()]
+      )
+      or
+      exists(Loop l | l.getCondition().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()])
+    )
+    or
+    // Case 2: Flow through a time conversion function that auto corrects for leap year, so no check is necessary.
+    // state true or false, as flowing through a time conversion function is not necessary in this instance.
+    state in [true, false] and
+    exists(Call c, TimeConversionFunction f |
+      f.isAutoLeapYearCorrecting() and
+      c.getTarget() = f and
+      c.getAnArgument().getAChild*() = [sink.asExpr(), sink.asIndirectExpr()]
+    )
+  }
+
+  predicate isAdditionalFlowStep(
+    DataFlow::Node node1, FlowState state1, DataFlow::Node node2, FlowState state2
+  ) {
+    state1 in [true, false] and
+    state2 = true and
+    exists(Call c |
+      c.getTarget() instanceof TimeConversionFunction and
+      c.getAnArgument().getAChild*() = [node1.asExpr(), node1.asIndirectExpr()] and
+      node2.asExpr() = c
+    )
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    yearAssignmentToCheckCommonSteps(node1, node2)
+  }
+
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+}
+
+module YearAssignmentToCheckedTimeConversionFlow =
+  DataFlow::GlobalWithState<YearAssignmentToCheckedTimeConversionConfig>;
+
+/**
+ * Finds flow from a parameter of a function to a leap year check.
+ * This is necessary to handle for scenarios like this:
+ *
+ *    year = DANGEROUS_OP // source
+ *    isLeap = isLeapYear(year);
+ *    // logic based on isLeap
+ *    struct.year = year; // sink
+ *
+ * In this case, we may flow a dangerous op to a year assignment, failing
+ * to barrier the flow through a leap year check, as the leap year check
+ * is nested, and dataflow does not progress down into the check and out.
+ * Instead, the point of this flow is to detect isLeapYear's argument
+ * is checked for leap year, making the isLeapYear call a barrier for
+ * the dangerous flow if we flow through the parameter identified to
+ * be checked.
+ */
+module ParameterToLeapYearCheckConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { exists(source.asParameter()) }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(LeapYearGuardCondition lgc |
+      lgc.checkedYearAccess() = [sink.asExpr(), sink.asIndirectExpr()]
+    )
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    // flow from a YearFieldAccess to the qualifier
+    node2.asExpr() = node1.asExpr().(YearFieldAccess).getQualifier*()
+    or
+    // flow from a year access qualifier to a year field
+    exists(YearFieldAccess yfa | node2.asExpr() = yfa and node1.asExpr() = yfa.getQualifier())
+  }
+
+  /**
+   * Enforcing the check must occur in the same call context as the source,
+   * i.e., do not return from the source function and check in a caller.
+   */
+  DataFlow::FlowFeature getAFeature() { result instanceof DataFlow::FeatureHasSourceCallContext }
+}
+
+// NOTE: I do not believe taint flow is necessary here as we should
+// be flowing directyly from some parameter to a leap year check.
+module ParameterToLeapYearCheckFlow = DataFlow::Global<ParameterToLeapYearCheckConfig>;
+
+predicate isLeapYearCheckCall(Call c, Expr arg) {
+  exists(ParameterToLeapYearCheckFlow::PathNode src, Function f, int i |
+    src.isSource() and
+    f.getParameter(i) = src.getNode().asParameter() and
+    c.getTarget() = f and
+    c.getArgument(i) = arg
+  )
+}
+
+class LeapYearGuardCondition extends GuardCondition {
+  Expr yearSinkDiv4;
+  Expr yearSinkDiv100;
+  Expr yearSinkDiv400;
+
+  LeapYearGuardCondition() {
+    exists(
+      LogicalAndExpr andExpr, LogicalOrExpr orExpr, GuardCondition div4Check,
+      GuardCondition div100Check, GuardCondition div400Check, GuardValue gv
+    |
+      // canonical case:
+      // form: `(year % 4 == 0) && (year % 100 != 0 || year % 400 == 0)`
+      //    `!((year % 4 == 0) && (year % 100 != 0 || year % 400 == 0))`
+      //    `!(year % 4) && (year % 100 || !(year % 400))`
+      // Also accepting `((year & 3) == 0) && (year % 100 != 0 || year % 400 == 0)`
+      // and `(year % 4 == 0) && (year % 100 > 0 || year % 400 == 0)`
+      this = andExpr and
+      andExpr.hasOperands(div4Check, orExpr) and
+      orExpr.hasOperands(div100Check, div400Check) and
+      (
+        // year % 4 == 0
+        exists(RemExpr e |
+          div4Check.comparesEq(e, 0, true, gv) and
+          e.getRightOperand().getValue().toInt() = 4 and
+          yearSinkDiv4 = e.getLeftOperand()
+        )
+        or
+        // year & 3 == 0
+        exists(BitwiseAndExpr e |
+          div4Check.comparesEq(e, 0, true, gv) and
+          e.getRightOperand().getValue().toInt() = 3 and
+          yearSinkDiv4 = e.getLeftOperand()
+        )
+      ) and
+      exists(RemExpr e |
+        // year % 100 != 0 or year % 100 > 0
+        (
+          div100Check.comparesEq(e, 0, false, gv) or
+          div100Check.comparesLt(e, 1, false, gv)
+        ) and
+        e.getRightOperand().getValue().toInt() = 100 and
+        yearSinkDiv100 = e.getLeftOperand()
+      ) and
+      // year % 400 == 0
+      exists(RemExpr e |
+        div400Check.comparesEq(e, 0, true, gv) and
+        e.getRightOperand().getValue().toInt() = 400 and
+        yearSinkDiv400 = e.getLeftOperand()
+      )
+      or
+      // Inverted logic case:
+      //  `year % 4 != 0 || (year % 100 == 0 && year % 400 != 0)`
+      // or `year & 3 != 0 || (year % 100 == 0 && year % 400 != 0)`
+      // also accepting `year % 4 > 0 || (year % 100 == 0 && year % 400 > 0)`
+      this = orExpr and
+      orExpr.hasOperands(div4Check, andExpr) and
+      andExpr.hasOperands(div100Check, div400Check) and
+      (
+        // year % 4 != 0 or year % 4 > 0
+        exists(RemExpr e |
+          (
+            div4Check.comparesEq(e, 0, false, gv)
+            or
+            div4Check.comparesLt(e, 1, false, gv)
+          ) and
+          e.getRightOperand().getValue().toInt() = 4 and
+          yearSinkDiv4 = e.getLeftOperand()
+        )
+        or
+        // year & 3 != 0
+        exists(BitwiseAndExpr e |
+          div4Check.comparesEq(e, 0, false, gv) and
+          e.getRightOperand().getValue().toInt() = 3 and
+          yearSinkDiv4 = e.getLeftOperand()
+        )
+      ) and
+      // year % 100 == 0
+      exists(RemExpr e |
+        div100Check.comparesEq(e, 0, true, gv) and
+        e.getRightOperand().getValue().toInt() = 100 and
+        yearSinkDiv100 = e.getLeftOperand()
+      ) and
+      // year % 400 != 0 or year % 400 > 0
+      exists(RemExpr e |
+        (
+          div400Check.comparesEq(e, 0, false, gv)
+          or
+          div400Check.comparesLt(e, 1, false, gv)
+        ) and
+        e.getRightOperand().getValue().toInt() = 400 and
+        yearSinkDiv400 = e.getLeftOperand()
+      )
+    )
+  }
+
+  Expr getYearSinkDiv4() { result = yearSinkDiv4 }
+
+  Expr getYearSinkDiv100() { result = yearSinkDiv100 }
+
+  Expr getYearSinkDiv400() { result = yearSinkDiv400 }
+
+  /**
+   * Gets the variable access that is used in all 3 components of the leap year check
+   * e.g., see getYearSinkDiv4/100/400..
+   * If a field access is used, the qualifier and the field access are both returned
+   * in checked condition.
+   * NOTE: if the year is not checked using the same access in all 3 components, no result is returned.
+   * The typical case observed is a consistent variable access is used. If not, this may indicate a bug.
+   * We could check more accurately with a dataflow analysis, but this is likely sufficient for now.
+   */
+  VariableAccess checkedYearAccess() {
+    exists(Variable var |
+      (
+        this.getYearSinkDiv4().getAChild*() = var.getAnAccess() and
+        this.getYearSinkDiv100().getAChild*() = var.getAnAccess() and
+        this.getYearSinkDiv400().getAChild*() = var.getAnAccess() and
+        result = var.getAnAccess() and
+        (
+          result = this.getYearSinkDiv4().getAChild*() or
+          result = this.getYearSinkDiv100().getAChild*() or
+          result = this.getYearSinkDiv400().getAChild*()
+        )
+      )
+    )
+  }
+}
+
+/**
+ * A difficult case to detect is if a year modification is tied to a month or day modification
+ * and the month or day is safe for leap year.
+ *    e.g.,
+ *          year++;
+ *          month = 1;
+ *          // alternative: day = 15;
+ *        ... values eventually used in the same time struct
+ * If this is even more challenging if the struct the values end up in are not
+ * local (set inter-procedurally).
+ * This configuration looks for constants 1-31 flowing to a month or day assignment.
+ * It is assumed a user of this flow will check if the month/day source and month/day sink
+ * are in the same basic blocks as a year modification source and a year modification sink.
+ * It is also assumed a user will check if the constant source is a value that is ignorable
+ * e.g., if it is 2 and the sink is a month assignment, then it isn't ignorable or
+ * if the value is < 27 and is a day assignment, it is likely ignorable
+ *
+ * Obviously this does not handle all conditions (e.g., the month set in another block).
+ * It is meant to capture the most common cases of false positives.
+ */
+module CandidateConstantToDayOrMonthAssignmentConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source.asExpr().getValue().toInt() in [1 .. 31] and
+    (
+      exists(Assignment a | a.getRValue() = source.asExpr())
+      or
+      exists(Call c | c.getAnArgument() = source.asExpr())
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Assignment a |
+      (a.getLValue() instanceof MonthFieldAccess or a.getLValue() instanceof DayFieldAccess) and
+      a.getRValue() = sink.asExpr()
+    )
+  }
+}
+
+// NOTE: only data flow here (no taint tracking) as we want the exact
+// constant flowing to the month assignment
+module CandidateConstantToDayOrMonthAssignmentFlow =
+  DataFlow::Global<CandidateConstantToDayOrMonthAssignmentConfig>;
+
+/**
+ * Holds if value the assignment `a` resolves to (`dayOrMonthValSrcExpr`) doesn't represent February,
+ * and/or if it represents a day, is a 'safe' day (meaning the 27th or prior).
+ */
+bindingset[dayOrMonthValSrcExpr]
+predicate isSafeValueForAssignmentOfMonthOrDayValue(Assignment a, Expr dayOrMonthValSrcExpr) {
+  a.getLValue() instanceof MonthFieldAccess and
+  dayOrMonthValSrcExpr.getValue().toInt() != 2
+  or
+  a.getLValue() instanceof DayFieldAccess and
+  dayOrMonthValSrcExpr.getValue().toInt() <= 27
+}
+
+import OperationToYearAssignmentFlow::PathGraph
+
+from OperationToYearAssignmentFlow::PathNode src, OperationToYearAssignmentFlow::PathNode sink
+where
+  OperationToYearAssignmentFlow::flowPath(src, sink) and
+  // Check if a month is set in the same block as the year operation source
+  // and the month value would indicate its set to any other month than february.
+  // Finds if the source year node is in the same block as a source month block
+  // and if the same for the sinks.
+  not exists(DataFlow::Node dayOrMonthValSrc, DataFlow::Node dayOrMonthValSink, Assignment a |
+    CandidateConstantToDayOrMonthAssignmentFlow::flow(dayOrMonthValSrc, dayOrMonthValSink) and
+    a.getRValue() = dayOrMonthValSink.asExpr() and
+    dayOrMonthValSink.getBasicBlock() = sink.getNode().getBasicBlock() and
+    exists(IRBlock dayOrMonthValBB |
+      dayOrMonthValBB = dayOrMonthValSrc.getBasicBlock() and
+      // The source of the day is set in the same block as the source for the year
+      // or the source for the day is set in the same block as the sink for the year
+      dayOrMonthValBB in [
+          src.getNode().getBasicBlock(),
+          sink.getNode().getBasicBlock()
+        ]
+    ) and
+    isSafeValueForAssignmentOfMonthOrDayValue(a, dayOrMonthValSrc.asExpr())
+  )
+select sink, src, sink,
+  "Year field has been modified, but no appropriate check for LeapYear was found."

cpp/ql/src/Likely Bugs/Leap Year/UncheckedReturnValueForTimeFunctions.ql

@@ -44,23 +44,9 @@ class SafeTimeGatheringFunction extends Function {
   }
 }
 
-/**
- * This list of APIs should check for the return value to detect problems during the conversion.
- */
-class TimeConversionFunction extends Function {
-  TimeConversionFunction() {
-    this.getQualifiedName() =
-      [
-        "FileTimeToSystemTime", "SystemTimeToFileTime", "SystemTimeToTzSpecificLocalTime",
-        "SystemTimeToTzSpecificLocalTimeEx", "TzSpecificLocalTimeToSystemTime",
-        "TzSpecificLocalTimeToSystemTimeEx", "RtlLocalTimeToSystemTime",
-        "RtlTimeToSecondsSince1970", "_mkgmtime"
-      ]
-  }
-}
-
 from FunctionCall fcall, TimeConversionFunction trf, Variable var
 where
+  not trf.isAutoLeapYearCorrecting() and
   fcall = trf.getACallToThisFunction() and
   fcall instanceof ExprInVoidContext and
   var.getUnderlyingType() instanceof UnpackedTimeType and

cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql

@@ -16,17 +16,15 @@
 import cpp
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.MustFlow
-import PathGraph
+import ReturnStackAllocatedMemory::PathGraph
 
 /** Holds if `f` has a name that we interpret as evidence of intentionally returning the value of the stack pointer. */
 predicate intentionallyReturnsStackPointer(Function f) {
   f.getName().toLowerCase().matches(["%stack%", "%sp%"])
 }
 
-class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
-  ReturnStackAllocatedMemoryConfig() { this = "ReturnStackAllocatedMemoryConfig" }
-
-  override predicate isSource(Instruction source) {
+module ReturnStackAllocatedMemoryConfig implements MustFlow::ConfigSig {
+  predicate isSource(Instruction source) {
     exists(Function func |
       // Rule out FPs caused by extraction errors.
       not func.hasErrors() and
@@ -50,7 +48,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
     )
   }
 
-  override predicate isSink(Operand sink) {
+  predicate isSink(Operand sink) {
     // Holds if `sink` is a node that represents the `StoreInstruction` that is subsequently used in
     // a `ReturnValueInstruction`.
     // We use the `StoreInstruction` instead of the instruction that defines the
@@ -72,7 +70,7 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
   //   int* px = id(&x);
   //  }
   //   ```
-  override predicate allowInterproceduralFlow() { none() }
+  predicate allowInterproceduralFlow() { none() }
 
   /**
    * This configuration intentionally conflates addresses of fields and their object, and pointer offsets
@@ -87,20 +85,22 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
    * }
    * ```
    */
-  override predicate isAdditionalFlowStep(Operand node1, Instruction node2) {
+  predicate isAdditionalFlowStep(Operand node1, Instruction node2) {
     node2.(FieldAddressInstruction).getObjectAddressOperand() = node1
     or
     node2.(PointerOffsetInstruction).getLeftOperand() = node1
   }
 
-  override predicate isBarrier(Instruction n) { n.getResultType() instanceof ErroneousType }
+  predicate isBarrier(Instruction n) { n.getResultType() instanceof ErroneousType }
 }
 
+module ReturnStackAllocatedMemory = MustFlow::Global<ReturnStackAllocatedMemoryConfig>;
+
 from
-  MustFlowPathNode source, MustFlowPathNode sink, Instruction instr,
-  ReturnStackAllocatedMemoryConfig conf
+  ReturnStackAllocatedMemory::PathNode source, ReturnStackAllocatedMemory::PathNode sink,
+  Instruction instr
 where
-  conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
+  ReturnStackAllocatedMemory::flowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
   source.getInstruction() = instr
 select sink.getInstruction(), source, sink, "May return stack-allocated memory from $@.",
   instr.getAst(), instr.getAst().toString()

cpp/ql/src/Likely Bugs/Memory Management/UninitializedLocal.ql

@@ -15,7 +15,7 @@
 import cpp
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.MustFlow
-import PathGraph
+import UninitializedLocal::PathGraph
 
 /**
  * Auxiliary predicate: Types that don't require initialization
@@ -70,25 +70,26 @@ predicate isSinkImpl(Instruction sink, VariableAccess va) {
   )
 }
 
-class MustFlow extends MustFlowConfiguration {
-  MustFlow() { this = "MustFlow" }
-
-  override predicate isSource(Instruction source) {
+module UninitializedLocalConfig implements MustFlow::ConfigSig {
+  predicate isSource(Instruction source) {
     source instanceof UninitializedInstruction and
     exists(Type t | t = source.getResultType() | not allocatedType(t))
   }
 
-  override predicate isSink(Operand sink) { isSinkImpl(sink.getDef(), _) }
+  predicate isSink(Operand sink) { isSinkImpl(sink.getDef(), _) }
 
-  override predicate allowInterproceduralFlow() { none() }
+  predicate allowInterproceduralFlow() { none() }
 
-  override predicate isBarrier(Instruction instr) { instr instanceof ChiInstruction }
+  predicate isBarrier(Instruction instr) { instr instanceof ChiInstruction }
 }
 
+module UninitializedLocal = MustFlow::Global<UninitializedLocalConfig>;
+
 from
-  VariableAccess va, LocalVariable v, MustFlow conf, MustFlowPathNode source, MustFlowPathNode sink
+  VariableAccess va, LocalVariable v, UninitializedLocal::PathNode source,
+  UninitializedLocal::PathNode sink
 where
-  conf.hasFlowPath(source, sink) and
+  UninitializedLocal::flowPath(source, sink) and
   isSinkImpl(sink.getInstruction(), va) and
   v = va.getTarget()
 select va, source, sink, "The variable $@ may not be initialized at this access.", v, v.getName()

cpp/ql/src/Likely Bugs/OO/UnsafeUseOfThis.ql

@@ -17,16 +17,16 @@
 import cpp
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.MustFlow
-import PathGraph
+import UnsafeUseOfThis::PathGraph
 
-class UnsafeUseOfThisConfig extends MustFlowConfiguration {
-  UnsafeUseOfThisConfig() { this = "UnsafeUseOfThisConfig" }
+module UnsafeUseOfThisConfig implements MustFlow::ConfigSig {
+  predicate isSource(Instruction source) { isSource(source, _, _) }
 
-  override predicate isSource(Instruction source) { isSource(source, _, _) }
-
-  override predicate isSink(Operand sink) { isSink(sink, _) }
+  predicate isSink(Operand sink) { isSink(sink, _) }
 }
 
+module UnsafeUseOfThis = MustFlow::Global<UnsafeUseOfThisConfig>;
+
 /** Holds if `sink` is a `this` pointer used by the call instruction `call`. */
 predicate isSink(Operand sink, CallInstruction call) {
   exists(PureVirtualFunction func |
@@ -66,19 +66,17 @@ predicate isSource(InitializeParameterInstruction source, string msg, Class c) {
  * - `msg` is a string describing whether `source` is from a constructor or destructor.
  */
 predicate flows(
-  MustFlowPathNode source, string msg, Class sourceClass, MustFlowPathNode sink,
+  UnsafeUseOfThis::PathNode source, string msg, Class sourceClass, UnsafeUseOfThis::PathNode sink,
   CallInstruction call
 ) {
-  exists(UnsafeUseOfThisConfig conf |
-    conf.hasFlowPath(source, sink) and
-    isSource(source.getInstruction(), msg, sourceClass) and
-    isSink(sink.getInstruction().getAUse(), call)
-  )
+  UnsafeUseOfThis::flowPath(source, sink) and
+  isSource(source.getInstruction(), msg, sourceClass) and
+  isSink(sink.getInstruction().getAUse(), call)
 }
 
 from
-  MustFlowPathNode source, MustFlowPathNode sink, CallInstruction call, string msg,
-  Class sourceClass
+  UnsafeUseOfThis::PathNode source, UnsafeUseOfThis::PathNode sink, CallInstruction call,
+  string msg, Class sourceClass
 where
   flows(source, msg, sourceClass, sink, call) and
   // Only raise an alert if there is no override of the pure virtual function in any base class.

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.11
+version: 1.5.12-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.ql

@@ -2,8 +2,20 @@ import cpp
 import utils.test.InlineExpectationsTest
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 
-query predicate estimateNrOfBounds(Expr e, float nrOfBounds) {
-  nrOfBounds = SimpleRangeAnalysisInternal::estimateNrOfBounds(e)
+query predicate estimateNrOfBounds(
+  Expr e, float nrOfBounds, float actualNrOfLowerBounds, float actualNrOfUpperBounds
+) {
+  nrOfBounds = SimpleRangeAnalysisInternal::estimateNrOfBounds(e) and
+  (
+    actualNrOfLowerBounds = SimpleRangeAnalysisInternal::countNrOfLowerBounds(e)
+    or
+    not exists(SimpleRangeAnalysisInternal::countNrOfLowerBounds(e)) and actualNrOfLowerBounds = -1
+  ) and
+  (
+    actualNrOfUpperBounds = SimpleRangeAnalysisInternal::countNrOfUpperBounds(e)
+    or
+    not exists(SimpleRangeAnalysisInternal::countNrOfUpperBounds(e)) and actualNrOfUpperBounds = -1
+  )
 }
 
 /**

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryLower.expected

@@ -77,77 +77,77 @@
 | test.c:426:22:426:82 | ... ? ... : ... | 0.13204114 | 0.42186276 | 0.13204114 |
 | test.c:426:26:426:69 | ... ? ... : ... | 0.42186276 | 0.42186276 | 0.44996679 |
 | test.c:426:30:426:56 | ... ? ... : ... | 0.42186276 | 0.42186276 | 0.53843358 |
-| test.c:468:4:642:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:468:5:470:49 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:471:6:553:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:472:8:490:41 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:475:10:479:21 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:475:31:475:79 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:477:13:479:21 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:484:12:489:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:485:12:485:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:487:15:489:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:491:6:510:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:494:8:498:19 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:494:29:494:77 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:496:11:498:19 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:499:6:499:54 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:503:10:507:21 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:503:31:503:79 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:505:13:507:21 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:508:9:510:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:512:10:531:43 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:515:12:520:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:516:12:516:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:518:15:520:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:525:14:530:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:526:14:526:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:528:17:530:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:532:9:553:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:535:14:540:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:536:14:536:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:538:17:540:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:541:12:541:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:545:12:550:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:546:12:546:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:548:15:550:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:551:11:553:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:554:9:556:51 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:557:9:642:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:558:14:577:47 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:561:16:566:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:562:16:562:64 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:564:19:566:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:571:18:576:29 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:572:18:572:66 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:574:21:576:29 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:578:12:599:29 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:581:14:586:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:582:14:582:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:584:17:586:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:587:12:587:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:591:16:596:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:592:16:592:64 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:594:19:596:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:597:15:599:29 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:601:12:620:45 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:604:14:609:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:605:14:605:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:607:17:609:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:614:16:619:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:615:16:615:64 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:617:19:619:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:621:11:642:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:624:16:629:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:625:16:625:64 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:627:19:629:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:630:14:630:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:634:14:639:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:635:14:635:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:637:17:639:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:640:13:642:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
-| test.c:668:20:668:36 | ... ? ... : ... | 0.0 | 0.0 | 100.0 |
-| test.c:880:5:880:14 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
-| test.c:881:5:881:14 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |
+| test.c:485:4:659:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:485:5:487:49 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:488:6:570:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:489:8:507:41 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:492:10:496:21 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:492:31:492:79 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:494:13:496:21 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:501:12:506:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:502:12:502:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:504:15:506:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:508:6:527:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:511:8:515:19 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:511:29:511:77 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:513:11:515:19 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:516:6:516:54 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:520:10:524:21 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:520:31:520:79 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:522:13:524:21 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:525:9:527:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:529:10:548:43 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:532:12:537:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:533:12:533:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:535:15:537:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:542:14:547:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:543:14:543:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:545:17:547:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:549:9:570:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:552:14:557:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:553:14:553:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:555:17:557:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:558:12:558:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:562:12:567:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:563:12:563:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:565:15:567:23 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:568:11:570:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:571:9:573:51 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:574:9:659:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:575:14:594:47 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:578:16:583:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:579:16:579:64 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:581:19:583:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:588:18:593:29 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:589:18:589:66 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:591:21:593:29 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:595:12:616:29 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:598:14:603:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:599:14:599:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:601:17:603:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:604:12:604:60 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:608:16:613:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:609:16:609:64 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:611:19:613:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:614:15:616:29 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:618:12:637:45 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:621:14:626:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:622:14:622:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:624:17:626:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:631:16:636:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:632:16:632:64 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:634:19:636:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:638:11:659:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:641:16:646:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:642:16:642:64 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:644:19:646:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:647:14:647:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:651:14:656:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:652:14:652:62 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:654:17:656:25 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:657:13:659:27 | ... ? ... : ... | 0.0 | 0.0 | 0.0 |
+| test.c:685:20:685:36 | ... ? ... : ... | 0.0 | 0.0 | 100.0 |
+| test.c:897:5:897:14 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
+| test.c:898:5:898:14 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |
 | test.cpp:121:3:121:12 | ... ? ... : ... | 0.0 | 1.0 | 0.0 |
 | test.cpp:122:3:122:12 | ... ? ... : ... | 0.0 | 0.0 | 1.0 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/ternaryUpper.expected

@@ -77,77 +77,77 @@
 | test.c:426:22:426:82 | ... ? ... : ... | 0.53843358 | 0.53843358 | 0.13204114 |
 | test.c:426:26:426:69 | ... ? ... : ... | 0.53843358 | 0.53843358 | 0.44996679 |
 | test.c:426:30:426:56 | ... ? ... : ... | 0.53843358 | 0.42186276 | 0.53843358 |
-| test.c:468:4:642:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:468:5:470:49 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:471:6:553:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:472:8:490:41 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:475:10:479:21 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:475:31:475:79 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:477:13:479:21 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:484:12:489:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:485:12:485:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:487:15:489:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:491:6:510:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:494:8:498:19 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:494:29:494:77 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:496:11:498:19 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:499:6:499:54 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:503:10:507:21 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:503:31:503:79 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:505:13:507:21 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:508:9:510:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:512:10:531:43 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:515:12:520:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:516:12:516:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:518:15:520:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:525:14:530:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:526:14:526:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:528:17:530:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:532:9:553:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:535:14:540:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:536:14:536:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:538:17:540:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:541:12:541:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:545:12:550:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:546:12:546:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:548:15:550:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:551:11:553:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:554:9:556:51 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:557:9:642:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:558:14:577:47 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:561:16:566:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:562:16:562:64 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:564:19:566:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:571:18:576:29 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:572:18:572:66 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:574:21:576:29 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:578:12:599:29 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:581:14:586:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:582:14:582:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:584:17:586:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:587:12:587:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:591:16:596:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:592:16:592:64 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:594:19:596:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:597:15:599:29 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:601:12:620:45 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:604:14:609:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:605:14:605:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:607:17:609:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:614:16:619:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:615:16:615:64 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:617:19:619:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:621:11:642:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:624:16:629:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:625:16:625:64 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:627:19:629:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:630:14:630:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:634:14:639:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:635:14:635:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:637:17:639:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:640:13:642:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
-| test.c:668:20:668:36 | ... ? ... : ... | 100.0 | 99.0 | 100.0 |
-| test.c:880:5:880:14 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
-| test.c:881:5:881:14 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |
+| test.c:485:4:659:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:485:5:487:49 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:488:6:570:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:489:8:507:41 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:492:10:496:21 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:492:31:492:79 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:494:13:496:21 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:501:12:506:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:502:12:502:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:504:15:506:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:508:6:527:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:511:8:515:19 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:511:29:511:77 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:513:11:515:19 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:516:6:516:54 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:520:10:524:21 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:520:31:520:79 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:522:13:524:21 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:525:9:527:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:529:10:548:43 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:532:12:537:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:533:12:533:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:535:15:537:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:542:14:547:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:543:14:543:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:545:17:547:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:549:9:570:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:552:14:557:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:553:14:553:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:555:17:557:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:558:12:558:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:562:12:567:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:563:12:563:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:565:15:567:23 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:568:11:570:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:571:9:573:51 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:574:9:659:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:575:14:594:47 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:578:16:583:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:579:16:579:64 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:581:19:583:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:588:18:593:29 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:589:18:589:66 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:591:21:593:29 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:595:12:616:29 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:598:14:603:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:599:14:599:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:601:17:603:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:604:12:604:60 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:608:16:613:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:609:16:609:64 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:611:19:613:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:614:15:616:29 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:618:12:637:45 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:621:14:626:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:622:14:622:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:624:17:626:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:631:16:636:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:632:16:632:64 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:634:19:636:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:638:11:659:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:641:16:646:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:642:16:642:64 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:644:19:646:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:647:14:647:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:651:14:656:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:652:14:652:62 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:654:17:656:25 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:657:13:659:27 | ... ? ... : ... | 4.294967295E9 | 4.294967295E9 | 4.294967295E9 |
+| test.c:685:20:685:36 | ... ? ... : ... | 100.0 | 99.0 | 100.0 |
+| test.c:897:5:897:14 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
+| test.c:898:5:898:14 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |
 | test.cpp:121:3:121:12 | ... ? ... : ... | 32767.0 | 32767.0 | 0.0 |
 | test.cpp:122:3:122:12 | ... ? ... : ... | 32767.0 | 0.0 | 32767.0 |

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/test.c

@@ -446,6 +446,23 @@ int repeated_if_statements(unsigned int rhs) {
   return rhs; // rhs has 6 bounds
 }
 
+int repeated_if_else_statements(unsigned int rhs) {
+  // Test how many bounds we estimate for repeated `if`-`else` statements that
+  // guard the same variable.
+  if (rhs < 10) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 11) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 12) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 13) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 14) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 15) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 16) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 17) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 18) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 19) { rhs << 1; } else { rhs << 2; }
+  if (rhs < 20) { rhs << 1; } else { rhs << 2; }
+  return rhs; // rhs has 12 bounds
+}
+
 int ne_phi_nodes(int a, int b) {
   if (a == 17) {
     if (b == 23) {

cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.expected

@@ -1,15 +1,143 @@
-| test.cpp:314:5:314:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:309:13:309:14 | st | st |
-| test.cpp:327:5:327:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:322:13:322:14 | st | st |
-| test.cpp:338:6:338:10 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:333:62:333:63 | st | st |
-| test.cpp:484:5:484:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:480:13:480:14 | st | st |
-| test.cpp:497:5:497:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:492:13:492:14 | st | st |
-| test.cpp:509:5:509:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:505:13:505:14 | st | st |
-| test.cpp:606:11:606:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:56:6:56:12 | tm_year | tm_year | test.cpp:602:12:602:19 | timeinfo | timeinfo |
-| test.cpp:634:11:634:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:56:6:56:12 | tm_year | tm_year | test.cpp:628:12:628:19 | timeinfo | timeinfo |
-| test.cpp:636:11:636:17 | tm_year | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:56:6:56:12 | tm_year | tm_year | test.cpp:628:12:628:19 | timeinfo | timeinfo |
-| test.cpp:640:5:640:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:629:13:629:14 | st | st |
-| test.cpp:642:5:642:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:629:13:629:14 | st | st |
-| test.cpp:718:5:718:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:712:13:712:14 | st | st |
-| test.cpp:731:5:731:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:725:13:725:14 | st | st |
-| test.cpp:732:5:732:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:725:13:725:14 | st | st |
-| test.cpp:733:5:733:9 | wYear | Field $@ on variable $@ has been modified, but no appropriate check for LeapYear was found. | test.cpp:12:7:12:11 | wYear | wYear | test.cpp:725:13:725:14 | st | st |
+#select
+| test.cpp:422:2:422:14 | ... += ... | test.cpp:422:2:422:14 | ... += ... | test.cpp:422:2:422:14 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:440:2:440:11 | ... ++ | test.cpp:440:2:440:11 | ... ++ | test.cpp:440:2:440:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:456:2:456:12 | ... ++ | test.cpp:456:2:456:12 | ... ++ | test.cpp:456:2:456:12 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:681:2:681:23 | ... += ... | test.cpp:681:2:681:23 | ... += ... | test.cpp:681:2:681:23 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:813:2:813:40 | ... = ... | test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:818:2:818:24 | ... = ... | test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:951:3:951:25 | ... = ... | test.cpp:951:14:951:25 | ... + ... | test.cpp:951:3:951:25 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:969:3:969:12 | ... ++ | test.cpp:969:3:969:12 | ... ++ | test.cpp:969:3:969:12 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1031:2:1031:11 | ... ++ | test.cpp:1031:2:1031:11 | ... ++ | test.cpp:1031:2:1031:11 | ... ++ | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1051:16:1051:23 | increment_arg output argument | test.cpp:1039:2:1039:4 | ... ++ | test.cpp:1051:16:1051:23 | increment_arg output argument | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1055:27:1055:35 | increment_arg_by_pointer output argument | test.cpp:1043:2:1043:7 | ... ++ | test.cpp:1055:27:1055:35 | increment_arg_by_pointer output argument | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1109:2:1109:26 | ... = ... | test.cpp:1109:14:1109:26 | ... - ... | test.cpp:1109:2:1109:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1160:2:1160:19 | ... = ... | test.cpp:1158:2:1158:15 | ... += ... | test.cpp:1160:2:1160:19 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1199:2:1199:28 | ... = ... | test.cpp:1199:16:1199:28 | ... + ... | test.cpp:1199:2:1199:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1214:2:1214:28 | ... = ... | test.cpp:1214:16:1214:28 | ... + ... | test.cpp:1214:2:1214:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1228:2:1228:28 | ... = ... | test.cpp:1228:16:1228:28 | ... + ... | test.cpp:1228:2:1228:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1242:2:1242:26 | ... = ... | test.cpp:1242:14:1242:26 | ... + ... | test.cpp:1242:2:1242:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1256:2:1256:26 | ... = ... | test.cpp:1256:14:1256:26 | ... + ... | test.cpp:1256:2:1256:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1262:2:1262:28 | ... = ... | test.cpp:1262:16:1262:28 | ... + ... | test.cpp:1262:2:1262:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1274:2:1274:28 | ... = ... | test.cpp:1274:16:1274:28 | ... + ... | test.cpp:1274:2:1274:28 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1287:2:1287:26 | ... = ... | test.cpp:1287:14:1287:26 | ... + ... | test.cpp:1287:2:1287:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1299:2:1299:26 | ... = ... | test.cpp:1299:14:1299:26 | ... + ... | test.cpp:1299:2:1299:26 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1341:2:1341:17 | ... = ... | test.cpp:1432:12:1432:17 | ... + ... | test.cpp:1341:2:1341:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1341:2:1341:17 | ... = ... | test.cpp:1446:9:1446:16 | ... + ... | test.cpp:1341:2:1341:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1341:2:1341:17 | ... = ... | test.cpp:1458:9:1458:16 | ... + ... | test.cpp:1341:2:1341:17 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1515:2:1515:15 | ... = ... | test.cpp:1512:2:1512:10 | ... += ... | test.cpp:1515:2:1515:15 | ... = ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1545:2:1545:22 | ... += ... | test.cpp:1545:2:1545:22 | ... += ... | test.cpp:1545:2:1545:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1553:2:1553:22 | ... += ... | test.cpp:1553:2:1553:22 | ... += ... | test.cpp:1553:2:1553:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1632:2:1632:22 | ... += ... | test.cpp:1632:2:1632:22 | ... += ... | test.cpp:1632:2:1632:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1644:2:1644:22 | ... += ... | test.cpp:1644:2:1644:22 | ... += ... | test.cpp:1644:2:1644:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1677:2:1677:22 | ... += ... | test.cpp:1677:2:1677:22 | ... += ... | test.cpp:1677:2:1677:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+| test.cpp:1753:2:1753:22 | ... += ... | test.cpp:1753:2:1753:22 | ... += ... | test.cpp:1753:2:1753:22 | ... += ... | Year field has been modified, but no appropriate check for LeapYear was found. |
+edges
+| test.cpp:813:21:813:40 | ... + ... | test.cpp:813:2:813:40 | ... = ... | provenance |  |
+| test.cpp:818:13:818:24 | ... + ... | test.cpp:818:2:818:24 | ... = ... | provenance |  |
+| test.cpp:951:14:951:25 | ... + ... | test.cpp:951:3:951:25 | ... = ... | provenance |  |
+| test.cpp:1038:26:1038:26 | *x | test.cpp:1051:16:1051:23 | increment_arg output argument | provenance |  |
+| test.cpp:1039:2:1039:4 | ... ++ | test.cpp:1038:26:1038:26 | *x | provenance |  |
+| test.cpp:1042:37:1042:37 | *x | test.cpp:1055:27:1055:35 | increment_arg_by_pointer output argument | provenance |  |
+| test.cpp:1043:2:1043:7 | ... ++ | test.cpp:1042:37:1042:37 | *x | provenance |  |
+| test.cpp:1109:14:1109:26 | ... - ... | test.cpp:1109:2:1109:26 | ... = ... | provenance |  |
+| test.cpp:1158:2:1158:15 | ... += ... | test.cpp:1160:2:1160:19 | ... = ... | provenance |  |
+| test.cpp:1199:16:1199:28 | ... + ... | test.cpp:1199:2:1199:28 | ... = ... | provenance |  |
+| test.cpp:1214:16:1214:28 | ... + ... | test.cpp:1214:2:1214:28 | ... = ... | provenance |  |
+| test.cpp:1228:16:1228:28 | ... + ... | test.cpp:1228:2:1228:28 | ... = ... | provenance |  |
+| test.cpp:1242:14:1242:26 | ... + ... | test.cpp:1242:2:1242:26 | ... = ... | provenance |  |
+| test.cpp:1256:14:1256:26 | ... + ... | test.cpp:1256:2:1256:26 | ... = ... | provenance |  |
+| test.cpp:1262:16:1262:28 | ... + ... | test.cpp:1262:2:1262:28 | ... = ... | provenance |  |
+| test.cpp:1274:16:1274:28 | ... + ... | test.cpp:1274:2:1274:28 | ... = ... | provenance |  |
+| test.cpp:1287:14:1287:26 | ... + ... | test.cpp:1287:2:1287:26 | ... = ... | provenance |  |
+| test.cpp:1299:14:1299:26 | ... + ... | test.cpp:1299:2:1299:26 | ... = ... | provenance |  |
+| test.cpp:1338:20:1338:23 | year | test.cpp:1341:2:1341:17 | ... = ... | provenance |  |
+| test.cpp:1351:15:1351:22 | ... + ... | test.cpp:1351:3:1351:22 | ... = ... | provenance |  |
+| test.cpp:1356:12:1356:17 | ... + ... | test.cpp:1338:20:1338:23 | year | provenance |  |
+| test.cpp:1365:15:1365:22 | ... + ... | test.cpp:1365:3:1365:22 | ... = ... | provenance |  |
+| test.cpp:1375:3:1375:20 | ... = ... | test.cpp:1377:12:1377:18 | yeartmp | provenance |  |
+| test.cpp:1375:13:1375:20 | ... + ... | test.cpp:1375:3:1375:20 | ... = ... | provenance |  |
+| test.cpp:1377:12:1377:18 | yeartmp | test.cpp:1338:20:1338:23 | year | provenance |  |
+| test.cpp:1420:15:1420:22 | ... + ... | test.cpp:1420:3:1420:22 | ... = ... | provenance |  |
+| test.cpp:1425:12:1425:17 | ... + ... | test.cpp:1338:20:1338:23 | year | provenance |  |
+| test.cpp:1432:12:1432:17 | ... + ... | test.cpp:1338:20:1338:23 | year | provenance |  |
+| test.cpp:1446:2:1446:16 | ... = ... | test.cpp:1450:3:1450:18 | ... = ... | provenance |  |
+| test.cpp:1446:2:1446:16 | ... = ... | test.cpp:1455:12:1455:15 | year | provenance |  |
+| test.cpp:1446:9:1446:16 | ... + ... | test.cpp:1446:2:1446:16 | ... = ... | provenance |  |
+| test.cpp:1455:12:1455:15 | year | test.cpp:1338:20:1338:23 | year | provenance |  |
+| test.cpp:1458:2:1458:16 | ... = ... | test.cpp:1464:12:1464:15 | year | provenance |  |
+| test.cpp:1458:9:1458:16 | ... + ... | test.cpp:1458:2:1458:16 | ... = ... | provenance |  |
+| test.cpp:1464:12:1464:15 | year | test.cpp:1338:20:1338:23 | year | provenance |  |
+| test.cpp:1512:2:1512:10 | ... += ... | test.cpp:1515:2:1515:15 | ... = ... | provenance |  |
+nodes
+| test.cpp:422:2:422:14 | ... += ... | semmle.label | ... += ... |
+| test.cpp:440:2:440:11 | ... ++ | semmle.label | ... ++ |
+| test.cpp:456:2:456:12 | ... ++ | semmle.label | ... ++ |
+| test.cpp:482:3:482:12 | ... ++ | semmle.label | ... ++ |
+| test.cpp:681:2:681:23 | ... += ... | semmle.label | ... += ... |
+| test.cpp:813:2:813:40 | ... = ... | semmle.label | ... = ... |
+| test.cpp:813:21:813:40 | ... + ... | semmle.label | ... + ... |
+| test.cpp:818:2:818:24 | ... = ... | semmle.label | ... = ... |
+| test.cpp:818:13:818:24 | ... + ... | semmle.label | ... + ... |
+| test.cpp:872:4:872:15 | ... ++ | semmle.label | ... ++ |
+| test.cpp:951:3:951:25 | ... = ... | semmle.label | ... = ... |
+| test.cpp:951:14:951:25 | ... + ... | semmle.label | ... + ... |
+| test.cpp:969:3:969:12 | ... ++ | semmle.label | ... ++ |
+| test.cpp:1031:2:1031:11 | ... ++ | semmle.label | ... ++ |
+| test.cpp:1038:26:1038:26 | *x | semmle.label | *x |
+| test.cpp:1039:2:1039:4 | ... ++ | semmle.label | ... ++ |
+| test.cpp:1042:37:1042:37 | *x | semmle.label | *x |
+| test.cpp:1043:2:1043:7 | ... ++ | semmle.label | ... ++ |
+| test.cpp:1051:16:1051:23 | increment_arg output argument | semmle.label | increment_arg output argument |
+| test.cpp:1055:27:1055:35 | increment_arg_by_pointer output argument | semmle.label | increment_arg_by_pointer output argument |
+| test.cpp:1109:2:1109:26 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1109:14:1109:26 | ... - ... | semmle.label | ... - ... |
+| test.cpp:1158:2:1158:15 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1160:2:1160:19 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1199:2:1199:28 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1199:16:1199:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1214:2:1214:28 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1214:16:1214:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1228:2:1228:28 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1228:16:1228:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1242:2:1242:26 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1242:14:1242:26 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1256:2:1256:26 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1256:14:1256:26 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1262:2:1262:28 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1262:16:1262:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1274:2:1274:28 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1274:16:1274:28 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1287:2:1287:26 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1287:14:1287:26 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1299:2:1299:26 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1299:14:1299:26 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1338:20:1338:23 | year | semmle.label | year |
+| test.cpp:1341:2:1341:17 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1351:3:1351:22 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1351:15:1351:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1356:12:1356:17 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1365:3:1365:22 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1365:15:1365:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1375:3:1375:20 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1375:13:1375:20 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1377:12:1377:18 | yeartmp | semmle.label | yeartmp |
+| test.cpp:1420:3:1420:22 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1420:15:1420:22 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1425:12:1425:17 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1432:12:1432:17 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1446:2:1446:16 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1446:9:1446:16 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1450:3:1450:18 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1455:12:1455:15 | year | semmle.label | year |
+| test.cpp:1458:2:1458:16 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1458:9:1458:16 | ... + ... | semmle.label | ... + ... |
+| test.cpp:1464:12:1464:15 | year | semmle.label | year |
+| test.cpp:1512:2:1512:10 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1515:2:1515:15 | ... = ... | semmle.label | ... = ... |
+| test.cpp:1545:2:1545:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1553:2:1553:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1632:2:1632:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1644:2:1644:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1677:2:1677:22 | ... += ... | semmle.label | ... += ... |
+| test.cpp:1753:2:1753:22 | ... += ... | semmle.label | ... += ... |
+subpaths

cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedLeapYearAfterYearModification.qlref

@@ -1 +1,2 @@
-Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
+query: Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql

cpp/ql/test/query-tests/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification/UncheckedReturnValueForTimeFunctions.expected

@@ -1,5 +1,6 @@
-| test.cpp:317:2:317:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:309:13:309:14 | st | st |
-| test.cpp:330:2:330:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:322:13:322:14 | st | st |
-| test.cpp:341:2:341:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:333:62:333:63 | st | st |
-| test.cpp:720:2:720:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:712:13:712:14 | st | st |
-| test.cpp:735:2:735:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:63:1:63:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:725:13:725:14 | st | st |
+| test.cpp:425:2:425:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:417:13:417:14 | st | st |
+| test.cpp:443:2:443:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:435:13:435:14 | st | st |
+| test.cpp:459:2:459:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:451:62:451:63 | st | st |
+| test.cpp:953:3:953:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:944:14:944:15 | st | st |
+| test.cpp:971:3:971:22 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:962:14:962:15 | st | st |
+| test.cpp:1035:2:1035:21 | call to SystemTimeToFileTime | Return value of $@ function should be verified to check for any error because variable $@ is not guaranteed to be safe. | test.cpp:101:1:101:20 | SystemTimeToFileTime | SystemTimeToFileTime | test.cpp:1025:13:1025:14 | st | st |

cpp/ql/test/query-tests/Likely Bugs/Memory Management/ReturnStackAllocatedMemory/test.cpp

@@ -250,3 +250,8 @@ void* test_strndupa(const char* s, size_t size) {
 	return s2; // BAD
 }
 
+int* f_rec(int *p) {
+  int x;
+  int* px = f_rec(&x); // GOOD
+  return p;
+}

csharp/extractor/Semmle.Extraction.CSharp/Entities/Event.cs

@@ -11,6 +11,10 @@ namespace Semmle.Extraction.CSharp.Entities
         private Event(Context cx, IEventSymbol init)
             : base(cx, init) { }
 
+        protected override IEventSymbol BodyDeclaringSymbol => Symbol.PartialImplementationPart ?? Symbol;
+
+        public override Microsoft.CodeAnalysis.Location? ReportingLocation => BodyDeclaringSymbol.Locations.BestOrDefault();
+
         public override void WriteId(EscapingTextWriter trapFile)
         {
             trapFile.WriteSubId(ContainingType!);
@@ -27,13 +31,13 @@ namespace Semmle.Extraction.CSharp.Entities
             var type = Type.Create(Context, Symbol.Type);
             trapFile.events(this, Symbol.GetName(), ContainingType!, type.TypeRef, Create(Context, Symbol.OriginalDefinition));
 
-            var adder = Symbol.AddMethod;
-            var remover = Symbol.RemoveMethod;
+            var adder = BodyDeclaringSymbol.AddMethod;
+            var remover = BodyDeclaringSymbol.RemoveMethod;
 
-            if (!(adder is null))
+            if (adder is not null)
                 Method.Create(Context, adder);
 
-            if (!(remover is null))
+            if (remover is not null)
                 Method.Create(Context, remover);
 
             PopulateModifiers(trapFile);

csharp/extractor/Semmle.Extraction.CSharp/Entities/EventAccessor.cs

@@ -13,6 +13,10 @@ namespace Semmle.Extraction.CSharp.Entities
             this.@event = @event;
         }
 
+        public override bool NeedsPopulation =>
+            base.NeedsPopulation &&
+            !Symbol.IsPartialDefinition; // Accessors always have an implementing declaration as well.
+
         /// <summary>
         /// Gets the event symbol associated with accessor `symbol`, or `null`
         /// if there is no associated symbol.

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs

@@ -160,6 +160,9 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                     case SyntaxKind.ThisExpression:
                         return This.CreateExplicit(info);
 
+                    case SyntaxKind.FieldExpression:
+                        return PropertyFieldAccess.Create(info);
+
                     case SyntaxKind.AddressOfExpression:
                         return Unary.Create(info.SetKind(ExprKind.ADDRESS_OF));
 

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PropertyFieldAccess.cs

@@ -0,0 +1,28 @@
+using System.IO;
+using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Extraction.Kinds;
+
+namespace Semmle.Extraction.CSharp.Entities.Expressions
+{
+    internal class PropertyFieldAccess : Expression<FieldExpressionSyntax>
+    {
+        private PropertyFieldAccess(ExpressionNodeInfo info) : base(info.SetKind(ExprKind.FIELD_ACCESS)) { }
+
+        public static Expression Create(ExpressionNodeInfo info) => new PropertyFieldAccess(info).TryPopulate();
+
+        protected override void PopulateExpression(TextWriter trapFile)
+        {
+            var symbolInfo = Context.GetSymbolInfo(Syntax);
+            if (symbolInfo.Symbol is IFieldSymbol field)
+            {
+                var target = PropertyField.Create(Context, field);
+                trapFile.expr_access(this, target);
+                if (!field.IsStatic)
+                {
+                    This.CreateImplicit(Context, field.ContainingType, Location, this, -1);
+                }
+            }
+        }
+    }
+}

csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs

@@ -10,7 +10,7 @@ namespace Semmle.Extraction.CSharp.Entities
 {
     internal class Field : CachedSymbol<IFieldSymbol>, IExpressionParentEntity
     {
-        private Field(Context cx, IFieldSymbol init)
+        protected Field(Context cx, IFieldSymbol init)
             : base(cx, init)
         {
             type = new Lazy<Type>(() => Entities.Type.Create(cx, Symbol.Type));

csharp/extractor/Semmle.Extraction.CSharp/Entities/PropertyField.cs

@@ -0,0 +1,53 @@
+using System.IO;
+using Microsoft.CodeAnalysis;
+using Semmle.Extraction.CSharp.Util;
+using Semmle.Extraction.Kinds;
+
+namespace Semmle.Extraction.CSharp.Entities
+{
+    /// <summary>
+    /// Represents the autogenerated backing field `field` for a property.
+    /// It is only created for properties that use the `field` keyword in their getter or setter, and
+    /// is not created for auto-properties.
+    /// </summary>
+    internal class PropertyField : Field
+    {
+        protected PropertyField(Context cx, IFieldSymbol init)
+            : base(cx, init)
+        {
+        }
+
+        public static new PropertyField Create(Context cx, IFieldSymbol field) => PropertyFieldFactory.Instance.CreateEntity(cx, (field, field.AssociatedSymbol), field);
+
+        public override bool NeedsPopulation => true;
+
+        public override void Populate(TextWriter trapFile)
+        {
+            PopulateNullability(trapFile, Symbol.GetAnnotatedType());
+
+            var unboundFieldKey = PropertyField.Create(Context, Symbol.OriginalDefinition);
+            var name = Symbol.AssociatedSymbol is not null ? $"{Symbol.AssociatedSymbol.GetName()}.field" : Symbol.Name;
+            trapFile.fields(this, VariableKind.None, name, ContainingType!, Type.TypeRef, unboundFieldKey);
+            trapFile.compiler_generated(this);
+
+            PopulateModifiers(trapFile);
+
+            if (Context.OnlyScaffold)
+            {
+                return;
+            }
+
+            if (Context.ExtractLocation(Symbol))
+            {
+                WriteLocationsToTrap(trapFile.field_location, this, Locations);
+            }
+        }
+
+        private class PropertyFieldFactory : CachedEntityFactory<IFieldSymbol, PropertyField>
+        {
+            public static PropertyFieldFactory Instance { get; } = new PropertyFieldFactory();
+
+            public override PropertyField Create(Context cx, IFieldSymbol init) => new PropertyField(cx, init);
+        }
+    }
+}

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.59
+version: 1.7.60-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.59
+version: 1.7.60-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/posix/conftest.py

@@ -0,0 +1,19 @@
+import runs_on
+
+
+def _supports_mono_nuget():
+    """
+    Helper function to determine if the current platform supports Mono and nuget.
+    
+    Returns True if running on Linux or on macOS x86_64 (excluding macos-15 and macos-26).
+    macOS ARM runners (macos-15 and macos-26) are excluded due to issues with Mono and nuget.
+    """
+    return (
+        runs_on.linux
+        or (
+            runs_on.macos
+            and runs_on.x86_64
+            and not runs_on.macos_15
+            and not runs_on.macos_26
+        )
+    )

csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py

@@ -1,13 +1,9 @@
-import runs_on
 import pytest
 import os
+from ..conftest import _supports_mono_nuget
 
 
-# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
-@pytest.mark.only_if(
-    runs_on.linux
-    or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
-)
+@pytest.mark.only_if(_supports_mono_nuget())
 def test(codeql, csharp):
     os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_DOTNET_FRAMEWORK_REFERENCES"] = (
         "/non-existent-path"

csharp/ql/integration-tests/posix/standalone_dependencies_nuget with_space/test.py

@@ -1,13 +1,9 @@
 import os
-import runs_on
 import pytest
+from ..conftest import _supports_mono_nuget
 
 
-# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
-@pytest.mark.only_if(
-    runs_on.linux
-    or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
-)
+@pytest.mark.only_if(_supports_mono_nuget())
 def test(codeql, csharp):
     # making sure we're not doing any fallback restore:
     os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_NUGET_FEEDS_CHECK_FALLBACK_TIMEOUT"] = "1"

csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py

@@ -1,11 +1,7 @@
-import runs_on
 import pytest
+from ..conftest import _supports_mono_nuget
 
 
-# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
-@pytest.mark.only_if(
-    runs_on.linux
-    or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
-)
+@pytest.mark.only_if(_supports_mono_nuget())
 def test(codeql, csharp):
     codeql.database.create(build_mode="none")

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py

@@ -1,11 +1,7 @@
-import runs_on
 import pytest
+from ..conftest import _supports_mono_nuget
 
 
-# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
-@pytest.mark.only_if(
-    runs_on.linux
-    or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
-)
+@pytest.mark.only_if(_supports_mono_nuget())
 def test(codeql, csharp):
     codeql.database.create(source_root="proj", build_mode="none")

csharp/ql/lib/change-notes/2026-02-12-field-keyword.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 14: Added support for the `field` keyword in properties.

csharp/ql/lib/change-notes/2026-02-16-partial-events.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 14: Added support for partial events.

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.7
+version: 5.4.8-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.6.2
+version: 1.6.3-dev
 groups:
   - csharp
   - queries

csharp/ql/test/library-tests/dataflow/fields/D.cs

@@ -89,3 +89,65 @@ public partial class DPartial
 
     static T Source<T>(object source) => throw null;
 }
+
+public class DFieldProps
+{
+    object FieldProp0
+    {
+        get { return field; }
+        set { field = value; }
+    } = Source<object>(0);
+
+    object FieldProp1
+    {
+        get { return field; }
+        set { field = value; }
+    }
+
+    object FieldProp2
+    {
+        get { return field; }
+        set
+        {
+            var x = value;
+            field = x;
+        }
+    }
+
+    static object StaticFieldProp
+    {
+        get { return field; }
+        set { field = value; }
+    }
+
+    private void M()
+    {
+        var d0 = new DFieldProps();
+        Sink(d0.FieldProp0); // $ hasValueFlow=0
+        Sink(d0.FieldProp1); // no flow
+        Sink(d0.FieldProp2); // no flow
+
+        var d1 = new DFieldProps();
+        var o1 = Source<object>(1);
+        d1.FieldProp1 = o1;
+        Sink(d1.FieldProp0); // $ hasValueFlow=0
+        Sink(d1.FieldProp1); // $ hasValueFlow=1
+        Sink(d1.FieldProp2); // no flow
+
+        var d2 = new DFieldProps();
+        var o2 = Source<object>(2);
+        d2.FieldProp2 = o2;
+        Sink(d2.FieldProp0); // $ hasValueFlow=0
+        Sink(d2.FieldProp1); // no flow
+        Sink(d2.FieldProp2); // $ hasValueFlow=2
+
+        var o3 = Source<object>(3);
+        DFieldProps.StaticFieldProp = o3;
+        Sink(DFieldProps.StaticFieldProp); // $ hasValueFlow=3
+    }
+
+    public static void Sink(object o) { }
+
+    static T Source<T>(object source) => throw null;
+
+}

csharp/ql/test/library-tests/dataflow/fields/FieldFlow.expected

@@ -532,6 +532,118 @@ edges
 | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:60:9:60:11 | this : DPartial [field _backingField] : Object | provenance |  |
 | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:84:14:84:27 | access to property PartialProp1 | provenance |  |
 | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:84:14:84:27 | access to property PartialProp1 | provenance |  |
+| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | provenance |  |
+| D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | provenance |  |
+| D.cs:98:9:98:11 | value : Object | D.cs:98:23:98:27 | access to parameter value : Object | provenance |  |
+| D.cs:98:9:98:11 | value : Object | D.cs:98:23:98:27 | access to parameter value : Object | provenance |  |
+| D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:98:23:98:27 | access to parameter value : Object | D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:98:23:98:27 | access to parameter value : Object | D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:98:9:98:11 | value : Object | provenance |  |
+| D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:98:9:98:11 | value : Object | provenance |  |
+| D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | access to field FieldProp1.field : Object | provenance |  |
+| D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | access to field FieldProp1.field : Object | provenance |  |
+| D.cs:104:9:104:11 | value : Object | D.cs:104:23:104:27 | access to parameter value : Object | provenance |  |
+| D.cs:104:9:104:11 | value : Object | D.cs:104:23:104:27 | access to parameter value : Object | provenance |  |
+| D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:104:23:104:27 | access to parameter value : Object | D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:104:23:104:27 | access to parameter value : Object | D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | access to field FieldProp2.field : Object | provenance |  |
+| D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | access to field FieldProp2.field : Object | provenance |  |
+| D.cs:110:9:110:11 | value : Object | D.cs:112:17:112:17 | access to local variable x : Object | provenance |  |
+| D.cs:110:9:110:11 | value : Object | D.cs:112:17:112:17 | access to local variable x : Object | provenance |  |
+| D.cs:112:17:112:17 | access to local variable x : Object | D.cs:113:21:113:21 | access to local variable x : Object | provenance |  |
+| D.cs:112:17:112:17 | access to local variable x : Object | D.cs:113:21:113:21 | access to local variable x : Object | provenance |  |
+| D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:113:21:113:21 | access to local variable x : Object | D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:113:21:113:21 | access to local variable x : Object | D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | provenance |  |
+| D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | provenance |  |
+| D.cs:120:9:120:11 | value : Object | D.cs:120:23:120:27 | access to parameter value : Object | provenance |  |
+| D.cs:120:9:120:11 | value : Object | D.cs:120:23:120:27 | access to parameter value : Object | provenance |  |
+| D.cs:120:23:120:27 | access to parameter value : Object | D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | provenance |  |
+| D.cs:120:23:120:27 | access to parameter value : Object | D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | provenance |  |
+| D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:126:14:126:26 | access to property FieldProp0 | provenance |  |
+| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:126:14:126:26 | access to property FieldProp0 | provenance |  |
+| D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:131:13:131:14 | access to local variable o1 : Object | D.cs:132:25:132:26 | access to local variable o1 : Object | provenance |  |
+| D.cs:131:13:131:14 | access to local variable o1 : Object | D.cs:132:25:132:26 | access to local variable o1 : Object | provenance |  |
+| D.cs:131:18:131:34 | call to method Source<Object> : Object | D.cs:131:13:131:14 | access to local variable o1 : Object | provenance |  |
+| D.cs:131:18:131:34 | call to method Source<Object> : Object | D.cs:131:13:131:14 | access to local variable o1 : Object | provenance |  |
+| D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:104:9:104:11 | value : Object | provenance |  |
+| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:104:9:104:11 | value : Object | provenance |  |
+| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:133:14:133:26 | access to property FieldProp0 | provenance |  |
+| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:133:14:133:26 | access to property FieldProp0 | provenance |  |
+| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | provenance |  |
+| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:134:14:134:26 | access to property FieldProp1 | provenance |  |
+| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:134:14:134:26 | access to property FieldProp1 | provenance |  |
+| D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:138:13:138:14 | access to local variable o2 : Object | D.cs:139:25:139:26 | access to local variable o2 : Object | provenance |  |
+| D.cs:138:13:138:14 | access to local variable o2 : Object | D.cs:139:25:139:26 | access to local variable o2 : Object | provenance |  |
+| D.cs:138:18:138:34 | call to method Source<Object> : Object | D.cs:138:13:138:14 | access to local variable o2 : Object | provenance |  |
+| D.cs:138:18:138:34 | call to method Source<Object> : Object | D.cs:138:13:138:14 | access to local variable o2 : Object | provenance |  |
+| D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:110:9:110:11 | value : Object | provenance |  |
+| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:110:9:110:11 | value : Object | provenance |  |
+| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | provenance |  |
+| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:140:14:140:26 | access to property FieldProp0 | provenance |  |
+| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:140:14:140:26 | access to property FieldProp0 | provenance |  |
+| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | provenance |  |
+| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:142:14:142:26 | access to property FieldProp2 | provenance |  |
+| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:142:14:142:26 | access to property FieldProp2 | provenance |  |
+| D.cs:144:13:144:14 | access to local variable o3 : Object | D.cs:145:9:145:35 | access to property StaticFieldProp : Object | provenance |  |
+| D.cs:144:13:144:14 | access to local variable o3 : Object | D.cs:145:9:145:35 | access to property StaticFieldProp : Object | provenance |  |
+| D.cs:144:13:144:14 | access to local variable o3 : Object | D.cs:145:39:145:40 | access to local variable o3 : Object | provenance |  |
+| D.cs:144:13:144:14 | access to local variable o3 : Object | D.cs:145:39:145:40 | access to local variable o3 : Object | provenance |  |
+| D.cs:144:18:144:34 | call to method Source<Object> : Object | D.cs:144:13:144:14 | access to local variable o3 : Object | provenance |  |
+| D.cs:144:18:144:34 | call to method Source<Object> : Object | D.cs:144:13:144:14 | access to local variable o3 : Object | provenance |  |
+| D.cs:145:9:145:35 | access to property StaticFieldProp : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | provenance |  |
+| D.cs:145:9:145:35 | access to property StaticFieldProp : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | provenance |  |
+| D.cs:145:39:145:40 | access to local variable o3 : Object | D.cs:120:9:120:11 | value : Object | provenance |  |
+| D.cs:145:39:145:40 | access to local variable o3 : Object | D.cs:120:9:120:11 | value : Object | provenance |  |
 | E.cs:8:29:8:29 | o : Object | E.cs:11:21:11:21 | access to parameter o : Object | provenance |  |
 | E.cs:8:29:8:29 | o : Object | E.cs:11:21:11:21 | access to parameter o : Object | provenance |  |
 | E.cs:11:9:11:11 | [post] access to local variable ret : S [field Field] : Object | E.cs:12:16:12:18 | access to local variable ret : S [field Field] : Object | provenance |  |
@@ -1807,6 +1919,120 @@ nodes
 | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | semmle.label | access to local variable d : DPartial [field _backingField] : Object |
 | D.cs:84:14:84:27 | access to property PartialProp1 | semmle.label | access to property PartialProp1 |
 | D.cs:84:14:84:27 | access to property PartialProp1 | semmle.label | access to property PartialProp1 |
+| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:93:14:93:24 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | semmle.label | this : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | semmle.label | this : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:97:22:97:26 | access to field FieldProp0.field : Object | semmle.label | access to field FieldProp0.field : Object |
+| D.cs:97:22:97:26 | access to field FieldProp0.field : Object | semmle.label | access to field FieldProp0.field : Object |
+| D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:97:22:97:26 | this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:98:9:98:11 | value : Object | semmle.label | value : Object |
+| D.cs:98:9:98:11 | value : Object | semmle.label | value : Object |
+| D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:98:15:98:19 | [post] this access : DFieldProps [field FieldProp0.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:98:23:98:27 | access to parameter value : Object | semmle.label | access to parameter value : Object |
+| D.cs:98:23:98:27 | access to parameter value : Object | semmle.label | access to parameter value : Object |
+| D.cs:99:9:99:25 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| D.cs:99:9:99:25 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | semmle.label | this : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | semmle.label | this : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:103:22:103:26 | access to field FieldProp1.field : Object | semmle.label | access to field FieldProp1.field : Object |
+| D.cs:103:22:103:26 | access to field FieldProp1.field : Object | semmle.label | access to field FieldProp1.field : Object |
+| D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | semmle.label | this access : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:103:22:103:26 | this access : DFieldProps [field FieldProp1.field] : Object | semmle.label | this access : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:104:9:104:11 | value : Object | semmle.label | value : Object |
+| D.cs:104:9:104:11 | value : Object | semmle.label | value : Object |
+| D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:104:15:104:19 | [post] this access : DFieldProps [field FieldProp1.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:104:23:104:27 | access to parameter value : Object | semmle.label | access to parameter value : Object |
+| D.cs:104:23:104:27 | access to parameter value : Object | semmle.label | access to parameter value : Object |
+| D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | semmle.label | this : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | semmle.label | this : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:109:22:109:26 | access to field FieldProp2.field : Object | semmle.label | access to field FieldProp2.field : Object |
+| D.cs:109:22:109:26 | access to field FieldProp2.field : Object | semmle.label | access to field FieldProp2.field : Object |
+| D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | semmle.label | this access : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:109:22:109:26 | this access : DFieldProps [field FieldProp2.field] : Object | semmle.label | this access : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | semmle.label | this [Return] : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:110:9:110:11 | value : Object | semmle.label | value : Object |
+| D.cs:110:9:110:11 | value : Object | semmle.label | value : Object |
+| D.cs:112:17:112:17 | access to local variable x : Object | semmle.label | access to local variable x : Object |
+| D.cs:112:17:112:17 | access to local variable x : Object | semmle.label | access to local variable x : Object |
+| D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:113:13:113:17 | [post] this access : DFieldProps [field FieldProp2.field] : Object | semmle.label | [post] this access : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:113:21:113:21 | access to local variable x : Object | semmle.label | access to local variable x : Object |
+| D.cs:113:21:113:21 | access to local variable x : Object | semmle.label | access to local variable x : Object |
+| D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | semmle.label | access to field StaticFieldProp.field : Object |
+| D.cs:119:22:119:26 | access to field StaticFieldProp.field : Object | semmle.label | access to field StaticFieldProp.field : Object |
+| D.cs:120:9:120:11 | value : Object | semmle.label | value : Object |
+| D.cs:120:9:120:11 | value : Object | semmle.label | value : Object |
+| D.cs:120:23:120:27 | access to parameter value : Object | semmle.label | access to parameter value : Object |
+| D.cs:120:23:120:27 | access to parameter value : Object | semmle.label | access to parameter value : Object |
+| D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:125:13:125:14 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:125:18:125:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:126:14:126:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 |
+| D.cs:126:14:126:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 |
+| D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:130:13:130:14 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:130:18:130:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:131:13:131:14 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
+| D.cs:131:13:131:14 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
+| D.cs:131:18:131:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| D.cs:131:18:131:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | semmle.label | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | semmle.label | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:132:25:132:26 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
+| D.cs:132:25:132:26 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
+| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:133:14:133:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 |
+| D.cs:133:14:133:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 |
+| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | semmle.label | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:134:14:134:26 | access to property FieldProp1 | semmle.label | access to property FieldProp1 |
+| D.cs:134:14:134:26 | access to property FieldProp1 | semmle.label | access to property FieldProp1 |
+| D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:137:13:137:14 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:137:18:137:34 | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object | semmle.label | object creation of type DFieldProps : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:138:13:138:14 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
+| D.cs:138:13:138:14 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
+| D.cs:138:18:138:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| D.cs:138:18:138:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | semmle.label | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | semmle.label | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:139:25:139:26 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
+| D.cs:139:25:139:26 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
+| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:140:14:140:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 |
+| D.cs:140:14:140:26 | access to property FieldProp0 | semmle.label | access to property FieldProp0 |
+| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | semmle.label | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:142:14:142:26 | access to property FieldProp2 | semmle.label | access to property FieldProp2 |
+| D.cs:142:14:142:26 | access to property FieldProp2 | semmle.label | access to property FieldProp2 |
+| D.cs:144:13:144:14 | access to local variable o3 : Object | semmle.label | access to local variable o3 : Object |
+| D.cs:144:13:144:14 | access to local variable o3 : Object | semmle.label | access to local variable o3 : Object |
+| D.cs:144:18:144:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| D.cs:144:18:144:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| D.cs:145:9:145:35 | access to property StaticFieldProp : Object | semmle.label | access to property StaticFieldProp : Object |
+| D.cs:145:9:145:35 | access to property StaticFieldProp : Object | semmle.label | access to property StaticFieldProp : Object |
+| D.cs:145:39:145:40 | access to local variable o3 : Object | semmle.label | access to local variable o3 : Object |
+| D.cs:145:39:145:40 | access to local variable o3 : Object | semmle.label | access to local variable o3 : Object |
+| D.cs:146:14:146:40 | access to property StaticFieldProp | semmle.label | access to property StaticFieldProp |
+| D.cs:146:14:146:40 | access to property StaticFieldProp | semmle.label | access to property StaticFieldProp |
 | E.cs:8:29:8:29 | o : Object | semmle.label | o : Object |
 | E.cs:8:29:8:29 | o : Object | semmle.label | o : Object |
 | E.cs:11:9:11:11 | [post] access to local variable ret : S [field Field] : Object | semmle.label | [post] access to local variable ret : S [field Field] : Object |
@@ -2648,6 +2874,22 @@ subpaths
 | D.cs:81:26:81:26 | access to local variable o : Object | D.cs:61:9:61:11 | value : Object | D.cs:61:9:61:11 | this [Return] : DPartial [field _backingField] : Object | D.cs:81:9:81:9 | [post] access to local variable d : DPartial [field _backingField] : Object |
 | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:60:9:60:11 | this : DPartial [field _backingField] : Object | D.cs:60:22:60:34 | access to field _backingField : Object | D.cs:84:14:84:27 | access to property PartialProp1 |
 | D.cs:84:14:84:14 | access to local variable d : DPartial [field _backingField] : Object | D.cs:60:9:60:11 | this : DPartial [field _backingField] : Object | D.cs:60:22:60:34 | access to field _backingField : Object | D.cs:84:14:84:27 | access to property PartialProp1 |
+| D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:98:9:98:11 | value : Object | D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:98:9:98:11 | value : Object | D.cs:98:9:98:11 | this [Return] : DFieldProps [field FieldProp0.field] : Object | D.cs:95:12:95:21 | [post] this access : DFieldProps [field FieldProp0.field] : Object |
+| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:126:14:126:26 | access to property FieldProp0 |
+| D.cs:126:14:126:15 | access to local variable d0 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:126:14:126:26 | access to property FieldProp0 |
+| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:104:9:104:11 | value : Object | D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:132:25:132:26 | access to local variable o1 : Object | D.cs:104:9:104:11 | value : Object | D.cs:104:9:104:11 | this [Return] : DFieldProps [field FieldProp1.field] : Object | D.cs:132:9:132:10 | [post] access to local variable d1 : DFieldProps [field FieldProp1.field] : Object |
+| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:133:14:133:26 | access to property FieldProp0 |
+| D.cs:133:14:133:15 | access to local variable d1 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:133:14:133:26 | access to property FieldProp0 |
+| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | access to field FieldProp1.field : Object | D.cs:134:14:134:26 | access to property FieldProp1 |
+| D.cs:134:14:134:15 | access to local variable d1 : DFieldProps [field FieldProp1.field] : Object | D.cs:103:9:103:11 | this : DFieldProps [field FieldProp1.field] : Object | D.cs:103:22:103:26 | access to field FieldProp1.field : Object | D.cs:134:14:134:26 | access to property FieldProp1 |
+| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:110:9:110:11 | value : Object | D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:139:25:139:26 | access to local variable o2 : Object | D.cs:110:9:110:11 | value : Object | D.cs:110:9:110:11 | this [Return] : DFieldProps [field FieldProp2.field] : Object | D.cs:139:9:139:10 | [post] access to local variable d2 : DFieldProps [field FieldProp2.field] : Object |
+| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:140:14:140:26 | access to property FieldProp0 |
+| D.cs:140:14:140:15 | access to local variable d2 : DFieldProps [field FieldProp0.field] : Object | D.cs:97:9:97:11 | this : DFieldProps [field FieldProp0.field] : Object | D.cs:97:22:97:26 | access to field FieldProp0.field : Object | D.cs:140:14:140:26 | access to property FieldProp0 |
+| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | access to field FieldProp2.field : Object | D.cs:142:14:142:26 | access to property FieldProp2 |
+| D.cs:142:14:142:15 | access to local variable d2 : DFieldProps [field FieldProp2.field] : Object | D.cs:109:9:109:11 | this : DFieldProps [field FieldProp2.field] : Object | D.cs:109:22:109:26 | access to field FieldProp2.field : Object | D.cs:142:14:142:26 | access to property FieldProp2 |
 | E.cs:23:25:23:25 | access to local variable o : Object | E.cs:8:29:8:29 | o : Object | E.cs:12:16:12:18 | access to local variable ret : S [field Field] : Object | E.cs:23:17:23:26 | call to method CreateS : S [field Field] : Object |
 | E.cs:23:25:23:25 | access to local variable o : Object | E.cs:8:29:8:29 | o : Object | E.cs:12:16:12:18 | access to local variable ret : S [field Field] : Object | E.cs:23:17:23:26 | call to method CreateS : S [field Field] : Object |
 | E.cs:55:29:55:33 | access to local variable taint : Object | E.cs:43:46:43:46 | o : Object | E.cs:43:36:43:36 | s [Return] : RefS [field RefField] : Object | E.cs:55:23:55:26 | [post] access to local variable refs : RefS [field RefField] : Object |
@@ -2758,6 +3000,18 @@ testFailures
 | D.cs:47:14:47:26 | access to property ComplexProp | D.cs:43:32:43:48 | call to method Source<Object> : Object | D.cs:47:14:47:26 | access to property ComplexProp | $@ | D.cs:43:32:43:48 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | D.cs:84:14:84:27 | access to property PartialProp1 | D.cs:78:17:78:33 | call to method Source<Object> : Object | D.cs:84:14:84:27 | access to property PartialProp1 | $@ | D.cs:78:17:78:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | D.cs:84:14:84:27 | access to property PartialProp1 | D.cs:78:17:78:33 | call to method Source<Object> : Object | D.cs:84:14:84:27 | access to property PartialProp1 | $@ | D.cs:78:17:78:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:126:14:126:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:126:14:126:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:126:14:126:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:126:14:126:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:133:14:133:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:133:14:133:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:133:14:133:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:133:14:133:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:134:14:134:26 | access to property FieldProp1 | D.cs:131:18:131:34 | call to method Source<Object> : Object | D.cs:134:14:134:26 | access to property FieldProp1 | $@ | D.cs:131:18:131:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:134:14:134:26 | access to property FieldProp1 | D.cs:131:18:131:34 | call to method Source<Object> : Object | D.cs:134:14:134:26 | access to property FieldProp1 | $@ | D.cs:131:18:131:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:140:14:140:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:140:14:140:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:140:14:140:26 | access to property FieldProp0 | D.cs:99:9:99:25 | call to method Source<Object> : Object | D.cs:140:14:140:26 | access to property FieldProp0 | $@ | D.cs:99:9:99:25 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:142:14:142:26 | access to property FieldProp2 | D.cs:138:18:138:34 | call to method Source<Object> : Object | D.cs:142:14:142:26 | access to property FieldProp2 | $@ | D.cs:138:18:138:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:142:14:142:26 | access to property FieldProp2 | D.cs:138:18:138:34 | call to method Source<Object> : Object | D.cs:142:14:142:26 | access to property FieldProp2 | $@ | D.cs:138:18:138:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:146:14:146:40 | access to property StaticFieldProp | D.cs:144:18:144:34 | call to method Source<Object> : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | $@ | D.cs:144:18:144:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| D.cs:146:14:146:40 | access to property StaticFieldProp | D.cs:144:18:144:34 | call to method Source<Object> : Object | D.cs:146:14:146:40 | access to property StaticFieldProp | $@ | D.cs:144:18:144:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | E.cs:24:14:24:20 | access to field Field | E.cs:22:17:22:33 | call to method Source<Object> : Object | E.cs:24:14:24:20 | access to field Field | $@ | E.cs:22:17:22:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | E.cs:24:14:24:20 | access to field Field | E.cs:22:17:22:33 | call to method Source<Object> : Object | E.cs:24:14:24:20 | access to field Field | $@ | E.cs:22:17:22:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | E.cs:57:14:57:26 | access to field RefField | E.cs:54:21:54:37 | call to method Source<Object> : Object | E.cs:57:14:57:26 | access to field RefField | $@ | E.cs:54:21:54:37 | call to method Source<Object> : Object | call to method Source<Object> : Object |

csharp/ql/test/library-tests/dispatch/CallGraph.expected

@@ -270,7 +270,9 @@
 | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:637:21:637:21 | M |
 | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:646:21:646:21 | M |
 | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:648:21:648:21 | M |
-| ViableCallable.cs:707:17:707:20 | Run1 | ViableCallable.cs:702:42:702:44 | get_Property |
-| ViableCallable.cs:707:17:707:20 | Run1 | ViableCallable.cs:702:63:702:65 | set_Property |
-| ViableCallable.cs:707:17:707:20 | Run1 | ViableCallable.cs:704:49:704:51 | get_Item |
-| ViableCallable.cs:707:17:707:20 | Run1 | ViableCallable.cs:704:70:704:72 | set_Item |
+| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:703:42:703:44 | get_Property |
+| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:703:63:703:65 | set_Property |
+| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:705:49:705:51 | get_Item |
+| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:705:70:705:72 | set_Item |
+| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:706:51:706:53 | add_Event |
+| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:706:59:706:64 | remove_Event |

csharp/ql/test/library-tests/dispatch/GetADynamicTarget.expected

@@ -518,7 +518,9 @@
 | ViableCallable.cs:683:9:683:16 | call to method M | C22+TestOverloadResolution2<System.Int32>.M(Int32[]) |
 | ViableCallable.cs:687:9:687:16 | call to method M | C22+TestOverloadResolution1<System.Int32>.M(List<int>) |
 | ViableCallable.cs:687:9:687:16 | call to method M | C22+TestOverloadResolution2<System.Int32>.M(List<int>) |
-| ViableCallable.cs:712:9:712:18 | access to property Property | C23+Partial1.set_Property(object) |
-| ViableCallable.cs:715:13:715:22 | access to property Property | C23+Partial1.get_Property() |
-| ViableCallable.cs:718:9:718:12 | access to indexer | C23+Partial1.set_Item(int, object) |
-| ViableCallable.cs:721:13:721:16 | access to indexer | C23+Partial1.get_Item(int) |
+| ViableCallable.cs:714:9:714:18 | access to property Property | C23+Partial1.set_Property(object) |
+| ViableCallable.cs:717:13:717:22 | access to property Property | C23+Partial1.get_Property() |
+| ViableCallable.cs:720:9:720:12 | access to indexer | C23+Partial1.set_Item(int, object) |
+| ViableCallable.cs:723:13:723:16 | access to indexer | C23+Partial1.get_Item(int) |
+| ViableCallable.cs:726:9:726:15 | access to event Event | C23+Partial1.add_Event(EventHandler) |
+| ViableCallable.cs:729:9:729:15 | access to event Event | C23+Partial1.remove_Event(EventHandler) |

csharp/ql/test/library-tests/dispatch/ViableCallable.cs

@@ -695,6 +695,7 @@ public class C23
         public partial object Property { get; set; }
 
         public partial object this[int index] { get; set; }
+        public partial event EventHandler Event;
     }
 
     public partial class Partial1
@@ -702,6 +703,7 @@ public class C23
         public partial object Property { get { return null; } set { } }
 
         public partial object this[int index] { get { return null; } set { } }
+        public partial event EventHandler Event { add { } remove { } }
     }
 
     public void Run1(Partial1 p)
@@ -719,5 +721,11 @@ public class C23
 
         // Viable callable: Partial1.get_Item(int)
         o = p[0];
+
+        // Viable callable: Partial1.add_Event
+        p.Event += (sender, e) => { };
+
+        // Viable callable: Partial1.remove_Event
+        p.Event -= (sender, e) => { };
     }
 }

csharp/ql/test/library-tests/partial/MethodIsPartial.expected

@@ -1,7 +1,7 @@
-| Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 | true |
-| Partial.cs:5:17:5:23 | Method2 | false |
-| Partial.cs:14:18:14:39 | PartialMethodWithBody1 | true |
-| Partial.cs:15:17:15:23 | Method3 | false |
-| Partial.cs:34:18:34:42 | PartialMethodWithoutBody2 | true |
-| Partial.cs:35:17:35:23 | Method4 | false |
-| Partial.cs:40:17:40:23 | Method5 | false |
+| Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 | true |
+| Partial.cs:7:17:7:23 | Method2 | false |
+| Partial.cs:18:18:18:39 | PartialMethodWithBody1 | true |
+| Partial.cs:19:17:19:23 | Method3 | false |
+| Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 | true |
+| Partial.cs:42:17:42:23 | Method4 | false |
+| Partial.cs:47:17:47:23 | Method5 | false |

csharp/ql/test/library-tests/partial/Partial.cs

@@ -1,3 +1,5 @@
+using System;
+
 partial class TwoPartClass
 {
     partial void PartialMethodWithBody1();
@@ -7,6 +9,8 @@ partial class TwoPartClass
     public partial object PartialProperty1 { get; set; }
     // Declaring declaration.
     public partial object this[int index] { get; set; }
+    // Declaring declaration.
+    public partial event EventHandler PartialEvent1;
 }
 
 partial class TwoPartClass
@@ -27,6 +31,9 @@ partial class TwoPartClass
         get { return _backingArray[index]; }
         set { _backingArray[index] = value; }
     }
+
+    // Implementation declaration.
+    public partial event EventHandler PartialEvent1 { add { } remove { } }
 }
 
 partial class OnePartPartialClass
@@ -44,4 +51,5 @@ class NonPartialClass
         get { return null; }
         set { }
     }
+    public event EventHandler Event;
 }

csharp/ql/test/library-tests/partial/Partial1.expected

@@ -1,14 +1,17 @@
-| Partial.cs:1:15:1:26 | TwoPartClass |
-| Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 |
-| Partial.cs:12:15:12:26 | TwoPartClass |
-| Partial.cs:14:18:14:39 | PartialMethodWithBody1 |
-| Partial.cs:18:27:18:42 | PartialProperty1 |
-| Partial.cs:20:9:20:11 | get_PartialProperty1 |
-| Partial.cs:21:9:21:11 | set_PartialProperty1 |
-| Partial.cs:25:27:25:30 | Item |
-| Partial.cs:27:9:27:11 | get_Item |
-| Partial.cs:28:9:28:11 | set_Item |
-| Partial.cs:32:15:32:33 | OnePartPartialClass |
-| Partial.cs:34:18:34:42 | PartialMethodWithoutBody2 |
+| Partial.cs:3:15:3:26 | TwoPartClass |
+| Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 |
+| Partial.cs:16:15:16:26 | TwoPartClass |
+| Partial.cs:18:18:18:39 | PartialMethodWithBody1 |
+| Partial.cs:22:27:22:42 | PartialProperty1 |
+| Partial.cs:24:9:24:11 | get_PartialProperty1 |
+| Partial.cs:25:9:25:11 | set_PartialProperty1 |
+| Partial.cs:29:27:29:30 | Item |
+| Partial.cs:31:9:31:11 | get_Item |
+| Partial.cs:32:9:32:11 | set_Item |
+| Partial.cs:36:39:36:51 | PartialEvent1 |
+| Partial.cs:36:55:36:57 | add_PartialEvent1 |
+| Partial.cs:36:63:36:68 | remove_PartialEvent1 |
+| Partial.cs:39:15:39:33 | OnePartPartialClass |
+| Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 |
 | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles |
 | PartialMultipleFiles2.cs:1:22:1:41 | PartialMultipleFiles |

csharp/ql/test/library-tests/partial/Partial2.expected

@@ -1,15 +1,15 @@
-| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:1:15:1:26 | <object initializer> |
-| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 |
-| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:5:17:5:23 | Method2 |
-| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:14:18:14:39 | PartialMethodWithBody1 |
-| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:15:17:15:23 | Method3 |
-| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:1:15:1:26 | <object initializer> |
-| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 |
-| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:5:17:5:23 | Method2 |
-| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:14:18:14:39 | PartialMethodWithBody1 |
-| Partial.cs:12:15:12:26 | TwoPartClass | Partial.cs:15:17:15:23 | Method3 |
-| Partial.cs:32:15:32:33 | OnePartPartialClass | Partial.cs:32:15:32:33 | <object initializer> |
-| Partial.cs:32:15:32:33 | OnePartPartialClass | Partial.cs:34:18:34:42 | PartialMethodWithoutBody2 |
-| Partial.cs:32:15:32:33 | OnePartPartialClass | Partial.cs:35:17:35:23 | Method4 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:3:15:3:26 | <object initializer> |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:7:17:7:23 | Method2 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:18:18:18:39 | PartialMethodWithBody1 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:19:17:19:23 | Method3 |
+| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:3:15:3:26 | <object initializer> |
+| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 |
+| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:7:17:7:23 | Method2 |
+| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:18:18:18:39 | PartialMethodWithBody1 |
+| Partial.cs:16:15:16:26 | TwoPartClass | Partial.cs:19:17:19:23 | Method3 |
+| Partial.cs:39:15:39:33 | OnePartPartialClass | Partial.cs:39:15:39:33 | <object initializer> |
+| Partial.cs:39:15:39:33 | OnePartPartialClass | Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 |
+| Partial.cs:39:15:39:33 | OnePartPartialClass | Partial.cs:42:17:42:23 | Method4 |
 | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | <object initializer> |
 | PartialMultipleFiles2.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | <object initializer> |

csharp/ql/test/library-tests/partial/PartialAccessors.expected

@@ -1,8 +1,12 @@
-| Partial.cs:20:9:20:11 | get_PartialProperty1 | true |
-| Partial.cs:21:9:21:11 | set_PartialProperty1 | true |
-| Partial.cs:27:9:27:11 | get_Item | true |
-| Partial.cs:28:9:28:11 | set_Item | true |
-| Partial.cs:41:30:41:32 | get_Property | false |
-| Partial.cs:41:35:41:37 | set_Property | false |
-| Partial.cs:44:9:44:11 | get_Item | false |
-| Partial.cs:45:9:45:11 | set_Item | false |
+| Partial.cs:24:9:24:11 | get_PartialProperty1 | true |
+| Partial.cs:25:9:25:11 | set_PartialProperty1 | true |
+| Partial.cs:31:9:31:11 | get_Item | true |
+| Partial.cs:32:9:32:11 | set_Item | true |
+| Partial.cs:36:55:36:57 | add_PartialEvent1 | true |
+| Partial.cs:36:63:36:68 | remove_PartialEvent1 | true |
+| Partial.cs:48:30:48:32 | get_Property | false |
+| Partial.cs:48:35:48:37 | set_Property | false |
+| Partial.cs:51:9:51:11 | get_Item | false |
+| Partial.cs:52:9:52:11 | set_Item | false |
+| Partial.cs:54:31:54:35 | add_Event | false |
+| Partial.cs:54:31:54:35 | remove_Event | false |

csharp/ql/test/library-tests/partial/PartialConstructors.expected

@@ -1,4 +1,4 @@
-| Partial.cs:1:15:1:26 | TwoPartClass | Partial.cs:1:15:1:26 | {...} |
-| Partial.cs:32:15:32:33 | OnePartPartialClass | Partial.cs:32:15:32:33 | {...} |
-| Partial.cs:38:7:38:21 | NonPartialClass | Partial.cs:38:7:38:21 | {...} |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:3:15:3:26 | {...} |
+| Partial.cs:39:15:39:33 | OnePartPartialClass | Partial.cs:39:15:39:33 | {...} |
+| Partial.cs:45:7:45:21 | NonPartialClass | Partial.cs:45:7:45:21 | {...} |
 | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | {...} |

csharp/ql/test/library-tests/partial/PartialEvents.expected

@@ -0,0 +1,2 @@
+| Partial.cs:36:39:36:51 | PartialEvent1 | true |
+| Partial.cs:54:31:54:35 | Event | false |

csharp/ql/test/library-tests/partial/PartialEvents.ql

@@ -0,0 +1,7 @@
+import csharp
+
+private boolean isPartial(Event e) { if e.isPartial() then result = true else result = false }
+
+from Event e
+where e.fromSource()
+select e, isPartial(e)

csharp/ql/test/library-tests/partial/PartialIndexers.expected

@@ -1,2 +1,2 @@
-| Partial.cs:25:27:25:30 | Item | true |
-| Partial.cs:42:19:42:22 | Item | false |
+| Partial.cs:29:27:29:30 | Item | true |
+| Partial.cs:49:19:49:22 | Item | false |

csharp/ql/test/library-tests/partial/PartialMethodBody.expected

@@ -1,3 +1,3 @@
-| Partial.cs:4:18:4:42 | PartialMethodWithoutBody1 | false |
-| Partial.cs:14:18:14:39 | PartialMethodWithBody1 | true |
-| Partial.cs:34:18:34:42 | PartialMethodWithoutBody2 | false |
+| Partial.cs:6:18:6:42 | PartialMethodWithoutBody1 | false |
+| Partial.cs:18:18:18:39 | PartialMethodWithBody1 | true |
+| Partial.cs:41:18:41:42 | PartialMethodWithoutBody2 | false |

csharp/ql/test/library-tests/partial/PartialProperties.expected

@@ -1,2 +1,2 @@
-| Partial.cs:18:27:18:42 | PartialProperty1 | true |
-| Partial.cs:41:19:41:26 | Property | false |
+| Partial.cs:22:27:22:42 | PartialProperty1 | true |
+| Partial.cs:48:19:48:26 | Property | false |

csharp/ql/test/library-tests/partial/PrintAst.expected

@@ -1,94 +1,112 @@
 Partial.cs:
-#    1| [Class] TwoPartClass
-#    4|   6: [Method] PartialMethodWithoutBody1
-#    4|     -1: [TypeMention] Void
-#    5|   7: [Method] Method2
+#    3| [Class] TwoPartClass
+#    6|   6: [Method] PartialMethodWithoutBody1
+#    6|     -1: [TypeMention] Void
+#    7|   7: [Method] Method2
+#    7|     -1: [TypeMention] Void
+#    7|     4: [BlockStmt] {...}
+#   18|   8: [Method] PartialMethodWithBody1
 #    5|     -1: [TypeMention] Void
-#    5|     4: [BlockStmt] {...}
-#   14|   8: [Method] PartialMethodWithBody1
-#    3|     -1: [TypeMention] Void
-#   14|     4: [BlockStmt] {...}
-#   15|   9: [Method] Method3
-#   15|     -1: [TypeMention] Void
-#   15|     4: [BlockStmt] {...}
-#   16|   10: [Field] _backingField
-#   16|     -1: [TypeMention] object
-#   18|   11: [Property] PartialProperty1
-#    7|     -1: [TypeMention] object
-#   18|     -1: [TypeMention] object
-#   20|     3: [Getter] get_PartialProperty1
-#   20|       4: [BlockStmt] {...}
-#   20|         0: [ReturnStmt] return ...;
-#   20|           0: [FieldAccess] access to field _backingField
-#   21|     4: [Setter] set_PartialProperty1
-#-----|       2: (Parameters)
-#   21|         0: [Parameter] value
-#   21|       4: [BlockStmt] {...}
-#   21|         0: [ExprStmt] ...;
-#   21|           0: [AssignExpr] ... = ...
-#   21|             0: [FieldAccess] access to field _backingField
-#   21|             1: [ParameterAccess] access to parameter value
-#   23|   12: [Field] _backingArray
-#   23|     -1: [TypeMention] Object[]
-#   23|       1: [TypeMention] object
-#   25|   13: [Indexer] Item
+#   18|     4: [BlockStmt] {...}
+#   19|   9: [Method] Method3
+#   19|     -1: [TypeMention] Void
+#   19|     4: [BlockStmt] {...}
+#   20|   10: [Field] _backingField
+#   20|     -1: [TypeMention] object
+#   22|   11: [Property] PartialProperty1
 #    9|     -1: [TypeMention] object
-#   25|     -1: [TypeMention] object
+#   22|     -1: [TypeMention] object
+#   24|     3: [Getter] get_PartialProperty1
+#   24|       4: [BlockStmt] {...}
+#   24|         0: [ReturnStmt] return ...;
+#   24|           0: [FieldAccess] access to field _backingField
+#   25|     4: [Setter] set_PartialProperty1
+#-----|       2: (Parameters)
+#   25|         0: [Parameter] value
+#   25|       4: [BlockStmt] {...}
+#   25|         0: [ExprStmt] ...;
+#   25|           0: [AssignExpr] ... = ...
+#   25|             0: [FieldAccess] access to field _backingField
+#   25|             1: [ParameterAccess] access to parameter value
+#   27|   12: [Field] _backingArray
+#   27|     -1: [TypeMention] Object[]
+#   27|       1: [TypeMention] object
+#   29|   13: [Indexer] Item
+#   11|     -1: [TypeMention] object
+#   29|     -1: [TypeMention] object
 #-----|     1: (Parameters)
-#    9|       0: [Parameter] index
-#    9|         -1: [TypeMention] int
-#   25|         -1: [TypeMention] int
-#   27|     3: [Getter] get_Item
+#   11|       0: [Parameter] index
+#   11|         -1: [TypeMention] int
+#   29|         -1: [TypeMention] int
+#   31|     3: [Getter] get_Item
 #-----|       2: (Parameters)
-#   25|         0: [Parameter] index
-#   27|       4: [BlockStmt] {...}
-#   27|         0: [ReturnStmt] return ...;
-#   27|           0: [ArrayAccess] access to array element
-#   27|             -1: [FieldAccess] access to field _backingArray
-#   27|             0: [ParameterAccess] access to parameter index
-#   28|     4: [Setter] set_Item
+#   29|         0: [Parameter] index
+#   31|       4: [BlockStmt] {...}
+#   31|         0: [ReturnStmt] return ...;
+#   31|           0: [ArrayAccess] access to array element
+#   31|             -1: [FieldAccess] access to field _backingArray
+#   31|             0: [ParameterAccess] access to parameter index
+#   32|     4: [Setter] set_Item
 #-----|       2: (Parameters)
-#   25|         0: [Parameter] index
-#   28|         1: [Parameter] value
-#   28|       4: [BlockStmt] {...}
-#   28|         0: [ExprStmt] ...;
-#   28|           0: [AssignExpr] ... = ...
-#   28|             0: [ArrayAccess] access to array element
-#   28|               -1: [FieldAccess] access to field _backingArray
-#   28|               0: [ParameterAccess] access to parameter index
-#   28|             1: [ParameterAccess] access to parameter value
-#   32| [Class] OnePartPartialClass
-#   34|   6: [Method] PartialMethodWithoutBody2
-#   34|     -1: [TypeMention] Void
-#   35|   7: [Method] Method4
-#   35|     -1: [TypeMention] Void
-#   35|     4: [BlockStmt] {...}
-#   38| [Class] NonPartialClass
-#   40|   6: [Method] Method5
-#   40|     -1: [TypeMention] Void
-#   40|     4: [BlockStmt] {...}
-#   41|   7: [Property] Property
-#   41|     -1: [TypeMention] object
-#   41|     3: [Getter] get_Property
-#   41|     4: [Setter] set_Property
+#   29|         0: [Parameter] index
+#   32|         1: [Parameter] value
+#   32|       4: [BlockStmt] {...}
+#   32|         0: [ExprStmt] ...;
+#   32|           0: [AssignExpr] ... = ...
+#   32|             0: [ArrayAccess] access to array element
+#   32|               -1: [FieldAccess] access to field _backingArray
+#   32|               0: [ParameterAccess] access to parameter index
+#   32|             1: [ParameterAccess] access to parameter value
+#   36|   14: [Event] PartialEvent1
+#   13|     -1: [TypeMention] EventHandler
+#   36|     3: [AddEventAccessor] add_PartialEvent1
 #-----|       2: (Parameters)
-#   41|         0: [Parameter] value
-#   42|   8: [Indexer] Item
-#   42|     -1: [TypeMention] object
+#   36|         0: [Parameter] value
+#   36|       4: [BlockStmt] {...}
+#   36|     4: [RemoveEventAccessor] remove_PartialEvent1
+#-----|       2: (Parameters)
+#   36|         0: [Parameter] value
+#   36|       4: [BlockStmt] {...}
+#   39| [Class] OnePartPartialClass
+#   41|   6: [Method] PartialMethodWithoutBody2
+#   41|     -1: [TypeMention] Void
+#   42|   7: [Method] Method4
+#   42|     -1: [TypeMention] Void
+#   42|     4: [BlockStmt] {...}
+#   45| [Class] NonPartialClass
+#   47|   6: [Method] Method5
+#   47|     -1: [TypeMention] Void
+#   47|     4: [BlockStmt] {...}
+#   48|   7: [Property] Property
+#   48|     -1: [TypeMention] object
+#   48|     3: [Getter] get_Property
+#   48|     4: [Setter] set_Property
+#-----|       2: (Parameters)
+#   48|         0: [Parameter] value
+#   49|   8: [Indexer] Item
+#   49|     -1: [TypeMention] object
 #-----|     1: (Parameters)
-#   42|       0: [Parameter] index
-#   42|         -1: [TypeMention] int
-#   44|     3: [Getter] get_Item
+#   49|       0: [Parameter] index
+#   49|         -1: [TypeMention] int
+#   51|     3: [Getter] get_Item
 #-----|       2: (Parameters)
-#   42|         0: [Parameter] index
-#   44|       4: [BlockStmt] {...}
-#   44|         0: [ReturnStmt] return ...;
-#   44|           0: [NullLiteral] null
-#   45|     4: [Setter] set_Item
+#   49|         0: [Parameter] index
+#   51|       4: [BlockStmt] {...}
+#   51|         0: [ReturnStmt] return ...;
+#   51|           0: [NullLiteral] null
+#   52|     4: [Setter] set_Item
 #-----|       2: (Parameters)
-#   42|         0: [Parameter] index
-#   45|         1: [Parameter] value
-#   45|       4: [BlockStmt] {...}
+#   49|         0: [Parameter] index
+#   52|         1: [Parameter] value
+#   52|       4: [BlockStmt] {...}
+#   54|   9: [Event] Event
+#   54|     -1: [TypeMention] EventHandler
+#   54|     3: [AddEventAccessor] add_Event
+#-----|       2: (Parameters)
+#   54|         0: [Parameter] value
+#   54|     4: [RemoveEventAccessor] remove_Event
+#-----|       2: (Parameters)
+#   54|         0: [Parameter] value
 PartialMultipleFiles1.cs:
 #    1| [Class] PartialMultipleFiles
 PartialMultipleFiles2.cs:

csharp/ql/test/library-tests/properties/PrintAst.expected

@@ -230,3 +230,19 @@ properties.cs:
 #-----|         2: (Parameters)
 #  124|           0: [Parameter] value
 #  124|         4: [BlockStmt] {...}
+#  128|   10: [Class] UseFieldKeyword
+#  130|     6: [Property] Prop
+#  130|       -1: [TypeMention] object
+#  132|       3: [Getter] get_Prop
+#  132|         4: [BlockStmt] {...}
+#  132|           0: [ReturnStmt] return ...;
+#  132|             0: [FieldAccess] access to field Prop.field
+#  133|       4: [Setter] set_Prop
+#-----|         2: (Parameters)
+#  133|           0: [Parameter] value
+#  133|         4: [BlockStmt] {...}
+#  133|           0: [ExprStmt] ...;
+#  133|             0: [AssignExpr] ... = ...
+#  133|               0: [FieldAccess] access to field Prop.field
+#  133|               1: [ParameterAccess] access to parameter value
+#  130|     7: [Field] Prop.field

csharp/ql/test/library-tests/properties/Properties17.expected

@@ -1,3 +1,4 @@
+| Prop.field |
 | caption |
 | next |
 | y |

csharp/ql/test/library-tests/properties/Properties17.ql

@@ -1,5 +1,5 @@
 /**
- * @name Test that there are no backing fields
+ * @name Test that there are no backing fields except for properties that use the `field` keyword in their getter or setter.
  */
 
 import csharp

csharp/ql/test/library-tests/properties/properties.cs

@@ -124,4 +124,13 @@ namespace Properties
             set { }
         }
     }
+
+    class UseFieldKeyword
+    {
+        public object Prop
+        {
+            get { return field; }
+            set { field = value; }
+        }
+    }
 }

csharp/ql/test/query-tests/API Abuse/ClassDoesNotImplementEquals/NullableTest.cs

@@ -0,0 +1,86 @@
+using System;
+
+#nullable enable
+
+namespace Test
+{
+    class TestClass1 : IEquatable<TestClass1>
+    {
+        private int field1;
+
+        public bool Equals(TestClass1? param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object? param2)
+        {
+            return param2 is TestClass1 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+
+    class TestClass2 : IEquatable<TestClass2>
+    {
+        private int field1;
+
+        public bool Equals(TestClass2 param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object? param2)
+        {
+            return param2 is TestClass2 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+
+    class TestClass3 : IEquatable<TestClass3>
+    {
+        private int field1;
+
+        public bool Equals(TestClass3? param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object param2)
+        {
+            return param2 is TestClass3 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+
+    class TestClass4 : IEquatable<TestClass4>
+    {
+        private int field1;
+
+        public bool Equals(TestClass4 param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object param2)
+        {
+            return param2 is TestClass4 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+}

csharp/ql/test/query-tests/API Abuse/IncorrectEqualsSignature/NullableTest.cs

@@ -0,0 +1,86 @@
+using System;
+
+#nullable enable
+
+namespace Test
+{
+    class TestClass1 : IEquatable<TestClass1>
+    {
+        private int field1;
+
+        public bool Equals(TestClass1? param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object? param2)
+        {
+            return param2 is TestClass1 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+
+    class TestClass2 : IEquatable<TestClass2>
+    {
+        private int field1;
+
+        public bool Equals(TestClass2 param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object? param2)
+        {
+            return param2 is TestClass2 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+
+    class TestClass3 : IEquatable<TestClass3>
+    {
+        private int field1;
+
+        public bool Equals(TestClass3? param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object param2)
+        {
+            return param2 is TestClass3 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+
+    class TestClass4 : IEquatable<TestClass4>
+    {
+        private int field1;
+
+        public bool Equals(TestClass4 param1)
+        {
+            return param1 != null && field1 == param1.field1;
+        }
+
+        public override bool Equals(object param2)
+        {
+            return param2 is TestClass4 tc && Equals(tc);
+        }
+
+        public override int GetHashCode()
+        {
+            return field1;
+        }
+    }
+}

docs/codeql/reusables/supported-versions-compilers.rst

@@ -18,7 +18,7 @@
    .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.slnx``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
    GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
    Go (aka Golang), "Go up to 1.26", "Go 1.11 or more recent", ``.go``
-   Java,"Java 7 to 25 [6]_","javac (OpenJDK and Oracle JDK),
+   Java,"Java 7 to 26 [6]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [7]_",``.java``
    Kotlin,"Kotlin 1.8.0 to 2.3.0\ *x*","kotlinc",``.kt``
@@ -36,7 +36,7 @@
     .. [3] Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported.
     .. [4] Support for the clang-cl compiler is preliminary.
     .. [5] Support for the Arm Compiler (armcc) is preliminary.
-    .. [6] Builds that execute on Java 7 to 25 can be analyzed. The analysis understands standard language features in Java 8 to 25; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
+    .. [6] Builds that execute on Java 7 to 26 can be analyzed. The analysis understands standard language features in Java 8 to 26; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
     .. [7] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
     .. [8] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
     .. [9] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.42
+version: 1.0.43-dev
 groups:
   - go
   - queries

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.0.0
+version: 7.0.1-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.5.6
+version: 1.5.7-dev
 groups:
   - go
   - queries

java/ql/lib/change-notes/2026-02-12-jakarta.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Some modelling which previously only worked for Java EE packages beginning with "javax" will now also work for Java EE packages beginning with "jakarta" as well. This may lead to some alert changes.

java/ql/lib/experimental/quantum/JCA.qll

@@ -27,9 +27,9 @@ module JCAModel {
   predicate cipher_names(string algo) {
     algo.toUpperCase()
         .matches([
-            "AES", "AESWrap", "AESWrapPad", "ARCFOUR", "Blowfish", "ChaCha20", "ChaCha20-Poly1305",
-            "DES", "DESede", "DESedeWrap", "ECIES", "PBEWith%", "RC2", "RC4", "RC5", "RSA",
-            "Skipjack", "Idea"
+            "AES", "AESWrap", "AESWrapPad", "ARCFOUR", "ARIA", "Blowfish", "Camellia", "ChaCha20",
+            "ChaCha20-Poly1305", "DES", "DESede", "DESedeWrap", "ECIES", "PBEWith%", "RC2", "RC4",
+            "RC5", "RSA", "Salsa20", "SEED", "Skipjack", "Idea", "Twofish"
           ].toUpperCase())
   }
 
@@ -106,7 +106,7 @@ module JCAModel {
   bindingset[name]
   predicate key_agreement_names(string name) {
     name.toUpperCase()
-        .matches(["DH", "EDH", "ECDH", "X25519", "X448", "ML-KEM%", "XDH"].toUpperCase())
+        .matches(["DH", "EDH", "ECDH", "ECMQV", "X25519", "X448", "ML-KEM%", "XDH"].toUpperCase())
   }
 
   bindingset[name]
@@ -189,6 +189,8 @@ module JCAModel {
     type = KeyOpAlg::PCBC() and name = "PCBC"
     or
     type = KeyOpAlg::KWP() and name = "KWP"
+    or
+    type = KeyOpAlg::LRW() and name = "LRW"
   }
 
   bindingset[name]
@@ -197,13 +199,32 @@ module JCAModel {
       upper.matches("AES%") and
       type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())
       or
-      // NOTE: there is DES and DESede
+      // NOTE: DESede (TripleDES) must be matched before DES% to avoid misclassification
+      upper.matches("DESEDE%") and
+      type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES())
+      or
+      not upper.matches("DESEDE%") and
       upper.matches("DES%") and
       type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES())
       or
       upper = "TRIPLEDES" and
       type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES())
       or
+      upper = "ARIA" and
+      type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::ARIA())
+      or
+      upper = "CAMELLIA" and
+      type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAMELLIA())
+      or
+      upper = "TWOFISH" and
+      type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TWOFISH())
+      or
+      upper = "SEED" and
+      type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SEED())
+      or
+      upper = "SALSA20" and
+      type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SALSA20())
+      or
       upper = "IDEA" and
       type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA())
       or
@@ -244,6 +265,9 @@ module JCAModel {
     type = Crypto::ECDH() and
     name.toUpperCase() in ["ECDH", "X25519", "X448", "XDH"]
     or
+    type = Crypto::ECMQV() and
+    name.toUpperCase() = "ECMQV"
+    or
     type = Crypto::OtherKeyAgreementType() and
     name.toUpperCase().matches("ML-KEM%")
   }
@@ -295,7 +319,7 @@ module JCAModel {
 
   class CipherGetInstanceCall extends MethodCall {
     CipherGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "Cipher", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "getInstance")
     }
 
     Expr getAlgorithmArg() { result = this.getArgument(0) }
@@ -307,7 +331,8 @@ module JCAModel {
   private class CipherOperationCall extends MethodCall {
     CipherOperationCall() {
       this.getMethod()
-          .hasQualifiedName("javax.crypto", "Cipher", ["update", "doFinal", "wrap", "unwrap"])
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher",
+            ["update", "doFinal", "wrap", "unwrap"])
     }
 
     predicate isIntermediate() { this.getMethod().getName() = "update" }
@@ -362,6 +387,10 @@ module JCAModel {
       type instanceof KeyOpAlg::PKCS7 and name = ["PKCS5Padding", "PKCS7Padding"] // TODO: misnomer in the JCA?
       or
       type instanceof KeyOpAlg::OAEP and name.matches("OAEP%") // TODO: handle OAEPWith%
+      or
+      type instanceof KeyOpAlg::PKCS1_V1_5 and name = "PKCS1Padding"
+      or
+      type instanceof KeyOpAlg::PSS and name = "PSS"
     }
 
     override KeyOpAlg::PaddingSchemeType getPaddingType() {
@@ -474,7 +503,9 @@ module JCAModel {
    * An access to the `javax.crypto.Cipher` class.
    */
   private class CipherAccess extends TypeAccess {
-    CipherAccess() { this.getType().(Class).hasQualifiedName("javax.crypto", "Cipher") }
+    CipherAccess() {
+      this.getType().(Class).hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher")
+    }
   }
 
   /**
@@ -603,7 +634,7 @@ module JCAModel {
       }
 
       predicate isBarrier(DataFlow::Node node, FlowState state) {
-        exists(CipherInitCall call | node.asExpr() = call.getQualifier() |
+        exists(Init call | node.asExpr() = call.(MethodCall).getQualifier() |
           state instanceof UninitializedFlowState
           or
           state.(InitializedFlowState).getInitCall() != call
@@ -708,7 +739,9 @@ module JCAModel {
   // and through setter methods
   class IvParameterSpecInstance extends NonceParameterInstantiation {
     IvParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "IvParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "IvParameterSpec")
     }
 
     override DataFlow::Node getInputNode() { result.asExpr() = super.getArgument(0) }
@@ -717,7 +750,9 @@ module JCAModel {
   // TODO: this also specifies the tag length for GCM
   class GCMParameterSpecInstance extends NonceParameterInstantiation {
     GCMParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "GCMParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "GCMParameterSpec")
     }
 
     override DataFlow::Node getInputNode() { result.asExpr() = super.getArgument(1) }
@@ -725,7 +760,8 @@ module JCAModel {
 
   class IvParameterSpecGetIvCall extends MethodCall {
     IvParameterSpecGetIvCall() {
-      this.getMethod().hasQualifiedName("javax.crypto.spec", "IvParameterSpec", "getIV")
+      this.getMethod()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "IvParameterSpec", "getIV")
     }
   }
 
@@ -797,7 +833,9 @@ module JCAModel {
   }
 
   class CipherInitCall extends MethodCall {
-    CipherInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Cipher", "init") }
+    CipherInitCall() {
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Cipher", "init")
+    }
 
     /**
      * Returns the mode argument to the `init` method
@@ -966,7 +1004,9 @@ module JCAModel {
 
   class DHGenParameterSpecInstance extends KeyGeneratorParameterSpecClassInstanceExpr {
     DHGenParameterSpecInstance() {
-      super.getConstructedType().hasQualifiedName("javax.crypto.spec", "DHGenParameterSpec")
+      super
+          .getConstructedType()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec", "DHGenParameterSpec")
     }
 
     Expr getPrimeSizeArg() { result = this.getArgument(0) }
@@ -1067,7 +1107,7 @@ module JCAModel {
   //TODO: Link getAlgorithm from KeyPairGenerator to algorithm instances or AVCs? High priority.
   class KeyGeneratorGetInstanceCall extends MethodCall {
     KeyGeneratorGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", "getInstance")
       or
       this.getCallee().hasQualifiedName("java.security", "KeyPairGenerator", "getInstance")
     }
@@ -1082,7 +1122,8 @@ module JCAModel {
       this.getCallee().hasQualifiedName("java.security", "KeyPairGenerator", "initialize") and
       keyType = Crypto::TAsymmetricKeyType()
       or
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", ["init", "initialize"]) and
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", ["init", "initialize"]) and
       keyType = Crypto::TSymmetricKeyType()
     }
 
@@ -1111,7 +1152,7 @@ module JCAModel {
     Crypto::KeyArtifactType type;
 
     KeyGeneratorGenerateCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyGenerator", "generateKey") and
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyGenerator", "generateKey") and
       type instanceof Crypto::TSymmetricKeyType
       or
       this.getCallee()
@@ -1176,7 +1217,7 @@ module JCAModel {
   class KeySpecInstantiation extends ClassInstanceExpr {
     KeySpecInstantiation() {
       this.getConstructedType()
-          .hasQualifiedName("javax.crypto.spec",
+          .hasQualifiedName(javaxOrJakarta() + ".crypto.spec",
             ["PBEKeySpec", "SecretKeySpec", "PBEKeySpec", "DESedeKeySpec"])
     }
 
@@ -1227,7 +1268,8 @@ module JCAModel {
 
   class SecretKeyFactoryGetInstanceCall extends MethodCall {
     SecretKeyFactoryGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "SecretKeyFactory", "getInstance")
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "getInstance")
     }
 
     Expr getAlgorithmArg() { result = this.getArgument(0) }
@@ -1235,7 +1277,8 @@ module JCAModel {
 
   class SecretKeyFactoryGenerateSecretCall extends MethodCall {
     SecretKeyFactoryGenerateSecretCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "SecretKeyFactory", "generateSecret")
+      this.getCallee()
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "SecretKeyFactory", "generateSecret")
     }
 
     Expr getKeySpecArg() { result = this.getArgument(0) }
@@ -1430,7 +1473,7 @@ module JCAModel {
 
   class KeyAgreementInitCall extends MethodCall {
     KeyAgreementInitCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyAgreement", "init")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "init")
     }
 
     Expr getServerKeyArg() { result = this.getArgument(0) }
@@ -1438,7 +1481,7 @@ module JCAModel {
 
   class KeyAgreementGetInstanceCall extends MethodCall {
     KeyAgreementGetInstanceCall() {
-      this.getCallee().hasQualifiedName("javax.crypto", "KeyAgreement", "getInstance")
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement", "getInstance")
     }
 
     Expr getAlgorithmArg() { result = super.getArgument(0) }
@@ -1482,7 +1525,8 @@ module JCAModel {
   class KeyAgreementCall extends MethodCall {
     KeyAgreementCall() {
       this.getCallee()
-          .hasQualifiedName("javax.crypto", "KeyAgreement", ["generateSecret", "doPhase"])
+          .hasQualifiedName(javaxOrJakarta() + ".crypto", "KeyAgreement",
+            ["generateSecret", "doPhase"])
     }
 
     predicate isIntermediate() { this.getCallee().getName() = "doPhase" }
@@ -1647,7 +1691,9 @@ module JCAModel {
   }
 
   class MacGetInstanceCall extends MethodCall {
-    MacGetInstanceCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "getInstance") }
+    MacGetInstanceCall() {
+      this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac", "getInstance")
+    }
 
     Expr getAlgorithmArg() { result = this.getArgument(0) }
 
@@ -1663,7 +1709,7 @@ module JCAModel {
   }
 
   class MacInitCall extends MethodCall {
-    MacInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "init") }
+    MacInitCall() { this.getCallee().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac", "init") }
 
     Expr getKeyArg() {
       result = this.getArgument(0) and this.getMethod().getParameterType(0).hasName("Key")
@@ -1691,7 +1737,7 @@ module JCAModel {
     Expr output;
 
     MacOperationCall() {
-      super.getMethod().getDeclaringType().hasQualifiedName("javax.crypto", "Mac") and
+      super.getMethod().getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".crypto", "Mac") and
       (
         super.getMethod().hasStringSignature(["doFinal()", "doFinal(byte[])"]) and this = output
         or
@@ -1833,7 +1879,14 @@ module JCAModel {
 
     override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() }
 
-    override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() }
+    override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { result = this }
+
+    override predicate shouldHaveModeOfOperation() { none() }
+
+    override predicate shouldHavePaddingScheme() {
+      // Only RSA-based signatures have a meaningful padding concept (PSS or PKCS1v1.5)
+      signature_name_to_type_known(KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA()), super.getValue())
+    }
   }
 
   class SignatureHashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof SignatureStringLiteralAlgorithmInstance
@@ -1852,6 +1905,185 @@ module JCAModel {
     override int getFixedDigestLength() { result = digestLength }
   }
 
+  /**
+   * Determines if a signature algorithm name implies PSS padding.
+   */
+  bindingset[name]
+  private predicate signatureImpliesPss(string name) {
+    name.toUpperCase().matches("%RSASSA-PSS%") or
+    name.toUpperCase().matches("%WITHRSA%MGF1%") or
+    name.toUpperCase().matches("%WITHRSA/PSS%")
+  }
+
+  /**
+   * Base class for PSS padding derived from signature algorithm names.
+   * Provides getPaddingType() on PaddingAlgorithmInstance to break the non-monotonic
+   * recursion that would occur if the derived PssPaddingAlgorithmInstance class
+   * defined getPaddingType() itself (since PssPaddingAlgorithmInstance's charpred
+   * calls getPaddingType()).
+   * Follows the same two-class pattern used for OAEP:
+   *   CipherStringLiteralPaddingAlgorithmInstance → OaepPaddingAlgorithmInstance.
+   */
+  private class SignaturePssPaddingBase extends SignatureStringLiteralAlgorithmInstance,
+    Crypto::PaddingAlgorithmInstance instanceof SignatureStringLiteral
+  {
+    SignaturePssPaddingBase() { signatureImpliesPss(super.getValue()) }
+
+    override string getRawPaddingAlgorithmName() { result = "PSS" }
+
+    override KeyOpAlg::PaddingSchemeType getPaddingType() { result instanceof KeyOpAlg::PSS }
+  }
+
+  /**
+   * A PSS padding algorithm instance derived from a signature algorithm literal.
+   * Extends PssPaddingAlgorithmInstance (whose charpred evaluates through
+   * SignaturePssPaddingBase.getPaddingType()) to produce MD and MGF1Hash edges.
+   *
+   * For name-implied PSS (e.g., "SHA256withRSAandMGF1"), the same literal element
+   * is also a SignatureHashAlgorithmInstance, so `result = this` yields the hash.
+   * For bare "RSASSA-PSS", `result = this` has no result (this is not a
+   * HashAlgorithmInstance), so the graph falls back to self-referencing (unknown).
+   * When a PSSParameterSpec is connected via setParameter(), the explicit hash
+   * from the spec is used instead.
+   */
+  class SignaturePssPaddingAlgorithmInstance extends Crypto::PssPaddingAlgorithmInstance,
+    SignaturePssPaddingBase instanceof SignatureStringLiteral
+  {
+    override Crypto::HashAlgorithmInstance getHashAlgorithm() {
+      // Name-implied hash (e.g., SHA256withRSAandMGF1 → SHA-256)
+      result = this
+      or
+      // Explicit PSS hash from PSSParameterSpec via Signature.setParameter()
+      exists(PssParameterSpecInstantiation spec |
+        pssSpecForSignatureLiteral(spec, this) and
+        result.(PssParameterSpecDigestHashAlgorithmInstance).getSpec() = spec
+      )
+    }
+
+    override Crypto::HashAlgorithmInstance getMgf1HashAlgorithm() {
+      // Name-implied MGF1 hash (defaults to same hash as digest)
+      result = this
+      or
+      // Explicit MGF1 hash from PSSParameterSpec via Signature.setParameter()
+      exists(PssParameterSpecInstantiation spec |
+        pssSpecForSignatureLiteral(spec, this) and
+        result.(PssParameterSpecMgf1HashAlgorithmInstance).getSpec() = spec
+      )
+    }
+  }
+
+  /**
+   * A PSSParameterSpec instantiation, e.g.,
+   * new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1)
+   */
+  class PssParameterSpecInstantiation extends ClassInstanceExpr {
+    PssParameterSpecInstantiation() {
+      this.getConstructedType().hasQualifiedName("java.security.spec", "PSSParameterSpec")
+    }
+
+    /** Gets the digest algorithm name argument (arg 0). */
+    Expr getDigestAlgorithmArg() { result = this.getArgument(0) }
+
+    /** Gets the MGF algorithm name argument (arg 1). */
+    Expr getMgfAlgorithmArg() { result = this.getArgument(1) }
+
+    /** Gets the salt length argument (arg 3). */
+    Expr getSaltLengthArg() { result = this.getArgument(3) }
+
+    /** Gets the MGF parameter spec argument (arg 2), e.g., MGF1ParameterSpec.SHA256. */
+    Expr getMgfSpecArg() { result = this.getArgument(2) }
+  }
+
+  /**
+   * A static field access on `java.security.spec.MGF1ParameterSpec`, e.g.,
+   * `MGF1ParameterSpec.SHA256`. These fields represent well-known MGF1 hash
+   * algorithm configurations.
+   */
+  class Mgf1ParameterSpecFieldAccess extends FieldAccess {
+    Mgf1ParameterSpecFieldAccess() {
+      this.getField().getDeclaringType().hasQualifiedName("java.security.spec", "MGF1ParameterSpec") and
+      this.getField().isStatic()
+    }
+
+    /** Gets the hash algorithm name corresponding to this MGF1 field. */
+    string getHashAlgorithmName() {
+      this.getField().getName() = "SHA1" and result = "SHA-1"
+      or
+      this.getField().getName() = "SHA224" and result = "SHA-224"
+      or
+      this.getField().getName() = "SHA256" and result = "SHA-256"
+      or
+      this.getField().getName() = "SHA384" and result = "SHA-384"
+      or
+      this.getField().getName() = "SHA512" and result = "SHA-512"
+      or
+      this.getField().getName() = "SHA512_224" and result = "SHA-512/224"
+      or
+      this.getField().getName() = "SHA512_256" and result = "SHA-512/256"
+    }
+  }
+
+  /**
+   * A hash algorithm instance for the digest algorithm argument (arg 0) of a
+   * PSSParameterSpec instantiation, e.g., "SHA-256" in:
+   *   new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1)
+   *
+   * Type resolution delegates to hash_name_to_type_known from Standardization.
+   */
+  class PssParameterSpecDigestHashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof JavaConstant
+  {
+    PssParameterSpecInstantiation spec;
+
+    PssParameterSpecDigestHashAlgorithmInstance() {
+      this = spec.getDigestAlgorithmArg() and
+      // Only instantiate when the value resolves to a known hash type
+      exists(hash_name_to_type_known(super.getValue(), _))
+    }
+
+    /** Gets the PSSParameterSpec this digest hash belongs to. */
+    PssParameterSpecInstantiation getSpec() { result = spec }
+
+    override string getRawHashAlgorithmName() { result = super.getValue() }
+
+    override Crypto::THashType getHashType() {
+      result = hash_name_to_type_known(super.getValue(), _)
+    }
+
+    override int getFixedDigestLength() {
+      exists(hash_name_to_type_known(super.getValue(), result))
+    }
+  }
+
+  /**
+   * A hash algorithm instance for the MGF1 parameter spec argument (arg 2) of a
+   * PSSParameterSpec instantiation, e.g., MGF1ParameterSpec.SHA256 in:
+   *   new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1)
+   *
+   * The field name is normalized to a standard hash algorithm name (e.g.,
+   * SHA256 -> SHA-256), then type resolution delegates to hash_name_to_type_known.
+   */
+  class PssParameterSpecMgf1HashAlgorithmInstance extends Crypto::HashAlgorithmInstance instanceof Mgf1ParameterSpecFieldAccess
+  {
+    PssParameterSpecInstantiation spec;
+    string normalizedName;
+
+    PssParameterSpecMgf1HashAlgorithmInstance() {
+      this = spec.getMgfSpecArg() and
+      normalizedName = super.getHashAlgorithmName() and
+      // Only instantiate when the normalized name resolves to a known hash type
+      exists(hash_name_to_type_known(normalizedName, _))
+    }
+
+    /** Gets the PSSParameterSpec this MGF1 hash belongs to. */
+    PssParameterSpecInstantiation getSpec() { result = spec }
+
+    override string getRawHashAlgorithmName() { result = super.getField().getName() }
+
+    override Crypto::THashType getHashType() { result = hash_name_to_type_known(normalizedName, _) }
+
+    override int getFixedDigestLength() { exists(hash_name_to_type_known(normalizedName, result)) }
+  }
+
   class SignatureInitCall extends MethodCall {
     SignatureInitCall() {
       this.getCallee().hasQualifiedName("java.security", "Signature", ["initSign", "initVerify"])
@@ -1863,6 +2095,23 @@ module JCAModel {
     }
   }
 
+  /**
+   * A call to `Signature.setParameter(AlgorithmParameterSpec)`, used to
+   * configure algorithm parameters such as PSSParameterSpec on a Signature instance.
+   */
+  class SignatureSetParameterCall extends MethodCall {
+    SignatureSetParameterCall() {
+      this.getMethod().hasQualifiedName("java.security", "Signature", "setParameter") and
+      this.getMethod()
+          .getParameterType(0)
+          .(RefType)
+          .hasQualifiedName("java.security.spec", "AlgorithmParameterSpec")
+    }
+
+    /** Gets the AlgorithmParameterSpec argument. */
+    Expr getParameterSpecArg() { result = this.getArgument(0) }
+  }
+
   class SignatureOperationCall extends MethodCall {
     SignatureOperationCall() {
       this.getMethod().hasQualifiedName("java.security", "Signature", ["update", "sign", "verify"])
@@ -1927,7 +2176,6 @@ module JCAModel {
     }
 
     override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() {
-      // TODO: RSASSA-PSS literal sets hashes differently, through a ParameterSpec
       result = this.getInstantiationCall().getAlgorithmArg()
     }
 
@@ -1954,6 +2202,58 @@ module JCAModel {
     GetInstanceInitUseFlowAnalysis<SignatureGetInstanceCall, SignatureInitCall,
       SignatureOperationCall>;
 
+  /**
+   * Flow from `Signature.getInstance()` return value to `Signature.setParameter()` qualifier.
+   * Used to connect a signature algorithm literal to its PSSParameterSpec configuration.
+   */
+  module SignatureToSetParameterConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node src) { src.asExpr() instanceof SignatureGetInstanceCall }
+
+    predicate isSink(DataFlow::Node sink) {
+      exists(SignatureSetParameterCall c | sink.asExpr() = c.getQualifier())
+    }
+  }
+
+  module SignatureToSetParameterFlow = DataFlow::Global<SignatureToSetParameterConfig>;
+
+  /**
+   * Flow from `PSSParameterSpec` instantiation to `Signature.setParameter()` argument.
+   */
+  module PssSpecToSetParameterConfig implements DataFlow::ConfigSig {
+    predicate isSource(DataFlow::Node src) { src.asExpr() instanceof PssParameterSpecInstantiation }
+
+    predicate isSink(DataFlow::Node sink) {
+      exists(SignatureSetParameterCall c | sink.asExpr() = c.getParameterSpecArg())
+    }
+  }
+
+  module PssSpecToSetParameterFlow = DataFlow::Global<PssSpecToSetParameterConfig>;
+
+  /**
+   * Connects a PSSParameterSpec instantiation to the signature PSS padding literal
+   * for which it provides configuration, via `Signature.setParameter()`.
+   *
+   * The connection requires:
+   * 1. The padding literal flows (via its consumer) to a `Signature.getInstance()` call
+   * 2. That getInstance call flows to a `Signature.setParameter()` qualifier
+   * 3. The PSSParameterSpec flows to the same setParameter's argument
+   */
+  private predicate pssSpecForSignatureLiteral(
+    PssParameterSpecInstantiation spec, SignaturePssPaddingAlgorithmInstance literal
+  ) {
+    exists(
+      SignatureSetParameterCall setParam, SignatureGetInstanceCall getInstance,
+      SignatureGetInstanceAlgorithmValueConsumer consumer
+    |
+      consumer = literal.getConsumer() and
+      consumer = getInstance.getAlgorithmArg() and
+      SignatureToSetParameterFlow::flow(DataFlow::exprNode(getInstance),
+        DataFlow::exprNode(setParam.getQualifier())) and
+      PssSpecToSetParameterFlow::flow(DataFlow::exprNode(spec),
+        DataFlow::exprNode(setParam.getParameterSpecArg()))
+    )
+  }
+
   /*
    * Elliptic Curves (EC)
    */

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 8.1.0
+version: 8.1.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/lib/semmle/code/java/J2EE.qll

@@ -6,52 +6,67 @@ module;
 
 import Type
 
+/** Gets "java" or "jakarta". */
+string javaxOrJakarta() { result = ["javax", "jakarta"] }
+
 /** An entity bean. */
 class EntityBean extends Class {
   EntityBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EntityBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EntityBean") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** An enterprise bean. */
 class EnterpriseBean extends RefType {
   EnterpriseBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EnterpriseBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EnterpriseBean") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A local EJB home interface. */
 class LocalEjbHomeInterface extends Interface {
   LocalEjbHomeInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBLocalHome") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBLocalHome") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A remote EJB home interface. */
 class RemoteEjbHomeInterface extends Interface {
   RemoteEjbHomeInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBHome") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBHome") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A local EJB interface. */
 class LocalEjbInterface extends Interface {
   LocalEjbInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBLocalObject") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBLocalObject") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A remote EJB interface. */
 class RemoteEjbInterface extends Interface {
   RemoteEjbInterface() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "EJBObject") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBObject") |
+      this.hasSupertype+(i)
+    )
   }
 }
 
 /** A message bean. */
 class MessageBean extends Class {
   MessageBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "MessageDrivenBean") |
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "MessageDrivenBean") |
       this.hasSupertype+(i)
     )
   }
@@ -60,6 +75,8 @@ class MessageBean extends Class {
 /** A session bean. */
 class SessionBean extends Class {
   SessionBean() {
-    exists(Interface i | i.hasQualifiedName("javax.ejb", "SessionBean") | this.hasSupertype+(i))
+    exists(Interface i | i.hasQualifiedName(javaxOrJakarta() + ".ejb", "SessionBean") |
+      this.hasSupertype+(i)
+    )
   }
 }

java/ql/lib/semmle/code/java/JMX.qll

@@ -18,7 +18,7 @@ class MBean extends ManagedBean {
 class MXBean extends ManagedBean {
   MXBean() {
     this.getQualifiedName().matches("%MXBean%") or
-    this.getAnAnnotation().getType().hasQualifiedName("javax.management", "MXBean")
+    this.getAnAnnotation().getType().hasQualifiedName(javaxOrJakarta() + ".management", "MXBean")
   }
 }
 
@@ -61,7 +61,7 @@ class JmxRegistrationCall extends MethodCall {
 class JmxRegistrationMethod extends Method {
   JmxRegistrationMethod() {
     // A direct registration with the `MBeanServer`.
-    this.getDeclaringType().hasQualifiedName("javax.management", "MBeanServer") and
+    this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".management", "MBeanServer") and
     this.getName() = "registerMBean"
     or
     // The `MBeanServer` is often wrapped by an application specific management class, so identify
@@ -78,7 +78,7 @@ class JmxRegistrationMethod extends Method {
    */
   int getObjectPosition() {
     // Passed as the first argument to `registerMBean`.
-    this.getDeclaringType().hasQualifiedName("javax.management", "MBeanServer") and
+    this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".management", "MBeanServer") and
     this.getName() = "registerMBean" and
     result = 0
     or
@@ -92,16 +92,20 @@ class JmxRegistrationMethod extends Method {
 /** The class `javax.management.remote.JMXConnectorFactory`. */
 class TypeJmxConnectorFactory extends Class {
   TypeJmxConnectorFactory() {
-    this.hasQualifiedName("javax.management.remote", "JMXConnectorFactory")
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXConnectorFactory")
   }
 }
 
 /** The class `javax.management.remote.JMXServiceURL`. */
 class TypeJmxServiceUrl extends Class {
-  TypeJmxServiceUrl() { this.hasQualifiedName("javax.management.remote", "JMXServiceURL") }
+  TypeJmxServiceUrl() {
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote", "JMXServiceURL")
+  }
 }
 
 /** The class `javax.management.remote.rmi.RMIConnector`. */
 class TypeRmiConnector extends Class {
-  TypeRmiConnector() { this.hasQualifiedName("javax.management.remote.rmi", "RMIConnector") }
+  TypeRmiConnector() {
+    this.hasQualifiedName(javaxOrJakarta() + ".management.remote.rmi", "RMIConnector")
+  }
 }

java/ql/lib/semmle/code/java/deadcode/EntryPoints.qll

@@ -316,7 +316,7 @@ class FacesComponentReflectivelyConstructedClass extends ReflectivelyConstructed
  * Entry point for EJB home interfaces.
  */
 class EjbHome extends Interface, EntryPoint {
-  EjbHome() { this.getAnAncestor().hasQualifiedName("javax.ejb", "EJBHome") }
+  EjbHome() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBHome") }
 
   override Callable getALiveCallable() { result = this.getACallable() }
 }
@@ -325,7 +325,7 @@ class EjbHome extends Interface, EntryPoint {
  * Entry point for EJB object interfaces.
  */
 class EjbObject extends Interface, EntryPoint {
-  EjbObject() { this.getAnAncestor().hasQualifiedName("javax.ejb", "EJBObject") }
+  EjbObject() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBObject") }
 
   override Callable getALiveCallable() { result = this.getACallable() }
 }
@@ -341,7 +341,9 @@ class GsonDeserializationEntryPoint extends ReflectivelyConstructedClass {
 class JaxbDeserializationEntryPoint extends ReflectivelyConstructedClass {
   JaxbDeserializationEntryPoint() {
     // A class can be deserialized by JAXB if it's an `XmlRootElement`...
-    this.getAnAnnotation().getType().hasQualifiedName("javax.xml.bind.annotation", "XmlRootElement")
+    this.getAnAnnotation()
+        .getType()
+        .hasQualifiedName(javaxOrJakarta() + ".xml.bind.annotation", "XmlRootElement")
     or
     // ... or the type of an `XmlElement` field.
     exists(Field elementField |

java/ql/lib/semmle/code/java/deadcode/WebEntryPoints.qll

@@ -45,7 +45,7 @@ class ServletListenerClass extends ReflectivelyConstructedClass {
  */
 class ServletFilterClass extends ReflectivelyConstructedClass {
   ServletFilterClass() {
-    this.getAnAncestor().hasQualifiedName("javax.servlet", "Filter") and
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Filter") and
     // If we have seen any `web.xml` files, this filter will be considered to be live only if it is
     // referred to as a filter-class in at least one. If no `web.xml` files are found, we assume
     // that XML extraction was not enabled, and therefore consider all filter classes as live.

java/ql/lib/semmle/code/java/frameworks/JAXB.qll

@@ -6,20 +6,20 @@ import semmle.code.java.Type
 
 class JaxbElement extends Class {
   JaxbElement() {
-    this.getAnAncestor().hasQualifiedName("javax.xml.bind", "JAXBElement") or
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".xml.bind", "JAXBElement") or
     this.getAnAnnotation().getType().getName() = "XmlRootElement"
   }
 }
 
 class JaxbMarshalMethod extends Method {
   JaxbMarshalMethod() {
-    this.getDeclaringType().hasQualifiedName("javax.xml.bind", "Marshaller") and
+    this.getDeclaringType().hasQualifiedName(javaxOrJakarta() + ".xml.bind", "Marshaller") and
     this.getName() = "marshal"
   }
 }
 
 class JaxbAnnotationType extends AnnotationType {
-  JaxbAnnotationType() { this.getPackage().getName() = "javax.xml.bind.annotation" }
+  JaxbAnnotationType() { this.getPackage().getName() = javaxOrJakarta() + ".xml.bind.annotation" }
 }
 
 class JaxbAnnotated extends Annotatable {

java/ql/lib/semmle/code/java/frameworks/JavaxAnnotations.qll

@@ -14,35 +14,45 @@ import java
  * A `@javax.annotation.Generated` annotation.
  */
 class GeneratedAnnotation extends Annotation {
-  GeneratedAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Generated") }
+  GeneratedAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Generated")
+  }
 }
 
 /**
  * A `@javax.annotation.PostConstruct` annotation.
  */
 class PostConstructAnnotation extends Annotation {
-  PostConstructAnnotation() { this.getType().hasQualifiedName("javax.annotation", "PostConstruct") }
+  PostConstructAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "PostConstruct")
+  }
 }
 
 /**
  * A `@javax.annotation.PreDestroy` annotation.
  */
 class PreDestroyAnnotation extends Annotation {
-  PreDestroyAnnotation() { this.getType().hasQualifiedName("javax.annotation", "PreDestroy") }
+  PreDestroyAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "PreDestroy")
+  }
 }
 
 /**
  * A `@javax.annotation.Resource` annotation.
  */
 class ResourceAnnotation extends Annotation {
-  ResourceAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Resource") }
+  ResourceAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Resource")
+  }
 }
 
 /**
  * A `@javax.annotation.Resources` annotation.
  */
 class ResourcesAnnotation extends Annotation {
-  ResourcesAnnotation() { this.getType().hasQualifiedName("javax.annotation", "Resources") }
+  ResourcesAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "Resources")
+  }
 }
 
 /**
@@ -50,7 +60,7 @@ class ResourcesAnnotation extends Annotation {
  */
 class JavaxManagedBeanAnnotation extends Annotation {
   JavaxManagedBeanAnnotation() {
-    this.getType().hasQualifiedName("javax.annotation", "ManagedBean")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation", "ManagedBean")
   }
 }
 
@@ -63,7 +73,7 @@ class JavaxManagedBeanAnnotation extends Annotation {
  */
 class DeclareRolesAnnotation extends Annotation {
   DeclareRolesAnnotation() {
-    this.getType().hasQualifiedName("javax.annotation.security", "DeclareRoles")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "DeclareRoles")
   }
 }
 
@@ -71,7 +81,9 @@ class DeclareRolesAnnotation extends Annotation {
  * A `@javax.annotation.security.DenyAll` annotation.
  */
 class DenyAllAnnotation extends Annotation {
-  DenyAllAnnotation() { this.getType().hasQualifiedName("javax.annotation.security", "DenyAll") }
+  DenyAllAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "DenyAll")
+  }
 }
 
 /**
@@ -79,7 +91,7 @@ class DenyAllAnnotation extends Annotation {
  */
 class PermitAllAnnotation extends Annotation {
   PermitAllAnnotation() {
-    this.getType().hasQualifiedName("javax.annotation.security", "PermitAll")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "PermitAll")
   }
 }
 
@@ -88,7 +100,7 @@ class PermitAllAnnotation extends Annotation {
  */
 class RolesAllowedAnnotation extends Annotation {
   RolesAllowedAnnotation() {
-    this.getType().hasQualifiedName("javax.annotation.security", "RolesAllowed")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "RolesAllowed")
   }
 }
 
@@ -96,7 +108,9 @@ class RolesAllowedAnnotation extends Annotation {
  * A `@javax.annotation.security.RunAs` annotation.
  */
 class RunAsAnnotation extends Annotation {
-  RunAsAnnotation() { this.getType().hasQualifiedName("javax.annotation.security", "RunAs") }
+  RunAsAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".annotation.security", "RunAs")
+  }
 }
 
 /*
@@ -107,7 +121,9 @@ class RunAsAnnotation extends Annotation {
  * A `@javax.interceptor.AroundInvoke` annotation.
  */
 class AroundInvokeAnnotation extends Annotation {
-  AroundInvokeAnnotation() { this.getType().hasQualifiedName("javax.interceptor", "AroundInvoke") }
+  AroundInvokeAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "AroundInvoke")
+  }
 }
 
 /**
@@ -115,7 +131,7 @@ class AroundInvokeAnnotation extends Annotation {
  */
 class ExcludeClassInterceptorsAnnotation extends Annotation {
   ExcludeClassInterceptorsAnnotation() {
-    this.getType().hasQualifiedName("javax.interceptor", "ExcludeClassInterceptors")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "ExcludeClassInterceptors")
   }
 }
 
@@ -124,7 +140,7 @@ class ExcludeClassInterceptorsAnnotation extends Annotation {
  */
 class ExcludeDefaultInterceptorsAnnotation extends Annotation {
   ExcludeDefaultInterceptorsAnnotation() {
-    this.getType().hasQualifiedName("javax.interceptor", "ExcludeDefaultInterceptors")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "ExcludeDefaultInterceptors")
   }
 }
 
@@ -132,7 +148,9 @@ class ExcludeDefaultInterceptorsAnnotation extends Annotation {
  * A `@javax.interceptor.Interceptors` annotation.
  */
 class InterceptorsAnnotation extends Annotation {
-  InterceptorsAnnotation() { this.getType().hasQualifiedName("javax.interceptor", "Interceptors") }
+  InterceptorsAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".interceptor", "Interceptors")
+  }
 }
 
 /*
@@ -143,14 +161,16 @@ class InterceptorsAnnotation extends Annotation {
  * A `@javax.jws.WebMethod` annotation.
  */
 class WebMethodAnnotation extends Annotation {
-  WebMethodAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebMethod") }
+  WebMethodAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebMethod") }
 }
 
 /**
  * A `@javax.jws.WebService` annotation.
  */
 class WebServiceAnnotation extends Annotation {
-  WebServiceAnnotation() { this.getType().hasQualifiedName("javax.jws", "WebService") }
+  WebServiceAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebService")
+  }
 }
 
 /*
@@ -161,7 +181,9 @@ class WebServiceAnnotation extends Annotation {
  * A `@javax.xml.ws.WebServiceRef` annotation.
  */
 class WebServiceRefAnnotation extends Annotation {
-  WebServiceRefAnnotation() { this.getType().hasQualifiedName("javax.xml.ws", "WebServiceRef") }
+  WebServiceRefAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".xml.ws", "WebServiceRef")
+  }
 }
 
 /*
@@ -173,9 +195,7 @@ class WebServiceRefAnnotation extends Annotation {
  */
 class PatternAnnotation extends Annotation, RegexMatch::Range {
   PatternAnnotation() {
-    this.getType()
-        .hasQualifiedName(["javax.validation.constraints", "jakarta.validation.constraints"],
-          "Pattern")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".validation.constraints", "Pattern")
   }
 
   override Expr getRegex() { result = this.getValue("regexp") }

java/ql/lib/semmle/code/java/frameworks/JaxWS.qll

@@ -13,7 +13,7 @@ private import semmle.code.java.security.XSS
 /**
  * Gets a name for the root package of JAX-RS.
  */
-string getAJaxRsPackage() { result in ["javax.ws.rs", "jakarta.ws.rs"] }
+string getAJaxRsPackage() { result = javaxOrJakarta() + ".ws.rs" }
 
 /**
  * Gets a name for package `subpackage` within the JAX-RS hierarchy.
@@ -42,7 +42,7 @@ class JaxWsEndpoint extends Class {
     result.isPublic() and
     not result instanceof InitializerMethod and
     not exists(Annotation a | a = result.getAnAnnotation() |
-      a.getType().hasQualifiedName(["javax", "jakarta"] + ".jws", "WebMethod") and
+      a.getType().hasQualifiedName(javaxOrJakarta() + ".jws", "WebMethod") and
       a.getValue("exclude").(BooleanLiteral).getBooleanValue() = true
     ) and
     forex(ParamOrReturn paramOrRet | paramOrRet = result.getAParameter() or paramOrRet = result |
@@ -62,8 +62,7 @@ class JaxWsEndpoint extends Class {
 /** The annotation type `@XmlJavaTypeAdapter`. */
 class XmlJavaTypeAdapter extends AnnotationType {
   XmlJavaTypeAdapter() {
-    this.hasQualifiedName(["javax", "jakarta"] + ".xml.bind.annotation.adapters",
-      "XmlJavaTypeAdapter")
+    this.hasQualifiedName(javaxOrJakarta() + ".xml.bind.annotation.adapters", "XmlJavaTypeAdapter")
   }
 }
 
@@ -292,7 +291,7 @@ class JaxRSAnnotation extends Annotation {
   JaxRSAnnotation() {
     exists(AnnotationType a |
       a = this.getType() and
-      a.getPackage().getName().regexpMatch(["javax\\.ws\\.rs(\\..*)?", "jakarta\\.ws\\.rs(\\..*)?"])
+      a.getPackage().getName().regexpMatch(javaxOrJakarta() + "\\.ws\\.rs(\\..*)?")
     )
   }
 }

java/ql/lib/semmle/code/java/frameworks/Jms.qll

@@ -7,6 +7,6 @@ import java
 /** The method `ObjectMessage.getObject`. */
 class ObjectMessageGetObjectMethod extends Method {
   ObjectMessageGetObjectMethod() {
-    this.hasQualifiedName(["javax", "jakarta"] + ".jms", "ObjectMessage", "getObject")
+    this.hasQualifiedName(javaxOrJakarta() + ".jms", "ObjectMessage", "getObject")
   }
 }

java/ql/lib/semmle/code/java/frameworks/Jndi.qll

@@ -9,32 +9,34 @@ import java
 /*--- Types ---*/
 /** The interface `javax.naming.Context`. */
 class TypeNamingContext extends Interface {
-  TypeNamingContext() { this.hasQualifiedName("javax.naming", "Context") }
+  TypeNamingContext() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "Context") }
 }
 
 /** The class `javax.naming.CompositeName`. */
 class TypeCompositeName extends Class {
-  TypeCompositeName() { this.hasQualifiedName("javax.naming", "CompositeName") }
+  TypeCompositeName() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "CompositeName") }
 }
 
 /** The class `javax.naming.CompoundName`. */
 class TypeCompoundName extends Class {
-  TypeCompoundName() { this.hasQualifiedName("javax.naming", "CompoundName") }
+  TypeCompoundName() { this.hasQualifiedName(javaxOrJakarta() + ".naming", "CompoundName") }
 }
 
 /** The interface `javax.naming.directory.DirContext`. */
 class TypeDirContext extends Interface {
-  TypeDirContext() { this.hasQualifiedName("javax.naming.directory", "DirContext") }
+  TypeDirContext() { this.hasQualifiedName(javaxOrJakarta() + ".naming.directory", "DirContext") }
 }
 
 /** The class `javax.naming.directory.SearchControls` */
 class TypeSearchControls extends Class {
-  TypeSearchControls() { this.hasQualifiedName("javax.naming.directory", "SearchControls") }
+  TypeSearchControls() {
+    this.hasQualifiedName(javaxOrJakarta() + ".naming.directory", "SearchControls")
+  }
 }
 
 /** The class `javax.naming.ldap.LdapName`. */
 class TypeLdapName extends Class {
-  TypeLdapName() { this.hasQualifiedName("javax.naming.ldap", "LdapName") }
+  TypeLdapName() { this.hasQualifiedName(javaxOrJakarta() + ".naming.ldap", "LdapName") }
 }
 
 /*--- Methods ---*/

java/ql/lib/semmle/code/java/frameworks/Mail.qll

@@ -8,7 +8,7 @@ import java
  * The class `javax.mail.Session` or `jakarta.mail.Session`.
  */
 class MailSession extends Class {
-  MailSession() { this.hasQualifiedName(["javax.mail", "jakarta.mail"], "Session") }
+  MailSession() { this.hasQualifiedName(javaxOrJakarta() + ".mail", "Session") }
 }
 
 /**

java/ql/lib/semmle/code/java/frameworks/Networking.qll

@@ -20,7 +20,7 @@ class TypeSocket extends RefType {
 
 /** The type `javax.net.SocketFactory` */
 class TypeSocketFactory extends RefType {
-  TypeSocketFactory() { this.hasQualifiedName("javax.net", "SocketFactory") }
+  TypeSocketFactory() { this.hasQualifiedName(javaxOrJakarta() + ".net", "SocketFactory") }
 }
 
 /** The type `java.net.URL`. */

java/ql/lib/semmle/code/java/frameworks/Servlets.qll

@@ -12,7 +12,7 @@ import semmle.code.java.Type
  */
 class ServletRequest extends RefType {
   ServletRequest() {
-    this.hasQualifiedName("javax.servlet", "ServletRequest") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequest") or
     this instanceof HttpServletRequest
   }
 }
@@ -21,7 +21,9 @@ class ServletRequest extends RefType {
  * The interface `javax.servlet.http.HttpServletRequest`.
  */
 class HttpServletRequest extends RefType {
-  HttpServletRequest() { this.hasQualifiedName("javax.servlet.http", "HttpServletRequest") }
+  HttpServletRequest() {
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletRequest")
+  }
 }
 
 /**
@@ -168,7 +170,7 @@ class ServletRequestGetBodyMethod extends Method {
  */
 class ServletResponse extends RefType {
   ServletResponse() {
-    this.hasQualifiedName("javax.servlet", "ServletResponse") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletResponse") or
     this instanceof HttpServletResponse
   }
 }
@@ -177,7 +179,9 @@ class ServletResponse extends RefType {
  * The interface `javax.servlet.http.HttpServletResponse`.
  */
 class HttpServletResponse extends RefType {
-  HttpServletResponse() { this.hasQualifiedName("javax.servlet.http", "HttpServletResponse") }
+  HttpServletResponse() {
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpServletResponse")
+  }
 }
 
 /**
@@ -239,7 +243,7 @@ class ServletResponseGetOutputStreamMethod extends Method {
 
 /** The class `javax.servlet.http.Cookie`. */
 class TypeCookie extends Class {
-  TypeCookie() { this.hasQualifiedName("javax.servlet.http", "Cookie") }
+  TypeCookie() { this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "Cookie") }
 }
 
 /**
@@ -331,7 +335,7 @@ class ResponseSetContentTypeMethod extends Method {
  * A class that has `javax.servlet.Servlet` as an ancestor.
  */
 class ServletClass extends Class {
-  ServletClass() { this.getAnAncestor().hasQualifiedName("javax.servlet", "Servlet") }
+  ServletClass() { this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".servlet", "Servlet") }
 }
 
 /**
@@ -342,13 +346,13 @@ class ServletClass extends Class {
  */
 class ServletWebXmlListenerType extends RefType {
   ServletWebXmlListenerType() {
-    this.hasQualifiedName("javax.servlet", "ServletContextAttributeListener") or
-    this.hasQualifiedName("javax.servlet", "ServletContextListener") or
-    this.hasQualifiedName("javax.servlet", "ServletRequestAttributeListener") or
-    this.hasQualifiedName("javax.servlet", "ServletRequestListener") or
-    this.hasQualifiedName("javax.servlet.http", "HttpSessionAttributeListener") or
-    this.hasQualifiedName("javax.servlet.http", "HttpSessionIdListener") or
-    this.hasQualifiedName("javax.servlet.http", "HttpSessionListener")
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContextAttributeListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContextListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequestAttributeListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequestListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionAttributeListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionIdListener") or
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSessionListener")
     // Listeners that are not configured in `web.xml`:
     //  - `HttpSessionActivationListener`
     //  - `HttpSessionBindingListener`
@@ -373,8 +377,8 @@ predicate isRequestGetParamMethod(MethodCall ma) {
 /** The Java EE RequestDispatcher. */
 class RequestDispatcher extends RefType {
   RequestDispatcher() {
-    this.hasQualifiedName(["javax.servlet", "jakarta.servlet"], "RequestDispatcher") or
-    this.hasQualifiedName("javax.portlet", "PortletRequestDispatcher")
+    this.hasQualifiedName(javaxOrJakarta() + ".servlet", "RequestDispatcher") or
+    this.hasQualifiedName(javaxOrJakarta() + ".portlet", "PortletRequestDispatcher")
   }
 }
 
@@ -398,7 +402,7 @@ class RequestDispatchMethod extends Method {
  * The interface `javax.servlet.ServletContext`.
  */
 class ServletContext extends RefType {
-  ServletContext() { this.hasQualifiedName("javax.servlet", "ServletContext") }
+  ServletContext() { this.hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletContext") }
 }
 
 /** The `getResource` method of `ServletContext`. */
@@ -419,5 +423,5 @@ class GetServletResourceAsStreamMethod extends Method {
 
 /** The interface `javax.servlet.http.HttpSession` */
 class HttpServletSession extends RefType {
-  HttpServletSession() { this.hasQualifiedName("javax.servlet.http", "HttpSession") }
+  HttpServletSession() { this.hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSession") }
 }

java/ql/lib/semmle/code/java/frameworks/javaee/JavaServerFaces.qll

@@ -61,7 +61,7 @@ class FacesAccessibleType extends RefType {
 class FacesComponent extends Class {
   FacesComponent() {
     // Must extend UIComponent for it to be a valid component.
-    this.getAnAncestor().hasQualifiedName("javax.faces.component", "UIComponent") and
+    this.getAnAncestor().hasQualifiedName(javaxOrJakarta() + ".faces.component", "UIComponent") and
     (
       // Must be registered using either an annotation
       exists(FacesComponentAnnotation componentAnnotation |

java/ql/lib/semmle/code/java/frameworks/javaee/Persistence.qll

@@ -9,7 +9,7 @@ import java
 /**
  * Gets a JavaEE Persistence API package name.
  */
-string getAPersistencePackageName() { result = ["javax.persistence", "jakarta.persistence"] }
+string getAPersistencePackageName() { result = javaxOrJakarta() + ".persistence" }
 
 /**
  * A `RefType` with the `@Entity` annotation that indicates that it can be persisted using a JPA

java/ql/lib/semmle/code/java/frameworks/javaee/Xml.qll

@@ -33,7 +33,7 @@ private class ValidatorConfig extends TransformerConfig {
 
 /** The class `javax.xml.validation.Validator`. */
 private class Validator extends RefType {
-  Validator() { this.hasQualifiedName("javax.xml.validation", "Validator") }
+  Validator() { this.hasQualifiedName(javaxOrJakarta() + ".xml.validation", "Validator") }
 }
 
 /** A safely configured `Validator`. */

java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJB.qll

@@ -64,7 +64,7 @@ class SessionEjb extends EJB {
     result = this.getASupertype() and
     not result.hasQualifiedName("java.io", "Serializable") and
     not result.hasQualifiedName("java.io", "Externalizable") and
-    not result.getPackage().getName() = "javax.ejb"
+    not result.getPackage().getName() = javaxOrJakarta() + ".ejb"
   }
 
   /** Any remote interfaces of this EJB. */
@@ -216,14 +216,14 @@ abstract class BusinessInterfaceAnnotation extends EjbInterfaceAnnotation { }
  * An instance of a `@Remote` annotation.
  */
 class RemoteAnnotation extends BusinessInterfaceAnnotation {
-  RemoteAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Remote") }
+  RemoteAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Remote") }
 }
 
 /**
  * An instance of a `@Local` annotation.
  */
 class LocalAnnotation extends BusinessInterfaceAnnotation {
-  LocalAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Local") }
+  LocalAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Local") }
 }
 
 /**
@@ -330,7 +330,7 @@ class LocalAnnotatedBusinessInterface extends AnnotatedBusinessInterface {
  * A `@javax.ejb.Init` annotation.
  */
 class InitAnnotation extends Annotation {
-  InitAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Init") }
+  InitAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Init") }
 }
 
 /**
@@ -383,14 +383,16 @@ abstract class HomeAnnotation extends EjbInterfaceAnnotation { }
  * An instance of a `@RemoteHome` annotation.
  */
 class RemoteHomeAnnotation extends HomeAnnotation {
-  RemoteHomeAnnotation() { this.getType().hasQualifiedName("javax.ejb", "RemoteHome") }
+  RemoteHomeAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "RemoteHome")
+  }
 }
 
 /**
  * An instance of a `@LocalHome` annotation.
  */
 class LocalHomeAnnotation extends HomeAnnotation {
-  LocalHomeAnnotation() { this.getType().hasQualifiedName("javax.ejb", "LocalHome") }
+  LocalHomeAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "LocalHome") }
 }
 
 /**
@@ -748,7 +750,9 @@ Type inheritsMatchingCreateMethodExceptThrows(StatefulSessionEjb ejb, EjbInterfa
  * A `@javax.ejb.AccessTimeout` annotation.
  */
 class AccessTimeoutAnnotation extends Annotation {
-  AccessTimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AccessTimeout") }
+  AccessTimeoutAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AccessTimeout")
+  }
 }
 
 /**
@@ -756,7 +760,7 @@ class AccessTimeoutAnnotation extends Annotation {
  */
 class ActivationConfigPropertyAnnotation extends Annotation {
   ActivationConfigPropertyAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "ActivationConfigProperty")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ActivationConfigProperty")
   }
 }
 
@@ -764,14 +768,18 @@ class ActivationConfigPropertyAnnotation extends Annotation {
  * A `@javax.ejb.AfterBegin` annotation.
  */
 class AfterBeginAnnotation extends Annotation {
-  AfterBeginAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AfterBegin") }
+  AfterBeginAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AfterBegin")
+  }
 }
 
 /**
  * A `@javax.ejb.AfterCompletion` annotation.
  */
 class AfterCompletionAnnotation extends Annotation {
-  AfterCompletionAnnotation() { this.getType().hasQualifiedName("javax.ejb", "AfterCompletion") }
+  AfterCompletionAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "AfterCompletion")
+  }
 }
 
 /**
@@ -779,7 +787,7 @@ class AfterCompletionAnnotation extends Annotation {
  */
 class ApplicationExceptionAnnotation extends Annotation {
   ApplicationExceptionAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "ApplicationException")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ApplicationException")
   }
 }
 
@@ -787,14 +795,18 @@ class ApplicationExceptionAnnotation extends Annotation {
  * A `@javax.ejb.Asynchronous` annotation.
  */
 class AsynchronousAnnotation extends Annotation {
-  AsynchronousAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Asynchronous") }
+  AsynchronousAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Asynchronous")
+  }
 }
 
 /**
  * A `@javax.ejb.BeforeCompletion` annotation.
  */
 class BeforeCompletionAnnotation extends Annotation {
-  BeforeCompletionAnnotation() { this.getType().hasQualifiedName("javax.ejb", "BeforeCompletion") }
+  BeforeCompletionAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "BeforeCompletion")
+  }
 }
 
 /**
@@ -802,7 +814,7 @@ class BeforeCompletionAnnotation extends Annotation {
  */
 class ConcurrencyManagementAnnotation extends Annotation {
   ConcurrencyManagementAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "ConcurrencyManagement")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "ConcurrencyManagement")
   }
 }
 
@@ -810,119 +822,127 @@ class ConcurrencyManagementAnnotation extends Annotation {
  * A `@javax.ejb.DependsOn` annotation.
  */
 class DependsOnAnnotation extends Annotation {
-  DependsOnAnnotation() { this.getType().hasQualifiedName("javax.ejb", "DependsOn") }
+  DependsOnAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "DependsOn") }
 }
 
 /**
  * A `@javax.ejb.EJB` annotation.
  */
 class EjbAnnotation extends Annotation {
-  EjbAnnotation() { this.getType().hasQualifiedName("javax.ejb", "EJB") }
+  EjbAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJB") }
 }
 
 /**
  * A `@javax.ejb.EJBs` annotation.
  */
 class EJBsAnnotation extends Annotation {
-  EJBsAnnotation() { this.getType().hasQualifiedName("javax.ejb", "EJBs") }
+  EJBsAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBs") }
 }
 
 /**
  * A `@javax.ejb.LocalBean` annotation.
  */
 class LocalBeanAnnotation extends Annotation {
-  LocalBeanAnnotation() { this.getType().hasQualifiedName("javax.ejb", "LocalBean") }
+  LocalBeanAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "LocalBean") }
 }
 
 /**
  * A `@javax.ejb.Lock` annotation.
  */
 class LockAnnotation extends Annotation {
-  LockAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Lock") }
+  LockAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Lock") }
 }
 
 /**
  * A `@javax.ejb.MessageDriven` annotation.
  */
 class MessageDrivenAnnotation extends Annotation {
-  MessageDrivenAnnotation() { this.getType().hasQualifiedName("javax.ejb", "MessageDriven") }
+  MessageDrivenAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "MessageDriven")
+  }
 }
 
 /**
  * A `@javax.ejb.PostActivate` annotation.
  */
 class PostActivateAnnotation extends Annotation {
-  PostActivateAnnotation() { this.getType().hasQualifiedName("javax.ejb", "PostActivate") }
+  PostActivateAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "PostActivate")
+  }
 }
 
 /**
  * A `@javax.ejb.PrePassivate` annotation.
  */
 class PrePassivateAnnotation extends Annotation {
-  PrePassivateAnnotation() { this.getType().hasQualifiedName("javax.ejb", "PrePassivate") }
+  PrePassivateAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "PrePassivate")
+  }
 }
 
 /**
  * A `@javax.ejb.Remove` annotation.
  */
 class RemoveAnnotation extends Annotation {
-  RemoveAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Remove") }
+  RemoveAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Remove") }
 }
 
 /**
  * A `@javax.ejb.Schedule` annotation.
  */
 class ScheduleAnnotation extends Annotation {
-  ScheduleAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Schedule") }
+  ScheduleAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Schedule") }
 }
 
 /**
  * A `@javax.ejb.Schedules` annotation.
  */
 class SchedulesAnnotation extends Annotation {
-  SchedulesAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Schedules") }
+  SchedulesAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Schedules") }
 }
 
 /**
  * A `@javax.ejb.Singleton` annotation.
  */
 class SingletonAnnotation extends Annotation {
-  SingletonAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Singleton") }
+  SingletonAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Singleton") }
 }
 
 /**
  * A `@javax.ejb.Startup` annotation.
  */
 class StartupAnnotation extends Annotation {
-  StartupAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Startup") }
+  StartupAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Startup") }
 }
 
 /**
  * A `@javax.ejb.Stateful` annotation.
  */
 class StatefulAnnotation extends Annotation {
-  StatefulAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Stateful") }
+  StatefulAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Stateful") }
 }
 
 /**
  * A `@javax.ejb.StatefulTimeout` annotation.
  */
 class StatefulTimeoutAnnotation extends Annotation {
-  StatefulTimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "StatefulTimeout") }
+  StatefulTimeoutAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "StatefulTimeout")
+  }
 }
 
 /**
  * A `@javax.ejb.Stateless` annotation.
  */
 class StatelessAnnotation extends Annotation {
-  StatelessAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Stateless") }
+  StatelessAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Stateless") }
 }
 
 /**
  * A `@javax.ejb.Timeout` annotation.
  */
 class TimeoutAnnotation extends Annotation {
-  TimeoutAnnotation() { this.getType().hasQualifiedName("javax.ejb", "Timeout") }
+  TimeoutAnnotation() { this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "Timeout") }
 }
 
 /**
@@ -930,7 +950,7 @@ class TimeoutAnnotation extends Annotation {
  */
 class TransactionAttributeAnnotation extends Annotation {
   TransactionAttributeAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "TransactionAttribute")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttribute")
   }
 }
 
@@ -939,7 +959,7 @@ class TransactionAttributeAnnotation extends Annotation {
  */
 class TransactionManagementAnnotation extends Annotation {
   TransactionManagementAnnotation() {
-    this.getType().hasQualifiedName("javax.ejb", "TransactionManagement")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionManagement")
   }
 }
 
@@ -951,7 +971,10 @@ class RequiredTransactionAttributeAnnotation extends TransactionAttributeAnnotat
   RequiredTransactionAttributeAnnotation() {
     exists(FieldRead fr |
       this.getValue("value") = fr and
-      fr.getField().getType().(RefType).hasQualifiedName("javax.ejb", "TransactionAttributeType") and
+      fr.getField()
+          .getType()
+          .(RefType)
+          .hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttributeType") and
       fr.getField().getName() = "REQUIRED"
     )
   }
@@ -965,7 +988,10 @@ class RequiresNewTransactionAttributeAnnotation extends TransactionAttributeAnno
   RequiresNewTransactionAttributeAnnotation() {
     exists(FieldRead fr |
       this.getValue("value") = fr and
-      fr.getField().getType().(RefType).hasQualifiedName("javax.ejb", "TransactionAttributeType") and
+      fr.getField()
+          .getType()
+          .(RefType)
+          .hasQualifiedName(javaxOrJakarta() + ".ejb", "TransactionAttributeType") and
       fr.getField().getName() = "REQUIRES_NEW"
     )
   }
@@ -999,7 +1025,9 @@ TransactionAttributeAnnotation getInnermostTransactionAttributeAnnotation(Method
  */
 class SetRollbackOnlyMethod extends Method {
   SetRollbackOnlyMethod() {
-    this.getDeclaringType().getAnAncestor().hasQualifiedName("javax.ejb", "EJBContext") and
+    this.getDeclaringType()
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".ejb", "EJBContext") and
     this.getName() = "setRollbackOnly" and
     this.hasNoParameters()
   }

java/ql/lib/semmle/code/java/frameworks/javaee/ejb/EJBRestrictions.qll

@@ -159,8 +159,8 @@ class GraphicsPackage extends Package {
   GraphicsPackage() {
     this.getName() = "java.awt" or
     this.getName().matches("java.awt.%") or
-    this.getName() = "javax.swing" or
-    this.getName().matches("javax.swing.%")
+    this.getName() = javaxOrJakarta() + ".swing" or
+    this.getName().matches(javaxOrJakarta() + ".swing.%")
   }
 }
 

java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFAnnotations.qll

@@ -9,7 +9,7 @@ import default
  */
 class FacesManagedBeanAnnotation extends Annotation {
   FacesManagedBeanAnnotation() {
-    this.getType().hasQualifiedName("javax.faces.bean", "ManagedBean")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".faces.bean", "ManagedBean")
   }
 
   /**
@@ -25,7 +25,7 @@ class FacesManagedBeanAnnotation extends Annotation {
  */
 class FacesComponentAnnotation extends Annotation {
   FacesComponentAnnotation() {
-    this.getType().hasQualifiedName("javax.faces.component", "FacesComponent")
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".faces.component", "FacesComponent")
   }
 
   /**

java/ql/lib/semmle/code/java/frameworks/javaee/jsf/JSFRenderer.qll

@@ -8,9 +8,7 @@ import java
  * The JSF class `FacesContext` for processing HTTP requests.
  */
 class FacesContext extends RefType {
-  FacesContext() {
-    this.hasQualifiedName(["javax.faces.context", "jakarta.faces.context"], "FacesContext")
-  }
+  FacesContext() { this.hasQualifiedName(javaxOrJakarta() + ".faces.context", "FacesContext") }
 }
 
 /**

java/ql/lib/semmle/code/java/frameworks/spring/SpringAutowire.qll

@@ -14,7 +14,7 @@ import SpringComponentScan
 predicate hasInjectAnnotation(Annotatable a) {
   a.hasAnnotation("org.springframework.beans.factory.annotation", "Autowired") or
   a.getAnAnnotation() instanceof SpringResourceAnnotation or
-  a.hasAnnotation("javax.inject", "Inject")
+  a.hasAnnotation(javaxOrJakarta() + ".inject", "Inject")
 }
 
 /**
@@ -292,7 +292,7 @@ class SpringBeanAutowiredField extends Field {
 class SpringQualifierAnnotationType extends AnnotationType {
   SpringQualifierAnnotationType() {
     this.hasQualifiedName("org.springframework.beans.factory.annotation", "Qualifier") or
-    this.hasQualifiedName("javax.inject", "Qualifier") or
+    this.hasQualifiedName(javaxOrJakarta() + ".inject", "Qualifier") or
     this.getAnAnnotation().getType() instanceof SpringQualifierAnnotationType
   }
 }
@@ -340,7 +340,9 @@ class SpringQualifierAnnotation extends Annotation {
  * autowired by Spring, and can optionally specify a qualifier in the "name".
  */
 class SpringResourceAnnotation extends Annotation {
-  SpringResourceAnnotation() { this.getType().hasQualifiedName("javax.inject", "Resource") }
+  SpringResourceAnnotation() {
+    this.getType().hasQualifiedName(javaxOrJakarta() + ".inject", "Resource")
+  }
 
   /**
    * Gets the specified name value, if any.

java/ql/lib/semmle/code/java/frameworks/spring/SpringController.qll

@@ -210,10 +210,22 @@ class SpringRequestMappingParameter extends Parameter {
   predicate isNotDirectlyTaintedInput() {
     this.getType().(RefType).getAnAncestor() instanceof SpringWebRequest or
     this.getType().(RefType).getAnAncestor() instanceof SpringNativeWebRequest or
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet", "ServletRequest") or
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet", "ServletResponse") or
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet.http", "HttpSession") or
-    this.getType().(RefType).getAnAncestor().hasQualifiedName("javax.servlet.http", "PushBuilder") or
+    this.getType()
+        .(RefType)
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletRequest") or
+    this.getType()
+        .(RefType)
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet", "ServletResponse") or
+    this.getType()
+        .(RefType)
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "HttpSession") or
+    this.getType()
+        .(RefType)
+        .getAnAncestor()
+        .hasQualifiedName(javaxOrJakarta() + ".servlet.http", "PushBuilder") or
     this.getType().(RefType).getAnAncestor().hasQualifiedName("java.security", "Principal") or
     this.getType()
         .(RefType)