JS: Update use of API graphs library in features for ML-powered queries

Co-authored-by: Aditya Sharad <adityasharad@github.com>

.codeqlmanifest.json

@@ -10,14 +10,7 @@
         "javascript/ql/experimental/adaptivethreatmodeling/src/qlpack.yml",
         "misc/legacy-support/*/qlpack.yml",
         "misc/suite-helpers/qlpack.yml",
-        "ruby/extractor-pack/codeql-extractor.yml",
-        "ruby/ql/consistency-queries/qlpack.yml"
-    ],
-    "versionPolicies": {
-      "default": {
-        "requireChangeNotes": true,
-        "committedPrereleaseSuffix": "dev",
-        "committedVersion": "nextPatchRelease"
-      }
-    }
-}
+        "ruby/ql/consistency-queries/qlpack.yml",
+        "ruby/extractor-pack/codeql-extractor.yml"
+   ]
+}

.github/workflows/ruby-dataset-measure.yml

@@ -24,7 +24,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        repo: [rails/rails, discourse/discourse, spree/spree]
+        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2

cpp/change-notes/2021-11-25-certificate-not-checked.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query `cpp/certificate-not-checked` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.

cpp/change-notes/2021-11-25-certificate-result-conflation.md

@@ -0,0 +1,2 @@
+lgtm,codescanning
+* A new query `cpp/certificate-result-conflation` has been added for C/C++. The query flags unsafe use of OpenSSL and similar libraries.

cpp/ql/lib/CHANGELOG.md

@@ -1,7 +0,0 @@
-## 0.0.4
-
-### New Features
-
-* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
-  `isFromSystemMacroDefinition` for identifying code that originates from a
-  macro outside the project being analyzed.

cpp/ql/lib/change-notes/released/0.0.4.md

@@ -1,7 +0,0 @@
-## 0.0.4
-
-### New Features
-
-* The QL library `semmle.code.cpp.commons.Exclusions` now contains a predicate
-  `isFromSystemMacroDefinition` for identifying code that originates from a
-  macro outside the project being analyzed.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.0.4

cpp/ql/lib/qlpack.yml

@@ -1,8 +1,7 @@
 name: codeql/cpp-all
-version: 0.0.4
-groups: cpp
+version: 0.0.2
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
 library: true
 dependencies:
-  codeql/cpp-upgrades: 0.0.3
+  codeql/cpp-upgrades: 0.0.2

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

cpp/ql/src/CHANGELOG.md

@@ -1,5 +0,0 @@
-## 0.0.4
-
-### New Queries
-
-* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.

cpp/ql/src/Likely Bugs/Protocols/TlsSettingsMisconfiguration.ql

@@ -3,8 +3,10 @@
  * @description Using the TLS or SSLv23 protocol from the boost::asio library, but not disabling deprecated protocols, or disabling minimum-recommended protocols.
  * @kind problem
  * @problem.severity error
+ * @security-severity 7.5
  * @id cpp/boost/tls-settings-misconfiguration
  * @tags security
+ *       external/cwe/cwe-326
  */
 
 import cpp

cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.ql

@@ -3,8 +3,10 @@
  * @description Using a deprecated hard-coded protocol using the boost::asio library.
  * @kind problem
  * @problem.severity error
+ * @security-severity 7.5
  * @id cpp/boost/use-of-deprecated-hardcoded-security-protocol
  * @tags security
+ *       external/cwe/cwe-327
  */
 
 import cpp

cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>When checking the result of SSL certificate verification, accepting any error code may allow an attacker to impersonate someone who is trusted.</p>
+
+</overview>
+<recommendation>
+
+<p>When checking an SSL certificate with <code>SSL_get_verify_result</code>, only <code>X509_V_OK</code> is a success code. If there is any other result the certificate should not be accepted.</p>
+
+</recommendation>
+<example>
+
+<p>In this example the error code <code>X509_V_ERR_CERT_HAS_EXPIRED</code> is treated the same as an OK result. An expired certificate should not be accepted as it is more likely to be compromised than a valid certificate.</p>
+
+<sample src="SSLResultConflationBad.cpp" />
+
+<p>In the corrected example, only a result of <code>X509_V_OK</code> is accepted.</p>
+
+<sample src="SSLResultConflationGood.cpp" />
+
+</example>
+<references>
+
+</references>
+</qhelp>

cpp/ql/src/Security/CWE/CWE-295/SSLResultConflation.ql

@@ -0,0 +1,50 @@
+/**
+ * @name Certificate result conflation
+ * @description Only accept SSL certificates that pass certificate verification.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @id cpp/certificate-result-conflation
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import cpp
+import semmle.code.cpp.controlflow.Guards
+import semmle.code.cpp.dataflow.DataFlow
+
+/**
+ * A call to `SSL_get_verify_result`.
+ */
+class SSLGetVerifyResultCall extends FunctionCall {
+  SSLGetVerifyResultCall() { getTarget().getName() = "SSL_get_verify_result" }
+}
+
+/**
+ * Data flow from a call to `SSL_get_verify_result` to a guard condition
+ * that references the result.
+ */
+class VerifyResultConfig extends DataFlow::Configuration {
+  VerifyResultConfig() { this = "VerifyResultConfig" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source.asExpr() instanceof SSLGetVerifyResultCall
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(GuardCondition guard | guard.getAChild*() = sink.asExpr())
+  }
+}
+
+from
+  VerifyResultConfig config, DataFlow::Node source, DataFlow::Node sink1, DataFlow::Node sink2,
+  GuardCondition guard, Expr c1, Expr c2, boolean testIsTrue
+where
+  config.hasFlow(source, sink1) and
+  config.hasFlow(source, sink2) and
+  guard.comparesEq(sink1.asExpr(), c1, 0, false, testIsTrue) and // (value != c1) => testIsTrue
+  guard.comparesEq(sink2.asExpr(), c2, 0, false, testIsTrue) and // (value != c2) => testIsTrue
+  c1.getValue().toInt() = 0 and
+  c2.getValue().toInt() != 0
+select guard, "This expression conflates OK and non-OK results from $@.", source, source.toString()

cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationBad.cpp

@@ -0,0 +1,13 @@
+// ...
+
+if (cert = SSL_get_peer_certificate(ssl))
+{
+	result = SSL_get_verify_result(ssl);
+
+	if ((result == X509_V_OK) || (result == X509_V_ERR_CERT_HAS_EXPIRED)) // BAD (conflates OK and a non-OK codes)
+	{
+		do_ok();
+	} else {
+		do_error();
+	}
+}

cpp/ql/src/Security/CWE/CWE-295/SSLResultConflationGood.cpp

@@ -0,0 +1,13 @@
+// ...
+
+if (cert = SSL_get_peer_certificate(ssl))
+{
+	result = SSL_get_verify_result(ssl);
+
+	if (result == X509_V_OK) // GOOD
+	{
+		do_ok();
+	} else {
+		do_error();
+	}
+}

cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.qhelp

@@ -0,0 +1,28 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+<overview>
+<p>After fetching an SSL certificate, always check the result of certificate verification.</p>
+
+</overview>
+<recommendation>
+
+<p>Always check the result of SSL certificate verification. A certificate that has been revoked may indicate that data is coming from an attacker, whereas a certificate that has expired or was self-signed may indicate an increased likelihood that the data is malicious.</p>
+
+</recommendation>
+<example>
+
+<p>In this example, the <code>SSL_get_peer_certificate</code> function is used to get the certificate of a peer. However it is unsafe to use that information without checking if the certificate is valid.</p>
+
+<sample src="SSLResultNotCheckedBad.cpp" />
+
+<p>In the corrected example, we use <code>SSL_get_verify_result</code> to check that certificate verification was successful.</p>
+
+<sample src="SSLResultNotCheckedGood.cpp" />
+
+</example>
+<references>
+
+</references>
+</qhelp>

cpp/ql/src/Security/CWE/CWE-295/SSLResultNotChecked.ql

@@ -0,0 +1,120 @@
+/**
+ * @name Certificate not checked
+ * @description Always check the result of certificate verification after fetching an SSL certificate.
+ * @kind problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision medium
+ * @id cpp/certificate-not-checked
+ * @tags security
+ *       external/cwe/cwe-295
+ */
+
+import cpp
+import semmle.code.cpp.valuenumbering.GlobalValueNumbering
+import semmle.code.cpp.controlflow.IRGuards
+
+/**
+ * A call to `SSL_get_peer_certificate`.
+ */
+class SSLGetPeerCertificateCall extends FunctionCall {
+  SSLGetPeerCertificateCall() {
+    getTarget().getName() = "SSL_get_peer_certificate" // SSL_get_peer_certificate(ssl)
+  }
+
+  Expr getSSLArgument() { result = getArgument(0) }
+}
+
+/**
+ * A call to `SSL_get_verify_result`.
+ */
+class SSLGetVerifyResultCall extends FunctionCall {
+  SSLGetVerifyResultCall() {
+    getTarget().getName() = "SSL_get_verify_result" // SSL_get_peer_certificate(ssl)
+  }
+
+  Expr getSSLArgument() { result = getArgument(0) }
+}
+
+/**
+ * Holds if the SSL object passed into `SSL_get_peer_certificate` is checked with
+ * `SSL_get_verify_result` entering `node`.
+ */
+predicate resultIsChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
+  exists(Expr ssl, SSLGetVerifyResultCall check |
+    ssl = globalValueNumber(getCertCall.getSSLArgument()).getAnExpr() and
+    ssl = check.getSSLArgument() and
+    node = check
+  )
+}
+
+/**
+ * Holds if the certificate returned by `SSL_get_peer_certificate` is found to be
+ * `0` on the edge `node1` to `node2`.
+ */
+predicate certIsZero(
+  SSLGetPeerCertificateCall getCertCall, ControlFlowNode node1, ControlFlowNode node2
+) {
+  exists(Expr cert | cert = globalValueNumber(getCertCall).getAnExpr() |
+    exists(GuardCondition guard, Expr zero |
+      zero.getValue().toInt() = 0 and
+      node1 = guard and
+      (
+        // if (cert == zero) {
+        guard.comparesEq(cert, zero, 0, true, true) and
+        node2 = guard.getATrueSuccessor()
+        or
+        // if (cert != zero) { }
+        guard.comparesEq(cert, zero, 0, false, true) and
+        node2 = guard.getAFalseSuccessor()
+      )
+    )
+    or
+    (
+      // if (cert) { }
+      node1 = cert
+      or
+      // if (!cert) {
+      node1.(NotExpr).getAChild() = cert
+    ) and
+    node2 = node1.getASuccessor() and
+    not cert.(GuardCondition).controls(node2, true) // cert may be false
+  )
+}
+
+/**
+ * Holds if the SSL object passed into `SSL_get_peer_certificate` has not been checked with
+ * `SSL_get_verify_result` at `node`. Note that this is only computed at the call to
+ * `SSL_get_peer_certificate` and at the start and end of `BasicBlock`s.
+ */
+predicate certNotChecked(SSLGetPeerCertificateCall getCertCall, ControlFlowNode node) {
+  // cert is not checked at the call to `SSL_get_peer_certificate`
+  node = getCertCall
+  or
+  exists(BasicBlock bb, int pos |
+    // flow to end of a `BasicBlock`
+    certNotChecked(getCertCall, bb.getNode(pos)) and
+    node = bb.getEnd() and
+    // check for barrier node
+    not exists(int pos2 |
+      pos2 > pos and
+      resultIsChecked(getCertCall, bb.getNode(pos2))
+    )
+  )
+  or
+  exists(BasicBlock pred, BasicBlock bb |
+    // flow from the end of one `BasicBlock` to the beginning of a successor
+    certNotChecked(getCertCall, pred.getEnd()) and
+    bb = pred.getASuccessor() and
+    node = bb.getStart() and
+    // check for barrier bb
+    not certIsZero(getCertCall, pred.getEnd(), bb.getStart())
+  )
+}
+
+from SSLGetPeerCertificateCall getCertCall, ControlFlowNode node
+where
+  certNotChecked(getCertCall, node) and
+  node instanceof Function // (function exit)
+select getCertCall,
+  "This " + getCertCall.toString() + " is not followed by a call to SSL_get_verify_result."

cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedBad.cpp

@@ -0,0 +1,5 @@
+// ...
+
+X509 *cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)
+
+// ...

cpp/ql/src/Security/CWE/CWE-295/SSLResultNotCheckedGood.cpp

@@ -0,0 +1,9 @@
+// ...
+
+X509 *cert = SSL_get_peer_certificate(ssl); // GOOD
+if (cert)
+{
+	result = SSL_get_verify_result(ssl);
+	if (result == X509_V_OK)
+	{
+		// ...

cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql

@@ -8,6 +8,7 @@
  * @precision high
  * @id cpp/cleartext-storage-file
  * @tags security
+ *       external/cwe/cwe-260
  *       external/cwe/cwe-313
  */
 

cpp/ql/src/change-notes/released/0.0.4.md

@@ -1,5 +0,0 @@
-## 0.0.4
-
-### New Queries
-
-* A new query `cpp/non-https-url` has been added for C/C++. The query flags uses of `http` URLs that might be better replaced with `https`.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.0.4

cpp/ql/src/qlpack.yml

@@ -1,6 +1,5 @@
 name: codeql/cpp-queries
-version: 0.0.4
-groups: cpp
+version: 0.0.2
 dependencies:
     codeql/cpp-all: "*"
     codeql/suite-helpers: "*"

cpp/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-tests
-groups: [cpp, test]
+version: 0.0.2
 dependencies:
   codeql/cpp-all: "*"
   codeql/cpp-queries: "*"

cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml

@@ -1,6 +1,6 @@
 # This directory has its own qlpack for reasons detailed in commit 2550788598010fa2117274607c9d58f64f997f34
 name: codeql/cpp-tests-cwe-190-tainted
-groups: [cpp, test]
+version: 0.0.2
 dependencies:
   codeql/cpp-all: "*"
   codeql/cpp-queries: "*"

cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/OverrunWrite.expected

@@ -3,13 +3,17 @@
 | tests.cpp:272:2:272:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:273:2:273:8 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
 | tests.cpp:308:3:308:9 | call to sprintf | This 'call to sprintf' operation requires 9 bytes but the destination is only 8 bytes. |
-| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
-| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
-| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 2 bytes. |
+| tests.cpp:315:2:315:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:316:2:316:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:321:2:321:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:324:3:324:9 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 4 bytes. |
+| tests.cpp:327:2:327:8 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
+| tests.cpp:329:3:329:9 | call to sprintf | This 'call to sprintf' operation requires 12 bytes but the destination is only 4 bytes. |
 | tests.cpp:341:2:341:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | tests.cpp:343:2:343:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
 | tests.cpp:345:2:345:8 | call to sprintf | This 'call to sprintf' operation requires 11 bytes but the destination is only 2 bytes. |
 | tests.cpp:347:2:347:8 | call to sprintf | This 'call to sprintf' operation requires 3 bytes but the destination is only 2 bytes. |
+| tests.cpp:350:2:350:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:354:2:354:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:358:2:358:8 | call to sprintf | This 'call to sprintf' operation requires 4 bytes but the destination is only 3 bytes. |
+| tests.cpp:363:2:363:8 | call to sprintf | This 'call to sprintf' operation requires 5 bytes but the destination is only 4 bytes. |

cpp/ql/test/query-tests/Security/CWE/CWE-242/semmle/tests/tests.cpp

@@ -310,39 +310,56 @@ namespace custom_sprintf_impl {
 }
 
 void test6(unsigned unsigned_value, int value) {
-	char buffer[2];
+	char buffer2[2], buffer3[3], buffer4[4], buffer5[5];
 	
-	sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
-	sprintf(buffer, "%d", unsigned_value); // BAD: buffer overflow
-	if (unsigned_value < 10) {
-		sprintf(buffer, "%u", unsigned_value); // GOOD
+	sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
+	sprintf(buffer4, "%d", unsigned_value); // BAD: buffer overflow
+	if (unsigned_value < 1000) {
+		sprintf(buffer4, "%u", unsigned_value); // GOOD
 	}
 
-	sprintf(buffer, "%u", -10); // BAD: buffer overflow
+	sprintf(buffer4, "%u", -100); // BAD: buffer overflow
 
-	if(unsigned_value == (unsigned)-10) {
-		sprintf(buffer, "%u", unsigned_value); // BAD: buffer overflow
+	if(unsigned_value == (unsigned)-100) {
+		sprintf(buffer4, "%u", unsigned_value); // BAD: buffer overflow
 	}
 
-	sprintf(buffer, "%d", value); // BAD: buffer overflow
-	if (value < 10) {
-		sprintf(buffer, "%d", value); // BAD: buffer overflow
+	sprintf(buffer4, "%d", value); // BAD: buffer overflow
+	if (value < 1000) {
+		sprintf(buffer4, "%d", value); // BAD: buffer overflow
 
-		if(value > 0) {
-			sprintf(buffer, "%d", value); // GOOD
+		if(value > -100) {
+			sprintf(buffer4, "%d", value); // GOOD
 		}
 	}
 
-	sprintf(buffer, "%u", 0); // GOOD
-	sprintf(buffer, "%d", 0); // GOOD
-	sprintf(buffer, "%u", 5); // GOOD
-	sprintf(buffer, "%d", 5); // GOOD
+	sprintf(buffer2, "%u", 0); // GOOD
+	sprintf(buffer2, "%d", 0); // GOOD
+	sprintf(buffer2, "%u", 5); // GOOD
+	sprintf(buffer2, "%d", 5); // GOOD
 
-	sprintf(buffer, "%d", -1); // BAD
-	sprintf(buffer, "%d", 9); // GOOD
-	sprintf(buffer, "%d", 10); // BAD
+	sprintf(buffer2, "%d", -1); // BAD
+	sprintf(buffer2, "%d", 9); // GOOD
+	sprintf(buffer2, "%d", 10); // BAD
 
-	sprintf(buffer, "%u", -1); // BAD
-	sprintf(buffer, "%u", 9); // GOOD
-	sprintf(buffer, "%u", 10); // BAD
+	sprintf(buffer2, "%u", -1); // BAD
+	sprintf(buffer2, "%u", 9); // GOOD
+	sprintf(buffer2, "%u", 10); // BAD
+
+	unsigned char unsigned_char = unsigned_value;
+	sprintf(buffer3, "%u", (unsigned)unsigned_char); // BAD
+	sprintf(buffer4, "%u", (unsigned)unsigned_char); // GOOD: 0..255 fits
+
+	unsigned small = unsigned_value >> (sizeof(unsigned_value) * 8 - 9);  // in range 0..511
+	sprintf(buffer3, "%u", small); // BAD
+	sprintf(buffer4, "%u", small); // GOOD
+
+	small = unsigned_value & ((1u << 9) - 1);  // in range 0..511
+	sprintf(buffer3, "%u", small); // BAD
+	sprintf(buffer4, "%u", small); // GOOD: 0..511 fits
+
+	char c = value;
+
+	sprintf(buffer4, "%d", (int)c); // BAD: e.g. -127 does not fit
+	sprintf(buffer5, "%d", (int)c); // GOOD: -127..128 fits
 }

cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.expected

@@ -0,0 +1,8 @@
+| test.cpp:18:9:18:38 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:100:18:100:38 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:38:7:38:36 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:36:16:36:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:54:7:54:47 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:52:16:52:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:62:7:62:36 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:60:16:60:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:70:7:70:36 | ... && ... | This expression conflates OK and non-OK results from $@. | test.cpp:68:16:68:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:83:7:83:40 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:78:16:78:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:87:7:87:38 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:7:57:7:77 | call to SSL_get_verify_result | call to SSL_get_verify_result |
+| test.cpp:107:13:107:42 | ... \|\| ... | This expression conflates OK and non-OK results from $@. | test.cpp:105:16:105:36 | call to SSL_get_verify_result | call to SSL_get_verify_result |

cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultConflation.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-295/SSLResultConflation.ql

cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.expected

@@ -0,0 +1,4 @@
+| test2.cpp:13:13:13:36 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
+| test2.cpp:28:13:28:36 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
+| test2.cpp:61:9:61:32 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |
+| test2.cpp:89:9:89:32 | call to SSL_get_peer_certificate | This call to SSL_get_peer_certificate is not followed by a call to SSL_get_verify_result. |

cpp/ql/test/query-tests/Security/CWE/CWE-295/SSLResultNotChecked.qlref

@@ -0,0 +1 @@
+Security/CWE/CWE-295/SSLResultNotChecked.ql

cpp/ql/test/query-tests/Security/CWE/CWE-295/test.cpp

@@ -0,0 +1,149 @@
+
+struct SSL {
+	// ...
+};
+
+int SSL_get_verify_result(const SSL *ssl);
+int get_verify_result_indirect(const SSL *ssl) { return SSL_get_verify_result(ssl); }
+
+int something_else(const SSL *ssl);
+
+bool is_ok(int result)
+{
+	return (result == 0); // GOOD
+}
+
+bool is_maybe_ok(int result)
+{
+	return (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes)
+}
+
+void test1_1(SSL *ssl)
+{
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if (result == 0) // GOOD
+		{
+		}
+
+		if (result == 1) // GOOD
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((result == 0) || (result == 1)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((result == 1) || (result == 2)) // GOOD (both results are non-OK)
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((result == 0) || (false) || (result == 2)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((0 == result) || (1 == result)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if ((result != 0) && (result != 1)) // BAD (conflates OK and a non-OK codes)
+		{
+		} else {
+			// conflation occurs here
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+		int result_cpy = result;
+		int result2 = get_verify_result_indirect(ssl);
+		int result3 = something_else(ssl);
+
+		if ((result == 0) || (result_cpy == 1)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	
+		if ((result2 == 0) || (result2 == 1)) // BAD (conflates OK and a non-OK codes)
+		{
+		}
+	
+		if ((result3 == 0) || (result3 == 1)) // GOOD (not an SSL result)
+		{
+		}
+	}
+
+	if (is_ok(SSL_get_verify_result(ssl)))
+	{
+	}
+
+	if (is_maybe_ok(SSL_get_verify_result(ssl)))
+	{
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		bool ok = (result == 0) || (result == 1); // BAD (conflates OK and a non-OK codes)
+	
+		if (ok) {
+		}
+	}
+
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if (result == 1) // BAD (conflates OK and a non-OK codes in `else`) [NOT DETECTED]
+		{
+		} else {
+		}
+	}
+}
+
+void do_good();
+
+void test1_2(SSL *ssl)
+{
+	int result = SSL_get_verify_result(ssl);
+
+	if (result == 0) { // GOOD
+		do_good();
+	} else if (result == 1) {
+		throw 1;
+	} else {
+		throw 1;
+	}
+}
+
+void test1_3(SSL *ssl)
+{
+	int result = SSL_get_verify_result(ssl);
+
+	if (result == 0) { // BAD (error code 1 is treated as OK, not as non-OK) [NOT DETECTED]
+		do_good();
+	} else if (result == 1) {
+		do_good();
+	} else {
+		throw 1;
+	}
+}

cpp/ql/test/query-tests/Security/CWE/CWE-295/test2.cpp

@@ -0,0 +1,147 @@
+
+struct SSL {
+	// ...
+};
+
+int SSL_get_peer_certificate(const SSL *ssl);
+int SSL_get_verify_result(const SSL *ssl);
+
+bool maybe();
+
+bool test2_1(SSL *ssl)
+{
+	int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)
+
+	return true;
+}
+
+bool test2_2(SSL *ssl)
+{
+	int cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is always called)
+	int result = SSL_get_verify_result(ssl);
+
+	return (result == 0);
+}
+
+bool test2_3(SSL *ssl)
+{
+	int cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result may not be called)
+
+	if (maybe())
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		return (result == 0);
+	}
+
+	return true;
+}
+
+bool test2_4(SSL *ssl)
+{
+	int cert, result;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+	if (cert != 0)
+	{
+		result = SSL_get_verify_result(ssl);
+		if (result == 0)
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool test2_5(SSL *ssl)
+{
+	int cert, result;
+
+	cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is not used reliably)
+	if ((cert != 0) && (maybe()))
+	{
+		result = SSL_get_verify_result(ssl);
+		if (result == 0)
+		{
+			return true;
+		}
+	}
+
+	return false;
+}
+
+bool test2_6(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+	if (cert == 0) return false;
+	if (SSL_get_verify_result(ssl) != 0) return false;
+
+	return true;
+}
+
+bool test2_7(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is only called when there is not a cert)
+	if (cert != 0) return false;
+	if (SSL_get_verify_result(ssl) != 0) return false;
+
+	return true;
+}
+
+bool test2_8(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+	if (!cert) return false;
+	if (!SSL_get_verify_result(ssl)) return false;
+
+	return true;
+}
+
+bool test2_9(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+	if ((!cert) || (SSL_get_verify_result(ssl) != 0)) {
+		return false;
+	}
+
+	return true;
+}
+
+bool test2_10(SSL *ssl)
+{
+	int cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+
+	if (cert)
+	{
+		int result = SSL_get_verify_result(ssl);
+
+		if (result == 0)
+		{
+			return true;
+		}
+	}
+
+	return true;
+}
+
+bool test2_11(SSL *ssl)
+{
+	int cert;
+
+	cert = SSL_get_peer_certificate(ssl); // GOOD (SSL_get_verify_result is called when there is a cert)
+
+	if ((cert) && (SSL_get_verify_result(ssl) == 0)) {
+		return true;
+	}
+
+	return false;
+}

cpp/upgrades/CHANGELOG.md

@@ -1 +0,0 @@
-## 0.0.4

cpp/upgrades/change-notes/released/0.0.4.md

@@ -1 +0,0 @@
-## 0.0.4

cpp/upgrades/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.0.4

cpp/upgrades/qlpack.yml

@@ -1,5 +1,4 @@
 name: codeql/cpp-upgrades
-groups: cpp
 upgrades: .
-version: 0.0.4
+version: 0.0.2
 library: true

csharp/ql/lib/CHANGELOG.md

@@ -1 +0,0 @@
-## 0.0.4

csharp/ql/lib/change-notes/released/0.0.4.md

@@ -1 +0,0 @@
-## 0.0.4

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.0.4

csharp/ql/lib/qlpack.yml

@@ -1,8 +1,7 @@
 name: codeql/csharp-all
-version: 0.0.4
-groups: csharp
+version: 0.0.2
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
 library: true
 dependencies:
-  codeql/csharp-upgrades: 0.0.3
+  codeql/csharp-upgrades: 0.0.2

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -78,6 +78,7 @@ private import internal.DataFlowPublic
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private::External
 private import internal.FlowSummaryImplSpecific
+private import semmle.code.csharp.dispatch.OverridableCallable
 
 /**
  * A module importing the frameworks that provide external flow data,
@@ -347,12 +348,15 @@ private class UnboundValueOrRefType extends ValueOrRefType {
   }
 }
 
-private class UnboundCallable extends Callable, Virtualizable {
+private class UnboundCallable extends Callable {
   UnboundCallable() { this.isUnboundDeclaration() }
 
   predicate overridesOrImplementsUnbound(UnboundCallable that) {
     exists(Callable c |
-      this.overridesOrImplementsOrEquals(c) and
+      this.(Virtualizable).overridesOrImplementsOrEquals(c) or
+      this = c.(OverridableCallable).getAnUltimateImplementor() or
+      this = c.(OverridableCallable).getAnOverrider+()
+    |
       this != c and
       that = c.getUnboundDeclaration()
     )
@@ -409,7 +413,7 @@ private Element interpretElement0(
   string namespace, string type, boolean subtypes, string name, string signature
 ) {
   exists(UnboundValueOrRefType t | elementSpec(namespace, type, subtypes, name, signature, _, t) |
-    exists(Member m |
+    exists(Declaration m |
       (
         result = m
         or

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -1004,6 +1004,13 @@ module Private {
     abstract class RelevantSummarizedCallable extends SummarizedCallable {
       /** Gets the string representation of this callable used by `summary/1`. */
       abstract string getCallableCsv();
+
+      /** Holds if flow is propagated between `input` and `output`. */
+      predicate relevantSummary(
+        SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+      ) {
+        this.propagatesFlow(input, output, preservesValue)
+      }
     }
 
     /** Render the kind in the format used in flow summaries. */
@@ -1023,7 +1030,7 @@ module Private {
         RelevantSummarizedCallable c, SummaryComponentStack input, SummaryComponentStack output,
         boolean preservesValue
       |
-        c.propagatesFlow(input, output, preservesValue) and
+        c.relevantSummary(input, output, preservesValue) and
         csv =
           c.getCallableCsv() + ";;" + getComponentStackCsv(input) + ";" +
             getComponentStackCsv(output) + ";" + renderKind(preservesValue)

csharp/ql/lib/semmle/code/csharp/frameworks/JsonNET.qll

@@ -153,14 +153,14 @@ module JsonNET {
       // Serialize
       c = this.getSerializeMethod() and
       preservesValue = false and
-      source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 0) and
-      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 1)
+      source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 1) and
+      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 0)
       or
       // Deserialize
       c = this.getDeserializeMethod() and
       preservesValue = false and
       source = any(CallableFlowSourceArg arg | arg.getArgumentIndex() = 0) and
-      sink = any(CallableFlowSinkArg arg | arg.getArgumentIndex() = 1)
+      sink instanceof CallableFlowSinkReturn
     }
   }
 

csharp/ql/src/CHANGELOG.md

@@ -1 +0,0 @@
-## 0.0.4

csharp/ql/src/Stubs/helpers.py

@@ -2,7 +2,6 @@ import sys
 import os
 import subprocess
 
-
 def run_cmd(cmd, msg="Failed to run command"):
     print('Running ' + ' '.join(cmd))
     if subprocess.check_call(cmd):
@@ -10,6 +9,14 @@ def run_cmd(cmd, msg="Failed to run command"):
         exit(1)
 
 
+def run_cmd_cwd(cmd, cwd, msg):
+    print('Change working directory to: ' + cwd)
+    print('Running ' + ' '.join(cmd))
+    if subprocess.check_call(cmd, cwd=cwd):
+        print(msg)
+        exit(1)
+
+
 def get_argv(index, default):
     if len(sys.argv) > index:
         return sys.argv[index]

csharp/ql/src/Stubs/make_stubs_nuget.py

@@ -17,7 +17,7 @@ def write_csproj_prefix(ioWrapper):
 
 
 print('Script to generate stub file from a nuget package')
-print(' Usage: python ' + sys.argv[0] +
+print(' Usage: python3 ' + sys.argv[0] +
       ' NUGET_PACKAGE_NAME [VERSION=latest] [WORK_DIR=tempDir]')
 print(' The script uses the dotnet cli, codeql cli, and dotnet format global tool')
 
@@ -34,6 +34,9 @@ workDir = os.path.abspath(helpers.get_argv(3, "tempDir"))
 projectNameIn = "input"
 projectDirIn = os.path.join(workDir, projectNameIn)
 
+def run_cmd(cmd, msg="Failed to run command"):
+    helpers.run_cmd_cwd(cmd, workDir, msg)
+
 # /output contains the output of the stub generation
 outputDirName = "output"
 outputDir = os.path.join(workDir, outputDirName)
@@ -57,7 +60,7 @@ jsonFile = os.path.join(rawOutputDir, outputName + '.json')
 version = helpers.get_argv(2, "latest")
 
 print("\n* Creating new input project")
-helpers.run_cmd(['dotnet', 'new', 'classlib', "--language", "C#", '--name',
+run_cmd(['dotnet', 'new', 'classlib', "-f", "net5.0", "--language", "C#", '--name',
                  projectNameIn, '--output', projectDirIn])
 helpers.remove_files(projectDirIn, '.cs')
 
@@ -66,27 +69,31 @@ cmd = ['dotnet', 'add', projectDirIn, 'package', nuget]
 if (version != "latest"):
     cmd.append('--version')
     cmd.append(version)
-helpers.run_cmd(cmd)
+run_cmd(cmd)
+
+sdk_version = '5.0.402'
+print("\n* Creating new global.json file and setting SDK to " + sdk_version)
+run_cmd(['dotnet', 'new', 'globaljson', '--force', '--sdk-version', sdk_version, '--output', workDir])
 
 print("\n* Creating DB")
-helpers.run_cmd(['codeql', 'database', 'create', dbDir, '--language=csharp',
-                 '--command', 'dotnet build /t:rebuild ' + projectDirIn])
+run_cmd(['codeql', 'database', 'create', dbDir, '--language=csharp',
+                 '--command', 'dotnet build /t:rebuild /p:UseSharedCompilation=false ' + projectDirIn])
 
 if not os.path.isdir(dbDir):
     print("Expected database directory " + dbDir + " not found.")
     exit(1)
 
 print("\n* Running stubbing CodeQL query")
-helpers.run_cmd(['codeql', 'query', 'run', os.path.join(
+run_cmd(['codeql', 'query', 'run', os.path.join(
     thisDir, 'AllStubsFromReference.ql'), '--database', dbDir, '--output', bqrsFile])
 
-helpers.run_cmd(['codeql', 'bqrs', 'decode', bqrsFile, '--output',
+run_cmd(['codeql', 'bqrs', 'decode', bqrsFile, '--output',
                  jsonFile, '--format=json'])
 
 print("\n* Creating new raw output project")
 rawSrcOutputDirName = 'src'
 rawSrcOutputDir = os.path.join(rawOutputDir, rawSrcOutputDirName)
-helpers.run_cmd(['dotnet', 'new', 'classlib', "--language", "C#",
+run_cmd(['dotnet', 'new', 'classlib', "--language", "C#",
                 '--name', rawSrcOutputDirName, '--output', rawSrcOutputDir])
 helpers.remove_files(rawSrcOutputDir, '.cs')
 
@@ -102,7 +109,7 @@ with open(jsonFile) as json_data:
 print("\n --> Generated stub files: " + rawSrcOutputDir)
 
 print("\n* Formatting files")
-helpers.run_cmd(['dotnet', 'format', rawSrcOutputDir])
+run_cmd(['dotnet', 'format', rawSrcOutputDir])
 
 print("\n --> Generated (formatted) stub files: " + rawSrcOutputDir)
 

csharp/ql/src/change-notes/released/0.0.4.md

@@ -1 +0,0 @@
-## 0.0.4

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.0.4

csharp/ql/src/qlpack.yml

@@ -1,6 +1,5 @@
 name: codeql/csharp-queries
-version: 0.0.4
-groups: csharp
+version: 0.0.2
 suites: codeql-suites
 extractor: csharp
 defaultSuiteFile: codeql-suites/csharp-code-scanning.qls

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs

@@ -105,6 +105,13 @@ namespace My.Qltest
             Sink(d2.Field2);
         }
 
+        void M16()
+        {
+            var f = new F();
+            f.MyProp = new object();
+            Sink(f.MyProp);
+        }
+
         object StepArgRes(object x) { return null; }
 
         void StepArgArg(object @in, object @out) { }
@@ -142,4 +149,24 @@ namespace My.Qltest
 
         static void Sink(object o) { }
     }
+
+    public class E
+    {
+        object MyField;
+
+        public virtual object MyProp
+        {
+            get { throw null; }
+            set { throw null; }
+        }
+    }
+
+    public class F : E
+    {
+        public override object MyProp
+        {
+            get { throw null; }
+            set { throw null; }
+        }
+    }
 }

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected

@@ -53,6 +53,9 @@ edges
 | ExternalFlow.cs:100:20:100:20 | d : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d |
 | ExternalFlow.cs:103:16:103:17 | access to local variable d1 [field Field] : Object | ExternalFlow.cs:100:20:100:20 | d : Object |
 | ExternalFlow.cs:104:18:104:19 | access to local variable d1 [field Field] : Object | ExternalFlow.cs:104:18:104:25 | access to field Field |
+| ExternalFlow.cs:111:13:111:13 | [post] access to local variable f [field MyField] : Object | ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object |
+| ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:111:13:111:13 | [post] access to local variable f [field MyField] : Object |
+| ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp |
 nodes
 | ExternalFlow.cs:9:27:9:38 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:10:18:10:33 | call to method StepArgRes | semmle.label | call to method StepArgRes |
@@ -123,6 +126,10 @@ nodes
 | ExternalFlow.cs:103:16:103:17 | access to local variable d1 [field Field] : Object | semmle.label | access to local variable d1 [field Field] : Object |
 | ExternalFlow.cs:104:18:104:19 | access to local variable d1 [field Field] : Object | semmle.label | access to local variable d1 [field Field] : Object |
 | ExternalFlow.cs:104:18:104:25 | access to field Field | semmle.label | access to field Field |
+| ExternalFlow.cs:111:13:111:13 | [post] access to local variable f [field MyField] : Object | semmle.label | [post] access to local variable f [field MyField] : Object |
+| ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
+| ExternalFlow.cs:112:18:112:18 | access to local variable f [field MyField] : Object | semmle.label | access to local variable f [field MyField] : Object |
+| ExternalFlow.cs:112:18:112:25 | access to property MyProp | semmle.label | access to property MyProp |
 subpaths
 invalidModelRow
 #select
@@ -144,3 +151,4 @@ invalidModelRow
 | ExternalFlow.cs:92:18:92:18 | (...) ... | ExternalFlow.cs:90:21:90:34 | object creation of type String : String | ExternalFlow.cs:92:18:92:18 | (...) ... | $@ | ExternalFlow.cs:90:21:90:34 | object creation of type String : String | object creation of type String : String |
 | ExternalFlow.cs:102:22:102:22 | access to parameter d | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:102:22:102:22 | access to parameter d | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
+| ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object |

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.ql

@@ -28,7 +28,9 @@ class SummaryModelTest extends SummaryModelCsv {
         "My.Qltest;D;false;Apply2<>;(System.Action<S>,S,S);;Field[My.Qltest.D.Field2] of Argument[2];Parameter[0] of Argument[0];value",
         "My.Qltest;D;false;Map<,>;(S[],System.Func<S,T>);;Element of Argument[0];Parameter[0] of Argument[1];value",
         "My.Qltest;D;false;Map<,>;(S[],System.Func<S,T>);;ReturnValue of Argument[1];Element of ReturnValue;value",
-        "My.Qltest;D;false;Parse;(System.String,System.Int32);;Argument[0];Argument[1];taint"
+        "My.Qltest;D;false;Parse;(System.String,System.Int32);;Argument[0];Argument[1];taint",
+        "My.Qltest;E;true;get_MyProp;();;Field[My.Qltest.E.MyField] of Argument[-1];ReturnValue;value",
+        "My.Qltest;E;true;set_MyProp;(System.Object);;Argument[0];Field[My.Qltest.E.MyField] of Argument[-1];value"
       ]
   }
 }

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.ql

@@ -0,0 +1,21 @@
+import shared.FlowSummaries
+
+class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable {
+  IncludeFilteredSummarizedCallable() { this instanceof SummarizedCallable }
+
+  /**
+   * Holds if flow is propagated between `input` and `output` and
+   * if there is no summary for a callable in a `base` class or interface
+   * that propagates the same flow between `input` and `output`.
+   */
+  override predicate relevantSummary(
+    SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
+  ) {
+    this.propagatesFlow(input, output, preservesValue) and
+    not exists(IncludeSummarizedCallable rsc |
+      rsc.isAbstractOrInterface() and
+      this.(Virtualizable).overridesOrImplementsOrEquals(rsc) and
+      rsc.propagatesFlow(input, output, preservesValue)
+    )
+  }
+}

csharp/ql/test/library-tests/dataflow/library/options

@@ -1 +1,3 @@
-semmle-extractor-options: /r:System.Net.dll /r:System.Web.dll /r:System.Net.HttpListener.dll /r:System.Collections.Specialized.dll /r:System.Private.Uri.dll /r:System.Runtime.Extensions.dll /r:System.Linq.Parallel.dll /r:System.Collections.Concurrent.dll /r:System.Linq.Expressions.dll /r:System.Collections.dll /r:System.Linq.Queryable.dll /r:System.Linq.dll /r:System.Collections.NonGeneric.dll /r:System.ObjectModel.dll /r:System.ComponentModel.TypeConverter.dll /r:System.IO.Compression.dll /r:System.IO.Pipes.dll /r:System.Net.Primitives.dll /r:System.Net.Security.dll /r:System.Security.Cryptography.Primitives.dll /r:System.Text.RegularExpressions.dll ${testdir}/../../../resources/stubs/System.Web.cs /r:System.Runtime.Serialization.Primitives.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/Newtonsoft.Json/13.0.1/Newtonsoft.Json.csproj
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs

csharp/ql/test/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-csharp-tests
-groups: [csharp, test]
+version: 0.0.2
 dependencies:
   codeql/csharp-all: "*"
   codeql/csharp-queries: "*"

csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/options

@@ -1,2 +1,3 @@
-semmle-extractor-options: /r:System.Private.Uri.dll
-semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs /r:System.Collections.Specialized.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: ${testdir}/../../../../resources/stubs/System.Web.cs

csharp/ql/test/query-tests/Security Features/CWE-601/UrlRedirect/stubs.cs

@@ -167,16 +167,3 @@ public struct StringValues : System.IEquatable<string[]>, System.IEquatable<stri
 }
 }
 }
-namespace System
-{
-// Generated from `System.Uri` in `System.Private.Uri, Version=4.0.4.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
-public class Uri : System.Runtime.Serialization.ISerializable
-{
-    public Uri(string uriString) => throw null;
-    public override bool Equals(object comparand) => throw null;
-    public override int GetHashCode() => throw null;
-    public override string ToString() => throw null;
-    void System.Runtime.Serialization.ISerializable.GetObjectData(System.Runtime.Serialization.SerializationInfo serializationInfo, System.Runtime.Serialization.StreamingContext streamingContext) => throw null;
-}
-
-}

csharp/ql/test/query-tests/Security Features/CWE-838/options

@@ -1 +1,4 @@
-semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs ${testdir}/../../../resources/stubs/System.Windows.cs /r:System.Collections.Specialized.dll ${testdir}/../../../resources/stubs/System.Net.cs /r:System.ComponentModel.Primitives.dll /r:System.ComponentModel.TypeConverter.dll ${testdir}/../../../resources/stubs/System.Data.cs /r:System.Data.Common.dll
+semmle-extractor-options: /nostdlib /noconfig
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj
+semmle-extractor-options: --load-sources-from-project:${testdir}/../../../resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj
+semmle-extractor-options: ${testdir}/../../../resources/stubs/System.Web.cs ${testdir}/../../../resources/stubs/System.Windows.cs

csharp/ql/test/resources/stubs/Microsoft.NETCore.Platforms/3.1.0/Microsoft.NETCore.Platforms.csproj

@@ -0,0 +1,12 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/resources/stubs/Microsoft.Win32.Registry/4.7.0/Microsoft.Win32.Registry.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../System.Security.AccessControl/4.7.0/System.Security.AccessControl.csproj" />
+    <ProjectReference Include="../../System.Security.Principal.Windows/4.7.0/System.Security.Principal.Windows.csproj" />
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.cs

@@ -0,0 +1,972 @@
+// This file contains auto-generated code.
+
+namespace Microsoft
+{
+    namespace SqlServer
+    {
+        namespace Server
+        {
+            // Generated from `Microsoft.SqlServer.Server.DataAccessKind` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum DataAccessKind
+            {
+                None,
+                Read,
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.Format` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum Format
+            {
+                Native,
+                Unknown,
+                UserDefined,
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.IBinarySerialize` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public interface IBinarySerialize
+            {
+                void Read(System.IO.BinaryReader r);
+                void Write(System.IO.BinaryWriter w);
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.InvalidUdtException` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class InvalidUdtException : System.SystemException
+            {
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.SqlDataRecord` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlDataRecord : System.Data.IDataRecord
+            {
+                public virtual int FieldCount { get => throw null; }
+                public virtual bool GetBoolean(int ordinal) => throw null;
+                public virtual System.Byte GetByte(int ordinal) => throw null;
+                public virtual System.Int64 GetBytes(int ordinal, System.Int64 fieldOffset, System.Byte[] buffer, int bufferOffset, int length) => throw null;
+                public virtual System.Char GetChar(int ordinal) => throw null;
+                public virtual System.Int64 GetChars(int ordinal, System.Int64 fieldOffset, System.Char[] buffer, int bufferOffset, int length) => throw null;
+                System.Data.IDataReader System.Data.IDataRecord.GetData(int ordinal) => throw null;
+                public virtual string GetDataTypeName(int ordinal) => throw null;
+                public virtual System.DateTime GetDateTime(int ordinal) => throw null;
+                public virtual System.DateTimeOffset GetDateTimeOffset(int ordinal) => throw null;
+                public virtual System.Decimal GetDecimal(int ordinal) => throw null;
+                public virtual double GetDouble(int ordinal) => throw null;
+                public virtual System.Type GetFieldType(int ordinal) => throw null;
+                public virtual float GetFloat(int ordinal) => throw null;
+                public virtual System.Guid GetGuid(int ordinal) => throw null;
+                public virtual System.Int16 GetInt16(int ordinal) => throw null;
+                public virtual int GetInt32(int ordinal) => throw null;
+                public virtual System.Int64 GetInt64(int ordinal) => throw null;
+                public virtual string GetName(int ordinal) => throw null;
+                public virtual int GetOrdinal(string name) => throw null;
+                public virtual System.Data.SqlTypes.SqlBinary GetSqlBinary(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlBoolean GetSqlBoolean(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlByte GetSqlByte(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlBytes GetSqlBytes(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlChars GetSqlChars(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlDateTime GetSqlDateTime(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlDecimal GetSqlDecimal(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlDouble GetSqlDouble(int ordinal) => throw null;
+                public virtual System.Type GetSqlFieldType(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlGuid GetSqlGuid(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlInt16 GetSqlInt16(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlInt32 GetSqlInt32(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlInt64 GetSqlInt64(int ordinal) => throw null;
+                public virtual Microsoft.SqlServer.Server.SqlMetaData GetSqlMetaData(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlMoney GetSqlMoney(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlSingle GetSqlSingle(int ordinal) => throw null;
+                public virtual System.Data.SqlTypes.SqlString GetSqlString(int ordinal) => throw null;
+                public virtual object GetSqlValue(int ordinal) => throw null;
+                public virtual int GetSqlValues(object[] values) => throw null;
+                public virtual System.Data.SqlTypes.SqlXml GetSqlXml(int ordinal) => throw null;
+                public virtual string GetString(int ordinal) => throw null;
+                public virtual System.TimeSpan GetTimeSpan(int ordinal) => throw null;
+                public virtual object GetValue(int ordinal) => throw null;
+                public virtual int GetValues(object[] values) => throw null;
+                public virtual bool IsDBNull(int ordinal) => throw null;
+                public virtual object this[int ordinal] { get => throw null; }
+                public virtual object this[string name] { get => throw null; }
+                public virtual void SetBoolean(int ordinal, bool value) => throw null;
+                public virtual void SetByte(int ordinal, System.Byte value) => throw null;
+                public virtual void SetBytes(int ordinal, System.Int64 fieldOffset, System.Byte[] buffer, int bufferOffset, int length) => throw null;
+                public virtual void SetChar(int ordinal, System.Char value) => throw null;
+                public virtual void SetChars(int ordinal, System.Int64 fieldOffset, System.Char[] buffer, int bufferOffset, int length) => throw null;
+                public virtual void SetDBNull(int ordinal) => throw null;
+                public virtual void SetDateTime(int ordinal, System.DateTime value) => throw null;
+                public virtual void SetDateTimeOffset(int ordinal, System.DateTimeOffset value) => throw null;
+                public virtual void SetDecimal(int ordinal, System.Decimal value) => throw null;
+                public virtual void SetDouble(int ordinal, double value) => throw null;
+                public virtual void SetFloat(int ordinal, float value) => throw null;
+                public virtual void SetGuid(int ordinal, System.Guid value) => throw null;
+                public virtual void SetInt16(int ordinal, System.Int16 value) => throw null;
+                public virtual void SetInt32(int ordinal, int value) => throw null;
+                public virtual void SetInt64(int ordinal, System.Int64 value) => throw null;
+                public virtual void SetSqlBinary(int ordinal, System.Data.SqlTypes.SqlBinary value) => throw null;
+                public virtual void SetSqlBoolean(int ordinal, System.Data.SqlTypes.SqlBoolean value) => throw null;
+                public virtual void SetSqlByte(int ordinal, System.Data.SqlTypes.SqlByte value) => throw null;
+                public virtual void SetSqlBytes(int ordinal, System.Data.SqlTypes.SqlBytes value) => throw null;
+                public virtual void SetSqlChars(int ordinal, System.Data.SqlTypes.SqlChars value) => throw null;
+                public virtual void SetSqlDateTime(int ordinal, System.Data.SqlTypes.SqlDateTime value) => throw null;
+                public virtual void SetSqlDecimal(int ordinal, System.Data.SqlTypes.SqlDecimal value) => throw null;
+                public virtual void SetSqlDouble(int ordinal, System.Data.SqlTypes.SqlDouble value) => throw null;
+                public virtual void SetSqlGuid(int ordinal, System.Data.SqlTypes.SqlGuid value) => throw null;
+                public virtual void SetSqlInt16(int ordinal, System.Data.SqlTypes.SqlInt16 value) => throw null;
+                public virtual void SetSqlInt32(int ordinal, System.Data.SqlTypes.SqlInt32 value) => throw null;
+                public virtual void SetSqlInt64(int ordinal, System.Data.SqlTypes.SqlInt64 value) => throw null;
+                public virtual void SetSqlMoney(int ordinal, System.Data.SqlTypes.SqlMoney value) => throw null;
+                public virtual void SetSqlSingle(int ordinal, System.Data.SqlTypes.SqlSingle value) => throw null;
+                public virtual void SetSqlString(int ordinal, System.Data.SqlTypes.SqlString value) => throw null;
+                public virtual void SetSqlXml(int ordinal, System.Data.SqlTypes.SqlXml value) => throw null;
+                public virtual void SetString(int ordinal, string value) => throw null;
+                public virtual void SetTimeSpan(int ordinal, System.TimeSpan value) => throw null;
+                public virtual void SetValue(int ordinal, object value) => throw null;
+                public virtual int SetValues(params object[] values) => throw null;
+                public SqlDataRecord(params Microsoft.SqlServer.Server.SqlMetaData[] metaData) => throw null;
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.SqlFacetAttribute` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlFacetAttribute : System.Attribute
+            {
+                public bool IsFixedLength { get => throw null; set => throw null; }
+                public bool IsNullable { get => throw null; set => throw null; }
+                public int MaxSize { get => throw null; set => throw null; }
+                public int Precision { get => throw null; set => throw null; }
+                public int Scale { get => throw null; set => throw null; }
+                public SqlFacetAttribute() => throw null;
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.SqlFunctionAttribute` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlFunctionAttribute : System.Attribute
+            {
+                public Microsoft.SqlServer.Server.DataAccessKind DataAccess { get => throw null; set => throw null; }
+                public string FillRowMethodName { get => throw null; set => throw null; }
+                public bool IsDeterministic { get => throw null; set => throw null; }
+                public bool IsPrecise { get => throw null; set => throw null; }
+                public string Name { get => throw null; set => throw null; }
+                public SqlFunctionAttribute() => throw null;
+                public Microsoft.SqlServer.Server.SystemDataAccessKind SystemDataAccess { get => throw null; set => throw null; }
+                public string TableDefinition { get => throw null; set => throw null; }
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.SqlMetaData` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlMetaData
+            {
+                public System.Byte[] Adjust(System.Byte[] value) => throw null;
+                public System.Char[] Adjust(System.Char[] value) => throw null;
+                public System.DateTime Adjust(System.DateTime value) => throw null;
+                public System.DateTimeOffset Adjust(System.DateTimeOffset value) => throw null;
+                public System.Guid Adjust(System.Guid value) => throw null;
+                public System.Data.SqlTypes.SqlBinary Adjust(System.Data.SqlTypes.SqlBinary value) => throw null;
+                public System.Data.SqlTypes.SqlBoolean Adjust(System.Data.SqlTypes.SqlBoolean value) => throw null;
+                public System.Data.SqlTypes.SqlByte Adjust(System.Data.SqlTypes.SqlByte value) => throw null;
+                public System.Data.SqlTypes.SqlBytes Adjust(System.Data.SqlTypes.SqlBytes value) => throw null;
+                public System.Data.SqlTypes.SqlChars Adjust(System.Data.SqlTypes.SqlChars value) => throw null;
+                public System.Data.SqlTypes.SqlDateTime Adjust(System.Data.SqlTypes.SqlDateTime value) => throw null;
+                public System.Data.SqlTypes.SqlDecimal Adjust(System.Data.SqlTypes.SqlDecimal value) => throw null;
+                public System.Data.SqlTypes.SqlDouble Adjust(System.Data.SqlTypes.SqlDouble value) => throw null;
+                public System.Data.SqlTypes.SqlGuid Adjust(System.Data.SqlTypes.SqlGuid value) => throw null;
+                public System.Data.SqlTypes.SqlInt16 Adjust(System.Data.SqlTypes.SqlInt16 value) => throw null;
+                public System.Data.SqlTypes.SqlInt32 Adjust(System.Data.SqlTypes.SqlInt32 value) => throw null;
+                public System.Data.SqlTypes.SqlInt64 Adjust(System.Data.SqlTypes.SqlInt64 value) => throw null;
+                public System.Data.SqlTypes.SqlMoney Adjust(System.Data.SqlTypes.SqlMoney value) => throw null;
+                public System.Data.SqlTypes.SqlSingle Adjust(System.Data.SqlTypes.SqlSingle value) => throw null;
+                public System.Data.SqlTypes.SqlString Adjust(System.Data.SqlTypes.SqlString value) => throw null;
+                public System.Data.SqlTypes.SqlXml Adjust(System.Data.SqlTypes.SqlXml value) => throw null;
+                public System.TimeSpan Adjust(System.TimeSpan value) => throw null;
+                public bool Adjust(bool value) => throw null;
+                public System.Byte Adjust(System.Byte value) => throw null;
+                public System.Char Adjust(System.Char value) => throw null;
+                public System.Decimal Adjust(System.Decimal value) => throw null;
+                public double Adjust(double value) => throw null;
+                public float Adjust(float value) => throw null;
+                public int Adjust(int value) => throw null;
+                public System.Int64 Adjust(System.Int64 value) => throw null;
+                public object Adjust(object value) => throw null;
+                public System.Int16 Adjust(System.Int16 value) => throw null;
+                public string Adjust(string value) => throw null;
+                public System.Data.SqlTypes.SqlCompareOptions CompareOptions { get => throw null; }
+                public System.Data.DbType DbType { get => throw null; }
+                public static Microsoft.SqlServer.Server.SqlMetaData InferFromValue(object value, string name) => throw null;
+                public bool IsUniqueKey { get => throw null; }
+                public System.Int64 LocaleId { get => throw null; }
+                public static System.Int64 Max { get => throw null; }
+                public System.Int64 MaxLength { get => throw null; }
+                public string Name { get => throw null; }
+                public System.Byte Precision { get => throw null; }
+                public System.Byte Scale { get => throw null; }
+                public System.Data.SqlClient.SortOrder SortOrder { get => throw null; }
+                public int SortOrdinal { get => throw null; }
+                public System.Data.SqlDbType SqlDbType { get => throw null; }
+                public SqlMetaData(string name, System.Data.SqlDbType dbType) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Type userDefinedType) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Type userDefinedType, string serverTypeName) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Type userDefinedType, string serverTypeName, bool useServerDefault, bool isUniqueKey, System.Data.SqlClient.SortOrder columnSortOrder, int sortOrdinal) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, bool useServerDefault, bool isUniqueKey, System.Data.SqlClient.SortOrder columnSortOrder, int sortOrdinal) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Byte precision, System.Byte scale) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Byte precision, System.Byte scale, bool useServerDefault, bool isUniqueKey, System.Data.SqlClient.SortOrder columnSortOrder, int sortOrdinal) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Int64 maxLength) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Int64 maxLength, bool useServerDefault, bool isUniqueKey, System.Data.SqlClient.SortOrder columnSortOrder, int sortOrdinal) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Int64 maxLength, System.Byte precision, System.Byte scale, System.Int64 locale, System.Data.SqlTypes.SqlCompareOptions compareOptions, System.Type userDefinedType) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Int64 maxLength, System.Byte precision, System.Byte scale, System.Int64 localeId, System.Data.SqlTypes.SqlCompareOptions compareOptions, System.Type userDefinedType, bool useServerDefault, bool isUniqueKey, System.Data.SqlClient.SortOrder columnSortOrder, int sortOrdinal) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Int64 maxLength, System.Int64 locale, System.Data.SqlTypes.SqlCompareOptions compareOptions) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, System.Int64 maxLength, System.Int64 locale, System.Data.SqlTypes.SqlCompareOptions compareOptions, bool useServerDefault, bool isUniqueKey, System.Data.SqlClient.SortOrder columnSortOrder, int sortOrdinal) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, string database, string owningSchema, string objectName) => throw null;
+                public SqlMetaData(string name, System.Data.SqlDbType dbType, string database, string owningSchema, string objectName, bool useServerDefault, bool isUniqueKey, System.Data.SqlClient.SortOrder columnSortOrder, int sortOrdinal) => throw null;
+                public System.Type Type { get => throw null; }
+                public string TypeName { get => throw null; }
+                public bool UseServerDefault { get => throw null; }
+                public string XmlSchemaCollectionDatabase { get => throw null; }
+                public string XmlSchemaCollectionName { get => throw null; }
+                public string XmlSchemaCollectionOwningSchema { get => throw null; }
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.SqlMethodAttribute` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlMethodAttribute : Microsoft.SqlServer.Server.SqlFunctionAttribute
+            {
+                public bool InvokeIfReceiverIsNull { get => throw null; set => throw null; }
+                public bool IsMutator { get => throw null; set => throw null; }
+                public bool OnNullCall { get => throw null; set => throw null; }
+                public SqlMethodAttribute() => throw null;
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.SqlUserDefinedAggregateAttribute` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlUserDefinedAggregateAttribute : System.Attribute
+            {
+                public Microsoft.SqlServer.Server.Format Format { get => throw null; }
+                public bool IsInvariantToDuplicates { get => throw null; set => throw null; }
+                public bool IsInvariantToNulls { get => throw null; set => throw null; }
+                public bool IsInvariantToOrder { get => throw null; set => throw null; }
+                public bool IsNullIfEmpty { get => throw null; set => throw null; }
+                public int MaxByteSize { get => throw null; set => throw null; }
+                public const int MaxByteSizeValue = default;
+                public string Name { get => throw null; set => throw null; }
+                public SqlUserDefinedAggregateAttribute(Microsoft.SqlServer.Server.Format format) => throw null;
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.SqlUserDefinedTypeAttribute` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlUserDefinedTypeAttribute : System.Attribute
+            {
+                public Microsoft.SqlServer.Server.Format Format { get => throw null; }
+                public bool IsByteOrdered { get => throw null; set => throw null; }
+                public bool IsFixedLength { get => throw null; set => throw null; }
+                public int MaxByteSize { get => throw null; set => throw null; }
+                public string Name { get => throw null; set => throw null; }
+                public SqlUserDefinedTypeAttribute(Microsoft.SqlServer.Server.Format format) => throw null;
+                public string ValidationMethodName { get => throw null; set => throw null; }
+            }
+
+            // Generated from `Microsoft.SqlServer.Server.SystemDataAccessKind` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum SystemDataAccessKind
+            {
+                None,
+                Read,
+            }
+
+        }
+    }
+}
+namespace System
+{
+    namespace Data
+    {
+        // Generated from `System.Data.OperationAbortedException` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+        public class OperationAbortedException : System.SystemException
+        {
+        }
+
+        namespace Sql
+        {
+            // Generated from `System.Data.Sql.SqlNotificationRequest` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlNotificationRequest
+            {
+                public string Options { get => throw null; set => throw null; }
+                public SqlNotificationRequest() => throw null;
+                public SqlNotificationRequest(string userData, string options, int timeout) => throw null;
+                public int Timeout { get => throw null; set => throw null; }
+                public string UserData { get => throw null; set => throw null; }
+            }
+
+        }
+        namespace SqlClient
+        {
+            // Generated from `System.Data.SqlClient.ApplicationIntent` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum ApplicationIntent
+            {
+                ReadOnly,
+                ReadWrite,
+            }
+
+            // Generated from `System.Data.SqlClient.OnChangeEventHandler` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public delegate void OnChangeEventHandler(object sender, System.Data.SqlClient.SqlNotificationEventArgs e);
+
+            // Generated from `System.Data.SqlClient.PoolBlockingPeriod` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum PoolBlockingPeriod
+            {
+                AlwaysBlock,
+                Auto,
+                NeverBlock,
+            }
+
+            // Generated from `System.Data.SqlClient.SortOrder` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum SortOrder
+            {
+                Ascending,
+                Descending,
+                Unspecified,
+            }
+
+            // Generated from `System.Data.SqlClient.SqlBulkCopy` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlBulkCopy : System.IDisposable
+            {
+                public int BatchSize { get => throw null; set => throw null; }
+                public int BulkCopyTimeout { get => throw null; set => throw null; }
+                public void Close() => throw null;
+                public System.Data.SqlClient.SqlBulkCopyColumnMappingCollection ColumnMappings { get => throw null; }
+                public string DestinationTableName { get => throw null; set => throw null; }
+                void System.IDisposable.Dispose() => throw null;
+                public bool EnableStreaming { get => throw null; set => throw null; }
+                public int NotifyAfter { get => throw null; set => throw null; }
+                public SqlBulkCopy(System.Data.SqlClient.SqlConnection connection) => throw null;
+                public SqlBulkCopy(System.Data.SqlClient.SqlConnection connection, System.Data.SqlClient.SqlBulkCopyOptions copyOptions, System.Data.SqlClient.SqlTransaction externalTransaction) => throw null;
+                public SqlBulkCopy(string connectionString) => throw null;
+                public SqlBulkCopy(string connectionString, System.Data.SqlClient.SqlBulkCopyOptions copyOptions) => throw null;
+                public event System.Data.SqlClient.SqlRowsCopiedEventHandler SqlRowsCopied;
+                public void WriteToServer(System.Data.DataRow[] rows) => throw null;
+                public void WriteToServer(System.Data.DataTable table) => throw null;
+                public void WriteToServer(System.Data.DataTable table, System.Data.DataRowState rowState) => throw null;
+                public void WriteToServer(System.Data.Common.DbDataReader reader) => throw null;
+                public void WriteToServer(System.Data.IDataReader reader) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.DataRow[] rows) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.DataRow[] rows, System.Threading.CancellationToken cancellationToken) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.DataTable table) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.DataTable table, System.Threading.CancellationToken cancellationToken) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.DataTable table, System.Data.DataRowState rowState) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.DataTable table, System.Data.DataRowState rowState, System.Threading.CancellationToken cancellationToken) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.Common.DbDataReader reader) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.Common.DbDataReader reader, System.Threading.CancellationToken cancellationToken) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.IDataReader reader) => throw null;
+                public System.Threading.Tasks.Task WriteToServerAsync(System.Data.IDataReader reader, System.Threading.CancellationToken cancellationToken) => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlBulkCopyColumnMapping` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlBulkCopyColumnMapping
+            {
+                public string DestinationColumn { get => throw null; set => throw null; }
+                public int DestinationOrdinal { get => throw null; set => throw null; }
+                public string SourceColumn { get => throw null; set => throw null; }
+                public int SourceOrdinal { get => throw null; set => throw null; }
+                public SqlBulkCopyColumnMapping() => throw null;
+                public SqlBulkCopyColumnMapping(int sourceColumnOrdinal, int destinationOrdinal) => throw null;
+                public SqlBulkCopyColumnMapping(int sourceColumnOrdinal, string destinationColumn) => throw null;
+                public SqlBulkCopyColumnMapping(string sourceColumn, int destinationOrdinal) => throw null;
+                public SqlBulkCopyColumnMapping(string sourceColumn, string destinationColumn) => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlBulkCopyColumnMappingCollection` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlBulkCopyColumnMappingCollection : System.Collections.CollectionBase
+            {
+                public System.Data.SqlClient.SqlBulkCopyColumnMapping Add(System.Data.SqlClient.SqlBulkCopyColumnMapping bulkCopyColumnMapping) => throw null;
+                public System.Data.SqlClient.SqlBulkCopyColumnMapping Add(int sourceColumnIndex, int destinationColumnIndex) => throw null;
+                public System.Data.SqlClient.SqlBulkCopyColumnMapping Add(int sourceColumnIndex, string destinationColumn) => throw null;
+                public System.Data.SqlClient.SqlBulkCopyColumnMapping Add(string sourceColumn, int destinationColumnIndex) => throw null;
+                public System.Data.SqlClient.SqlBulkCopyColumnMapping Add(string sourceColumn, string destinationColumn) => throw null;
+                public void Clear() => throw null;
+                public bool Contains(System.Data.SqlClient.SqlBulkCopyColumnMapping value) => throw null;
+                public void CopyTo(System.Data.SqlClient.SqlBulkCopyColumnMapping[] array, int index) => throw null;
+                public int IndexOf(System.Data.SqlClient.SqlBulkCopyColumnMapping value) => throw null;
+                public void Insert(int index, System.Data.SqlClient.SqlBulkCopyColumnMapping value) => throw null;
+                public System.Data.SqlClient.SqlBulkCopyColumnMapping this[int index] { get => throw null; }
+                public void Remove(System.Data.SqlClient.SqlBulkCopyColumnMapping value) => throw null;
+                public void RemoveAt(int index) => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlBulkCopyOptions` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            [System.Flags]
+            public enum SqlBulkCopyOptions
+            {
+                CheckConstraints,
+                Default,
+                FireTriggers,
+                KeepIdentity,
+                KeepNulls,
+                TableLock,
+                UseInternalTransaction,
+            }
+
+            // Generated from `System.Data.SqlClient.SqlClientFactory` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlClientFactory : System.Data.Common.DbProviderFactory
+            {
+                public override System.Data.Common.DbCommand CreateCommand() => throw null;
+                public override System.Data.Common.DbCommandBuilder CreateCommandBuilder() => throw null;
+                public override System.Data.Common.DbConnection CreateConnection() => throw null;
+                public override System.Data.Common.DbConnectionStringBuilder CreateConnectionStringBuilder() => throw null;
+                public override System.Data.Common.DbDataAdapter CreateDataAdapter() => throw null;
+                public override System.Data.Common.DbParameter CreateParameter() => throw null;
+                public static System.Data.SqlClient.SqlClientFactory Instance;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlClientMetaDataCollectionNames` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public static class SqlClientMetaDataCollectionNames
+            {
+                public static string Columns;
+                public static string Databases;
+                public static string ForeignKeys;
+                public static string IndexColumns;
+                public static string Indexes;
+                public static string Parameters;
+                public static string ProcedureColumns;
+                public static string Procedures;
+                public static string Tables;
+                public static string UserDefinedTypes;
+                public static string Users;
+                public static string ViewColumns;
+                public static string Views;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlCommand` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlCommand : System.Data.Common.DbCommand, System.ICloneable
+            {
+                public System.IAsyncResult BeginExecuteNonQuery() => throw null;
+                public System.IAsyncResult BeginExecuteNonQuery(System.AsyncCallback callback, object stateObject) => throw null;
+                public System.IAsyncResult BeginExecuteReader() => throw null;
+                public System.IAsyncResult BeginExecuteReader(System.AsyncCallback callback, object stateObject) => throw null;
+                public System.IAsyncResult BeginExecuteReader(System.AsyncCallback callback, object stateObject, System.Data.CommandBehavior behavior) => throw null;
+                public System.IAsyncResult BeginExecuteReader(System.Data.CommandBehavior behavior) => throw null;
+                public System.IAsyncResult BeginExecuteXmlReader() => throw null;
+                public System.IAsyncResult BeginExecuteXmlReader(System.AsyncCallback callback, object stateObject) => throw null;
+                public override void Cancel() => throw null;
+                public System.Data.SqlClient.SqlCommand Clone() => throw null;
+                object System.ICloneable.Clone() => throw null;
+                public override string CommandText { get => throw null; set => throw null; }
+                public override int CommandTimeout { get => throw null; set => throw null; }
+                public override System.Data.CommandType CommandType { get => throw null; set => throw null; }
+                public System.Data.SqlClient.SqlConnection Connection { get => throw null; set => throw null; }
+                protected override System.Data.Common.DbParameter CreateDbParameter() => throw null;
+                public System.Data.SqlClient.SqlParameter CreateParameter() => throw null;
+                protected override System.Data.Common.DbConnection DbConnection { get => throw null; set => throw null; }
+                protected override System.Data.Common.DbParameterCollection DbParameterCollection { get => throw null; }
+                protected override System.Data.Common.DbTransaction DbTransaction { get => throw null; set => throw null; }
+                public override bool DesignTimeVisible { get => throw null; set => throw null; }
+                protected override void Dispose(bool disposing) => throw null;
+                public int EndExecuteNonQuery(System.IAsyncResult asyncResult) => throw null;
+                public System.Data.SqlClient.SqlDataReader EndExecuteReader(System.IAsyncResult asyncResult) => throw null;
+                public System.Xml.XmlReader EndExecuteXmlReader(System.IAsyncResult asyncResult) => throw null;
+                protected override System.Data.Common.DbDataReader ExecuteDbDataReader(System.Data.CommandBehavior behavior) => throw null;
+                protected override System.Threading.Tasks.Task<System.Data.Common.DbDataReader> ExecuteDbDataReaderAsync(System.Data.CommandBehavior behavior, System.Threading.CancellationToken cancellationToken) => throw null;
+                public override int ExecuteNonQuery() => throw null;
+                public override System.Threading.Tasks.Task<int> ExecuteNonQueryAsync(System.Threading.CancellationToken cancellationToken) => throw null;
+                public System.Data.SqlClient.SqlDataReader ExecuteReader() => throw null;
+                public System.Data.SqlClient.SqlDataReader ExecuteReader(System.Data.CommandBehavior behavior) => throw null;
+                public System.Threading.Tasks.Task<System.Data.SqlClient.SqlDataReader> ExecuteReaderAsync() => throw null;
+                public System.Threading.Tasks.Task<System.Data.SqlClient.SqlDataReader> ExecuteReaderAsync(System.Threading.CancellationToken cancellationToken) => throw null;
+                public System.Threading.Tasks.Task<System.Data.SqlClient.SqlDataReader> ExecuteReaderAsync(System.Data.CommandBehavior behavior) => throw null;
+                public System.Threading.Tasks.Task<System.Data.SqlClient.SqlDataReader> ExecuteReaderAsync(System.Data.CommandBehavior behavior, System.Threading.CancellationToken cancellationToken) => throw null;
+                public override object ExecuteScalar() => throw null;
+                public override System.Threading.Tasks.Task<object> ExecuteScalarAsync(System.Threading.CancellationToken cancellationToken) => throw null;
+                public System.Xml.XmlReader ExecuteXmlReader() => throw null;
+                public System.Threading.Tasks.Task<System.Xml.XmlReader> ExecuteXmlReaderAsync() => throw null;
+                public System.Threading.Tasks.Task<System.Xml.XmlReader> ExecuteXmlReaderAsync(System.Threading.CancellationToken cancellationToken) => throw null;
+                public System.Data.Sql.SqlNotificationRequest Notification { get => throw null; set => throw null; }
+                public System.Data.SqlClient.SqlParameterCollection Parameters { get => throw null; }
+                public override void Prepare() => throw null;
+                public void ResetCommandTimeout() => throw null;
+                public SqlCommand() => throw null;
+                public SqlCommand(string cmdText) => throw null;
+                public SqlCommand(string cmdText, System.Data.SqlClient.SqlConnection connection) => throw null;
+                public SqlCommand(string cmdText, System.Data.SqlClient.SqlConnection connection, System.Data.SqlClient.SqlTransaction transaction) => throw null;
+                public event System.Data.StatementCompletedEventHandler StatementCompleted;
+                public System.Data.SqlClient.SqlTransaction Transaction { get => throw null; set => throw null; }
+                public override System.Data.UpdateRowSource UpdatedRowSource { get => throw null; set => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlCommandBuilder` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlCommandBuilder : System.Data.Common.DbCommandBuilder
+            {
+                protected override void ApplyParameterInfo(System.Data.Common.DbParameter parameter, System.Data.DataRow datarow, System.Data.StatementType statementType, bool whereClause) => throw null;
+                public override System.Data.Common.CatalogLocation CatalogLocation { get => throw null; set => throw null; }
+                public override string CatalogSeparator { get => throw null; set => throw null; }
+                public System.Data.SqlClient.SqlDataAdapter DataAdapter { get => throw null; set => throw null; }
+                public static void DeriveParameters(System.Data.SqlClient.SqlCommand command) => throw null;
+                public System.Data.SqlClient.SqlCommand GetDeleteCommand() => throw null;
+                public System.Data.SqlClient.SqlCommand GetDeleteCommand(bool useColumnsForParameterNames) => throw null;
+                public System.Data.SqlClient.SqlCommand GetInsertCommand() => throw null;
+                public System.Data.SqlClient.SqlCommand GetInsertCommand(bool useColumnsForParameterNames) => throw null;
+                protected override string GetParameterName(int parameterOrdinal) => throw null;
+                protected override string GetParameterName(string parameterName) => throw null;
+                protected override string GetParameterPlaceholder(int parameterOrdinal) => throw null;
+                protected override System.Data.DataTable GetSchemaTable(System.Data.Common.DbCommand srcCommand) => throw null;
+                public System.Data.SqlClient.SqlCommand GetUpdateCommand() => throw null;
+                public System.Data.SqlClient.SqlCommand GetUpdateCommand(bool useColumnsForParameterNames) => throw null;
+                protected override System.Data.Common.DbCommand InitializeCommand(System.Data.Common.DbCommand command) => throw null;
+                public override string QuoteIdentifier(string unquotedIdentifier) => throw null;
+                public override string QuotePrefix { get => throw null; set => throw null; }
+                public override string QuoteSuffix { get => throw null; set => throw null; }
+                public override string SchemaSeparator { get => throw null; set => throw null; }
+                protected override void SetRowUpdatingHandler(System.Data.Common.DbDataAdapter adapter) => throw null;
+                public SqlCommandBuilder() => throw null;
+                public SqlCommandBuilder(System.Data.SqlClient.SqlDataAdapter adapter) => throw null;
+                public override string UnquoteIdentifier(string quotedIdentifier) => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlConnection` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlConnection : System.Data.Common.DbConnection, System.ICloneable
+            {
+                public string AccessToken { get => throw null; set => throw null; }
+                protected override System.Data.Common.DbTransaction BeginDbTransaction(System.Data.IsolationLevel isolationLevel) => throw null;
+                public System.Data.SqlClient.SqlTransaction BeginTransaction() => throw null;
+                public System.Data.SqlClient.SqlTransaction BeginTransaction(System.Data.IsolationLevel iso) => throw null;
+                public System.Data.SqlClient.SqlTransaction BeginTransaction(System.Data.IsolationLevel iso, string transactionName) => throw null;
+                public System.Data.SqlClient.SqlTransaction BeginTransaction(string transactionName) => throw null;
+                public override void ChangeDatabase(string database) => throw null;
+                public static void ChangePassword(string connectionString, System.Data.SqlClient.SqlCredential credential, System.Security.SecureString newPassword) => throw null;
+                public static void ChangePassword(string connectionString, string newPassword) => throw null;
+                public static void ClearAllPools() => throw null;
+                public static void ClearPool(System.Data.SqlClient.SqlConnection connection) => throw null;
+                public System.Guid ClientConnectionId { get => throw null; }
+                object System.ICloneable.Clone() => throw null;
+                public override void Close() => throw null;
+                public override string ConnectionString { get => throw null; set => throw null; }
+                public override int ConnectionTimeout { get => throw null; }
+                public System.Data.SqlClient.SqlCommand CreateCommand() => throw null;
+                protected override System.Data.Common.DbCommand CreateDbCommand() => throw null;
+                public System.Data.SqlClient.SqlCredential Credential { get => throw null; set => throw null; }
+                public override string DataSource { get => throw null; }
+                public override string Database { get => throw null; }
+                protected override void Dispose(bool disposing) => throw null;
+                public bool FireInfoMessageEventOnUserErrors { get => throw null; set => throw null; }
+                public override System.Data.DataTable GetSchema() => throw null;
+                public override System.Data.DataTable GetSchema(string collectionName) => throw null;
+                public override System.Data.DataTable GetSchema(string collectionName, string[] restrictionValues) => throw null;
+                public event System.Data.SqlClient.SqlInfoMessageEventHandler InfoMessage;
+                public override void Open() => throw null;
+                public override System.Threading.Tasks.Task OpenAsync(System.Threading.CancellationToken cancellationToken) => throw null;
+                public int PacketSize { get => throw null; }
+                public void ResetStatistics() => throw null;
+                public System.Collections.IDictionary RetrieveStatistics() => throw null;
+                public override string ServerVersion { get => throw null; }
+                public SqlConnection() => throw null;
+                public SqlConnection(string connectionString) => throw null;
+                public SqlConnection(string connectionString, System.Data.SqlClient.SqlCredential credential) => throw null;
+                public override System.Data.ConnectionState State { get => throw null; }
+                public bool StatisticsEnabled { get => throw null; set => throw null; }
+                public string WorkstationId { get => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlConnectionStringBuilder` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlConnectionStringBuilder : System.Data.Common.DbConnectionStringBuilder
+            {
+                public System.Data.SqlClient.ApplicationIntent ApplicationIntent { get => throw null; set => throw null; }
+                public string ApplicationName { get => throw null; set => throw null; }
+                public string AttachDBFilename { get => throw null; set => throw null; }
+                public override void Clear() => throw null;
+                public int ConnectRetryCount { get => throw null; set => throw null; }
+                public int ConnectRetryInterval { get => throw null; set => throw null; }
+                public int ConnectTimeout { get => throw null; set => throw null; }
+                public override bool ContainsKey(string keyword) => throw null;
+                public string CurrentLanguage { get => throw null; set => throw null; }
+                public string DataSource { get => throw null; set => throw null; }
+                public bool Encrypt { get => throw null; set => throw null; }
+                public bool Enlist { get => throw null; set => throw null; }
+                public string FailoverPartner { get => throw null; set => throw null; }
+                public string InitialCatalog { get => throw null; set => throw null; }
+                public bool IntegratedSecurity { get => throw null; set => throw null; }
+                public override object this[string keyword] { get => throw null; set => throw null; }
+                public override System.Collections.ICollection Keys { get => throw null; }
+                public int LoadBalanceTimeout { get => throw null; set => throw null; }
+                public int MaxPoolSize { get => throw null; set => throw null; }
+                public int MinPoolSize { get => throw null; set => throw null; }
+                public bool MultiSubnetFailover { get => throw null; set => throw null; }
+                public bool MultipleActiveResultSets { get => throw null; set => throw null; }
+                public int PacketSize { get => throw null; set => throw null; }
+                public string Password { get => throw null; set => throw null; }
+                public bool PersistSecurityInfo { get => throw null; set => throw null; }
+                public System.Data.SqlClient.PoolBlockingPeriod PoolBlockingPeriod { get => throw null; set => throw null; }
+                public bool Pooling { get => throw null; set => throw null; }
+                public override bool Remove(string keyword) => throw null;
+                public bool Replication { get => throw null; set => throw null; }
+                public override bool ShouldSerialize(string keyword) => throw null;
+                public SqlConnectionStringBuilder() => throw null;
+                public SqlConnectionStringBuilder(string connectionString) => throw null;
+                public string TransactionBinding { get => throw null; set => throw null; }
+                public bool TrustServerCertificate { get => throw null; set => throw null; }
+                public override bool TryGetValue(string keyword, out object value) => throw null;
+                public string TypeSystemVersion { get => throw null; set => throw null; }
+                public string UserID { get => throw null; set => throw null; }
+                public bool UserInstance { get => throw null; set => throw null; }
+                public override System.Collections.ICollection Values { get => throw null; }
+                public string WorkstationID { get => throw null; set => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlCredential` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlCredential
+            {
+                public System.Security.SecureString Password { get => throw null; }
+                public SqlCredential(string userId, System.Security.SecureString password) => throw null;
+                public string UserId { get => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlDataAdapter` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlDataAdapter : System.Data.Common.DbDataAdapter, System.Data.IDataAdapter, System.Data.IDbDataAdapter, System.ICloneable
+            {
+                object System.ICloneable.Clone() => throw null;
+                public System.Data.SqlClient.SqlCommand DeleteCommand { get => throw null; set => throw null; }
+                System.Data.IDbCommand System.Data.IDbDataAdapter.DeleteCommand { get => throw null; set => throw null; }
+                public System.Data.SqlClient.SqlCommand InsertCommand { get => throw null; set => throw null; }
+                System.Data.IDbCommand System.Data.IDbDataAdapter.InsertCommand { get => throw null; set => throw null; }
+                protected override void OnRowUpdated(System.Data.Common.RowUpdatedEventArgs value) => throw null;
+                protected override void OnRowUpdating(System.Data.Common.RowUpdatingEventArgs value) => throw null;
+                public event System.Data.SqlClient.SqlRowUpdatedEventHandler RowUpdated;
+                public event System.Data.SqlClient.SqlRowUpdatingEventHandler RowUpdating;
+                public System.Data.SqlClient.SqlCommand SelectCommand { get => throw null; set => throw null; }
+                System.Data.IDbCommand System.Data.IDbDataAdapter.SelectCommand { get => throw null; set => throw null; }
+                public SqlDataAdapter() => throw null;
+                public SqlDataAdapter(System.Data.SqlClient.SqlCommand selectCommand) => throw null;
+                public SqlDataAdapter(string selectCommandText, System.Data.SqlClient.SqlConnection selectConnection) => throw null;
+                public SqlDataAdapter(string selectCommandText, string selectConnectionString) => throw null;
+                public override int UpdateBatchSize { get => throw null; set => throw null; }
+                public System.Data.SqlClient.SqlCommand UpdateCommand { get => throw null; set => throw null; }
+                System.Data.IDbCommand System.Data.IDbDataAdapter.UpdateCommand { get => throw null; set => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlDataReader` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlDataReader : System.Data.Common.DbDataReader, System.Data.Common.IDbColumnSchemaGenerator, System.IDisposable
+            {
+                protected System.Data.SqlClient.SqlConnection Connection { get => throw null; }
+                public override int Depth { get => throw null; }
+                public override int FieldCount { get => throw null; }
+                public override bool GetBoolean(int i) => throw null;
+                public override System.Byte GetByte(int i) => throw null;
+                public override System.Int64 GetBytes(int i, System.Int64 dataIndex, System.Byte[] buffer, int bufferIndex, int length) => throw null;
+                public override System.Char GetChar(int i) => throw null;
+                public override System.Int64 GetChars(int i, System.Int64 dataIndex, System.Char[] buffer, int bufferIndex, int length) => throw null;
+                public System.Collections.ObjectModel.ReadOnlyCollection<System.Data.Common.DbColumn> GetColumnSchema() => throw null;
+                public override string GetDataTypeName(int i) => throw null;
+                public override System.DateTime GetDateTime(int i) => throw null;
+                public virtual System.DateTimeOffset GetDateTimeOffset(int i) => throw null;
+                public override System.Decimal GetDecimal(int i) => throw null;
+                public override double GetDouble(int i) => throw null;
+                public override System.Collections.IEnumerator GetEnumerator() => throw null;
+                public override System.Type GetFieldType(int i) => throw null;
+                public override T GetFieldValue<T>(int i) => throw null;
+                public override System.Threading.Tasks.Task<T> GetFieldValueAsync<T>(int i, System.Threading.CancellationToken cancellationToken) => throw null;
+                public override float GetFloat(int i) => throw null;
+                public override System.Guid GetGuid(int i) => throw null;
+                public override System.Int16 GetInt16(int i) => throw null;
+                public override int GetInt32(int i) => throw null;
+                public override System.Int64 GetInt64(int i) => throw null;
+                public override string GetName(int i) => throw null;
+                public override int GetOrdinal(string name) => throw null;
+                public override System.Type GetProviderSpecificFieldType(int i) => throw null;
+                public override object GetProviderSpecificValue(int i) => throw null;
+                public override int GetProviderSpecificValues(object[] values) => throw null;
+                public override System.Data.DataTable GetSchemaTable() => throw null;
+                public virtual System.Data.SqlTypes.SqlBinary GetSqlBinary(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlBoolean GetSqlBoolean(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlByte GetSqlByte(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlBytes GetSqlBytes(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlChars GetSqlChars(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlDateTime GetSqlDateTime(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlDecimal GetSqlDecimal(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlDouble GetSqlDouble(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlGuid GetSqlGuid(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlInt16 GetSqlInt16(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlInt32 GetSqlInt32(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlInt64 GetSqlInt64(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlMoney GetSqlMoney(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlSingle GetSqlSingle(int i) => throw null;
+                public virtual System.Data.SqlTypes.SqlString GetSqlString(int i) => throw null;
+                public virtual object GetSqlValue(int i) => throw null;
+                public virtual int GetSqlValues(object[] values) => throw null;
+                public virtual System.Data.SqlTypes.SqlXml GetSqlXml(int i) => throw null;
+                public override System.IO.Stream GetStream(int i) => throw null;
+                public override string GetString(int i) => throw null;
+                public override System.IO.TextReader GetTextReader(int i) => throw null;
+                public virtual System.TimeSpan GetTimeSpan(int i) => throw null;
+                public override object GetValue(int i) => throw null;
+                public override int GetValues(object[] values) => throw null;
+                public virtual System.Xml.XmlReader GetXmlReader(int i) => throw null;
+                public override bool HasRows { get => throw null; }
+                public override bool IsClosed { get => throw null; }
+                protected internal bool IsCommandBehavior(System.Data.CommandBehavior condition) => throw null;
+                public override bool IsDBNull(int i) => throw null;
+                public override System.Threading.Tasks.Task<bool> IsDBNullAsync(int i, System.Threading.CancellationToken cancellationToken) => throw null;
+                public override object this[int i] { get => throw null; }
+                public override object this[string name] { get => throw null; }
+                public override bool NextResult() => throw null;
+                public override System.Threading.Tasks.Task<bool> NextResultAsync(System.Threading.CancellationToken cancellationToken) => throw null;
+                public override bool Read() => throw null;
+                public override System.Threading.Tasks.Task<bool> ReadAsync(System.Threading.CancellationToken cancellationToken) => throw null;
+                public override int RecordsAffected { get => throw null; }
+                public override int VisibleFieldCount { get => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlDependency` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlDependency
+            {
+                public void AddCommandDependency(System.Data.SqlClient.SqlCommand command) => throw null;
+                public bool HasChanges { get => throw null; }
+                public string Id { get => throw null; }
+                public event System.Data.SqlClient.OnChangeEventHandler OnChange;
+                public SqlDependency() => throw null;
+                public SqlDependency(System.Data.SqlClient.SqlCommand command) => throw null;
+                public SqlDependency(System.Data.SqlClient.SqlCommand command, string options, int timeout) => throw null;
+                public static bool Start(string connectionString) => throw null;
+                public static bool Start(string connectionString, string queue) => throw null;
+                public static bool Stop(string connectionString) => throw null;
+                public static bool Stop(string connectionString, string queue) => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlError` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlError
+            {
+                public System.Byte Class { get => throw null; }
+                public int LineNumber { get => throw null; }
+                public string Message { get => throw null; }
+                public int Number { get => throw null; }
+                public string Procedure { get => throw null; }
+                public string Server { get => throw null; }
+                public string Source { get => throw null; }
+                public System.Byte State { get => throw null; }
+                public override string ToString() => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlErrorCollection` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlErrorCollection : System.Collections.ICollection, System.Collections.IEnumerable
+            {
+                public void CopyTo(System.Array array, int index) => throw null;
+                public void CopyTo(System.Data.SqlClient.SqlError[] array, int index) => throw null;
+                public int Count { get => throw null; }
+                public System.Collections.IEnumerator GetEnumerator() => throw null;
+                bool System.Collections.ICollection.IsSynchronized { get => throw null; }
+                public System.Data.SqlClient.SqlError this[int index] { get => throw null; }
+                object System.Collections.ICollection.SyncRoot { get => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlException` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlException : System.Data.Common.DbException
+            {
+                public System.Byte Class { get => throw null; }
+                public System.Guid ClientConnectionId { get => throw null; }
+                public System.Data.SqlClient.SqlErrorCollection Errors { get => throw null; }
+                public override void GetObjectData(System.Runtime.Serialization.SerializationInfo si, System.Runtime.Serialization.StreamingContext context) => throw null;
+                public int LineNumber { get => throw null; }
+                public int Number { get => throw null; }
+                public string Procedure { get => throw null; }
+                public string Server { get => throw null; }
+                public override string Source { get => throw null; }
+                public System.Byte State { get => throw null; }
+                public override string ToString() => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlInfoMessageEventArgs` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlInfoMessageEventArgs : System.EventArgs
+            {
+                public System.Data.SqlClient.SqlErrorCollection Errors { get => throw null; }
+                public string Message { get => throw null; }
+                public string Source { get => throw null; }
+                public override string ToString() => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlInfoMessageEventHandler` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public delegate void SqlInfoMessageEventHandler(object sender, System.Data.SqlClient.SqlInfoMessageEventArgs e);
+
+            // Generated from `System.Data.SqlClient.SqlNotificationEventArgs` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlNotificationEventArgs : System.EventArgs
+            {
+                public System.Data.SqlClient.SqlNotificationInfo Info { get => throw null; }
+                public System.Data.SqlClient.SqlNotificationSource Source { get => throw null; }
+                public SqlNotificationEventArgs(System.Data.SqlClient.SqlNotificationType type, System.Data.SqlClient.SqlNotificationInfo info, System.Data.SqlClient.SqlNotificationSource source) => throw null;
+                public System.Data.SqlClient.SqlNotificationType Type { get => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlNotificationInfo` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum SqlNotificationInfo
+            {
+                AlreadyChanged,
+                Alter,
+                Delete,
+                Drop,
+                Error,
+                Expired,
+                Insert,
+                Invalid,
+                Isolation,
+                Merge,
+                Options,
+                PreviousFire,
+                Query,
+                Resource,
+                Restart,
+                TemplateLimit,
+                Truncate,
+                Unknown,
+                Update,
+            }
+
+            // Generated from `System.Data.SqlClient.SqlNotificationSource` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum SqlNotificationSource
+            {
+                Client,
+                Data,
+                Database,
+                Environment,
+                Execution,
+                Object,
+                Owner,
+                Statement,
+                System,
+                Timeout,
+                Unknown,
+            }
+
+            // Generated from `System.Data.SqlClient.SqlNotificationType` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public enum SqlNotificationType
+            {
+                Change,
+                Subscribe,
+                Unknown,
+            }
+
+            // Generated from `System.Data.SqlClient.SqlParameter` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlParameter : System.Data.Common.DbParameter, System.ICloneable
+            {
+                object System.ICloneable.Clone() => throw null;
+                public System.Data.SqlTypes.SqlCompareOptions CompareInfo { get => throw null; set => throw null; }
+                public override System.Data.DbType DbType { get => throw null; set => throw null; }
+                public override System.Data.ParameterDirection Direction { get => throw null; set => throw null; }
+                public override bool IsNullable { get => throw null; set => throw null; }
+                public int LocaleId { get => throw null; set => throw null; }
+                public int Offset { get => throw null; set => throw null; }
+                public override string ParameterName { get => throw null; set => throw null; }
+                public System.Byte Precision { get => throw null; set => throw null; }
+                public override void ResetDbType() => throw null;
+                public void ResetSqlDbType() => throw null;
+                public System.Byte Scale { get => throw null; set => throw null; }
+                public override int Size { get => throw null; set => throw null; }
+                public override string SourceColumn { get => throw null; set => throw null; }
+                public override bool SourceColumnNullMapping { get => throw null; set => throw null; }
+                public override System.Data.DataRowVersion SourceVersion { get => throw null; set => throw null; }
+                public System.Data.SqlDbType SqlDbType { get => throw null; set => throw null; }
+                public SqlParameter() => throw null;
+                public SqlParameter(string parameterName, System.Data.SqlDbType dbType) => throw null;
+                public SqlParameter(string parameterName, System.Data.SqlDbType dbType, int size) => throw null;
+                public SqlParameter(string parameterName, System.Data.SqlDbType dbType, int size, System.Data.ParameterDirection direction, bool isNullable, System.Byte precision, System.Byte scale, string sourceColumn, System.Data.DataRowVersion sourceVersion, object value) => throw null;
+                public SqlParameter(string parameterName, System.Data.SqlDbType dbType, int size, System.Data.ParameterDirection direction, System.Byte precision, System.Byte scale, string sourceColumn, System.Data.DataRowVersion sourceVersion, bool sourceColumnNullMapping, object value, string xmlSchemaCollectionDatabase, string xmlSchemaCollectionOwningSchema, string xmlSchemaCollectionName) => throw null;
+                public SqlParameter(string parameterName, System.Data.SqlDbType dbType, int size, string sourceColumn) => throw null;
+                public SqlParameter(string parameterName, object value) => throw null;
+                public object SqlValue { get => throw null; set => throw null; }
+                public override string ToString() => throw null;
+                public string TypeName { get => throw null; set => throw null; }
+                public string UdtTypeName { get => throw null; set => throw null; }
+                public override object Value { get => throw null; set => throw null; }
+                public string XmlSchemaCollectionDatabase { get => throw null; set => throw null; }
+                public string XmlSchemaCollectionName { get => throw null; set => throw null; }
+                public string XmlSchemaCollectionOwningSchema { get => throw null; set => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlParameterCollection` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlParameterCollection : System.Data.Common.DbParameterCollection
+            {
+                public System.Data.SqlClient.SqlParameter Add(System.Data.SqlClient.SqlParameter value) => throw null;
+                public override int Add(object value) => throw null;
+                public System.Data.SqlClient.SqlParameter Add(string parameterName, System.Data.SqlDbType sqlDbType) => throw null;
+                public System.Data.SqlClient.SqlParameter Add(string parameterName, System.Data.SqlDbType sqlDbType, int size) => throw null;
+                public System.Data.SqlClient.SqlParameter Add(string parameterName, System.Data.SqlDbType sqlDbType, int size, string sourceColumn) => throw null;
+                public override void AddRange(System.Array values) => throw null;
+                public void AddRange(System.Data.SqlClient.SqlParameter[] values) => throw null;
+                public System.Data.SqlClient.SqlParameter AddWithValue(string parameterName, object value) => throw null;
+                public override void Clear() => throw null;
+                public bool Contains(System.Data.SqlClient.SqlParameter value) => throw null;
+                public override bool Contains(object value) => throw null;
+                public override bool Contains(string value) => throw null;
+                public override void CopyTo(System.Array array, int index) => throw null;
+                public void CopyTo(System.Data.SqlClient.SqlParameter[] array, int index) => throw null;
+                public override int Count { get => throw null; }
+                public override System.Collections.IEnumerator GetEnumerator() => throw null;
+                protected override System.Data.Common.DbParameter GetParameter(int index) => throw null;
+                protected override System.Data.Common.DbParameter GetParameter(string parameterName) => throw null;
+                public int IndexOf(System.Data.SqlClient.SqlParameter value) => throw null;
+                public override int IndexOf(object value) => throw null;
+                public override int IndexOf(string parameterName) => throw null;
+                public void Insert(int index, System.Data.SqlClient.SqlParameter value) => throw null;
+                public override void Insert(int index, object value) => throw null;
+                public override bool IsFixedSize { get => throw null; }
+                public override bool IsReadOnly { get => throw null; }
+                public System.Data.SqlClient.SqlParameter this[int index] { get => throw null; set => throw null; }
+                public System.Data.SqlClient.SqlParameter this[string parameterName] { get => throw null; set => throw null; }
+                public void Remove(System.Data.SqlClient.SqlParameter value) => throw null;
+                public override void Remove(object value) => throw null;
+                public override void RemoveAt(int index) => throw null;
+                public override void RemoveAt(string parameterName) => throw null;
+                protected override void SetParameter(int index, System.Data.Common.DbParameter value) => throw null;
+                protected override void SetParameter(string parameterName, System.Data.Common.DbParameter value) => throw null;
+                public override object SyncRoot { get => throw null; }
+            }
+
+            // Generated from `System.Data.SqlClient.SqlRowUpdatedEventArgs` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlRowUpdatedEventArgs : System.Data.Common.RowUpdatedEventArgs
+            {
+                public System.Data.SqlClient.SqlCommand Command { get => throw null; }
+                public SqlRowUpdatedEventArgs(System.Data.DataRow row, System.Data.IDbCommand command, System.Data.StatementType statementType, System.Data.Common.DataTableMapping tableMapping) : base(default(System.Data.DataRow), default(System.Data.IDbCommand), default(System.Data.StatementType), default(System.Data.Common.DataTableMapping)) => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlRowUpdatedEventHandler` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public delegate void SqlRowUpdatedEventHandler(object sender, System.Data.SqlClient.SqlRowUpdatedEventArgs e);
+
+            // Generated from `System.Data.SqlClient.SqlRowUpdatingEventArgs` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlRowUpdatingEventArgs : System.Data.Common.RowUpdatingEventArgs
+            {
+                protected override System.Data.IDbCommand BaseCommand { get => throw null; set => throw null; }
+                public System.Data.SqlClient.SqlCommand Command { get => throw null; set => throw null; }
+                public SqlRowUpdatingEventArgs(System.Data.DataRow row, System.Data.IDbCommand command, System.Data.StatementType statementType, System.Data.Common.DataTableMapping tableMapping) : base(default(System.Data.DataRow), default(System.Data.IDbCommand), default(System.Data.StatementType), default(System.Data.Common.DataTableMapping)) => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlRowUpdatingEventHandler` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public delegate void SqlRowUpdatingEventHandler(object sender, System.Data.SqlClient.SqlRowUpdatingEventArgs e);
+
+            // Generated from `System.Data.SqlClient.SqlRowsCopiedEventArgs` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlRowsCopiedEventArgs : System.EventArgs
+            {
+                public bool Abort { get => throw null; set => throw null; }
+                public System.Int64 RowsCopied { get => throw null; }
+                public SqlRowsCopiedEventArgs(System.Int64 rowsCopied) => throw null;
+            }
+
+            // Generated from `System.Data.SqlClient.SqlRowsCopiedEventHandler` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public delegate void SqlRowsCopiedEventHandler(object sender, System.Data.SqlClient.SqlRowsCopiedEventArgs e);
+
+            // Generated from `System.Data.SqlClient.SqlTransaction` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlTransaction : System.Data.Common.DbTransaction
+            {
+                public override void Commit() => throw null;
+                public System.Data.SqlClient.SqlConnection Connection { get => throw null; }
+                protected override System.Data.Common.DbConnection DbConnection { get => throw null; }
+                protected override void Dispose(bool disposing) => throw null;
+                public override System.Data.IsolationLevel IsolationLevel { get => throw null; }
+                public override void Rollback() => throw null;
+                public void Rollback(string transactionName) => throw null;
+                public void Save(string savePointName) => throw null;
+            }
+
+        }
+        namespace SqlTypes
+        {
+            // Generated from `System.Data.SqlTypes.SqlFileStream` in `System.Data.SqlClient, Version=4.6.1.3, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a`
+            public class SqlFileStream : System.IO.Stream
+            {
+                public override bool CanRead { get => throw null; }
+                public override bool CanSeek { get => throw null; }
+                public override bool CanWrite { get => throw null; }
+                public override void Flush() => throw null;
+                public override System.Int64 Length { get => throw null; }
+                public string Name { get => throw null; }
+                public override System.Int64 Position { get => throw null; set => throw null; }
+                public override int Read(System.Byte[] buffer, int offset, int count) => throw null;
+                public override System.Int64 Seek(System.Int64 offset, System.IO.SeekOrigin origin) => throw null;
+                public override void SetLength(System.Int64 value) => throw null;
+                public SqlFileStream(string path, System.Byte[] transactionContext, System.IO.FileAccess access) => throw null;
+                public SqlFileStream(string path, System.Byte[] transactionContext, System.IO.FileAccess access, System.IO.FileOptions options, System.Int64 allocationSize) => throw null;
+                public System.Byte[] TransactionContext { get => throw null; }
+                public override void Write(System.Byte[] buffer, int offset, int count) => throw null;
+            }
+
+        }
+    }
+}

csharp/ql/test/resources/stubs/System.Data.SqlClient/4.8.3/System.Data.SqlClient.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../Microsoft.Win32.Registry/4.7.0/Microsoft.Win32.Registry.csproj" />
+    <ProjectReference Include="../../System.Security.Principal.Windows/4.7.0/System.Security.Principal.Windows.csproj" />
+    <ProjectReference Include="../../runtime.native.System.Data.SqlClient.sni/4.7.0/runtime.native.System.Data.SqlClient.sni.csproj" />
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/resources/stubs/System.Security.AccessControl/4.7.0/System.Security.AccessControl.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../Microsoft.NETCore.Platforms/3.1.0/Microsoft.NETCore.Platforms.csproj" />
+    <ProjectReference Include="../../System.Security.Principal.Windows/4.7.0/System.Security.Principal.Windows.csproj" />
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/resources/stubs/System.Security.Principal.Windows/4.7.0/System.Security.Principal.Windows.csproj

@@ -0,0 +1,12 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/resources/stubs/System.Web.cs

@@ -169,14 +169,6 @@ namespace System.Web
         public HttpServerUtility Server => null;
     }
 
-    public class HttpUtility
-    {
-        public static string HtmlEncode(object value) => null;
-        public static string HtmlEncode(string value) => null;
-        public static string UrlEncode(string value) => null;
-        public static string HtmlAttributeEncode(string value) => null;
-    }
-
     public class HttpCookie
     {
         public HttpCookie(string name)

csharp/ql/test/resources/stubs/runtime.native.System.Data.SqlClient.sni/4.7.0/runtime.native.System.Data.SqlClient.sni.csproj

@@ -0,0 +1,15 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../runtime.win-arm64.runtime.native.System.Data.SqlClient.sni/4.4.0/runtime.win-arm64.runtime.native.System.Data.SqlClient.sni.csproj" />
+    <ProjectReference Include="../../runtime.win-x64.runtime.native.System.Data.SqlClient.sni/4.4.0/runtime.win-x64.runtime.native.System.Data.SqlClient.sni.csproj" />
+    <ProjectReference Include="../../runtime.win-x86.runtime.native.System.Data.SqlClient.sni/4.4.0/runtime.win-x86.runtime.native.System.Data.SqlClient.sni.csproj" />
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/resources/stubs/runtime.win-arm64.runtime.native.System.Data.SqlClient.sni/4.4.0/runtime.win-arm64.runtime.native.System.Data.SqlClient.sni.csproj

@@ -0,0 +1,12 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/resources/stubs/runtime.win-x64.runtime.native.System.Data.SqlClient.sni/4.4.0/runtime.win-x64.runtime.native.System.Data.SqlClient.sni.csproj

@@ -0,0 +1,12 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/resources/stubs/runtime.win-x86.runtime.native.System.Data.SqlClient.sni/4.4.0/runtime.win-x86.runtime.native.System.Data.SqlClient.sni.csproj

@@ -0,0 +1,12 @@
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+    <TargetFramework>net5.0</TargetFramework>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
+    <OutputPath>bin\</OutputPath>
+    <AppendTargetFrameworkToOutputPath>false</AppendTargetFrameworkToOutputPath>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="../../_frameworks/Microsoft.NETCore.App/Microsoft.NETCore.App.csproj" />
+  </ItemGroup>
+</Project>

csharp/ql/test/shared/FlowSummaries.qll

@@ -12,17 +12,18 @@ abstract class IncludeSummarizedCallable extends RelevantSummarizedCallable {
       concat(Parameter p, int i |
         p = this.getParameter(i)
       |
-        p.getType().getQualifiedName(), ", " order by i
+        p.getType().getQualifiedName(), "," order by i
       )
   }
 
-  /* Gets a string representing, whether the declaring type is an interface. */
+  predicate isAbstractOrInterface() {
+    this.getDeclaringType() instanceof Interface or
+    this.(Modifiable).isAbstract()
+  }
+
+  /** Gets a string representing, whether the declaring type is an interface. */
   private string getCallableOverride() {
-    if
-      this.getDeclaringType() instanceof Interface or
-      this.(Modifiable).isAbstract()
-    then result = "true"
-    else result = "false"
+    if this.isAbstractOrInterface() then result = "true" else result = "false"
   }
 
   /** Gets a string representing the callable in semi-colon separated format for use in flow summaries. */

csharp/upgrades/CHANGELOG.md

@@ -1 +0,0 @@
-## 0.0.4

csharp/upgrades/change-notes/released/0.0.4.md

@@ -1 +0,0 @@
-## 0.0.4

csharp/upgrades/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.0.4

csharp/upgrades/qlpack.yml

@@ -1,5 +1,4 @@
 name: codeql/csharp-upgrades
-groups: csharp
-version: 0.0.4
 upgrades: .
+version: 0.0.2
 library: true

java/documentation/library-coverage/coverage.csv

@@ -94,9 +94,9 @@ play.mvc,,4,,,,,,,,,,,,,,,,,,,,,,4,,
 ratpack.core.form,,,3,,,,,,,,,,,,,,,,,,,,,,3,
 ratpack.core.handling,,6,4,,,,,,,,,,,,,,,,,,,,,6,4,
 ratpack.core.http,,10,10,,,,,,,,,,,,,,,,,,,,,10,10,
-ratpack.exec,,,26,,,,,,,,,,,,,,,,,,,,,,,26
+ratpack.exec,,,48,,,,,,,,,,,,,,,,,,,,,,,48
 ratpack.form,,,3,,,,,,,,,,,,,,,,,,,,,,3,
-ratpack.func,,,5,,,,,,,,,,,,,,,,,,,,,,,5
+ratpack.func,,,35,,,,,,,,,,,,,,,,,,,,,,,35
 ratpack.handling,,6,4,,,,,,,,,,,,,,,,,,,,,6,4,
 ratpack.http,,10,10,,,,,,,,,,,,,,,,,,,,,10,10,
-ratpack.util,,,5,,,,,,,,,,,,,,,,,,,,,,,5
+ratpack.util,,,35,,,,,,,,,,,,,,,,,,,,,,,35

java/documentation/library-coverage/coverage.rst

@@ -18,6 +18,6 @@ Java framework & library support
    Java Standard Library,``java.*``,3,524,30,13,,,7,,,10
    Java extensions,"``javax.*``, ``jakarta.*``",54,552,32,,,4,,1,1,2
    `Spring <https://spring.io/>`_,``org.springframework.*``,29,469,91,,,,19,14,,29
-   Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.unboundid.ldap.sdk``, ``flexjson``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.mvel2``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``",39,99,151,,,,14,18,,
-   Totals,,175,5369,431,13,6,10,107,33,1,66
+   Others,"``cn.hutool.core.codec``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.fasterxml.jackson.core``, ``com.fasterxml.jackson.databind``, ``com.opensymphony.xwork2.ognl``, ``com.unboundid.ldap.sdk``, ``flexjson``, ``groovy.lang``, ``groovy.util``, ``jodd.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.apache.commons.codec``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.ognl``, ``org.apache.directory.ldap.client.api``, ``org.apache.ibatis.jdbc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.codehaus.groovy.control``, ``org.dom4j``, ``org.hibernate``, ``org.jooq``, ``org.mvel2``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``",39,181,151,,,,14,18,,
+   Totals,,175,5451,431,13,6,10,107,33,1,66
 

java/ql/lib/CHANGELOG.md

@@ -1,7 +0,0 @@
-## 0.0.4
-
-### Bug Fixes
-
-* `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
-* The `RangeAnalysis` module and the `java/constant-comparison` queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals.
-* The predicate `Method.overrides(Method)` was accidentally transitive. This has been fixed. This fix also affects `Method.overridesOrInstantiates(Method)` and `Method.getASourceOverriddenMethod()`.

java/ql/lib/change-notes/released/0.0.4.md

@@ -1,7 +0,0 @@
-## 0.0.4
-
-### Bug Fixes
-
-* `CharacterLiteral`'s `getCodePointValue` predicate now returns the correct value for UTF-16 surrogates.
-* The `RangeAnalysis` module and the `java/constant-comparison` queries no longer raise false alerts regarding comparisons with Unicode surrogate character literals.
-* The predicate `Method.overrides(Method)` was accidentally transitive. This has been fixed. This fix also affects `Method.overridesOrInstantiates(Method)` and `Method.getASourceOverriddenMethod()`.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +0,0 @@
----
-lastReleaseVersion: 0.0.4

java/ql/lib/qlpack.yml

@@ -1,8 +1,7 @@
 name: codeql/java-all
-version: 0.0.4
-groups: java
+version: 0.0.2
 dbscheme: config/semmlecode.dbscheme
 extractor: java
 library: true
 dependencies:
-    codeql/java-upgrades: 0.0.3
+    codeql/java-upgrades: 0.0.2

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }
 

java/ql/lib/semmle/code/java/dataflow/internal/DataFlowImpl2.qll

@@ -1012,6 +1012,9 @@ private module Stage2 {
 
   private predicate flowIntoCall = flowIntoCallNodeCand1/5;
 
+  bindingset[node, ap]
+  private predicate filter(NodeEx node, Ap ap) { any() }
+
   bindingset[ap, contentType]
   private predicate typecheckStore(Ap ap, DataFlowType contentType) { any() }
 
@@ -1020,6 +1023,13 @@ private module Stage2 {
     PrevStage::revFlow(node, _, _, apa, config)
   }
 
+  bindingset[result, apa]
+  private ApApprox unbindApa(ApApprox apa) {
+    exists(ApApprox apa0 |
+      apa = pragma[only_bind_into](apa0) and result = pragma[only_bind_into](apa0)
+    )
+  }
+
   pragma[nomagic]
   private predicate flowThroughOutOfCall(
     DataFlowCall call, CcCall ccc, RetNodeEx ret, NodeEx out, boolean allowsFieldFlow,
@@ -1042,6 +1052,13 @@ private module Stage2 {
    */
   pragma[nomagic]
   predicate fwdFlow(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
+    fwdFlow0(node, cc, argAp, ap, config) and
+    flowCand(node, unbindApa(getApprox(ap)), config) and
+    filter(node, ap)
+  }
+
+  pragma[nomagic]
+  private predicate fwdFlow0(NodeEx node, Cc cc, ApOption argAp, Ap ap, Configuration config) {
     flowCand(node, _, config) and
     sourceNode(node, config) and
     (if hasSourceCallCtx(config) then cc = ccSomeCall() else cc = ccNone()) and
@@ -1112,7 +1129,7 @@ private module Stage2 {
   ) {
     exists(DataFlowType contentType |
       fwdFlow(node1, cc, argAp, ap1, config) and
-      PrevStage::storeStepCand(node1, getApprox(ap1), tc, node2, contentType, config) and
+      PrevStage::storeStepCand(node1, unbindApa(getApprox(ap1)), tc, node2, contentType, config) and
       typecheckStore(ap1, contentType)
     )
   }
@@ -1189,7 +1206,7 @@ private module Stage2 {
   ) {
     exists(ParamNodeEx p |
       fwdFlowIn(call, p, cc, _, argAp, ap, config) and
-      PrevStage::parameterMayFlowThrough(p, _, getApprox(ap), config)
+      PrevStage::parameterMayFlowThrough(p, _, unbindApa(getApprox(ap)), config)
     )
   }