Go: Update to 1.26.4

Python: Remove imprecise container steps #2

.github/workflows/go-version-update.yml

@@ -0,0 +1,207 @@
+name: Update Go version
+
+on:
+  workflow_dispatch:
+  pull_request:
+  schedule:
+    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-go-version:
+    name: Check and update Go version
+    if: github.repository == 'github/codeql'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch latest Go version
+        id: fetch-version
+        run: |
+          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
+          
+          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
+            echo "Error: Failed to fetch latest Go version from go.dev"
+            exit 1
+          fi
+          
+          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
+          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
+          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
+          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
+          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Check current Go version
+        id: current-version
+        run: |
+          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
+          
+          if [ -z "$CURRENT_VERSION" ]; then
+            echo "Error: Could not extract Go version from MODULE.bazel"
+            exit 1
+          fi
+          
+          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
+          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version
+          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Compare versions
+        id: compare
+        run: |
+          LATEST="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT="${{ steps.current-version.outputs.version }}"
+          
+          echo "Latest: $LATEST"
+          echo "Current: $CURRENT"
+          
+          if [ "$LATEST" = "$CURRENT" ]; then
+            echo "Go version is up to date"
+            echo "needs_update=false" >> $GITHUB_OUTPUT
+          else
+            echo "Go version needs update from $CURRENT to $LATEST"
+            echo "needs_update=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update Go version in files
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
+          
+          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
+          
+          # Escape dots in current version strings for use in sed patterns
+          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
+          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
+          
+          # Update MODULE.bazel
+          if ! sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel; then
+            echo "Warning: Failed to update MODULE.bazel"
+          fi
+          
+          # Update go/extractor/go.mod
+          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
+            echo "Warning: Failed to update go directive in go.mod"
+          fi
+          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
+            echo "Warning: Failed to update toolchain in go.mod"
+          fi
+          
+          # Update go/extractor/autobuilder/build-environment.go
+          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
+            echo "Warning: Failed to update build-environment.go"
+          fi
+          
+          # Update go/actions/test/action.yml
+          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
+            echo "Warning: Failed to update action.yml"
+          fi
+          
+          # Show what changed
+          git diff
+
+      - name: Check for changes
+        id: check-changes
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "Changes detected"
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for existing PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        id: check-pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
+          
+          if [ -n "$PR_NUMBER" ]; then
+            echo "Existing PR found: #$PR_NUMBER"
+            echo "pr_exists=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          else
+            echo "No existing PR found"
+            echo "pr_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Commit and push changes
+        if: steps.check-changes.outputs.has_changes == 'true'
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          
+          # Create or switch to branch
+          git checkout -B "$BRANCH_NAME"
+          
+          # Stage and commit changes
+          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
+          git commit -m "Go: Update to $LATEST_VERSION_NUM"
+          
+          # Push changes
+          git push -f origin "$BRANCH_NAME"
+
+      - name: Create or update PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          
+          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
+          
+          PR_BODY=$(cat <<EOF
+          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
+
+          Updated files:
+          - \`MODULE.bazel\` - go_sdk.download version
+          - \`go/extractor/go.mod\` - go directive and toolchain
+          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion
+          - \`go/actions/test/action.yml\` - default go-test-version
+
+          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
+          EOF
+          )
+          
+          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
+            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
+            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
+          else
+            echo "Creating new PR"
+            gh pr create \
+              --title "$PR_TITLE" \
+              --body "$PR_BODY" \
+              --base main \
+              --head "$BRANCH_NAME" \
+              --label "Go"
+          fi

MODULE.bazel

@@ -273,7 +273,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.0")
+go_sdk.download(version = "1.26.4")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.37
+version: 0.4.38-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.29
+version: 0.6.30-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

config/identical-files.json

@@ -11,10 +11,6 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
-  "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
-  ],
   "ModulusAnalysis Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"

cpp/ql/lib/DefaultOptions.qll

@@ -30,8 +30,6 @@ class Options extends string {
   predicate overrideReturnsNull(Call call) {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
-    or
-    CustomOptions::overrideReturnsNull(call) // old Options.qll
   }
 
   /**
@@ -45,8 +43,6 @@ class Options extends string {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
     nullValue(call.getArgument(0))
-    or
-    CustomOptions::returnsNull(call) // old Options.qll
   }
 
   /**
@@ -65,8 +61,6 @@ class Options extends string {
     f.hasGlobalOrStdName([
         "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
-    or
-    CustomOptions::exits(f) // old Options.qll
   }
 
   /**
@@ -79,8 +73,7 @@ class Options extends string {
    * runtime, the program's behavior is undefined)
    */
   predicate exprExits(Expr e) {
-    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
+    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0
-    CustomOptions::exprExits(e) // old Options.qll
   }
 
   /**
@@ -88,10 +81,7 @@ class Options extends string {
    *
    * By default holds only for `fgets`.
    */
-  predicate alwaysCheckReturnValue(Function f) {
+  predicate alwaysCheckReturnValue(Function f) { f.hasGlobalOrStdName("fgets") }
-    f.hasGlobalOrStdName("fgets") or
-    CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
-  }
 
   /**
    * Holds if it is reasonable to ignore the return value of function
@@ -107,8 +97,6 @@ class Options extends string {
     // common way of sleeping using select:
     fc.getTarget().hasGlobalName("select") and
     fc.getArgument(0).getValue() = "0"
-    or
-    CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll
   }
 }
 

cpp/ql/lib/Options.qll

@@ -98,57 +98,3 @@ class CustomMutexType extends MutexType {
    */
   override predicate unlockAccess(FunctionCall fc, Expr arg) { none() }
 }
-
-/**
- * DEPRECATED: customize `CustomOptions.overrideReturnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate overrideReturnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.returnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate returnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exits(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exprExits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exprExits(Expr e) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.alwaysCheckReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate alwaysCheckReturnValue(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.okToIgnoreReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate okToIgnoreReturnValue(FunctionCall fc) { none() }

cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md

@@ -0,0 +1,15 @@
+---
+category: breaking
+---
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.

cpp/ql/lib/cpp.qll

@@ -32,7 +32,6 @@ import semmle.code.cpp.Class
 import semmle.code.cpp.Struct
 import semmle.code.cpp.Union
 import semmle.code.cpp.Enum
-import semmle.code.cpp.Member
 import semmle.code.cpp.Field
 import semmle.code.cpp.Function
 import semmle.code.cpp.MemberFunction

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.2.0
+version: 10.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -148,28 +148,3 @@ class UnknownLocation extends Location {
     this.getFile().getAbsolutePath() = "" and locations_default(this, _, 0, 0, 0, 0)
   }
 }
-
-/**
- * A dummy location which is used when something doesn't have a location in
- * the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownDefaultLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when an expression doesn't have a
- * location in the source code but needs to have a `Location` associated
- * with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownExprLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when a statement doesn't have a location
- * in the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownStmtLocation extends UnknownLocation { }

cpp/ql/lib/semmle/code/cpp/Member.qll

@@ -1,6 +0,0 @@
-/**
- * DEPRECATED: import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly as required.
- */
-
-import semmle.code.cpp.Element
-import semmle.code.cpp.Type

cpp/ql/lib/semmle/code/cpp/TemplateParameter.qll

@@ -35,13 +35,6 @@ class NonTypeTemplateParameter extends Literal, TemplateParameterImpl {
   override string getAPrimaryQlClass() { result = "NonTypeTemplateParameter" }
 }
 
-/**
- * A C++ `typename` (or `class`) template parameter.
- *
- * DEPRECATED: Use `TypeTemplateParameter` instead.
- */
-deprecated class TemplateParameter = TypeTemplateParameter;
-
 /**
  * A C++ `typename` (or `class`) template parameter.
  *

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -276,6 +276,45 @@ private predicate isClassConstructedFrom(Class c, Class templateClass) {
   not c.isConstructedFrom(_) and c = templateClass
 }
 
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassOld(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  isClassConstructedFrom(c, result)
+}
+
+private TemplateClass getOriginalClassTemplate(TemplateClass tc) {
+  result = tc.getOriginalTemplate()
+  or
+  not exists(tc.getOriginalTemplate()) and
+  result = tc
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassNew(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  exists(Class mid |
+    c.isConstructedFrom(mid)
+    or
+    not c.isConstructedFrom(_) and c = mid
+  |
+    result = getOriginalClassTemplate(mid)
+    or
+    not mid instanceof TemplateClass and mid = result
+  )
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClass(Class c) {
+  // The `Class::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `class_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `class_template_generated_from` extensional is empty.
+  if class_template_generated_from(_, _)
+  then result = getFullyTemplatedClassNew(c)
+  else result = getFullyTemplatedClassOld(c)
+}
+
 /**
  * Holds if `f` is an instantiation of a function template `templateFunc`, or
  * holds with `f = templateFunc` if `f` is not an instantiation of any function
@@ -292,7 +331,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
 }
 
 /** Gets the fully templated version of `f`. */
-Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedFunctionOld(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
@@ -306,13 +345,46 @@ Function getFullyTemplatedFunction(Function f) {
   )
 }
 
+private TemplateFunction getOriginalFunctionTemplate(TemplateFunction tf) {
+  result = tf.getOriginalTemplate()
+  or
+  not exists(tf.getOriginalTemplate()) and
+  result = tf
+}
+
+/** Gets the fully templated version of `f`. */
+private Function getFullyTemplatedFunctionNew(Function f) {
+  not f.isFromUninstantiatedTemplate(_) and
+  exists(Function mid |
+    f.isConstructedFrom(mid)
+    or
+    not f.isConstructedFrom(_) and f = mid
+  |
+    result = getOriginalFunctionTemplate(mid)
+    or
+    not mid instanceof TemplateFunction and mid = result
+  )
+}
+
+/** Gets the fully templated version of `f`. */
+Function getFullyTemplatedFunction(Function f) {
+  // The `Function::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `function_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `function_template_generated_from` extensional is empty.
+  if function_template_generated_from(_, _)
+  then result = getFullyTemplatedFunctionNew(f)
+  else result = getFullyTemplatedFunctionOld(f)
+}
+
 /** Prefixes `const` to `s` if `t` is const, or returns `s` otherwise. */
 bindingset[s, t]
 private string withConst(string s, Type t) {
   if t.isConst() then result = "const " + s else result = s
 }
 
-/** Prefixes `volatile` to `s` if `t` is const, or returns `s` otherwise. */
+/** Prefixes `volatile` to `s` if `t` is volatile, or returns `s` otherwise. */
 bindingset[s, t]
 private string withVolatile(string s, Type t) {
   if t.isVolatile() then result = "volatile " + s else result = s
@@ -490,7 +562,7 @@ pragma[nomagic]
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     remaining = getNumberOfSupportedClassTemplateArguments(template) and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
@@ -502,7 +574,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   or
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     tp = getSupportedClassTemplateArgument(template, remaining)
   |
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())

cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll

@@ -1,59 +1,5 @@
 import semmle.code.cpp.Type
 
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private string getTopLevelClassName(@usertype c) {
-  not mangled_name(_, _, _) and
-  isClass(c) and
-  usertypes(c, result, _) and
-  not namespacembrs(_, c) and // not in a namespace
-  not member(_, _, c) and // not in some structure
-  not class_instantiation(c, _) // not a template instantiation
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `d` is a unique complete class named `name`.
- */
-pragma[noinline]
-private predicate existsCompleteWithName(string name, @usertype d) {
-  not mangled_name(_, _, _) and
-  is_complete(d) and
-  name = getTopLevelClassName(d) and
-  onlyOneCompleteClassExistsWithName(name)
-}
-
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private predicate onlyOneCompleteClassExistsWithName(string name) {
-  not mangled_name(_, _, _) and
-  strictcount(@usertype c | is_complete(c) and getTopLevelClassName(c) = name) = 1
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class named `name`.
- */
-pragma[noinline]
-private predicate existsIncompleteWithName(string name, @usertype c) {
-  not mangled_name(_, _, _) and
-  not is_complete(c) and
-  name = getTopLevelClassName(c)
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class, and there exists a unique complete class `d`
- * with the same name.
- */
-private predicate oldHasCompleteTwin(@usertype c, @usertype d) {
-  not mangled_name(_, _, _) and
-  exists(string name |
-    existsIncompleteWithName(name, c) and
-    existsCompleteWithName(name, d)
-  )
-}
-
 pragma[noinline]
 private @mangledname getClassMangledName(@usertype c) {
   isClass(c) and
@@ -103,10 +49,7 @@ private module Cached {
   @usertype resolveClass(@usertype c) {
     hasCompleteTwin(c, result)
     or
-    oldHasCompleteTwin(c, result)
-    or
     not hasCompleteTwin(c, _) and
-    not oldHasCompleteTwin(c, _) and
     result = c
   }
 

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.4
+version: 1.6.5-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -51,13 +51,16 @@ models
 | 50 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
 | 51 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
 | 52 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 53 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 53 | Summary: ; TemplateClass1; true; templateFunction2<U,V>; (U,V); ; Argument[1]; ReturnValue; value; manual |
-| 54 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 54 | Summary: ; TemplateClass1<T>; false; templateFunction<U>; (T,U); ; Argument[0]; ReturnValue; value; manual |
-| 55 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 55 | Summary: ; TemplateClass2<T,U>; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual |
-| 56 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 56 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 57 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 57 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 58 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 59 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 60 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:57 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:60 |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:32  |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:32 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
@@ -66,24 +69,24 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:57 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:60 |
-| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:56 |
+| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:59 |
-| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:53 |
+| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:56 |
-| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:54 |
+| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:57 |
-| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:55 |
+| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:58 |
 | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:253:48:253:60 | *call to GetBodyStream | provenance | Src:MaD:29  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:257:5:257:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:262:5:262:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:266:38:266:41 | *resp | provenance |  |
 | azure.cpp:257:5:257:8 | *resp | azure.cpp:113:16:113:19 | [summary param] this in Read | provenance |  |
-| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:53 |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:56 |
 | azure.cpp:257:16:257:21 | Read output argument | azure.cpp:258:10:258:16 | * ... | provenance |  |
 | azure.cpp:262:5:262:8 | *resp | azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | provenance |  |
-| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:54 |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:57 |
 | azure.cpp:262:23:262:28 | ReadToCount output argument | azure.cpp:263:10:263:16 | * ... | provenance |  |
 | azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:267:10:267:12 | vec [element] | provenance |  |
 | azure.cpp:267:10:267:12 | vec [element] | azure.cpp:267:10:267:12 | vec | provenance |  |
@@ -100,11 +103,11 @@ edges
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | provenance | Src:MaD:26  |
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:282:21:282:23 | *call to get | provenance |  |
 | azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:10:282:38 | call to ReadToEnd | provenance |  |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | provenance |  |
-| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:56 |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:59 |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:24:289:56 | call to GetHeader | provenance |  |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:32:289:40 | call to GetHeader | provenance | Src:MaD:30  |
 | azure.cpp:289:63:289:65 | call to Value | azure.cpp:289:63:289:65 | call to Value | provenance |  |
@@ -180,6 +183,39 @@ edges
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance |  |
 | test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:48 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | provenance | MaD:54 |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | provenance | MaD:53 |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:133:10:133:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:134:45:134:45 | x | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:134:13:134:43 | call to templateFunction | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:135:10:135:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | provenance |  |
+| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:54 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:146:10:146:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:148:26:148:26 | x | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:148:10:148:27 | call to function | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:149:10:149:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:55 |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:155:10:155:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:157:26:157:26 | x | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:157:13:157:20 | call to function | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:158:10:158:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:55 |
+| test.cpp:164:34:164:34 | x | test.cpp:165:69:165:69 | x | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:164:7:164:7 | *templateFunction3 | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:53 |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:170:10:170:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:172:51:172:51 | x | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:173:10:173:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | provenance |  |
+| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:53 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:33 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
@@ -483,6 +519,43 @@ nodes
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
 | test.cpp:118:44:118:44 | *x | semmle.label | *x |
 | test.cpp:119:10:119:11 | y2 | semmle.label | y2 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | semmle.label | [summary param] 0 in templateFunction |
+| test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | semmle.label | [summary] to write: ReturnValue in templateFunction |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | semmle.label | [summary param] 1 in templateFunction2 |
+| test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | semmle.label | [summary] to write: ReturnValue in templateFunction2 |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:45:134:45 | x | semmle.label | x |
+| test.cpp:135:10:135:10 | y | semmle.label | y |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:26:148:26 | x | semmle.label | x |
+| test.cpp:149:10:149:10 | z | semmle.label | z |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:26:157:26 | x | semmle.label | x |
+| test.cpp:158:10:158:10 | z | semmle.label | z |
+| test.cpp:164:7:164:7 | *templateFunction3 | semmle.label | *templateFunction3 |
+| test.cpp:164:34:164:34 | x | semmle.label | x |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:69:165:69 | x | semmle.label | x |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:51:172:51 | x | semmle.label | x |
+| test.cpp:173:10:173:10 | y | semmle.label | y |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
 | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
@@ -688,6 +761,11 @@ subpaths
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | test.cpp:134:13:134:43 | call to templateFunction |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:148:10:148:27 | call to function |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:157:13:157:20 | call to function |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | test.cpp:164:7:164:7 | *templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
 | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument |
 | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument |

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -19,3 +19,6 @@ extensions:
       - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
       - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1<T>", False, "templateFunction<U>", "(T,U)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1", True, "templateFunction2<U,V>", "(U,V)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass2<T,U>", True, "function", "(U,T)", "", "Argument[1]", "ReturnValue", "value", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -15,3 +15,7 @@
 | test.cpp:89:11:89:11 | y | test-sink |
 | test.cpp:116:10:116:11 | y1 | test-sink |
 | test.cpp:119:10:119:11 | y2 | test-sink |
+| test.cpp:135:10:135:10 | y | test-sink |
+| test.cpp:149:10:149:10 | z | test-sink |
+| test.cpp:158:10:158:10 | z | test-sink |
+| test.cpp:173:10:173:10 | y | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -9,6 +9,10 @@
 | test.cpp:56:8:56:16 | call to ymlSource | local |
 | test.cpp:94:10:94:18 | call to ymlSource | local |
 | test.cpp:114:10:114:18 | call to ymlSource | local |
+| test.cpp:133:10:133:18 | call to ymlSource | local |
+| test.cpp:146:10:146:18 | call to ymlSource | local |
+| test.cpp:155:10:155:18 | call to ymlSource | local |
+| test.cpp:170:10:170:18 | call to ymlSource | local |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
 | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -118,3 +118,57 @@ void test_callWithNonTypeTemplate() {
 	int y2 = callWithNonTypeTemplate<int, 10>(x);
 	ymlSink(y2); // $ ir
 }
+
+template<class T>
+struct TemplateClass1 {
+  template<class U>
+  U templateFunction(T, U);
+
+	template<class U, class V>
+  V templateFunction2(U, V);
+};
+
+void test_template_function_in_template_class() {
+	TemplateClass1<int> b;
+	int x = ymlSource();
+	auto y = b.templateFunction<unsigned long>(x, 0UL);
+	ymlSink(y); // $ ir
+}
+
+template<class S, class T>
+struct TemplateClass2 {
+	T function(T, S);
+};
+
+template<class V> using PartialInstantiationOfTemplateClass2 = TemplateClass2<int, V>;
+
+void test_partial_class_instantiation() {
+	int x = ymlSource();
+	PartialInstantiationOfTemplateClass2<unsigned long> y;
+	int z = y.function(0UL, x);
+	ymlSink(z); // $ ir
+}
+
+template<class V> struct DeriveFromFromPartialTemplateInstantiation : TemplateClass2<int, V> { };
+
+void test_inheritance() {
+	int x = ymlSource();
+	DeriveFromFromPartialTemplateInstantiation<long> y;
+	auto z = y.function(0L, x);
+	ymlSink(z); // $ ir
+}
+
+template<class T>
+struct Class1 : TemplateClass1<T> {
+  template<class U>
+  int templateFunction3(U u, int x) {
+    return TemplateClass1<T>::template templateFunction2<U, int>(u, x);
+  }
+};
+
+void test_class1() {
+	int x = ymlSource();
+	Class1<int> c;
+	auto y = c.templateFunction3<unsigned long>(0UL, x);
+	ymlSink(y); // $ ir
+}

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -27383,54 +27383,55 @@ getParameterTypeName
 | stl.h:91:24:91:33 | operator++ | 0 | int |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
-| stl.h:148:3:148:14 | basic_string | 0 | const class:2 & |
+| stl.h:147:12:147:23 | basic_string | 0 | const class:2 & |
-| stl.h:149:33:149:44 | basic_string | 0 | const class:0 * |
+| stl.h:148:3:148:14 | basic_string | 0 | const class:0 * |
-| stl.h:149:33:149:44 | basic_string | 1 | const class:2 & |
+| stl.h:148:3:148:14 | basic_string | 1 | const class:2 & |
-| stl.h:151:16:151:20 | c_str | 0 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 0 | func:0 |
-| stl.h:151:16:151:20 | c_str | 1 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 1 | func:0 |
-| stl.h:151:16:151:20 | c_str | 2 | const class:2 & |
+| stl.h:149:33:149:44 | basic_string | 2 | const class:2 & |
+| stl.h:165:8:165:16 | push_back | 0 | class:0 |
 | stl.h:173:13:173:22 | operator[] | 0 | size_type |
 | stl.h:175:13:175:14 | at | 0 | size_type |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
-| stl.h:177:17:177:26 | operator+= | 0 | const func:0 & |
+| stl.h:177:17:177:26 | operator+= | 0 | const class:0 * |
-| stl.h:178:17:178:22 | append | 0 | const class:0 * |
+| stl.h:178:17:178:22 | append | 0 | const basic_string & |
-| stl.h:179:17:179:22 | append | 0 | const basic_string & |
+| stl.h:179:17:179:22 | append | 0 | const class:0 * |
-| stl.h:180:17:180:22 | append | 0 | const class:0 * |
+| stl.h:180:17:180:22 | append | 0 | size_type |
-| stl.h:181:47:181:52 | append | 0 | size_type |
+| stl.h:180:17:180:22 | append | 1 | class:0 |
-| stl.h:181:47:181:52 | append | 1 | class:0 |
+| stl.h:181:47:181:52 | append | 0 | func:0 |
-| stl.h:182:17:182:22 | assign | 0 | func:0 |
+| stl.h:181:47:181:52 | append | 1 | func:0 |
-| stl.h:182:17:182:22 | assign | 1 | func:0 |
+| stl.h:182:17:182:22 | assign | 0 | const basic_string & |
-| stl.h:183:17:183:22 | assign | 0 | const basic_string & |
+| stl.h:183:17:183:22 | assign | 0 | size_type |
-| stl.h:184:47:184:52 | assign | 0 | size_type |
+| stl.h:183:17:183:22 | assign | 1 | class:0 |
-| stl.h:184:47:184:52 | assign | 1 | class:0 |
+| stl.h:184:47:184:52 | assign | 0 | func:0 |
-| stl.h:185:17:185:22 | insert | 0 | func:0 |
+| stl.h:184:47:184:52 | assign | 1 | func:0 |
-| stl.h:185:17:185:22 | insert | 1 | func:0 |
+| stl.h:185:17:185:22 | insert | 0 | size_type |
+| stl.h:185:17:185:22 | insert | 1 | const basic_string & |
 | stl.h:186:17:186:22 | insert | 0 | size_type |
-| stl.h:186:17:186:22 | insert | 1 | const basic_string & |
+| stl.h:186:17:186:22 | insert | 1 | size_type |
+| stl.h:186:17:186:22 | insert | 2 | class:0 |
 | stl.h:187:17:187:22 | insert | 0 | size_type |
-| stl.h:187:17:187:22 | insert | 1 | size_type |
+| stl.h:187:17:187:22 | insert | 1 | const class:0 * |
-| stl.h:187:17:187:22 | insert | 2 | class:0 |
+| stl.h:188:12:188:17 | insert | 0 | const_iterator |
-| stl.h:188:12:188:17 | insert | 0 | size_type |
+| stl.h:188:12:188:17 | insert | 1 | size_type |
-| stl.h:188:12:188:17 | insert | 1 | const class:0 * |
+| stl.h:188:12:188:17 | insert | 2 | class:0 |
 | stl.h:189:42:189:47 | insert | 0 | const_iterator |
-| stl.h:189:42:189:47 | insert | 1 | size_type |
+| stl.h:189:42:189:47 | insert | 1 | func:0 |
-| stl.h:189:42:189:47 | insert | 2 | class:0 |
+| stl.h:189:42:189:47 | insert | 2 | func:0 |
-| stl.h:190:17:190:23 | replace | 0 | const_iterator |
+| stl.h:190:17:190:23 | replace | 0 | size_type |
-| stl.h:190:17:190:23 | replace | 1 | func:0 |
+| stl.h:190:17:190:23 | replace | 1 | size_type |
-| stl.h:190:17:190:23 | replace | 2 | func:0 |
+| stl.h:190:17:190:23 | replace | 2 | const basic_string & |
 | stl.h:191:17:191:23 | replace | 0 | size_type |
 | stl.h:191:17:191:23 | replace | 1 | size_type |
-| stl.h:191:17:191:23 | replace | 2 | const basic_string & |
+| stl.h:191:17:191:23 | replace | 2 | size_type |
-| stl.h:192:13:192:16 | copy | 0 | size_type |
+| stl.h:191:17:191:23 | replace | 3 | class:0 |
+| stl.h:192:13:192:16 | copy | 0 | class:0 * |
 | stl.h:192:13:192:16 | copy | 1 | size_type |
 | stl.h:192:13:192:16 | copy | 2 | size_type |
-| stl.h:192:13:192:16 | copy | 3 | class:0 |
+| stl.h:194:16:194:21 | substr | 0 | size_type |
-| stl.h:193:8:193:12 | clear | 0 | class:0 * |
+| stl.h:194:16:194:21 | substr | 1 | size_type |
-| stl.h:193:8:193:12 | clear | 1 | size_type |
+| stl.h:195:8:195:11 | swap | 0 | basic_string & |
-| stl.h:193:8:193:12 | clear | 2 | size_type |
-| stl.h:195:8:195:11 | swap | 0 | size_type |
-| stl.h:195:8:195:11 | swap | 1 | size_type |
 | stl.h:198:94:198:102 | operator+ | 0 | const basic_string & |
 | stl.h:198:94:198:102 | operator+ | 1 | const basic_string & |
 | stl.h:199:94:199:102 | operator+ | 0 | const basic_string & |

cpp/ql/test/library-tests/friends/loop/friends.expected

@@ -1,14 +1,14 @@
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:29 | F<D> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:29 | F<D> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -664,7 +664,7 @@ namespace Semmle.Extraction.CSharp
                 // Find the (possibly unbound) original extension method that maps to this implementation (if any).
                 var unboundDeclaration = extensions.SelectMany(e => e.GetMembers())
                     .OfType<IMethodSymbol>()
-                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation, method.ConstructedFrom));
+                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation?.ConstructedFrom, method.ConstructedFrom));
 
                 var isFullyConstructed = method.IsBoundGenericMethod();
                 if (isFullyConstructed && unboundDeclaration?.ContainingType is INamedTypeSymbol extensionType)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -69,6 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
 
             Overrides(trapFile);
+            ExtractRefReturn(trapFile, Symbol, this);
 
             if (Symbol.FromSource() && !HasBody)
             {

csharp/paket.dependencies

@@ -4,7 +4,7 @@ source https://api.nuget.org/v3/index.json
 # behave like nuget in choosing transitive dependency versions
 strategy: max
 
-nuget Basic.CompilerLog.Util 0.9.25
+nuget Basic.CompilerLog.Util 0.9.39
 nuget Mono.Posix.NETStandard
 nuget Newtonsoft.Json
 nuget NuGet.Versioning
@@ -12,7 +12,7 @@ nuget xunit
 nuget xunit.runner.visualstudio
 nuget xunit.runner.utility
 nuget Microsoft.NET.Test.Sdk
-nuget Microsoft.CodeAnalysis.CSharp 5.0.0
+nuget Microsoft.CodeAnalysis.CSharp 5.3.0
-nuget Microsoft.CodeAnalysis 5.0.0
+nuget Microsoft.CodeAnalysis 5.3.0
-nuget Microsoft.Build 18.0.2
+nuget Microsoft.Build 18.6.3
 nuget Microsoft.VisualStudio.SolutionPersistence

csharp/paket.lock

@@ -3,45 +3,42 @@ STRATEGY: MAX
 RESTRICTION: == net10.0
 NUGET
   remote: https://api.nuget.org/v3/index.json
-    Basic.CompilerLog.Util (0.9.25)
+    Basic.CompilerLog.Util (0.9.39)
       MessagePack (>= 3.1.4)
-      Microsoft.Bcl.Memory (>= 9.0.10)
+      Microsoft.Bcl.Memory (>= 10.0.7)
       Microsoft.CodeAnalysis (>= 4.8)
       Microsoft.CodeAnalysis.CSharp (>= 4.8)
       Microsoft.CodeAnalysis.VisualBasic (>= 4.8)
-      Microsoft.Extensions.ObjectPool (>= 9.0.10)
+      Microsoft.Extensions.ObjectPool (>= 10.0.7)
-      MSBuild.StructuredLogger (>= 2.3.71)
+      MSBuild.StructuredLogger (>= 2.3.178)
-      NaturalSort.Extension (>= 4.4)
-      NuGet.Versioning (>= 6.14)
     Humanizer.Core (3.0.10)
-    MessagePack (3.1.4)
+    MessagePack (3.1.6)
-      MessagePack.Annotations (>= 3.1.4)
+      MessagePack.Annotations (>= 3.1.6)
-      MessagePackAnalyzer (>= 3.1.4)
+      MessagePackAnalyzer (>= 3.1.6)
       Microsoft.NET.StringTools (>= 17.11.4)
-    MessagePack.Annotations (3.1.4)
+    MessagePack.Annotations (3.1.6)
-    MessagePackAnalyzer (3.1.4)
+    MessagePackAnalyzer (3.1.6)
     Microsoft.Bcl.AsyncInterfaces (10.0.8)
     Microsoft.Bcl.Memory (10.0.8)
-    Microsoft.Build (18.0.2)
+    Microsoft.Build (18.6.3)
-      Microsoft.Build.Framework (>= 18.0.2)
+      Microsoft.Build.Framework (>= 18.6.3)
-      Microsoft.NET.StringTools (>= 18.0.2)
+      System.Configuration.ConfigurationManager (>= 10.0.3)
-      System.Configuration.ConfigurationManager (>= 9.0)
+      System.Diagnostics.EventLog (>= 10.0.3)
-      System.Diagnostics.EventLog (>= 9.0)
+      System.Reflection.MetadataLoadContext (>= 10.0.3)
-      System.Reflection.MetadataLoadContext (>= 9.0)
+      System.Security.Cryptography.ProtectedData (>= 10.0.3)
-      System.Security.Cryptography.ProtectedData (>= 9.0.6)
+    Microsoft.Build.Framework (18.6.3)
-    Microsoft.Build.Framework (18.4)
+      Microsoft.NET.StringTools (>= 18.6.3)
-    Microsoft.Build.Utilities.Core (18.4)
+    Microsoft.Build.Utilities.Core (18.6.3)
-      Microsoft.Build.Framework (>= 18.4)
+      Microsoft.Build.Framework (>= 18.6.3)
-      Microsoft.NET.StringTools (>= 18.4)
+      System.Configuration.ConfigurationManager (>= 10.0.3)
-      System.Configuration.ConfigurationManager (>= 10.0.1)
+      System.Diagnostics.EventLog (>= 10.0.3)
-      System.Diagnostics.EventLog (>= 10.0.1)
+      System.Security.Cryptography.ProtectedData (>= 10.0.3)
-      System.Security.Cryptography.ProtectedData (>= 10.0.1)
+    Microsoft.CodeAnalysis (5.3)
-    Microsoft.CodeAnalysis (5.0)
       Humanizer.Core (>= 2.14.1)
       Microsoft.Bcl.AsyncInterfaces (>= 9.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
+      Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
-      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
+      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
       System.Buffers (>= 4.6)
       System.Collections.Immutable (>= 9.0)
       System.Composition (>= 9.0)
@@ -54,36 +51,36 @@ NUGET
       System.Threading.Channels (>= 8.0)
       System.Threading.Tasks.Extensions (>= 4.6)
     Microsoft.CodeAnalysis.Analyzers (5.3)
-    Microsoft.CodeAnalysis.Common (5.0)
+    Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-    Microsoft.CodeAnalysis.CSharp (5.0)
+    Microsoft.CodeAnalysis.CSharp (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
-    Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
+    Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.CSharp (5.0)
+      Microsoft.CodeAnalysis.CSharp (5.3)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.VisualBasic (5.0)
+    Microsoft.CodeAnalysis.VisualBasic (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
-    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
+    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.VisualBasic (5.0)
+      Microsoft.CodeAnalysis.VisualBasic (5.3)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+    Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Common (5.3)
       System.Composition (>= 9.0)
     Microsoft.CodeCoverage (18.5.1)
     Microsoft.Extensions.ObjectPool (10.0.8)
-    Microsoft.NET.StringTools (18.4)
+    Microsoft.NET.StringTools (18.6.3)
     Microsoft.NET.Test.Sdk (18.5.1)
       Microsoft.CodeCoverage (>= 18.5.1)
       Microsoft.TestPlatform.TestHost (>= 18.5.1)
@@ -97,7 +94,6 @@ NUGET
     MSBuild.StructuredLogger (2.3.204)
       Microsoft.Build.Framework (>= 17.5)
       Microsoft.Build.Utilities.Core (>= 17.5)
-    NaturalSort.Extension (4.4.1)
     Newtonsoft.Json (13.0.4)
     NuGet.Versioning (7.6)
     System.Buffers (4.6.1)

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.68
+version: 1.7.69-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.68
+version: 1.7.69-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected

@@ -22,7 +22,6 @@
 | [...]/csharp/tools/[...]/Microsoft.Win32.Primitives.dll |
 | [...]/csharp/tools/[...]/Microsoft.Win32.Registry.dll |
 | [...]/csharp/tools/[...]/Mono.Posix.NETStandard.dll |
-| [...]/csharp/tools/[...]/NaturalSort.Extension.dll |
 | [...]/csharp/tools/[...]/Newtonsoft.Json.dll |
 | [...]/csharp/tools/[...]/NuGet.Versioning.dll |
 | [...]/csharp/tools/[...]/StructuredLogger.dll |

csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.2
+version: 6.0.3-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
@@ -9,6 +9,7 @@ dependencies:
   codeql/controlflow: ${workspace}
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
+  codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/threat-models: ${workspace}
   codeql/tutorial: ${workspace}

csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll

@@ -4,67 +4,31 @@
 overlay[local?]
 module;
 
-private import internal.rangeanalysis.BoundSpecific
+private import csharp as CS
+private import semmle.code.csharp.dataflow.SSA::Ssa
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
+private import codeql.rangeanalysis.Bound as SharedBound
 
-private newtype TBound =
+/** Provides C#-specific definitions for bounds. */
-  TBoundZero() or
+private module BoundDefs implements SharedBound::BoundDefinitions<CS::Location> {
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
+  class Type = CS::Type;
-  TBoundExpr(Expr e) {
-    interestingExprBound(e) and
-    not exists(SsaVariable v | e = v.getAUse())
-  }
 
-/**
+  class SsaVariable = SU::SsaVariable;
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
 
-  /** Gets an expression that equals this bound plus `delta`. */
+  class SsaSourceVariable = SourceVariable;
-  abstract Expr getExpr(int delta);
 
-  /** Gets an expression that equals this bound. */
+  class Expr = CS::ControlFlowNodes::ExprNode;
-  Expr getExpr() { result = this.getExpr(0) }
 
-  /** Gets the location of this bound. */
+  class IntegralType = CS::IntegralType;
-  abstract Location getLocation();
+
+  class ConstantIntegerExpr = CU::ConstantIntegerExpr;
+
+  /** Holds if `e` is a bound expression and it is not an SSA variable read. */
+  predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }
 }
 
-/**
+module BoundImpl = SharedBound::Bound<CS::Location, BoundDefs>;
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
 
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
+import BoundImpl
-
-  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = this.getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }
-
-  override Location getLocation() { result = this.getSsa().getLocation() }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = this.getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}

csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -1,22 +0,0 @@
-/**
- * Provides C#-specific definitions for bounds.
- */
-
-private import csharp as CS
-private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
-
-class SsaVariable = SU::SsaVariable;
-
-class Expr = CS::ControlFlowNodes::ExprNode;
-
-class Location = CS::Location;
-
-class IntegralType = CS::IntegralType;
-
-class ConstantIntegerExpr = CU::ConstantIntegerExpr;
-
-/** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }

csharp/ql/lib/semmle/code/csharp/exprs/Call.qll

@@ -766,7 +766,16 @@ class PropertyCall extends AccessorCall, PropertyAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and result = this.getProperty().getSetter()
+    this instanceof AssignableWrite and
+    exists(Property p | p = this.getProperty() |
+      result = p.getSetter()
+      or
+      result =
+        any(Getter g |
+          g = p.getGetter() and
+          g.getAnnotatedReturnType().isRef()
+        )
+    )
   }
 
   override Expr getArgument(int i) {
@@ -801,7 +810,16 @@ class IndexerCall extends AccessorCall, IndexerAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and result = this.getIndexer().getSetter()
+    this instanceof AssignableWrite and
+    exists(Indexer i | i = this.getIndexer() |
+      result = i.getSetter()
+      or
+      result =
+        any(Getter g |
+          g = i.getGetter() and
+          g.getAnnotatedReturnType().isRef()
+        )
+    )
   }
 
   override Expr getArgument(int i) {

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.4
+version: 1.7.5-dev
 groups:
   - csharp
   - queries

csharp/ql/test/library-tests/csharp8/NullableRefTypes.expected

@@ -227,7 +227,7 @@ returnTypes
 | NullableRefTypes.cs:107:26:107:36 | ReturnsRef5 | readonly MyClass! |
 | NullableRefTypes.cs:108:26:108:36 | ReturnsRef6 | readonly MyClass! |
 | NullableRefTypes.cs:110:10:110:20 | Parameters1 | Void! |
-| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | MyClass! |
+| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | ref MyClass! |
 | NullableRefTypes.cs:116:7:116:23 | <object initializer> | Void |
 | NullableRefTypes.cs:116:7:116:23 | ToStringWithTypes | Void! |
 | NullableRefTypes.cs:136:7:136:24 | <object initializer> | Void |

csharp/ql/test/library-tests/encoding/SBCS.cs

@@ -1,4 +1,4 @@
-class SBCS
+class SBCS
 {
-    string sbcs = "<22>";
+    string sbcs = "<22>";
 }

csharp/ql/test/library-tests/indexers/Indexers13.expected

@@ -0,0 +1,4 @@
+| indexers.cs:24:21:24:24 | Item | indexers.cs:62:22:62:29 | access to indexer | indexers.cs:26:13:26:15 | get_Item |
+| indexers.cs:24:21:24:24 | Item | indexers.cs:65:25:65:32 | access to indexer | indexers.cs:34:13:34:15 | set_Item |
+| indexers.cs:143:24:143:27 | Item | indexers.cs:156:13:156:16 | access to indexer | indexers.cs:145:13:145:15 | get_Item |
+| indexers.cs:143:24:143:27 | Item | indexers.cs:157:21:157:24 | access to indexer | indexers.cs:145:13:145:15 | get_Item |

csharp/ql/test/library-tests/indexers/Indexers13.ql

@@ -0,0 +1,8 @@
+import csharp
+
+from IndexerCall ic, Indexer i, Accessor target
+where
+  ic.getIndexer() = i and
+  ic.getTarget() = target and
+  i.fromSource()
+select i, ic, target

csharp/ql/test/library-tests/indexers/PrintAst.expected

@@ -360,3 +360,57 @@ indexers.cs:
 #  130|         4: [BlockStmt] {...}
 #  130|           0: [ReturnStmt] return ...;
 #  130|             0: [IntLiteral] 0
+#  134|   5: [RefStruct] S
+#  136|     6: [Field] x
+#  136|       -1: [TypeMention] int
+#  138|     7: [InstanceConstructor] S
+#-----|       2: (Parameters)
+#  138|         0: [Parameter] v
+#  138|           -1: [TypeMention] int
+#  139|       4: [BlockStmt] {...}
+#  140|         0: [ExprStmt] ...;
+#  140|           0: [AssignExpr] ... = ...
+#  140|             0: [FieldAccess] access to field x
+#  140|             1: [RefExpr] ref ...
+#  140|               0: [ParameterAccess] access to parameter v
+#  143|     8: [Indexer] Item
+#  143|       -1: [TypeMention] int
+#-----|       1: (Parameters)
+#  143|         0: [Parameter] i
+#  143|           -1: [TypeMention] int
+#  145|       3: [Getter] get_Item
+#-----|         2: (Parameters)
+#  143|           0: [Parameter] i
+#  145|         4: [BlockStmt] {...}
+#  145|           0: [ReturnStmt] return ...;
+#  145|             0: [RefExpr] ref ...
+#  145|               0: [FieldAccess] access to field x
+#  149|   6: [Class] TestRefReturns
+#  151|     6: [Method] M
+#  151|       -1: [TypeMention] Void
+#  152|       4: [BlockStmt] {...}
+#  153|         0: [LocalVariableDeclStmt] ... ...;
+#  153|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
+#  153|             -1: [TypeMention] int
+#  153|             0: [LocalVariableAccess] access to local variable a
+#  153|             1: [IntLiteral] 0
+#  155|         1: [LocalVariableDeclStmt] ... ...;
+#  155|           0: [LocalVariableDeclAndInitExpr] S s = ...
+#  155|             -1: [TypeMention] S
+#  155|             0: [LocalVariableAccess] access to local variable s
+#  155|             1: [ObjectCreation] object creation of type S
+#  155|               -1: [TypeMention] S
+#  155|               0: [LocalVariableAccess] access to local variable a
+#  156|         2: [ExprStmt] ...;
+#  156|           0: [AssignExpr] ... = ...
+#  156|             0: [IndexerCall] access to indexer
+#  156|               -1: [LocalVariableAccess] access to local variable s
+#  156|               0: [IntLiteral] 0
+#  156|             1: [IntLiteral] 1
+#  157|         3: [LocalVariableDeclStmt] ... ...;
+#  157|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  157|             -1: [TypeMention] int
+#  157|             0: [LocalVariableAccess] access to local variable x
+#  157|             1: [IndexerCall] access to indexer
+#  157|               -1: [LocalVariableAccess] access to local variable s
+#  157|               0: [IntLiteral] 0

csharp/ql/test/library-tests/indexers/indexers.cs

@@ -130,4 +130,31 @@ namespace Indexers
             get { return 0; }
         }
     }
+
+    public ref struct S
+    {
+        private ref int x;
+
+        public S(ref int v)
+        {
+            x = ref v;
+        }
+
+        public ref int this[int i]
+        {
+            get { return ref x; }
+        }
+    }
+
+    public class TestRefReturns
+    {
+        public void M()
+        {
+            int a = 0;
+
+            S s = new S(ref a);
+            s[0] = 1;
+            var x = s[0];
+        }
+    }
 }

csharp/ql/test/library-tests/properties/PrintAst.expected

@@ -246,3 +246,50 @@ properties.cs:
 #  133|               0: [FieldAccess] access to field Prop.field
 #  133|               1: [ParameterAccess] access to parameter value
 #  130|     7: [Field] Prop.field
+#  137|   11: [RefStruct] S
+#  139|     6: [Field] x
+#  139|       -1: [TypeMention] int
+#  141|     7: [InstanceConstructor] S
+#-----|       2: (Parameters)
+#  141|         0: [Parameter] v
+#  141|           -1: [TypeMention] int
+#  142|       4: [BlockStmt] {...}
+#  143|         0: [ExprStmt] ...;
+#  143|           0: [AssignExpr] ... = ...
+#  143|             0: [FieldAccess] access to field x
+#  143|             1: [RefExpr] ref ...
+#  143|               0: [ParameterAccess] access to parameter v
+#  146|     8: [Property] Prop
+#  146|       -1: [TypeMention] int
+#  148|       3: [Getter] get_Prop
+#  148|         4: [BlockStmt] {...}
+#  148|           0: [ReturnStmt] return ...;
+#  148|             0: [RefExpr] ref ...
+#  148|               0: [FieldAccess] access to field x
+#  152|   12: [Class] TestRefReturns
+#  154|     6: [Method] M
+#  154|       -1: [TypeMention] Void
+#  155|       4: [BlockStmt] {...}
+#  156|         0: [LocalVariableDeclStmt] ... ...;
+#  156|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
+#  156|             -1: [TypeMention] int
+#  156|             0: [LocalVariableAccess] access to local variable a
+#  156|             1: [IntLiteral] 0
+#  158|         1: [LocalVariableDeclStmt] ... ...;
+#  158|           0: [LocalVariableDeclAndInitExpr] S s = ...
+#  158|             -1: [TypeMention] S
+#  158|             0: [LocalVariableAccess] access to local variable s
+#  158|             1: [ObjectCreation] object creation of type S
+#  158|               -1: [TypeMention] S
+#  158|               0: [LocalVariableAccess] access to local variable a
+#  159|         2: [ExprStmt] ...;
+#  159|           0: [AssignExpr] ... = ...
+#  159|             0: [PropertyCall] access to property Prop
+#  159|               -1: [LocalVariableAccess] access to local variable s
+#  159|             1: [IntLiteral] 1
+#  160|         3: [LocalVariableDeclStmt] ... ...;
+#  160|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  160|             -1: [TypeMention] int
+#  160|             0: [LocalVariableAccess] access to local variable x
+#  160|             1: [PropertyCall] access to property Prop
+#  160|               -1: [LocalVariableAccess] access to local variable s

csharp/ql/test/library-tests/properties/Properties17.expected

@@ -1,5 +1,6 @@
 | Prop.field |
 | caption |
 | next |
+| x |
 | y |
 | z |

csharp/ql/test/library-tests/properties/Properties19.expected

@@ -0,0 +1,8 @@
+| properties.cs:12:23:12:29 | Caption | properties.cs:29:13:29:28 | access to property Caption | properties.cs:17:13:17:15 | set_Caption |
+| properties.cs:12:23:12:29 | Caption | properties.cs:30:24:30:39 | access to property Caption | properties.cs:15:13:15:15 | get_Caption |
+| properties.cs:57:20:57:20 | X | properties.cs:61:13:61:13 | access to property X | properties.cs:57:37:57:39 | set_X |
+| properties.cs:58:20:58:20 | Y | properties.cs:62:13:62:13 | access to property Y | properties.cs:58:37:58:39 | set_Y |
+| properties.cs:70:28:70:28 | X | properties.cs:82:46:82:51 | access to property X | properties.cs:70:32:70:34 | get_X |
+| properties.cs:71:28:71:28 | Y | properties.cs:83:39:83:44 | access to property Y | properties.cs:74:13:74:15 | set_Y |
+| properties.cs:146:24:146:27 | Prop | properties.cs:159:13:159:18 | access to property Prop | properties.cs:148:13:148:15 | get_Prop |
+| properties.cs:146:24:146:27 | Prop | properties.cs:160:21:160:26 | access to property Prop | properties.cs:148:13:148:15 | get_Prop |

csharp/ql/test/library-tests/properties/Properties19.ql

@@ -0,0 +1,8 @@
+import csharp
+
+from PropertyCall pc, Property p, Accessor target
+where
+  pc.getProperty() = p and
+  pc.getTarget() = target and
+  p.fromSource()
+select p, pc, target

csharp/ql/test/library-tests/properties/properties.cs

@@ -133,4 +133,31 @@ namespace Properties
             set { field = value; }
         }
     }
+
+    public ref struct S
+    {
+        private ref int x;
+
+        public S(ref int v)
+        {
+            x = ref v;
+        }
+
+        public ref int Prop
+        {
+            get { return ref x; }
+        }
+    }
+
+    public class TestRefReturns
+    {
+        public void M()
+        {
+            int a = 0;
+
+            S s = new S(ref a);
+            s.Prop = 1;
+            var x = s.Prop;
+        }
+    }
 }

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected

@@ -1,3 +1,2 @@
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
-| Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected

@@ -9,6 +9,5 @@
 | Quality.cs:23:9:23:30 | delegate call | Call without target $@. | Quality.cs:23:9:23:30 | delegate call | delegate call |
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
-| Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |
 | Quality.cs:38:16:38:26 | access to property MyProperty2 | Call without target $@. | Quality.cs:38:16:38:26 | access to property MyProperty2 | access to property MyProperty2 |
 | Quality.cs:50:20:50:26 | object creation of type T | Call without target $@. | Quality.cs:50:20:50:26 | object creation of type T | object creation of type T |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs

@@ -29,7 +29,7 @@ public class Test
         var slice = sp[..3];        // TODO: this is not an indexer call, but rather a `sp.Slice(0, 3)` call.
 
         Span<byte> guidBytes = stackalloc byte[16];
-        guidBytes[08] = 1;          // TODO: this indexer call has no target, because the target is a `ref` returning getter.
+        guidBytes[08] = 1;
 
         new MyList([new(), new Test()]);
     }

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.6.rst

@@ -0,0 +1,139 @@
+.. _codeql-cli-2.25.6:
+
+==========================
+CodeQL 2.25.6 (2026-06-04)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.25.6 runs a total of 496 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 131 queries (covering 32 more CWE).
+
+CodeQL CLI
+----------
+
+Improvements
+~~~~~~~~~~~~
+
+*   When the :code:`git` executable is available, CodeQL can now obtain configuration and queries from SHA-256 Git repositories, and infer Git metadata about them.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.11.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Adjusted (minor) help file descriptions for queries: :code:`actions/untrusted-checkout/critical`, :code:`actions/untrusted-checkout/high`, :code:`actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Adjusted :code:`actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Altered the alert message for clarity for queries: :code:`actions/untrusted-checkout/critical`, :code:`actions/untrusted-checkout/high`.
+*   The :code:`actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Reversed adjustment of the name of :code:`actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in :code:`actions/untrusted-checkout/high` and :code:`actions/untrusted-checkout/medium`.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Swift
+"""""
+
+*   Upgraded to allow analysis of Swift 6.3.2.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added flow source models for :code:`scanf_s` and related functions.
+*   Added a :code:`Call` column to :code:`LocalFlowSourceFunction::hasLocalFlowSource` and :code:`RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a :code:`Call` column continue to be supported.
+
+C#
+""
+
+*   Full support for C# 14 / .NET 10. All new language features are now supported by the extractor. The QL library and data flow analysis now support the new C# 14 language constructs and include generated Models as Data (MaD) models for the .NET 10 runtime.
+*   C# 14: Added support for user-defined instance increment/decrement operators.
+
+Java/Kotlin
+"""""""""""
+
+*   Added LLM-generated source and sink models for :code:`org.apache.avro`.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`js/clear-text-logging`) may find more correct results and fewer false positive results after these changes.
+
+Python
+""""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`py/clear-text-logging-sensitive-data`) may find more correct results and fewer false positive results after these changes.
+
+Swift
+"""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`swift/cleartext-logging`) may find more correct results and fewer false positive results after these changes.
+
+GitHub Actions
+""""""""""""""
+
+*   The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like :code:`^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+
+Rust
+""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`rust/cleartext-logging`) may find more correct results and fewer false positive results after these changes.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`UsingAliasTypedefType` class has been deprecated. Use :code:`TypeAliasType` instead.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a :code:`getOriginalTemplate` predicate to :code:`TemplateClass`, :code:`TemplateFunction`, :code:`TemplateVariable`, and :code:`AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
+*   Added :code:`AliasTemplateType` and :code:`AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.

docs/codeql/codeql-overview/codeql-changelog/index.rst

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.25.6
    codeql-cli-2.25.5
    codeql-cli-2.25.4
    codeql-cli-2.25.3

go/actions/test/action.yml

@@ -4,7 +4,7 @@ inputs:
   go-test-version:
     description: Which Go version to use for running the tests
     required: false
-    default: "~1.26.0"
+    default: "~1.26.4"
   run-code-checks:
     description: Whether to run formatting, code and qhelp generation checks
     required: false

go/extractor/go.mod

@@ -2,7 +2,7 @@ module github.com/github/codeql-go/extractor
 
 go 1.26
 
-toolchain go1.26.0
+toolchain go1.26.4
 
 // when updating this, run
 //    bazel run @rules_go//go -- mod tidy

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.51
+version: 1.0.52-dev
 groups:
   - go
   - queries

go/ql/lib/change-notes/2026-06-01-non-returning-functions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* More logging functions are now recognized as not returning or panicking.

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.1.2
+version: 7.1.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/lib/semmle/go/Concepts.qll

@@ -413,17 +413,13 @@ private class ExternalLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
   }
 }
 
-/**
+private class HeuristicLoggerFunction extends Method {
- * A call to an interface that looks like a logger. It is common to use a
+  string logFunctionPrefix;
- * locally-defined interface for logging to make it easy to changing logging
+
- * library.
+  HeuristicLoggerFunction() {
- */
+    exists(string tp, string name |
-private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+      this.hasQualifiedName(_, tp, name) and
-  HeuristicLoggerCall() {
+      this.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
-    exists(Method m, string tp, string logFunctionPrefix, string name |
-      m = this.getTarget() and
-      m.hasQualifiedName(_, tp, name) and
-      m.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
     |
       tp.regexpMatch(".*[lL]ogger") and
       logFunctionPrefix =
@@ -435,6 +431,19 @@ private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode
     )
   }
 
+  override predicate mayReturnNormally() { logFunctionPrefix != "Fatal" }
+
+  override predicate mustPanic() { logFunctionPrefix = "Panic" }
+}
+
+/**
+ * A call to an interface that looks like a logger. It is common to use a
+ * locally-defined interface for logging to make it easy to change logging
+ * library.
+ */
+private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+  HeuristicLoggerCall() { this.getTarget() instanceof HeuristicLoggerFunction }
+
   override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
 }
 

go/ql/lib/semmle/go/frameworks/Glog.qll

@@ -12,17 +12,37 @@ import go
  * forks.
  */
 module Glog {
+  /** Gets a package name for `glog` or `klog` (which is a fork). */
+  string packagePath() {
+    result =
+      package([
+          "github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog", "github.com/barakmich/glog"
+        ], "")
+  }
+
   private class GlogFunction extends Function {
     int firstPrintedArg;
+    string format;
+    string level;
 
     GlogFunction() {
-      exists(string pkg, string fn, string level |
+      exists(string pkg, string context, int nContextArgs, string depth, int nDepthArgs, string fn |
-        pkg = package(["github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog"], "") and
+        pkg = packagePath() and
         level = ["Error", "Exit", "Fatal", "Info", "Warning"] and
         (
-          fn = level + ["", "f", "ln"] and firstPrintedArg = 0
+          context = "" and nContextArgs = 0
           or
-          fn = level + "Depth" and firstPrintedArg = 1
+          context = "Context" and nContextArgs = 1
+        ) and
+        (
+          depth = "" and nDepthArgs = 0
+          or
+          depth = "Depth" and nDepthArgs = 1
+        ) and
+        format = ["", "f", "ln"] and
+        (
+          fn = level + context + depth + format and
+          firstPrintedArg = nContextArgs + nDepthArgs
         )
       |
         this.hasQualifiedName(pkg, fn)
@@ -35,10 +55,15 @@ module Glog {
      * Gets the index of the first argument that may be output, including a format string if one is present.
      */
     int getFirstPrintedArg() { result = firstPrintedArg }
+
+    /** Holds if this function takes a format string. */
+    predicate formatter() { format = "f" }
+
+    override predicate mayReturnNormally() { level != "Fatal" and level != "Exit" }
   }
 
   private class StringFormatter extends StringOps::Formatting::Range instanceof GlogFunction {
-    StringFormatter() { this.getName().matches("%f") }
+    StringFormatter() { this.formatter() }
 
     override int getFormatStringIndex() { result = super.getFirstPrintedArg() }
   }

go/ql/lib/semmle/go/frameworks/Logrus.qll

@@ -28,6 +28,12 @@ module Logrus {
         this.(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name)
       )
     }
+
+    override predicate mayReturnNormally() {
+      not exists(string level, string suffix | level = ["Fatal", "Panic"] |
+        this.getName() = level + suffix
+      )
+    }
   }
 
   private class StringFormatters extends StringOps::Formatting::Range instanceof LogFunction {

go/ql/lib/semmle/go/frameworks/Zap.qll

@@ -47,7 +47,7 @@ module Zap {
   }
 
   /** A Zap logging function which always panics. */
-  private class FatalLogMethod extends Method {
+  private class FatalLogMethod extends ZapFunction {
     FatalLogMethod() {
       this.hasQualifiedName(packagePath(), "Logger", "Fatal")
       or
@@ -58,7 +58,7 @@ module Zap {
   }
 
   /** A Zap logging function which always panics. */
-  private class MustPanicLogMethod extends Method {
+  private class MustPanicLogMethod extends ZapFunction {
     MustPanicLogMethod() {
       this.hasQualifiedName(packagePath(), "Logger", "Panic")
       or

go/ql/lib/semmle/go/frameworks/stdlib/Log.qll

@@ -29,18 +29,37 @@ module Log {
   }
 
   private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction {
-    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf"] }
+    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf", "Panic", "Panicf", "Panicln"] }
 
     override int getFormatStringIndex() { result = 0 }
   }
 
   /** A fatal log function, which calls `os.Exit`. */
   private class FatalLogFunction extends Function {
-    FatalLogFunction() { this.hasQualifiedName("log", ["Fatal", "Fatalf", "Fatalln"]) }
+    FatalLogFunction() {
+      exists(string fn | fn = ["Fatal", "Fatalf", "Fatalln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
 
     override predicate mayReturnNormally() { none() }
   }
 
+  /** A log function which must panic. */
+  private class PanicLogFunction extends Function {
+    PanicLogFunction() {
+      exists(string fn | fn = ["Panic", "Panicf", "Panicln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
+
+    override predicate mustPanic() { any() }
+  }
+
   // These models are not implemented using Models-as-Data because they represent reverse flow.
   private class FunctionModels extends TaintTracking::FunctionModel {
     FunctionInput inp;
@@ -63,30 +82,6 @@ module Log {
     FunctionOutput outp;
 
     MethodModels() {
-      // signature: func (*Logger) Fatal(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatal") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panic(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panic") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
       // signature: func (*Logger) Print(v ...interface{})
       this.hasQualifiedName("log", "Logger", "Print") and
       (inp.isParameter(_) and outp.isReceiver())

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.4
+version: 1.6.5-dev
 groups:
   - go
   - queries

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go

@@ -1,54 +1,181 @@
-//go:generate depstubber -vendor github.com/golang/glog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
+//go:generate depstubber -vendor github.com/golang/glog Level,Verbose Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln
-//go:generate depstubber -vendor k8s.io/klog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
+//go:generate depstubber -vendor k8s.io/klog Level,Verbose Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln
 
 package main
 
 import (
+	"context"
+
 	"github.com/golang/glog"
 	"k8s.io/klog"
 )
 
-func glogTest() {
+func glogTest(selector int) {
+	ctx := context.Background()
+
 	glog.Error(text)                           // $ logger=text
+	glog.ErrorContext(ctx, text)               // $ logger=text
+	glog.ErrorContextDepth(ctx, 0, text)       // $ logger=text
+	glog.ErrorContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.ErrorContextf(ctx, fmt, text)         // $ logger=fmt logger=text
 	glog.ErrorDepth(0, text)                   // $ logger=text
+	glog.ErrorDepthf(0, fmt, text)             // $ logger=fmt logger=text
 	glog.Errorf(fmt, text)                     // $ logger=fmt logger=text
 	glog.Errorln(text)                         // $ logger=text
+	if selector == 1 {
 		glog.Exit(text) // $ logger=text
+	}
+	if selector == 2 {
+		glog.ExitContext(ctx, text) // $ logger=text
+	}
+	if selector == 3 {
+		glog.ExitContextDepth(ctx, 0, text) // $ logger=text
+	}
+	if selector == 4 {
+		glog.ExitContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 5 {
+		glog.ExitContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 6 {
 		glog.ExitDepth(0, text) // $ logger=text
+	}
+	if selector == 7 {
+		glog.ExitDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 8 {
 		glog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 9 {
 		glog.Exitln(text) // $ logger=text
+	}
+	if selector == 10 {
 		glog.Fatal(text) // $ logger=text
+	}
+	if selector == 11 {
+		glog.FatalContext(ctx, text) // $ logger=text
+	}
+	if selector == 12 {
+		glog.FatalContextDepth(ctx, 0, text) // $ logger=text
+	}
+	if selector == 13 {
+		glog.FatalContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 14 {
+		glog.FatalContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 15 {
 		glog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 16 {
+		glog.FatalDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 17 {
 		glog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 18 {
 		glog.Fatalln(text) // $ logger=text
+	}
 	glog.Info(text)                              // $ logger=text
+	glog.InfoContext(ctx, text)                  // $ logger=text
+	glog.InfoContextDepth(ctx, 0, text)          // $ logger=text
+	glog.InfoContextDepthf(ctx, 0, fmt, text)    // $ logger=fmt logger=text
+	glog.InfoContextf(ctx, fmt, text)            // $ logger=fmt logger=text
 	glog.InfoDepth(0, text)                      // $ logger=text
+	glog.InfoDepthf(0, fmt, text)                // $ logger=fmt logger=text
 	glog.Infof(fmt, text)                        // $ logger=fmt logger=text
 	glog.Infoln(text)                            // $ logger=text
 	glog.Warning(text)                           // $ logger=text
+	glog.WarningContext(ctx, text)               // $ logger=text
+	glog.WarningContextDepth(ctx, 0, text)       // $ logger=text
+	glog.WarningContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.WarningContextf(ctx, fmt, text)         // $ logger=fmt logger=text
 	glog.WarningDepth(0, text)                   // $ logger=text
+	glog.WarningDepthf(0, fmt, text)             // $ logger=fmt logger=text
 	glog.Warningf(fmt, text)                     // $ logger=fmt logger=text
 	glog.Warningln(text)                         // $ logger=text
 
+	glog.V(0).Info(text)                           // $ logger=text
+	glog.V(0).InfoContext(ctx, text)               // $ logger=text
+	glog.V(0).InfoContextDepth(ctx, 0, text)       // $ logger=text
+	glog.V(0).InfoContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.V(0).InfoContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.V(0).InfoDepth(0, text)                   // $ logger=text
+	glog.V(0).InfoDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.V(0).Infof(fmt, text)                     // $ logger=fmt logger=text
+	glog.V(0).Infoln(text)                         // $ logger=text
+	glog.VDepth(0, 0).Info(text)                   // $ logger=text
+
 	// components corresponding to the format specifier "%T" are not considered vulnerable
+	glog.ErrorContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
 	glog.Errorf("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 19 {
+		glog.ExitContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 20 {
+		glog.ExitContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 21 {
+		glog.ExitDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 22 {
 		glog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 23 {
+		glog.FatalContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 24 {
+		glog.FatalContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 25 {
+		glog.FatalDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 26 {
 		glog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	glog.InfoContextDepthf(ctx, 0, "%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoContextf(ctx, "%s: found type %T", text, v)              // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoDepthf(0, "%s: found type %T", text, v)                  // $ logger="%s: found type %T" logger=text type-logger=v
 	glog.Infof("%s: found type %T", text, v)                          // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextDepthf(ctx, 0, "%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextf(ctx, "%s: found type %T", text, v)           // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningDepthf(0, "%s: found type %T", text, v)               // $ logger="%s: found type %T" logger=text type-logger=v
 	glog.Warningf("%s: found type %T", text, v)                       // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).Infof("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
 
 	klog.Error(text)         // $ logger=text
 	klog.ErrorDepth(0, text) // $ logger=text
 	klog.Errorf(fmt, text)   // $ logger=fmt logger=text
 	klog.Errorln(text)       // $ logger=text
+	if selector == 27 {
 		klog.Exit(text) // $ logger=text
+	}
+	if selector == 28 {
 		klog.ExitDepth(0, text) // $ logger=text
+	}
+	if selector == 29 {
 		klog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 30 {
 		klog.Exitln(text) // $ logger=text
+	}
+	if selector == 31 {
 		klog.Fatal(text) // $ logger=text
+	}
+	if selector == 32 {
 		klog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 33 {
 		klog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 34 {
 		klog.Fatalln(text) // $ logger=text
+	}
 	klog.Info(text)            // $ logger=text
 	klog.InfoDepth(0, text)    // $ logger=text
 	klog.Infof(fmt, text)      // $ logger=fmt logger=text
@@ -57,11 +184,19 @@ func glogTest() {
 	klog.WarningDepth(0, text) // $ logger=text
 	klog.Warningf(fmt, text)   // $ logger=fmt logger=text
 	klog.Warningln(text)       // $ logger=text
+	klog.V(0).Info(text)       // $ logger=text
+	klog.V(0).Infof(fmt, text) // $ logger=fmt logger=text
+	klog.V(0).Infoln(text)     // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
 	klog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 35 {
 		klog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 36 {
 		klog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
 	klog.Infof("%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
 	klog.Warningf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.V(0).Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod

@@ -3,7 +3,7 @@ module codeql-go-tests/concepts/loggercall
 go 1.15
 
 require (
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+	github.com/golang/glog v1.2.5
 	github.com/sirupsen/logrus v1.7.0
 	k8s.io/klog v1.0.0
 )

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go

@@ -6,5 +6,6 @@ const text = "test"
 var v []byte
 
 func main() {
+	glogTest(len(v))
 	stdlib()
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go

@@ -2,47 +2,125 @@
 // This is a simple stub for github.com/golang/glog, strictly for use in testing.
 
 // See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/golang/glog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: github.com/golang/glog (exports: Level,Verbose; functions: Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln)
 
 // Package glog is a stub of github.com/golang/glog, generated by depstubber.
 package glog
 
+import "context"
+
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}
 
+func ErrorContext(_ context.Context, _ ...interface{}) {}
+
+func ErrorContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ErrorContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ErrorContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ErrorDepth(_ int, _ ...interface{}) {}
 
+func ErrorDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Errorf(_ string, _ ...interface{}) {}
 
 func Errorln(_ ...interface{}) {}
 
 func Exit(_ ...interface{}) {}
 
+func ExitContext(_ context.Context, _ ...interface{}) {}
+
+func ExitContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ExitContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ExitContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ExitDepth(_ int, _ ...interface{}) {}
 
+func ExitDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Exitf(_ string, _ ...interface{}) {}
 
 func Exitln(_ ...interface{}) {}
 
 func Fatal(_ ...interface{}) {}
 
+func FatalContext(_ context.Context, _ ...interface{}) {}
+
+func FatalContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func FatalContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func FatalContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func FatalDepth(_ int, _ ...interface{}) {}
 
+func FatalDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Fatalf(_ string, _ ...interface{}) {}
 
 func Fatalln(_ ...interface{}) {}
 
 func Info(_ ...interface{}) {}
 
+func InfoContext(_ context.Context, _ ...interface{}) {}
+
+func InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func InfoDepth(_ int, _ ...interface{}) {}
 
+func InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+func V(_ Level) Verbose { return false }
+
+func VDepth(_ int, _ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}
 
+func WarningContext(_ context.Context, _ ...interface{}) {}
+
+func WarningContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func WarningContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func WarningContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func WarningDepth(_ int, _ ...interface{}) {}
 
+func WarningDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Warningf(_ string, _ ...interface{}) {}
 
 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) InfoContext(_ context.Context, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepth(_ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go

@@ -2,11 +2,15 @@
 // This is a simple stub for k8s.io/klog, strictly for use in testing.
 
 // See the LICENSE file for information about the licensing of the original library.
-// Source: k8s.io/klog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: k8s.io/klog (exports: Level,Verbose; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln)
 
 // Package klog is a stub of k8s.io/klog, generated by depstubber.
 package klog
 
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}
 
 func ErrorDepth(_ int, _ ...interface{}) {}
@@ -39,6 +43,8 @@ func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+func V(_ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}
 
 func WarningDepth(_ int, _ ...interface{}) {}
@@ -46,3 +52,9 @@ func WarningDepth(_ int, _ ...interface{}) {}
 func Warningf(_ string, _ ...interface{}) {}
 
 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt

@@ -1,4 +1,4 @@
-# github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+# github.com/golang/glog v1.2.5
 ## explicit
 github.com/golang/glog
 # github.com/sirupsen/logrus v1.7.0

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected

@@ -1,11 +1,21 @@
-| file://:0:0:0:0 | Exit | package os |
+| file://:0:0:0:0 | Exit | os.Exit |
-| file://:0:0:0:0 | Fatal | package log |
+| file://:0:0:0:0 | Fatal | log.Fatal |
-| file://:0:0:0:0 | Fatalf | package log |
+| file://:0:0:0:0 | Fatal | log.Logger.Fatal |
-| file://:0:0:0:0 | Fatalln | package log |
+| file://:0:0:0:0 | Fatalf | log.Fatalf |
-| noretfunctions.go:8:6:8:12 | isNoRet | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalf | log.Logger.Fatalf |
-| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalln | log.Fatalln |
-| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalln | log.Logger.Fatalln |
-| stmts7.go:10:6:10:15 | canRecover | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panic | log.Logger.Panic |
-| stmts.go:10:6:10:10 | test5 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panic | log.Panic |
-| stmts.go:46:6:46:10 | test6 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panicf | log.Logger.Panicf |
-| stmts.go:112:6:112:10 | test9 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panicf | log.Panicf |
+| file://:0:0:0:0 | Panicln | log.Logger.Panicln |
+| file://:0:0:0:0 | Panicln | log.Panicln |
+| file://:0:0:0:0 | panic | panic |
+| noretfunctions.go:8:6:8:12 | isNoRet | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.isNoRet |
+| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatal |
+| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatalf |
+| stmts7.go:10:6:10:15 | canRecover | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.canRecover |
+| stmts.go:10:6:10:10 | test5 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test5 |
+| stmts.go:46:6:46:10 | test6 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test6 |
+| stmts.go:112:6:112:10 | test9 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test9 |

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql

@@ -2,4 +2,4 @@ import go
 
 from Function f
 where not f.mayReturnNormally()
-select f, f.getPackage()
+select f, f.getQualifiedName()

go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql

@@ -9,9 +9,9 @@ import semmle.go.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import utils.test.InlineFlowTest
 
 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { sourceNode(src, "qltest") }
+  predicate isSource(DataFlow::Node source) { sourceNode(source, "qltest") }
 
-  predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "qltest") }
 }
 
 import ValueFlowTest<Config>

go/ql/test/library-tests/semmle/go/dataflow/VarArgs/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,2 @@
+reverseRead
+| main.go:23:3:23:5 | out | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go

@@ -4,7 +4,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 type A struct {
@@ -19,6 +19,10 @@ func functionWithVarArgsParameter(s ...string) string {
 	return s[1]
 }
 
+func functionWithVarArgsOutParameter(in string, out ...*string) {
+	*out[0] = in
+}
+
 func functionWithSliceOfStructsParameter(s []A) string {
 	return s[1].f
 }
@@ -38,6 +42,12 @@ func main() {
 	sink(functionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to functionWithVarArgsParameter"
 	sink(functionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to functionWithVarArgsParameter"
 
+	var out1 *string
+	var out2 *string
+	functionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
 	sliceOfStructs := []A{{f: source()}}
 	sink(sliceOfStructs[0].f) // $ hasValueFlow="selection of f"
 

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected

@@ -0,0 +1,2 @@
+invalidModelRow
+testFailures

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml

@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "FunctionWithParameter", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOutParameter", "", "", "Argument[0]", "Argument[1].ArrayElement", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSource", "", "", "Argument[0]", "qltest", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSink", "", "", "Argument[0]", "qltest", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql

@@ -0,0 +1,22 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import utils.test.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    sourceNode(source, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, ["source", "taint"]) |
+      source = fn.getACall().getResult()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sinkNode(sink, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
+  }
+}
+
+import FlowTest<Config, Config>

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod

@@ -0,0 +1,5 @@
+module semmle.go.Packages
+
+go 1.25
+
+require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"github.com/nonexistent/test"
+)
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(any) {
+}
+
+func main() {
+	s := source()
+	sink(test.FunctionWithParameter(s)) // $ hasValueFlow="call to FunctionWithParameter"
+
+	stringSlice := []string{source()}
+	sink(stringSlice[0]) // $ hasValueFlow="index expression"
+
+	s0 := ""
+	s1 := source()
+	sSlice := []string{s0, s1}
+	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
+	sliceOfStructs := []test.A{{Field: source()}}
+	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
+
+	a0 := test.A{Field: ""}
+	a1 := test.A{Field: source()}
+	aSlice := []test.A{a0, a1}
+	sink(test.FunctionWithSliceOfStructsParameter(aSlice))      // $ hasValueFlow="call to FunctionWithSliceOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+
+	var variadicSource string
+	test.VariadicSource(&variadicSource)
+	sink(variadicSource)  // $ MISSING: hasTaintFlow="variadicSource"
+	sink(&variadicSource) // $ MISSING: hasTaintFlow="&..."
+
+	var variadicSourcePtr *string
+	test.VariadicSource(variadicSourcePtr)
+	sink(variadicSourcePtr)  // $ MISSING: hasTaintFlow="variadicSourcePtr"
+	sink(*variadicSourcePtr) // $ MISSING: hasTaintFlow="star expression"
+
+	test.VariadicSink(source()) // $ hasTaintFlow="[]type{args}"
+}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go

@@ -0,0 +1,32 @@
+package test
+
+type A struct {
+	Field string
+}
+
+func FunctionWithParameter(s string) string {
+	return ""
+}
+
+func FunctionWithSliceParameter(s []string) string {
+	return ""
+}
+
+func FunctionWithVarArgsParameter(s ...string) string {
+	return ""
+}
+
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
+func FunctionWithSliceOfStructsParameter(s []A) string {
+	return ""
+}
+
+func FunctionWithVarArgsOfStructsParameter(s ...A) string {
+	return ""
+}
+
+func VariadicSource(s ...*string) {}
+
+func VariadicSink(s ...string) {}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt

@@ -0,0 +1,3 @@
+# github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
+## explicit
+github.com/nonexistent/test

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql

@@ -20,6 +20,9 @@ class SummaryModelTest extends DataFlow::FunctionModel {
     this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsParameter") and
     (inp.isParameter(_) and outp.isResult())
     or
+    this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsOutParameter") and
+    (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1)))
+    or
     this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithSliceOfStructsParameter") and
     (inp.isParameter(0) and outp.isResult())
     or

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod

@@ -1,5 +1,5 @@
 module semmle.go.Packages
 
-go 1.17
+go 1.25
 
 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go

@@ -8,7 +8,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 func main() {
@@ -24,7 +24,14 @@ func main() {
 	sink(test.FunctionWithParameter(sSlice[1]))           // $ hasValueFlow="call to FunctionWithParameter"
 	sink(test.FunctionWithSliceParameter(sSlice))         // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
 	sink(test.FunctionWithVarArgsParameter(sSlice...))    // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
-	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
+	randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5) // This is needed to make the next line pass, because we need to have seen a call to a function with at least 2 parameters for ParameterInput to exist with index 1.
+	sink(test.FunctionWithVarArgsParameter(s0, s1))       // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ hasValueFlow="out1"
+	sink(out2) // $ hasValueFlow="out2"
 
 	sliceOfStructs := []test.A{{Field: source()}}
 	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
@@ -37,3 +44,6 @@ func main() {
 	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 }
+
+func randomFunctionWithMoreThanOneParameter(i1, i2, i3, i4, i5 int) {
+}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go

@@ -16,6 +16,9 @@ func FunctionWithVarArgsParameter(s ...string) string {
 	return ""
 }
 
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
 func FunctionWithSliceOfStructsParameter(s []A) string {
 	return ""
 }

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go

@@ -15,62 +15,6 @@ func TaintStepTest_LogNew_B0I0O0(sourceCQL interface{}) interface{} {
 	return intoWriter414
 }
 
-func TaintStepTest_LogLoggerFatal_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface518 := sourceCQL.(interface{})
-	var intoLogger650 log.Logger
-	intoLogger650.Fatal(fromInterface518)
-	return intoLogger650
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I0O0(sourceCQL interface{}) interface{} {
-	fromString784 := sourceCQL.(string)
-	var intoLogger957 log.Logger
-	intoLogger957.Fatalf(fromString784, nil)
-	return intoLogger957
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I1O0(sourceCQL interface{}) interface{} {
-	fromInterface520 := sourceCQL.(interface{})
-	var intoLogger443 log.Logger
-	intoLogger443.Fatalf("", fromInterface520)
-	return intoLogger443
-}
-
-func TaintStepTest_LogLoggerFatalln_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface127 := sourceCQL.(interface{})
-	var intoLogger483 log.Logger
-	intoLogger483.Fatalln(fromInterface127)
-	return intoLogger483
-}
-
-func TaintStepTest_LogLoggerPanic_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface989 := sourceCQL.(interface{})
-	var intoLogger982 log.Logger
-	intoLogger982.Panic(fromInterface989)
-	return intoLogger982
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I0O0(sourceCQL interface{}) interface{} {
-	fromString417 := sourceCQL.(string)
-	var intoLogger584 log.Logger
-	intoLogger584.Panicf(fromString417, nil)
-	return intoLogger584
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I1O0(sourceCQL interface{}) interface{} {
-	fromInterface991 := sourceCQL.(interface{})
-	var intoLogger881 log.Logger
-	intoLogger881.Panicf("", fromInterface991)
-	return intoLogger881
-}
-
-func TaintStepTest_LogLoggerPanicln_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface186 := sourceCQL.(interface{})
-	var intoLogger284 log.Logger
-	intoLogger284.Panicln(fromInterface186)
-	return intoLogger284
-}
-
 func TaintStepTest_LogLoggerPrint_B0I0O0(sourceCQL interface{}) interface{} {
 	fromInterface908 := sourceCQL.(interface{})
 	var intoLogger137 log.Logger
@@ -125,46 +69,6 @@ func RunAllTaints_Log() {
 		out := TaintStepTest_LogNew_B0I0O0(source)
 		sink(0, out)
 	}
-	{
-		source := newSource(1)
-		out := TaintStepTest_LogLoggerFatal_B0I0O0(source)
-		sink(1, out)
-	}
-	{
-		source := newSource(2)
-		out := TaintStepTest_LogLoggerFatalf_B0I0O0(source)
-		sink(2, out)
-	}
-	{
-		source := newSource(3)
-		out := TaintStepTest_LogLoggerFatalf_B0I1O0(source)
-		sink(3, out)
-	}
-	{
-		source := newSource(4)
-		out := TaintStepTest_LogLoggerFatalln_B0I0O0(source)
-		sink(4, out)
-	}
-	{
-		source := newSource(5)
-		out := TaintStepTest_LogLoggerPanic_B0I0O0(source)
-		sink(5, out)
-	}
-	{
-		source := newSource(6)
-		out := TaintStepTest_LogLoggerPanicf_B0I0O0(source)
-		sink(6, out)
-	}
-	{
-		source := newSource(7)
-		out := TaintStepTest_LogLoggerPanicf_B0I1O0(source)
-		sink(7, out)
-	}
-	{
-		source := newSource(8)
-		out := TaintStepTest_LogLoggerPanicln_B0I0O0(source)
-		sink(8, out)
-	}
 	{
 		source := newSource(9)
 		out := TaintStepTest_LogLoggerPrint_B0I0O0(source)

go/ql/test/query-tests/Security/CWE-117/CONSISTENCY/DataFlowConsistency.expected

@@ -3,9 +3,9 @@ reverseRead
 | LogInjection.go:33:14:33:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:34:18:34:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:35:14:35:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:447:14:447:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:551:14:551:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:455:14:455:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:559:14:559:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:463:14:463:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:567:14:567:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:498:14:498:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:602:14:602:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:499:14:499:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:603:14:603:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:724:12:724:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:828:12:828:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/query-tests/Security/CWE-117/LogInjection.go

@@ -49,22 +49,22 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		log.Printf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		log.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 
-		if testFlag == "true" {
+		if testFlag == "1" {
 			log.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "2" {
 			log.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "3" {
 			log.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "4" {
 			log.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "5" {
 			log.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "6" {
 			log.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
 
@@ -72,13 +72,25 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.Print("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
 		logger.Printf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		logger.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		if testFlag == "7" {
 			logger.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "8" {
 			logger.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "9" {
 			logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "10" {
 			logger.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "11" {
 			logger.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "12" {
 			logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
+	}
 	// k8s.io/klog
 	{
 		verbose := klog.V(0)
@@ -91,13 +103,25 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		klog.Error(username)     // $ hasTaintFlow="username"
 		klog.Errorf(username)    // $ hasTaintFlow="username"
 		klog.Errorln(username)   // $ hasTaintFlow="username"
+		if testFlag == "77" {
 			klog.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "78" {
 			klog.Fatalf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "79" {
 			klog.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "80" {
 			klog.Exit(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "81" {
 			klog.Exitf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "82" {
 			klog.Exitln(username) // $ hasTaintFlow="username"
 		}
+	}
 	// astaxie/beego
 	{
 		beego.Alert(username)         // $ hasTaintFlow="username"
@@ -161,14 +185,30 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		glog.ErrorDepth(0, username) // $ hasTaintFlow="username"
 		glog.Errorf(username)        // $ hasTaintFlow="username"
 		glog.Errorln(username)       // $ hasTaintFlow="username"
+		if testFlag == "83" {
 			glog.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "84" {
 			glog.FatalDepth(0, username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "85" {
 			glog.Fatalf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "86" {
 			glog.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "87" {
 			glog.Exit(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "88" {
 			glog.ExitDepth(0, username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "89" {
 			glog.Exitf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "90" {
 			glog.Exitln(username) // $ hasTaintFlow="username"
+		}
 
 	}
 	// sirupsen/logrus
@@ -187,18 +227,34 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logrus.Errorf(username, "") // $ hasTaintFlow="username"
 		logrus.Errorf("", username) // $ hasTaintFlow="username"
 		logrus.Errorln(username)    // $ hasTaintFlow="username"
+		if testFlag == "13" {
 			logrus.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "14" {
 			logrus.Fatalf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "15" {
 			logrus.Fatalf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "16" {
 			logrus.Fatalln(username) // $ hasTaintFlow="username"
+		}
 		logrus.Info(username)      // $ hasTaintFlow="username"
 		logrus.Infof(username, "") // $ hasTaintFlow="username"
 		logrus.Infof("", username) // $ hasTaintFlow="username"
 		logrus.Infoln(username)    // $ hasTaintFlow="username"
+		if testFlag == "17" {
 			logrus.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "18" {
 			logrus.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "19" {
 			logrus.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "20" {
 			logrus.Panicln(username) // $ hasTaintFlow="username"
+		}
 		logrus.Print(username)         // $ hasTaintFlow="username"
 		logrus.Printf(username, "")    // $ hasTaintFlow="username"
 		logrus.Printf("", username)    // $ hasTaintFlow="username"
@@ -228,10 +284,18 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry.Errorf(username, "") // $ hasTaintFlow="username"
 		entry.Errorf("", username) // $ hasTaintFlow="username"
 		entry.Errorln(username)    // $ hasTaintFlow="username"
+		if testFlag == "21" {
 			entry.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "22" {
 			entry.Fatalf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "23" {
 			entry.Fatalf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "24" {
 			entry.Fatalln(username) // $ hasTaintFlow="username"
+		}
 		entry.Info(username)        // $ hasTaintFlow="username"
 		entry.Infof(username, "")   // $ hasTaintFlow="username"
 		entry.Infof("", username)   // $ hasTaintFlow="username"
@@ -240,10 +304,18 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry.Logf(0, username, "") // $ hasTaintFlow="username"
 		entry.Logf(0, "", username) // $ hasTaintFlow="username"
 		entry.Logln(0, username)    // $ hasTaintFlow="username"
+		if testFlag == "25" {
 			entry.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "26" {
 			entry.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "27" {
 			entry.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "28" {
 			entry.Panicln(username) // $ hasTaintFlow="username"
+		}
 		entry.Print(username)         // $ hasTaintFlow="username"
 		entry.Printf(username, "")    // $ hasTaintFlow="username"
 		entry.Printf("", username)    // $ hasTaintFlow="username"
@@ -273,10 +345,18 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.Errorf(username, "") // $ hasTaintFlow="username"
 		logger.Errorf("", username) // $ hasTaintFlow="username"
 		logger.Errorln(username)    // $ hasTaintFlow="username"
+		if testFlag == "29" {
 			logger.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "30" {
 			logger.Fatalf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "31" {
 			logger.Fatalf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "32" {
 			logger.Fatalln(username) // $ hasTaintFlow="username"
+		}
 		logger.Info(username)        // $ hasTaintFlow="username"
 		logger.Infof(username, "")   // $ hasTaintFlow="username"
 		logger.Infof("", username)   // $ hasTaintFlow="username"
@@ -285,10 +365,18 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.Logf(0, username, "") // $ hasTaintFlow="username"
 		logger.Logf(0, "", username) // $ hasTaintFlow="username"
 		logger.Logln(0, username)    // $ hasTaintFlow="username"
+		if testFlag == "33" {
 			logger.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "34" {
 			logger.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "35" {
 			logger.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "36" {
 			logger.Panicln(username) // $ hasTaintFlow="username"
+		}
 		logger.Print(username)         // $ hasTaintFlow="username"
 		logger.Printf(username, "")    // $ hasTaintFlow="username"
 		logger.Printf("", username)    // $ hasTaintFlow="username"
@@ -319,18 +407,34 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		fieldlogger.Errorf(username, "") // $ hasTaintFlow="username"
 		fieldlogger.Errorf("", username) // $ hasTaintFlow="username"
 		fieldlogger.Errorln(username)    // $ hasTaintFlow="username"
+		if testFlag == "37" {
 			fieldlogger.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "38" {
 			fieldlogger.Fatalf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "39" {
 			fieldlogger.Fatalf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "40" {
 			fieldlogger.Fatalln(username) // $ hasTaintFlow="username"
+		}
 		fieldlogger.Info(username)      // $ hasTaintFlow="username"
 		fieldlogger.Infof(username, "") // $ hasTaintFlow="username"
 		fieldlogger.Infof("", username) // $ hasTaintFlow="username"
 		fieldlogger.Infoln(username)    // $ hasTaintFlow="username"
+		if testFlag == "41" {
 			fieldlogger.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "42" {
 			fieldlogger.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "43" {
 			fieldlogger.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "44" {
 			fieldlogger.Panicln(username) // $ hasTaintFlow="username"
+		}
 		fieldlogger.Print(username)         // $ hasTaintFlow="username"
 		fieldlogger.Printf(username, "")    // $ hasTaintFlow="username"
 		fieldlogger.Printf("", username)    // $ hasTaintFlow="username"
@@ -366,11 +470,11 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.DPanic(username) // $ hasTaintFlow="username"
 		logger.Debug(username)  // $ hasTaintFlow="username"
 		logger.Error(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "45" {
 			logger.Fatal(username) // $ hasTaintFlow="username"
 		}
 		logger.Info(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "46" {
 			logger.Panic(username) // $ hasTaintFlow="username"
 		}
 		logger.Warn(username)        // $ hasTaintFlow="username"
@@ -382,33 +486,33 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanic(username) // $ hasTaintFlow="username"
 		sLogger.Debug(username)  // $ hasTaintFlow="username"
 		sLogger.Error(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "47" {
 			sLogger.Fatal(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Info(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "48" {
 			sLogger.Panic(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warn(username)    // $ hasTaintFlow="username"
 		sLogger.DPanicf(username) // $ hasTaintFlow="username"
 		sLogger.Debugf(username)  // $ hasTaintFlow="username"
 		sLogger.Errorf(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "49" {
 			sLogger.Fatalf(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infof(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "50" {
 			sLogger.Panicf(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnf(username)   // $ hasTaintFlow="username"
 		sLogger.DPanicw(username) // $ hasTaintFlow="username"
 		sLogger.Debugw(username)  // $ hasTaintFlow="username"
 		sLogger.Errorw(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "51" {
 			sLogger.Fatalw(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infow(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "52" {
 			sLogger.Panicw(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnw(username) // $ hasTaintFlow="username"
@@ -515,10 +619,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		verbose.Infof("user %q logged in.\n", username)
 		klog.Infof("user %q logged in.\n", username)
 		klog.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "53" {
 			klog.Fatalf("user %q logged in.\n", username)
 		}
-		if testFlag == " true" {
+		if testFlag == "54" {
 			klog.Exitf("user %q logged in.\n", username)
 		}
 	}
@@ -534,10 +638,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 
 		glog.Infof("user %q logged in.\n", username)
 		glog.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "55" {
 			glog.Fatalf("user %q logged in.\n", username)
 		}
-		if testFlag == " true" {
+		if testFlag == "56" {
 			glog.Exitf("user %q logged in.\n", username)
 		}
 	}
@@ -545,11 +649,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 	{
 		logrus.Debugf("user %q logged in.\n", username)
 		logrus.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "57" {
 			logrus.Fatalf("user %q logged in.\n", username)
 		}
 		logrus.Infof("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "58" {
 			logrus.Panicf("user %q logged in.\n", username)
 		}
 		logrus.Printf("user %q logged in.\n", username)
@@ -561,12 +665,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry := logrus.WithFields(fields)
 		entry.Debugf("user %q logged in.\n", username)
 		entry.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "59" {
 			entry.Fatalf("user %q logged in.\n", username)
 		}
 		entry.Infof("user %q logged in.\n", username)
 		entry.Logf(0, "user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "60" {
 			entry.Panicf("user %q logged in.\n", username)
 		}
 		entry.Printf("user %q logged in.\n", username)
@@ -577,12 +681,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := entry.Logger
 		logger.Debugf("user %q logged in.\n", username)
 		logger.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "61" {
 			logger.Fatalf("user %q logged in.\n", username)
 		}
 		logger.Infof("user %q logged in.\n", username)
 		logger.Logf(0, "user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "62" {
 			logger.Panicf("user %q logged in.\n", username)
 		}
 		logger.Printf("user %q logged in.\n", username)
@@ -603,11 +707,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanicf("user %q logged in.\n", username)
 		sLogger.Debugf("user %q logged in.\n", username)
 		sLogger.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "63" {
 			sLogger.Fatalf("user %q logged in.\n", username)
 		}
 		sLogger.Infof("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "64" {
 			sLogger.Panicf("user %q logged in.\n", username)
 		}
 		sLogger.Warnf("user %q logged in.\n", username)
@@ -620,10 +724,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		verbose.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		klog.Infof("user %#q logged in.\n", username)    // $ hasTaintFlow="username"
 		klog.Errorf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "65" {
 			klog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
-		if testFlag == " true" {
+		if testFlag == "66" {
 			klog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 	}
@@ -639,10 +743,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 
 		glog.Infof("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
 		glog.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "67" {
 			glog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
-		if testFlag == " true" {
+		if testFlag == "68" {
 			glog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 	}
@@ -650,11 +754,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 	{
 		logrus.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		logrus.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "69" {
 			logrus.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logrus.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "70" {
 			logrus.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logrus.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -666,12 +770,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry := logrus.WithFields(fields)
 		entry.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		entry.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "71" {
 			entry.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		entry.Infof("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
 		entry.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "72" {
 			entry.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		entry.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -682,12 +786,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := entry.Logger
 		logger.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		logger.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "73" {
 			logger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logger.Infof("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
 		logger.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "74" {
 			logger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logger.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -708,11 +812,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		sLogger.Debugf("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
 		sLogger.Errorf("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "75" {
 			sLogger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "76" {
 			sLogger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username"

go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -37,22 +37,22 @@
 | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | $@ flows to a logging call. | passwords.go:26:14:26:23 | selection of password | Sensitive data returned by an access to password |
 | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | $@ flows to a logging call. | passwords.go:27:14:27:26 | call to getPassword | Sensitive data returned by a call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | $@ flows to a logging call. | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by a call to getPassword |
-| passwords.go:32:12:32:19 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:33:13:33:20 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:34:14:34:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:36:14:36:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:36:14:36:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:39:14:39:17 | obj1 | passwords.go:37:13:37:13 | x | passwords.go:39:14:39:17 | obj1 | $@ flows to a logging call. | passwords.go:37:13:37:13 | x | Sensitive data returned by an access to password |
+| passwords.go:41:14:41:17 | obj1 | passwords.go:39:13:39:13 | x | passwords.go:41:14:41:17 | obj1 | $@ flows to a logging call. | passwords.go:39:13:39:13 | x | Sensitive data returned by an access to password |
-| passwords.go:44:14:44:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:46:14:46:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:46:14:46:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:51:14:51:27 | fixed_password | passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:50:2:50:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password |
+| passwords.go:53:14:53:27 | fixed_password | passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | $@ flows to a logging call. | passwords.go:52:2:52:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password |
-| passwords.go:89:14:89:26 | utilityObject | passwords.go:87:16:87:36 | call to make | passwords.go:89:14:89:26 | utilityObject | $@ flows to a logging call. | passwords.go:87:16:87:36 | call to make | Sensitive data returned by an access to passwordSet |
+| passwords.go:91:14:91:26 | utilityObject | passwords.go:89:16:89:36 | call to make | passwords.go:91:14:91:26 | utilityObject | $@ flows to a logging call. | passwords.go:89:16:89:36 | call to make | Sensitive data returned by an access to passwordSet |
-| passwords.go:92:23:92:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:92:23:92:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:94:23:94:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:94:23:94:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:102:15:102:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:102:15:102:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:104:15:104:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:104:15:104:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:108:16:108:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:108:16:108:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:110:16:110:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:110:16:110:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:113:15:113:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:113:15:113:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:115:15:115:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:115:15:115:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:117:14:117:45 | ...+... | passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:14:117:45 | ...+... | $@ flows to a logging call. | passwords.go:116:6:116:14 | definition of password1 | Sensitive data returned by an access to password1 |
+| passwords.go:119:14:119:45 | ...+... | passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:14:119:45 | ...+... | $@ flows to a logging call. | passwords.go:118:6:118:14 | definition of password1 | Sensitive data returned by an access to password1 |
-| passwords.go:127:14:127:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:129:14:129:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:127:14:127:19 | config | passwords.go:121:13:121:14 | x3 | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:14 | x3 | Sensitive data returned by an access to password |
+| passwords.go:129:14:129:19 | config | passwords.go:123:13:123:14 | x3 | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:123:13:123:14 | x3 | Sensitive data returned by an access to password |
-| passwords.go:127:14:127:19 | config | passwords.go:124:13:124:25 | call to getPassword | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| passwords.go:129:14:129:19 | config | passwords.go:126:13:126:25 | call to getPassword | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword |
-| passwords.go:128:14:128:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:128:14:128:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:130:14:130:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:130:14:130:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:129:14:129:21 | selection of y | passwords.go:124:13:124:25 | call to getPassword | passwords.go:129:14:129:21 | selection of y | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| passwords.go:131:14:131:21 | selection of y | passwords.go:126:13:126:25 | call to getPassword | passwords.go:131:14:131:21 | selection of y | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword |
 | protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:9:2:9:9 | definition of password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:9:2:9:9 | definition of password | Sensitive data returned by an access to password |
 edges
 | klog.go:21:3:26:3 | range statement[1] | klog.go:22:27:22:33 | headers | provenance |  |
@@ -82,95 +82,15 @@ edges
 | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance |  |
 | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
 | main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
 | main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
 | main.go:54:12:54:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
-| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:56:11:56:18 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
-| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:59:18:59:25 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:62:12:62:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:65:13:65:20 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:68:11:68:18 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:71:18:71:25 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:74:12:74:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:77:13:77:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:77:13:77:20 | password | main.go:80:17:80:24 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:82:12:82:19 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:83:17:83:24 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:86:19:86:26 | password | provenance |  |
@@ -182,46 +102,46 @@ edges
 | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance |  |
 | passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | provenance |  |
 | passwords.go:21:2:21:9 | definition of password | passwords.go:30:8:30:15 | password | provenance |  |
-| passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | provenance |  |
+| passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | provenance |  |
-| passwords.go:21:2:21:9 | definition of password | passwords.go:34:28:34:35 | password | provenance |  |
+| passwords.go:21:2:21:9 | definition of password | passwords.go:36:28:36:35 | password | provenance |  |
 | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance |  |
-| passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config |
+| passwords.go:36:28:36:35 | password | passwords.go:36:14:36:35 | ...+... | provenance | Config |
-| passwords.go:34:28:34:35 | password | passwords.go:42:6:42:13 | password | provenance |  |
+| passwords.go:36:28:36:35 | password | passwords.go:44:6:44:13 | password | provenance |  |
-| passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance |  |
+| passwords.go:38:10:40:2 | struct literal | passwords.go:41:14:41:17 | obj1 | provenance |  |
-| passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config |
+| passwords.go:39:13:39:13 | x | passwords.go:38:10:40:2 | struct literal | provenance | Config |
-| passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance |  |
+| passwords.go:43:10:45:2 | struct literal | passwords.go:46:14:46:17 | obj2 | provenance |  |
-| passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config |
+| passwords.go:44:6:44:13 | password | passwords.go:43:10:45:2 | struct literal | provenance | Config |
-| passwords.go:42:6:42:13 | password | passwords.go:48:11:48:18 | password | provenance |  |
+| passwords.go:44:6:44:13 | password | passwords.go:50:11:50:18 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:92:23:92:28 | secret | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:94:23:94:28 | secret | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:102:33:102:40 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:104:33:104:40 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:108:34:108:41 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:110:34:110:41 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | provenance |  |
+| passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | provenance |  |
-| passwords.go:86:19:88:2 | struct literal | passwords.go:89:14:89:26 | utilityObject | provenance |  |
+| passwords.go:88:19:90:2 | struct literal | passwords.go:91:14:91:26 | utilityObject | provenance |  |
-| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal | provenance | Config |
+| passwords.go:89:16:89:36 | call to make | passwords.go:88:19:90:2 | struct literal | provenance | Config |
-| passwords.go:102:33:102:40 | password | passwords.go:102:15:102:40 | ...+... | provenance | Config |
+| passwords.go:104:33:104:40 | password | passwords.go:104:15:104:40 | ...+... | provenance | Config |
-| passwords.go:102:33:102:40 | password | passwords.go:108:34:108:41 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:110:34:110:41 | password | provenance |  |
-| passwords.go:102:33:102:40 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:102:33:102:40 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:108:34:108:41 | password | passwords.go:108:16:108:41 | ...+... | provenance | Config |
+| passwords.go:110:34:110:41 | password | passwords.go:110:16:110:41 | ...+... | provenance | Config |
-| passwords.go:108:34:108:41 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:110:34:110:41 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:108:34:108:41 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:110:34:110:41 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:113:33:113:40 | password | passwords.go:113:15:113:40 | ...+... | provenance | Config |
+| passwords.go:115:33:115:40 | password | passwords.go:115:15:115:40 | ...+... | provenance | Config |
-| passwords.go:113:33:113:40 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:115:33:115:40 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:28:117:36 | password1 | provenance |  |
+| passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:28:119:36 | password1 | provenance |  |
-| passwords.go:117:28:117:36 | password1 | passwords.go:117:28:117:45 | call to String | provenance | Config |
+| passwords.go:119:28:119:36 | password1 | passwords.go:119:28:119:45 | call to String | provenance | Config |
-| passwords.go:117:28:117:45 | call to String | passwords.go:117:14:117:45 | ...+... | provenance | Config |
+| passwords.go:119:28:119:45 | call to String | passwords.go:119:14:119:45 | ...+... | provenance | Config |
-| passwords.go:120:12:125:2 | struct literal | passwords.go:127:14:127:19 | config | provenance |  |
+| passwords.go:122:12:127:2 | struct literal | passwords.go:129:14:129:19 | config | provenance |  |
-| passwords.go:120:12:125:2 | struct literal [x] | passwords.go:128:14:128:19 | config [x] | provenance |  |
+| passwords.go:122:12:127:2 | struct literal [x] | passwords.go:130:14:130:19 | config [x] | provenance |  |
-| passwords.go:120:12:125:2 | struct literal [y] | passwords.go:129:14:129:19 | config [y] | provenance |  |
+| passwords.go:122:12:127:2 | struct literal [y] | passwords.go:131:14:131:19 | config [y] | provenance |  |
-| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:123:13:123:14 | x3 | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [x] | provenance |  |
+| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal [x] | provenance |  |
-| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [y] | provenance |  |
+| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal [y] | provenance |  |
-| passwords.go:128:14:128:19 | config [x] | passwords.go:128:14:128:21 | selection of x | provenance |  |
+| passwords.go:130:14:130:19 | config [x] | passwords.go:130:14:130:21 | selection of x | provenance |  |
-| passwords.go:129:14:129:19 | config [y] | passwords.go:129:14:129:21 | selection of y | provenance |  |
+| passwords.go:131:14:131:19 | config [y] | passwords.go:131:14:131:21 | selection of y | provenance |  |
 | protobuf.go:9:2:9:9 | definition of password | protobuf.go:12:22:12:29 | password | provenance |  |
 | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | provenance |  |
 | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance |  |
@@ -274,20 +194,12 @@ nodes
 | main.go:54:12:54:19 | password | semmle.label | password |
 | main.go:54:12:54:19 | password | semmle.label | password |
 | main.go:56:11:56:18 | password | semmle.label | password |
-| main.go:56:11:56:18 | password | semmle.label | password |
-| main.go:59:18:59:25 | password | semmle.label | password |
 | main.go:59:18:59:25 | password | semmle.label | password |
 | main.go:62:12:62:19 | password | semmle.label | password |
-| main.go:62:12:62:19 | password | semmle.label | password |
-| main.go:65:13:65:20 | password | semmle.label | password |
 | main.go:65:13:65:20 | password | semmle.label | password |
 | main.go:68:11:68:18 | password | semmle.label | password |
-| main.go:68:11:68:18 | password | semmle.label | password |
-| main.go:71:18:71:25 | password | semmle.label | password |
 | main.go:71:18:71:25 | password | semmle.label | password |
 | main.go:74:12:74:19 | password | semmle.label | password |
-| main.go:74:12:74:19 | password | semmle.label | password |
-| main.go:77:13:77:20 | password | semmle.label | password |
 | main.go:77:13:77:20 | password | semmle.label | password |
 | main.go:79:14:79:21 | password | semmle.label | password |
 | main.go:80:17:80:24 | password | semmle.label | password |
@@ -308,43 +220,43 @@ nodes
 | passwords.go:27:14:27:26 | call to getPassword | semmle.label | call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | semmle.label | call to getPassword |
 | passwords.go:30:8:30:15 | password | semmle.label | password |
-| passwords.go:32:12:32:19 | password | semmle.label | password |
+| passwords.go:33:13:33:20 | password | semmle.label | password |
-| passwords.go:34:14:34:35 | ...+... | semmle.label | ...+... |
+| passwords.go:36:14:36:35 | ...+... | semmle.label | ...+... |
-| passwords.go:34:28:34:35 | password | semmle.label | password |
+| passwords.go:36:28:36:35 | password | semmle.label | password |
-| passwords.go:36:10:38:2 | struct literal | semmle.label | struct literal |
+| passwords.go:38:10:40:2 | struct literal | semmle.label | struct literal |
-| passwords.go:37:13:37:13 | x | semmle.label | x |
+| passwords.go:39:13:39:13 | x | semmle.label | x |
-| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 |
+| passwords.go:41:14:41:17 | obj1 | semmle.label | obj1 |
-| passwords.go:41:10:43:2 | struct literal | semmle.label | struct literal |
+| passwords.go:43:10:45:2 | struct literal | semmle.label | struct literal |
-| passwords.go:42:6:42:13 | password | semmle.label | password |
+| passwords.go:44:6:44:13 | password | semmle.label | password |
-| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 |
+| passwords.go:46:14:46:17 | obj2 | semmle.label | obj2 |
-| passwords.go:48:11:48:18 | password | semmle.label | password |
+| passwords.go:50:11:50:18 | password | semmle.label | password |
-| passwords.go:50:2:50:15 | definition of fixed_password | semmle.label | definition of fixed_password |
+| passwords.go:52:2:52:15 | definition of fixed_password | semmle.label | definition of fixed_password |
-| passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password |
+| passwords.go:53:14:53:27 | fixed_password | semmle.label | fixed_password |
-| passwords.go:86:19:88:2 | struct literal | semmle.label | struct literal |
+| passwords.go:88:19:90:2 | struct literal | semmle.label | struct literal |
-| passwords.go:87:16:87:36 | call to make | semmle.label | call to make |
+| passwords.go:89:16:89:36 | call to make | semmle.label | call to make |
-| passwords.go:89:14:89:26 | utilityObject | semmle.label | utilityObject |
+| passwords.go:91:14:91:26 | utilityObject | semmle.label | utilityObject |
-| passwords.go:92:23:92:28 | secret | semmle.label | secret |
+| passwords.go:94:23:94:28 | secret | semmle.label | secret |
-| passwords.go:102:15:102:40 | ...+... | semmle.label | ...+... |
+| passwords.go:104:15:104:40 | ...+... | semmle.label | ...+... |
-| passwords.go:102:33:102:40 | password | semmle.label | password |
+| passwords.go:104:33:104:40 | password | semmle.label | password |
-| passwords.go:108:16:108:41 | ...+... | semmle.label | ...+... |
+| passwords.go:110:16:110:41 | ...+... | semmle.label | ...+... |
-| passwords.go:108:34:108:41 | password | semmle.label | password |
+| passwords.go:110:34:110:41 | password | semmle.label | password |
-| passwords.go:113:15:113:40 | ...+... | semmle.label | ...+... |
+| passwords.go:115:15:115:40 | ...+... | semmle.label | ...+... |
-| passwords.go:113:33:113:40 | password | semmle.label | password |
+| passwords.go:115:33:115:40 | password | semmle.label | password |
-| passwords.go:116:6:116:14 | definition of password1 | semmle.label | definition of password1 |
+| passwords.go:118:6:118:14 | definition of password1 | semmle.label | definition of password1 |
-| passwords.go:117:14:117:45 | ...+... | semmle.label | ...+... |
+| passwords.go:119:14:119:45 | ...+... | semmle.label | ...+... |
-| passwords.go:117:28:117:36 | password1 | semmle.label | password1 |
+| passwords.go:119:28:119:36 | password1 | semmle.label | password1 |
-| passwords.go:117:28:117:45 | call to String | semmle.label | call to String |
+| passwords.go:119:28:119:45 | call to String | semmle.label | call to String |
-| passwords.go:120:12:125:2 | struct literal | semmle.label | struct literal |
+| passwords.go:122:12:127:2 | struct literal | semmle.label | struct literal |
-| passwords.go:120:12:125:2 | struct literal [x] | semmle.label | struct literal [x] |
+| passwords.go:122:12:127:2 | struct literal [x] | semmle.label | struct literal [x] |
-| passwords.go:120:12:125:2 | struct literal [y] | semmle.label | struct literal [y] |
+| passwords.go:122:12:127:2 | struct literal [y] | semmle.label | struct literal [y] |
-| passwords.go:121:13:121:14 | x3 | semmle.label | x3 |
+| passwords.go:123:13:123:14 | x3 | semmle.label | x3 |
-| passwords.go:123:13:123:20 | password | semmle.label | password |
+| passwords.go:125:13:125:20 | password | semmle.label | password |
-| passwords.go:124:13:124:25 | call to getPassword | semmle.label | call to getPassword |
+| passwords.go:126:13:126:25 | call to getPassword | semmle.label | call to getPassword |
-| passwords.go:127:14:127:19 | config | semmle.label | config |
+| passwords.go:129:14:129:19 | config | semmle.label | config |
-| passwords.go:128:14:128:19 | config [x] | semmle.label | config [x] |
+| passwords.go:130:14:130:19 | config [x] | semmle.label | config [x] |
-| passwords.go:128:14:128:21 | selection of x | semmle.label | selection of x |
+| passwords.go:130:14:130:21 | selection of x | semmle.label | selection of x |
-| passwords.go:129:14:129:19 | config [y] | semmle.label | config [y] |
+| passwords.go:131:14:131:19 | config [y] | semmle.label | config [y] |
-| passwords.go:129:14:129:21 | selection of y | semmle.label | selection of y |
+| passwords.go:131:14:131:21 | selection of y | semmle.label | selection of y |
 | protobuf.go:9:2:9:9 | definition of password | semmle.label | definition of password |
 | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | semmle.label | implicit dereference [postupdate] [Description] |
 | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | semmle.label | query [postupdate] [pointer, Description] |

go/ql/test/query-tests/Security/CWE-312/passwords.go

@@ -16,7 +16,7 @@ func redact(kind, value string) string {
 	return value
 }
 
-func test() {
+func test(selector int) {
 	name := "user"
 	password := "P@ssw0rd" // $ Source
 	x := "horsebatterystapleincorrect"
@@ -29,7 +29,9 @@ func test() {
 
 	myLog(password)
 
+	if selector == 1 {
 		log.Panic(password) // $ Alert
+	}
 
 	log.Println(name + ", " + password) // $ Alert
 

java/documentation/library-coverage/coverage.csv

@@ -194,7 +194,7 @@ org.apache.hc.core5.http,73,2,45,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,72,,,,,,,,,,,
 org.apache.hc.core5.net,,,18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,
 org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6
 org.apache.hive.hcatalog.templeton,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,
-org.apache.http,48,3,95,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,46,,,,,,,,,,,,,,,,3,86,9
+org.apache.http,53,3,117,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,51,,,,,,,,,,,,,,,,3,108,9
 org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,57,
 org.apache.ibatis.mapping,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
 org.apache.log4j,11,,,,,,,,,,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

java/documentation/library-coverage/coverage.rst

@@ -13,7 +13,7 @@ Java framework & library support
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,570,124,105,,,,,15
    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,425,7,,,,,,
    `Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,
-   `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,183,122,,3,,,,119
+   `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,205,127,,3,,,,124
    `Apache Log4j 2 <https://logging.apache.org/log4j/2.0/>`_,``org.apache.logging.log4j``,,8,359,,,,,,
    `Apache Struts <https://struts.apache.org/>`_,"``org.apache.struts2``, ``org.apache.struts.beanvalidation.validation.interceptor``",,3877,14,,,,,,
    `Apache Velocity <https://velocity.apache.org/>`_,"``org.apache.velocity.app``, ``org.apache.velocity.runtime``",,,8,,,,,,
@@ -41,5 +41,5 @@ Java framework & library support
    `Thymeleaf <https://www.thymeleaf.org/>`_,``org.thymeleaf``,,2,2,,,,,,
    `jOOQ <https://www.jooq.org/>`_,``org.jooq``,,,1,,,1,,,
    Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``hudson``, ``io.jsonwebtoken``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.avro``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.fileupload``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.codehaus.cargo.container.installer``, ``org.dom4j``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",127,6034,775,148,6,14,18,,186
-   Totals,,382,26381,2702,421,16,137,33,1,410
+   Totals,,382,26403,2707,421,16,137,33,1,415
 

java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modeling of Apache HttpClient `execute` method sinks for `java/ssrf` and `java/non-https-url`.

java/ql/lib/ext/org.apache.http.client.methods.model.yml

@@ -11,7 +11,7 @@ extensions:
       - ["org.apache.http.client.methods", "HttpPost", False, "HttpPost", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "HttpPut", False, "HttpPut", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "HttpRequestBase", True, "setURI", "", "", "Argument[0]", "request-forgery", "manual"]
-      - ["org.apache.http.client.methods", "HttpRequestWrapper", True, "setURI", "(URI)", "", "Argument[0]", "request-forgery", "hq-manual"]
+      - ["org.apache.http.client.methods", "HttpRequestWrapper", True, "setURI", "(URI)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["org.apache.http.client.methods", "HttpTrace", False, "HttpTrace", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "delete", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "get", "", "", "Argument[0]", "request-forgery", "manual"]
@@ -22,3 +22,29 @@ extensions:
       - ["org.apache.http.client.methods", "RequestBuilder", False, "put", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "setUri", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "trace", "", "", "Argument[0]", "request-forgery", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "build", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "delete", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "delete", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "get", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "get", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "getUri", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "head", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "head", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "options", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "options", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "patch", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "patch", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "post", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "post", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "put", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "put", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(URI)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "trace", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "trace", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/org.apache.http.client.model.yml

@@ -3,6 +3,11 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.1.2
+version: 9.1.3-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/lib/semmle/code/java/dataflow/Bound.qll

@@ -4,67 +4,33 @@
 overlay[local?]
 module;
 
-private import internal.rangeanalysis.BoundSpecific
+private import java as J
+private import semmle.code.java.dataflow.SSA
+private import semmle.code.java.dataflow.RangeUtils as RU
+private import codeql.rangeanalysis.Bound as SharedBound
 
-private newtype TBound =
+private module BoundDefs implements SharedBound::BoundDefinitions<J::Location> {
-  TBoundZero() or
+  class SsaVariable extends Ssa::SsaDefinition {
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
+    /** Gets a use of this variable. */
-  TBoundExpr(Expr e) {
+    Expr getAUse() { result = super.getARead() }
-    interestingExprBound(e) and
-    not exists(SsaVariable v | e = v.getAUse())
   }
 
-/**
+  class SsaSourceVariable = Ssa::SourceVariable;
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
 
-  /** Gets an expression that equals this bound plus `delta`. */
+  class Type = J::Type;
-  abstract Expr getExpr(int delta);
 
-  /** Gets an expression that equals this bound. */
+  class Expr = J::Expr;
-  Expr getExpr() { result = this.getExpr(0) }
 
-  /** Gets the location of this bound. */
+  class IntegralType = J::IntegralType;
-  abstract Location getLocation();
+
+  class ConstantIntegerExpr = RU::ConstantIntegerExpr;
+
+  /** Holds if `e` is a bound expression and it is not an SSA variable read. */
+  predicate interestingExprBound(Expr e) {
+    e.(J::FieldRead).getField() instanceof J::ArrayLengthField
+  }
 }
 
-/**
+module BoundImpl = SharedBound::Bound<J::Location, BoundDefs>;
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
 
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
+import BoundImpl
-
-  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = this.getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }
-
-  override Location getLocation() { result = this.getSsa().getLocation() }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = this.getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}

java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -1,27 +0,0 @@
-/**
- * Provides Java-specific definitions for bounds.
- */
-overlay[local?]
-module;
-
-private import java as J
-private import semmle.code.java.dataflow.SSA as Ssa
-private import semmle.code.java.dataflow.RangeUtils as RU
-
-class SsaVariable extends Ssa::SsaDefinition {
-  /** Gets a use of this variable. */
-  Expr getAUse() { result = super.getARead() }
-}
-
-class Expr = J::Expr;
-
-class Location = J::Location;
-
-class IntegralType = J::IntegralType;
-
-class ConstantIntegerExpr = RU::ConstantIntegerExpr;
-
-/** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) {
-  e.(J::FieldRead).getField() instanceof J::ArrayLengthField
-}