Kotlin extractor: scope Object-method redeclaration recovery

Why this is needed:
- library-tests/java-kotlin-collection-type-generic-methods/test.ql regressed with extra equals(Object) rows on generic collection/map/list declaration variants.
- At the same time, java-interface-redeclares-tostring must still recover Object-method redeclarations for Java binary interfaces under K2.

What changed:
- In K2 ASM probing, treat classes with kotlin.Metadata as non-Java binaries for javaBinaryDeclaresMethod, so Java-redeclaration recovery does not fire on Kotlin binary classes.
- Keep equals(Object) K2 Any/Any? compatibility handling, but constrain the workaround to non-generic parent classes and skip it when a concrete sibling declaration already exists.
- Preserve the existing toString/hashCode redeclaration recovery path for affected Java binaries.

Effect:
- Removes the spurious equals(Object) rows in java-kotlin-collection-type-generic-methods while retaining expected Object-method extraction in java-interface-redeclares-tostring.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

CODEOWNERS

@@ -28,7 +28,6 @@
 /swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
-/java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.4.38
+
+### Bug Fixes
+
+* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.
+
 ## 0.4.37
 
 ### Minor Analysis Improvements

actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.

actions/ql/lib/change-notes/released/0.4.38.md

@@ -0,0 +1,6 @@
+## 0.4.38
+
+### Bug Fixes
+
+* GitHub Actions queries now better account for permission checks on jobs that call reusable workflows.
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.37
+lastReleaseVersion: 0.4.38

actions/ql/lib/codeql/actions/security/ControlChecks.qll

@@ -42,6 +42,15 @@ string actor_not_attacker_event() {
     ]
 }
 
+/**
+ * Gets the outer caller of `ej`, i.e. the `ExternalJob` that calls the
+ * reusable workflow containing `ej`. Used with transitive closure to
+ * walk up nested reusable workflow chains.
+ */
+private ExternalJob getAnOuterCaller(ExternalJob ej) {
+  result = ej.getEnclosingWorkflow().(ReusableWorkflow).getACaller()
+}
+
 /** An If node that contains an actor, user or label check */
 abstract class ControlCheck extends AstNode {
   ControlCheck() {
@@ -53,43 +62,170 @@ abstract class ControlCheck extends AstNode {
 
   predicate protects(AstNode node, Event event, string category) {
     // The check dominates the step it should protect
-    this.dominates(node) and
+    this.dominates(node, event) and
     // The check is effective against the event and category
     this.protectsCategoryAndEvent(category, event.getName()) and
     // The check can be triggered by the event
-    this.getATriggerEvent() = event
+    this.getATriggerEvent() = event and
+    // For reusable workflows, there must be no unprotected caller chain for this event.
+    (
+      not node.getEnclosingWorkflow() instanceof ReusableWorkflow
+      or
+      this.dominatesSameWorkflow(node, event)
+      or
+      not exists(ExternalJob directCaller |
+        directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
+        unprotectedCallerChain(directCaller, event, category)
+      )
+    )
   }
 
-  predicate dominates(AstNode node) {
+  /**
+   * Holds if this control check must execute and pass before `node` can run.
+   */
+  predicate dominates(AstNode node, Event event) {
+    this.dominatesSameWorkflow(node, event)
+    or
+    // When the node is inside a reusable workflow,
+    // this check dominates via at least one caller chain.
+    this.dominatesViaCaller(node, event, _)
+  }
+
+  /**
+   * Holds if this control check dominates `node` within the same workflow.
+   */
+  predicate dominatesSameWorkflow(AstNode node, Event event) {
+    this.getATriggerEvent() = event and
+    (
+      // Step-level: the check is an `if:` on the step containing `node`,
+      // or on the enclosing job, or on a needed job/step.
+      this instanceof If and
+      (
+        node.getEnclosingStep().getIf() = this or
+        node.getEnclosingJob().getIf() = this or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+      )
+      or
+      // Job-level: the check is an environment on the enclosing job or a needed job.
+      this instanceof Environment and
+      (
+        node.getEnclosingJob().getEnvironment() = this
+        or
+        node.getEnclosingJob().getANeededJob().getEnvironment() = this
+      )
+      or
+      // Step-level: the check is a Run/UsesStep that precedes `node`'s step
+      // in the same job, or is a step in a needed job.
+      (
+        this instanceof Run or
+        this instanceof UsesStep
+      ) and
+      (
+        this.(Step).getAFollowingStep() = node.getEnclosingStep()
+        or
+        node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this
+      )
+    )
+  }
+
+  /**
+   * Holds if this control check dominates `node` in a reusable workflow
+   * via the caller chain starting at `directCaller`.
+   */
+  predicate dominatesViaCaller(AstNode node, Event event, ExternalJob directCaller) {
+    directCaller = node.getEnclosingWorkflow().(ReusableWorkflow).getACaller() and
+    directCaller.getATriggerEvent() = event and
+    exists(ExternalJob caller |
+      caller = getAnOuterCaller*(directCaller) and
+      this.dominatesCaller(caller)
+    )
+  }
+
+  /**
+   * Holds if this control check directly dominates `caller`.
+   */
+  predicate dominatesCaller(ExternalJob caller) {
     this instanceof If and
     (
-      node.getEnclosingStep().getIf() = this or
-      node.getEnclosingJob().getIf() = this or
-      node.getEnclosingJob().getANeededJob().(LocalJob).getAStep().getIf() = this or
-      node.getEnclosingJob().getANeededJob().(LocalJob).getIf() = this
+      caller.getIf() = this or
+      caller.getANeededJob().(LocalJob).getIf() = this or
+      caller.getANeededJob().(LocalJob).getAStep().getIf() = this
     )
     or
     this instanceof Environment and
     (
-      node.getEnclosingJob().getEnvironment() = this
-      or
-      node.getEnclosingJob().getANeededJob().getEnvironment() = this
+      caller.getEnvironment() = this or
+      caller.getANeededJob().getEnvironment() = this
     )
     or
-    (
-      this instanceof Run or
-      this instanceof UsesStep
-    ) and
-    (
-      this.(Step).getAFollowingStep() = node.getEnclosingStep()
-      or
-      node.getEnclosingJob().getANeededJob().(LocalJob).getAStep() = this.(Step)
-    )
+    (this instanceof Run or this instanceof UsesStep) and
+    caller.getANeededJob().(LocalJob).getAStep() = this
   }
 
   abstract predicate protectsCategoryAndEvent(string category, string event);
 }
 
+/**
+ * Holds if this control check directly protects `caller`.
+ */
+bindingset[caller, event, category]
+private predicate protectedCaller(ExternalJob caller, Event event, string category) {
+  exists(ControlCheck check |
+    check.protectsCategoryAndEvent(category, event.getName()) and
+    check.getATriggerEvent() = event and
+    check.dominatesCaller(caller)
+  )
+}
+
+cached
+private newtype TCallerState =
+  MkCallerState(ExternalJob caller, Event event, string category) {
+    caller.getATriggerEvent() = event and
+    category = any_category()
+  }
+
+private class CallerState extends TCallerState, MkCallerState {
+  ExternalJob caller;
+  Event event;
+  string category;
+
+  CallerState() { this = MkCallerState(caller, event, category) }
+
+  ExternalJob getCaller() { result = caller }
+
+  Event getEvent() { result = event }
+
+  string getCategory() { result = category }
+
+  /**
+   * Gets an outer caller state if this caller is not protected.
+   */
+  CallerState getUnprotectedOuterState() {
+    not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
+    result = MkCallerState(getAnOuterCaller(this.getCaller()), this.getEvent(), this.getCategory())
+  }
+
+  predicate isUnprotectedOutermost() {
+    not protectedCaller(this.getCaller(), this.getEvent(), this.getCategory()) and
+    not exists(getAnOuterCaller(this.getCaller()))
+  }
+
+  string toString() { result = caller + " / " + event + " / " + category }
+}
+
+/**
+ * Holds if there is a caller path from `caller` to an outer workflow that has no protection.
+ */
+bindingset[caller, event, category]
+private predicate unprotectedCallerChain(ExternalJob caller, Event event, string category) {
+  exists(CallerState start, CallerState outermost |
+    start = MkCallerState(caller, event, category) and
+    outermost = start.getUnprotectedOuterState*() and
+    outermost.isUnprotectedOutermost()
+  )
+}
+
 abstract class AssociationCheck extends ControlCheck {
   // Checks if the actor is a MEMBER/OWNER the repo
   // - they are effective against pull requests and workflow_run (since these are triggered by pull_requests) since they can control who is making the PR

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.38-dev
+version: 0.4.39-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.6.30
+
+### Query Metadata Changes
+
+* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.
+
 ## 0.6.29
 
 ### Query Metadata Changes

actions/ql/src/Security/CWE-285/ImproperAccessControl.ql

@@ -18,7 +18,7 @@ from LocalJob job, LabelCheck check, MutableRefCheckoutStep checkout, Event even
 where
   job.isPrivileged() and
   job.getAStep() = checkout and
-  check.dominates(checkout) and
+  check.dominates(checkout, event) and
   (
     job.getATriggerEvent() = event and
     event.getName() = "pull_request_target" and

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

@@ -34,8 +34,8 @@ where
         check instanceof AssociationCheck or
         check instanceof PermissionCheck
       ) and
-      check.dominates(checkout) and
-      date_check.dominates(checkout)
+      check.dominates(checkout, event) and
+      date_check.dominates(checkout, event)
     )
     or
     // not issue_comment triggered workflows

actions/ql/src/change-notes/released/0.6.30.md

@@ -1,4 +1,5 @@
----
-category: queryMetadata
----
+## 0.6.30
+
+### Query Metadata Changes
+
 * The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.29
+lastReleaseVersion: 0.6.30

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.30-dev
+version: 0.6.31-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml

@@ -0,0 +1,17 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: ${{ inputs.COMMIT_SHA }}
+      - run: |
+          npm install
+          npm run lint
+      

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested.yml

@@ -0,0 +1,13 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  build:
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
+
+      

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml

@@ -0,0 +1,33 @@
+on:
+  workflow_call:
+    inputs:
+      COMMIT_SHA:
+        type: string
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build_safe:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}
+  build_unsafe:
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ inputs.COMMIT_SHA }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_no_needs.yml

@@ -0,0 +1,31 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    runs-on: ubuntu-latest
+    #needs: is-collaborator Mistake, doesn't wait for the collaborator - no security check
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # should alert
+          fetch-depth: 2
+      - run: yarn test

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable2.yml

@@ -0,0 +1,31 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build_unsafe:
+    # needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
+  build_safe:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml

@@ -0,0 +1,8 @@
+on:
+  pull_request_target:
+
+jobs:
+  build:
+    uses: TestOrg/TestRepo/.github/workflows/build_nested_branching.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_level2.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml

@@ -0,0 +1,26 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    # needs: is-collaborator
+    uses: TestOrg/TestRepo/.github/workflows/build_nested.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_permissions_check.yml

@@ -0,0 +1,41 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  build:
+    runs-on: ubuntu-latest
+    needs: is-collaborator
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # shouldn't alert since permission check
+          fetch-depth: 2
+      - run: yarn test
+  build_unsafe:
+    runs-on: ubuntu-latest
+    # needs: is-collaborator
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }} # should alert since no permission check
+          fetch-depth: 2
+      - run: yarn test

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/untrusted_checkout_two_callers_both_protected.yml

@@ -0,0 +1,48 @@
+on:
+  pull_request_target:                                     
+
+jobs:
+  is-collaborator-a:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  caller-a:
+    needs: is-collaborator-a
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+  is-collaborator-b:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get User Permission
+        id: checkAccess
+        uses: actions-cool/check-user-permission@cd622002ff25c2311d2e7fb82107c0d24be83f9b
+        with:
+          require: write
+          username: ${{ github.actor }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Check User Permission
+        if: steps.checkAccess.outputs.require-result == 'false'
+        run: |
+          echo "${{ github.actor }} does not have permissions on this repo."
+          echo "Current permission level is ${{ steps.checkAccess.outputs.user-permission }}"
+          exit 1
+  caller-b:
+    needs: is-collaborator-b
+    uses: TestOrg/TestRepo/.github/workflows/build.yml@main
+    with:
+      COMMIT_SHA: ${{ github.event.pull_request.head.sha }}

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -93,6 +93,8 @@ edges
 | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step |
 | .github/workflows/dependabot3.yml:20:9:25:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone |
 | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:48:9:52:57 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:11:9:19:6 | Uses Step: checkAccess | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build_nested_branching.yml:19:9:25:2 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:14:9:19:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:19:9:25:6 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/formal.yml:25:9:70:20 | Run Step |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step |
@@ -334,6 +336,17 @@ edges
 | .github/workflows/untrusted_checkout_6.yml:11:9:14:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step |
 | .github/workflows/untrusted_checkout_6.yml:14:9:17:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step |
 | .github/workflows/untrusted_checkout_6.yml:17:9:21:6 | Uses Step | .github/workflows/untrusted_checkout_6.yml:21:9:23:23 | Run Step |
+| .github/workflows/untrusted_checkout_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_no_needs.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_level2.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_permissions_check.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:31:9:32:2 | Run Step |
+| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step |
+| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:8:9:16:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:16:9:22:2 | Run Step |
+| .github/workflows/untrusted_checkout_two_callers_both_protected.yml:30:9:38:6 | Uses Step: checkAccess | .github/workflows/untrusted_checkout_two_callers_both_protected.yml:38:9:44:2 | Run Step |
 | .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
@@ -344,6 +357,9 @@ edges
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
 | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable2.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_branching_nested.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:11:9:14:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/build.yml:14:9:17:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permission_check_reusable_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
 | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
@@ -377,3 +393,5 @@ edges
 | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
 | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
 | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:26:9:31:6 | Uses Step | .github/workflows/untrusted_checkout_no_needs.yml:31:9:31:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_no_needs.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:36:9:41:6 | Uses Step | .github/workflows/untrusted_checkout_permissions_check.yml:41:9:41:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout_permissions_check.yml:2:3:2:21 | pull_request_target | pull_request_target |

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 11.0.0
+
+### Breaking Changes
+
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.
+
 ## 10.2.0
 
 ### Deprecated APIs

cpp/ql/lib/change-notes/released/11.0.0.md

@@ -1,6 +1,7 @@
----
-category: breaking
----
+## 11.0.0
+
+### Breaking Changes
+
 * Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
 * Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
 * Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.2.0
+lastReleaseVersion: 11.0.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.2.1-dev
+version: 11.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.6.5
+
+No user-facing changes.
+
 ## 1.6.4
 
 No user-facing changes.

cpp/ql/src/change-notes/released/1.6.5.md

@@ -0,0 +1,3 @@
+## 1.6.5
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.4
+lastReleaseVersion: 1.6.5

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.5-dev
+version: 1.6.6-dev
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.69
+
+No user-facing changes.
+
 ## 1.7.68
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.69.md

@@ -0,0 +1,3 @@
+## 1.7.69
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.68
+lastReleaseVersion: 1.7.69

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.69-dev
+version: 1.7.70-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.69
+
+No user-facing changes.
+
 ## 1.7.68
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.69.md

@@ -0,0 +1,3 @@
+## 1.7.69
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.68
+lastReleaseVersion: 1.7.69

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.69-dev
+version: 1.7.70-dev
 groups:
   - csharp
   - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 7.0.0
+
+### Breaking Changes
+
+* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
+
+### Major Analysis Improvements
+
+* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
+
+### Minor Analysis Improvements
+
+* Improved property and indexer call target resolution for partially overridden properties and indexers.
+* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
+* Improved call target resolution for ref-return properties and indexers.
+
 ## 6.0.2
 
 ### Minor Analysis Improvements

csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.

csharp/ql/lib/change-notes/2026-05-22-property-indexer-partial-override.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved property and indexer call target resolution for partially overridden properties and indexers.

csharp/ql/lib/change-notes/2026-06-12-razor-page-handler-sources.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.

csharp/ql/lib/change-notes/2026-06-12-restructure-operations.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.

csharp/ql/lib/change-notes/released/7.0.0.md

@@ -0,0 +1,15 @@
+## 7.0.0
+
+### Breaking Changes
+
+* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.
+
+### Major Analysis Improvements
+
+* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.
+
+### Minor Analysis Improvements
+
+* Improved property and indexer call target resolution for partially overridden properties and indexers.
+* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.
+* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.0.2
+lastReleaseVersion: 7.0.0

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.3-dev
+version: 7.0.1-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.5
+
+No user-facing changes.
+
 ## 1.7.4
 
 No user-facing changes.

csharp/ql/src/Dead Code/DeadStoreOfLocal.ql

@@ -14,54 +14,6 @@
 
 import csharp
 
-/**
- * Gets a callable that either directly captures local variable `v`, or which
- * is enclosed by the callable that declares `v` and encloses a callable that
- * captures `v`.
- */
-Callable getACapturingCallableAncestor(LocalVariable v) {
-  result = v.getACapturingCallable()
-  or
-  exists(Callable mid | mid = getACapturingCallableAncestor(v) |
-    result = mid.getEnclosingCallable() and
-    not v.getEnclosingCallable() = result
-  )
-}
-
-Expr getADelegateExpr(Callable c) {
-  c = result.(CallableAccess).getTarget()
-  or
-  result = c.(AnonymousFunctionExpr)
-}
-
-/**
- * Holds if `c` is a call where any delegate argument is evaluated immediately.
- */
-predicate nonEscapingCall(Call c) {
-  exists(string name | c.getTarget().hasName(name) |
-    name =
-      [
-        "ForEach", "Count", "Any", "All", "Average", "Aggregate", "First", "Last", "FirstOrDefault",
-        "LastOrDefault", "LongCount", "Max", "Single", "SingleOrDefault", "Sum"
-      ]
-  )
-}
-
-/**
- * Holds if `v` is a captured local variable, and one of the callables capturing
- * `v` may escape the local scope.
- */
-predicate mayEscape(LocalVariable v) {
-  exists(Callable c, Expr e, Expr succ | c = getACapturingCallableAncestor(v) |
-    e = getADelegateExpr(c) and
-    DataFlow::localExprFlow(e, succ) and
-    not succ = any(DelegateCall dc).getExpr() and
-    not succ = any(Cast cast).getExpr() and
-    not succ = any(Call call | nonEscapingCall(call)).getAnArgument() and
-    not succ = any(AssignableDefinition ad | ad.getTarget() instanceof LocalVariable).getSource()
-  )
-}
-
 class RelevantDefinition extends AssignableDefinition {
   RelevantDefinition() {
     this.(AssignableDefinitions::AssignmentDefinition).getAssignment() =
@@ -94,8 +46,6 @@ class RelevantDefinition extends AssignableDefinition {
       // SSA definitions are only created for live variables
       this = any(SsaExplicitWrite ssaDef).getDefinition()
       or
-      mayEscape(v)
-      or
       v.isCaptured()
     )
   }

csharp/ql/src/change-notes/released/1.7.5.md

@@ -0,0 +1,3 @@
+## 1.7.5
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.4
+lastReleaseVersion: 1.7.5

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.5-dev
+version: 1.7.6-dev
 groups:
   - csharp
   - queries

go/extractor/go.mod

@@ -10,7 +10,7 @@ toolchain go1.26.4
 //    bazel mod tidy
 require (
 	golang.org/x/mod v0.37.0
-	golang.org/x/tools v0.46.0
+	golang.org/x/tools v0.47.0
 )
 
 require github.com/stretchr/testify v1.11.1

go/extractor/go.sum

@@ -10,8 +10,8 @@ golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
 golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
 golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
 golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
-golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
+golang.org/x/tools v0.47.0 h1:7Kn5x/d1svx/PzryTsqeoZN4TZwqeH5pGWjefhLi/1Q=
+golang.org/x/tools v0.47.0/go.mod h1:dFHnyTvFWY212G+h7ZY4Vsp/K3U4/7W9TyVaAul8uCA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

go/ql/consistency-queries/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.52
+
+No user-facing changes.
+
 ## 1.0.51
 
 No user-facing changes.

go/ql/consistency-queries/change-notes/released/1.0.52.md

@@ -0,0 +1,3 @@
+## 1.0.52
+
+No user-facing changes.

go/ql/consistency-queries/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.51
+lastReleaseVersion: 1.0.52

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.52-dev
+version: 1.0.53-dev
 groups:
   - go
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 7.2.0
+
+### Deprecated APIs
+
+* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
+
+### Minor Analysis Improvements
+
+* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
+  `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
+  variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
+  `go/log-injection` and `go/clear-text-logging` queries cover code that logs
+  through `slog`.
+* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
+* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
+* More logging functions are now recognized as not returning or panicking.
+
 ## 7.1.2
 
 No user-facing changes.

go/ql/lib/change-notes/2026-06-01-non-returning-functions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* More logging functions are now recognized as not returning or panicking.

go/ql/lib/change-notes/2026-06-08-deprecate-functypeexpr-getresultdecl.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.

go/ql/lib/change-notes/2026-06-08-fix-result-nodes.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.

go/ql/lib/change-notes/2026-06-08-functypeexpr-getnumresult.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.

go/ql/lib/change-notes/2026-06-17-model-log-slog.md

@@ -1,8 +0,0 @@
----
-category: minorAnalysis
----
-* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
-  `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
-  variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
-  `go/log-injection` and `go/clear-text-logging` queries cover code that logs
-  through `slog`.

go/ql/lib/change-notes/released/7.2.0.md

@@ -0,0 +1,16 @@
+## 7.2.0
+
+### Deprecated APIs
+
+* `FuncTypeExpr.getResultDecl()` has been deprecated. Use `FuncTypeExpr.getResultDecl(int i)` instead.
+
+### Minor Analysis Improvements
+
+* Added models for the `log/slog` package (Go 1.21+). Its logging functions and
+  `*slog.Logger` methods (`Debug`/`Info`/`Warn`/`Error`, their `Context`
+  variants, and `Log`/`LogAttrs`) are now recognized as logging sinks, so the
+  `go/log-injection` and `go/clear-text-logging` queries cover code that logs
+  through `slog`.
+* `DataFlow::ResultNode`s are no longer created for returned expressions in functions with named result parameters. In this case there are already result nodes corresponding to `IR::ReadResultInstruction`s at the end of the function body.
+* `FuncTypeExpr.getNumResult()` now gets the number of result parameters. It previously got the number of result declarations, which is different when one result declaration declares more than one variable, as in `x, y int`. All uses of it expected the number of result parameters. Its QLDoc has been updated.
+* More logging functions are now recognized as not returning or panicking.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.2
+lastReleaseVersion: 7.2.0

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.1.3-dev
+version: 7.2.1-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/lib/semmle/go/security/StoredXssCustomizations.qll

@@ -33,9 +33,11 @@ module StoredXss {
         walkFn.getACall().getArgument(1) = f.getASuccessor*()
       )
       or
-      // A call to os.FileInfo.Name
-      exists(Method m | m.implements("io/fs", "FileInfo", "Name") |
-        m = this.(DataFlow::CallNode).getTarget()
+      // The return value of a call to `os.DirEntry.Name`, `os.FileInfo.Name`
+      // or `os.File.ReadDirNames`.
+      exists(DataFlow::CallNode cn, Method m | m = cn.getTarget() and this = cn.getResult(0) |
+        m.implements("io/fs", ["DirEntry", "FileInfo"], "Name") or
+        m.hasQualifiedName("os", "File", "ReadDirNames")
       )
     }
   }

go/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.6.5
+
+### Minor Analysis Improvements
+
+* The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.
+
 ## 1.6.4
 
 No user-facing changes.

go/ql/src/change-notes/released/1.6.5.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 1.6.5
+
+### Minor Analysis Improvements
+
 * The query `go/unhandled-writable-file-close` ("Writable file handle closed without error handling") now produces fewer false positives. A deferred call to `Close` that is preceded on every execution path by a handled call to `Sync` on the same file handle is no longer flagged.

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.4
+lastReleaseVersion: 1.6.5

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.5-dev
+version: 1.6.6-dev
 groups:
   - go
   - queries

go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected

@@ -156,12 +156,3 @@ nodes
 | websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] |
 | websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
 subpaths
-testFailures
-| websocketXss.go:30:32:30:60 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:31:11:31:14 | xnet [postupdate] | Unexpected result: Source |
-| websocketXss.go:34:30:34:58 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:35:21:35:25 | xnet2 [postupdate] | Unexpected result: Source |
-| websocketXss.go:46:38:46:66 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | Unexpected result: Source |
-| websocketXss.go:50:33:50:61 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | Unexpected result: Source |

go/ql/test/query-tests/Security/CWE-079/StoredXss.expected

@@ -1,7 +1,9 @@
 #select
+| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
 | stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
 | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | SSA def(path) | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | SSA def(path) | stored value |
 edges
+| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance |  |
 | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1  |
 | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... [postupdate] | provenance | FunctionModel |
 | stored.go:25:29:25:33 | &... [postupdate] | stored.go:30:22:30:25 | name | provenance |  |
@@ -9,6 +11,8 @@ edges
 models
 | 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
 nodes
+| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name |
+| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
 | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
 | stored.go:25:14:25:17 | rows | semmle.label | rows |
 | stored.go:25:29:25:33 | &... [postupdate] | semmle.label | &... [postupdate] |
@@ -16,5 +20,3 @@ nodes
 | stored.go:59:30:59:33 | SSA def(path) | semmle.label | SSA def(path) |
 | stored.go:61:22:61:25 | path | semmle.label | path |
 subpaths
-testFailures
-| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |

go/ql/test/query-tests/Security/CWE-079/websocketXss.go

@@ -27,12 +27,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	origin := "test"
 	{
 		ws, _ := websocket.Dial(uri, "", origin)
-		var xnet = make([]byte, 512) // $ Source[go/reflected-xss]
-		ws.Read(xnet)
+		var xnet = make([]byte, 512)
+		ws.Read(xnet)              // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", xnet) // $ Alert[go/reflected-xss]
 		codec := &websocket.Codec{Marshal: marshal, Unmarshal: unmarshal}
-		xnet2 := make([]byte, 512) // $ Source[go/reflected-xss]
-		codec.Receive(ws, xnet2)
+		xnet2 := make([]byte, 512)
+		codec.Receive(ws, xnet2)    // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", xnet2) // $ Alert[go/reflected-xss]
 	}
 	{
@@ -43,12 +43,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	{
 		dialer := gorilla.Dialer{}
 		conn, _, _ := dialer.Dial(uri, nil)
-		var gorillaMsg = make([]byte, 512) // $ Source[go/reflected-xss]
-		gorilla.ReadJSON(conn, gorillaMsg)
-		fmt.Fprintf(w, "%v", gorillaMsg) // $ Alert[go/reflected-xss]
+		var gorillaMsg = make([]byte, 512)
+		gorilla.ReadJSON(conn, gorillaMsg) // $ Source[go/reflected-xss]
+		fmt.Fprintf(w, "%v", gorillaMsg)   // $ Alert[go/reflected-xss]
 
-		gorilla2 := make([]byte, 512) // $ Source[go/reflected-xss]
-		conn.ReadJSON(gorilla2)
+		gorilla2 := make([]byte, 512)
+		conn.ReadJSON(gorilla2)        // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", gorilla2) // $ Alert[go/reflected-xss]
 
 		_, gorilla3, _ := conn.ReadMessage() // $ Source[go/reflected-xss]

java/kotlin-extractor/dev/wrapper.py

@@ -75,6 +75,9 @@ def get_version():
 
 
 def install(version: str, quiet: bool):
+    if install_dir.exists():
+        return
+
     if quiet:
         info_out = subprocess.DEVNULL
         info = lambda *args: None
@@ -83,8 +86,6 @@ def install(version: str, quiet: bool):
         info = lambda *args: print(*args, file=sys.stderr)
     file = file_template.format(version=version)
     url = url_template.format(version=version)
-    if install_dir.exists():
-        shutil.rmtree(install_dir)
     install_dir.mkdir()
     zips_dir.mkdir(exist_ok=True)
     zip = zips_dir / file
@@ -156,8 +157,11 @@ def main(opts, forwarded_opts):
         selected_version = current_version or DEFAULT_VERSION
     if selected_version != current_version:
         # don't print information about install procedure unless explicitly using --select
-        install(selected_version, quiet=opts.select is None)
+        if install_dir.exists():
+            shutil.rmtree(install_dir)
         version_file.write_text(selected_version)
+    # don't print information about install procedure unless explicitly using --select
+    install(selected_version, quiet=opts.select is None)
     if opts.select and not forwarded_opts and not opts.version:
         print(f"selected {selected_version}")
         return

java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt

@@ -6,6 +6,8 @@ import com.github.codeql.utils.*
 import com.github.codeql.utils.versions.*
 import com.semmle.extractor.java.OdasaOutput
 import java.io.Closeable
+import java.nio.file.Files
+import java.nio.file.Path
 import java.util.*
 import kotlin.collections.ArrayList
 import org.jetbrains.kotlin.backend.common.extensions.IrPluginContext
@@ -50,6 +52,7 @@ import org.jetbrains.kotlin.load.java.structure.JavaMethod
 import org.jetbrains.kotlin.load.java.structure.JavaTypeParameter
 import org.jetbrains.kotlin.load.java.structure.JavaTypeParameterListOwner
 import org.jetbrains.kotlin.load.java.structure.impl.classFiles.BinaryJavaClass
+import org.jetbrains.kotlin.fir.java.VirtualFileBasedSourceElement
 import org.jetbrains.kotlin.name.FqName
 import org.jetbrains.kotlin.types.Variance
 import org.jetbrains.kotlin.util.OperatorNameConventions
@@ -161,23 +164,100 @@ open class KotlinFileExtractor(
         }
     }
 
-    private fun javaBinaryDeclaresMethod(c: IrClass, name: String) =
-        ((c.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.methods?.any {
-            it.name.asString() == name
+    private fun javaBinaryDeclaresMethod(c: IrClass, name: String): Boolean? {
+        // K1 path: source is JavaSourceElement wrapping a BinaryJavaClass - inspect class metadata
+        val binaryJavaClass = (c.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass
+        if (binaryJavaClass != null) {
+            return binaryJavaClass.methods.any { it.name.asString() == name }
         }
 
+        // K2 path: binary Java classes use VirtualFileBasedSourceElement instead of
+        // JavaSourceElement. The BinaryJavaClass is not stored in the source element, so we parse
+        // the class bytes directly using ASM to check if the method is explicitly declared.
+        if (c.source is VirtualFileBasedSourceElement) {
+            val virtualFile = (c.source as VirtualFileBasedSourceElement).virtualFile
+            if (!virtualFile.name.endsWith(".class")) return null
+            return try {
+                val bytes = virtualFile.contentsToByteArray()
+                var found = false
+                var hasKotlinMetadata = false
+                val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
+                reader.accept(
+                    object : org.jetbrains.org.objectweb.asm.ClassVisitor(
+                        org.jetbrains.org.objectweb.asm.Opcodes.ASM9
+                    ) {
+                        override fun visitAnnotation(
+                            descriptor: String,
+                            visible: Boolean
+                        ): org.jetbrains.org.objectweb.asm.AnnotationVisitor? {
+                            if (descriptor == "Lkotlin/Metadata;") hasKotlinMetadata = true
+                            return null
+                        }
+
+                        override fun visitMethod(
+                            access: Int,
+                            methodName: String,
+                            descriptor: String,
+                            signature: String?,
+                            exceptions: Array<String>?
+                        ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
+                            if (methodName == name) found = true
+                            return null
+                        }
+                    },
+                    org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
+                        org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
+                        org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
+                )
+                if (hasKotlinMetadata) false else found
+            } catch (e: Exception) {
+                logger.warn("Failed to check binary class methods for ${c.fqNameWhenAvailable}: $e")
+                null
+            }
+        }
+        return null
+    }
+
     private fun isJavaBinaryDeclaration(f: IrFunction) =
         f.parentClassOrNull?.let { javaBinaryDeclaresMethod(it, f.name.asString()) } ?: false
 
+    private fun hasConcreteSiblingObjectMethod(f: IrFunction): Boolean {
+        val parentClass = f.parentClassOrNull ?: return false
+        return parentClass.declarations
+            .asSequence()
+            .filterIsInstance<IrFunction>()
+            .filter { sibling ->
+                sibling !== f &&
+                    sibling.name == f.name &&
+                    sibling.codeQlValueParameters.size == f.codeQlValueParameters.size
+            }
+            .any { sibling ->
+                val hasInvisibleFakeVisibility =
+                    sibling.visibility.let {
+                        it is DelegatedDescriptorVisibility && it.delegate == Visibilities.InvisibleFake
+                    }
+                !sibling.isFakeOverride && !hasInvisibleFakeVisibility
+            }
+    }
+
     private fun isJavaBinaryObjectMethodRedeclaration(d: IrDeclaration) =
         when (d) {
             is IrFunction ->
+                d.parentClassOrNull?.typeParameters?.isEmpty() == true &&
                 when (d.name.asString()) {
                     "toString" -> d.codeQlValueParameters.isEmpty()
                     "hashCode" -> d.codeQlValueParameters.isEmpty()
-                    "equals" -> d.codeQlValueParameters.singleOrNull()?.type?.isNullableAny() ?: false
+                    // Under K2 (language version 2.0+), the Object.equals(Object) parameter is
+                    // typed as Any (non-nullable) rather than Any? (nullable). Accept both.
+                    "equals" ->
+                        d.codeQlValueParameters
+                            .singleOrNull()
+                            ?.type
+                            ?.let { it.isNullableAny() || it.isAny() } ?: false
                     else -> false
-                } && isJavaBinaryDeclaration(d)
+                } &&
+                    !hasConcreteSiblingObjectMethod(d) &&
+                    isJavaBinaryDeclaration(d)
             else -> false
         }
 
@@ -1312,27 +1392,28 @@ open class KotlinFileExtractor(
     ): TypeResults {
         with("value parameter", vp) {
             val location = locOverride ?: getLocation(vp, classTypeArgsIncludingOuterClasses)
+            val parentFunction = vp.parent as? IrFunction
+            val javaCallable = parentFunction?.let { getJavaCallable(it) }
             val maybeAlteredType =
-                (vp.parent as? IrFunction)?.let {
+                parentFunction?.let {
                     if (overridesCollectionsMethodWithAlteredParameterTypes(it))
                         eraseCollectionsMethodParameterType(vp.type, it.name.asString(), idx)
                     else if (
-                        (vp.parent as? IrConstructor)?.parentClassOrNull?.kind ==
+                        (parentFunction as? IrConstructor)?.parentClassOrNull?.kind ==
                             ClassKind.ANNOTATION_CLASS
                     )
                         kClassToJavaClass(vp.type)
                     else null
                 } ?: vp.type
-            val javaType =
-                (vp.parent as? IrFunction)?.let {
-                    getJavaCallable(it)?.let { jCallable ->
-                        getJavaValueParameterType(jCallable, idx)
-                    }
-                }
+            val javaType = javaCallable?.let { jCallable -> getJavaValueParameterType(jCallable, idx) }
+            val addParameterWildcardsByDefault =
+                !getInnermostWildcardSupppressionAnnotation(vp) &&
+                    !(javaCallable == null &&
+                        parentFunction?.origin == IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB)
             val typeWithWildcards =
                 addJavaLoweringWildcards(
                     maybeAlteredType,
-                    !getInnermostWildcardSupppressionAnnotation(vp),
+                    addParameterWildcardsByDefault,
                     javaType
                 )
             val substitutedType =
@@ -1346,9 +1427,9 @@ open class KotlinFileExtractor(
                 vp.origin == IrDeclarationOrigin.UNDERSCORE_PARAMETER ||
                     ((vp.parent as? IrFunction)?.let { hasSynthesizedParameterNames(it) } ?: true)
             val javaParameter =
-                when (val callable = (vp.parent as? IrFunction)?.let { getJavaCallable(it) }) {
-                    is JavaConstructor -> callable.valueParameters.getOrNull(idx)
-                    is JavaMethod -> callable.valueParameters.getOrNull(idx)
+                when (javaCallable) {
+                    is JavaConstructor -> javaCallable.valueParameters.getOrNull(idx)
+                    is JavaMethod -> javaCallable.valueParameters.getOrNull(idx)
                     else -> null
                 }
             val extraAnnotations =
@@ -2874,6 +2955,45 @@ open class KotlinFileExtractor(
         return v
     }
 
+    private val sourceTextCache = mutableMapOf<String, String?>()
+
+    private fun getCurrentFileSourceText() =
+        sourceTextCache.getOrPut(filePath) {
+            runCatching { Files.readString(Path.of(filePath)) }.getOrNull()
+        }
+
+    private fun getVariableNameLocation(v: IrVariable): Label<DbLocation>? {
+        if (v.startOffset < 0 || v.endOffset < v.startOffset) return null
+
+        val source = getCurrentFileSourceText() ?: return null
+        if (v.startOffset >= source.length) return null
+
+        val name = v.name.asString()
+        if (name.isEmpty()) return null
+
+        val endExclusive = minOf(v.endOffset + 1, source.length)
+        val declarationText = source.substring(v.startOffset, endExclusive)
+        val nameOffsetInDeclaration = declarationText.indexOf(name)
+        if (nameOffsetInDeclaration < 0) return null
+
+        val nameStartOffset = v.startOffset + nameOffsetInDeclaration
+        val nameEndOffset = nameStartOffset + name.length - 1
+        return tw.getLocation(nameStartOffset, nameEndOffset)
+    }
+
+    private fun shouldUseVariableNameLocation(v: IrVariable): Boolean {
+        val initializer = v.initializer
+        return initializer is IrTypeOperatorCall && initializer.operator == IrTypeOperator.IMPLICIT_NOTNULL
+    }
+
+    private fun getVariableLocation(v: IrVariable): Label<DbLocation> {
+        if (shouldUseVariableNameLocation(v)) {
+            val nameLocation = getVariableNameLocation(v)
+            if (nameLocation != null) return nameLocation
+        }
+        return tw.getLocation(getVariableLocationProvider(v))
+    }
+
     private fun extractVariable(
         v: IrVariable,
         callable: Label<out DbCallable>,
@@ -2882,7 +3002,7 @@ open class KotlinFileExtractor(
     ) {
         with("variable", v) {
             val stmtId = tw.getFreshIdLabel<DbLocalvariabledeclstmt>()
-            val locId = tw.getLocation(getVariableLocationProvider(v))
+            val locId = getVariableLocation(v)
             tw.writeStmts_localvariabledeclstmt(stmtId, parent, idx, callable)
             tw.writeHasLocation(stmtId, locId)
             extractVariableExpr(v, callable, stmtId, 1, stmtId)
@@ -2900,7 +3020,7 @@ open class KotlinFileExtractor(
         with("variable expr", v) {
             val varId = useVariable(v)
             val exprId = tw.getFreshIdLabel<DbLocalvariabledeclexpr>()
-            val locId = tw.getLocation(getVariableLocationProvider(v))
+            val locId = getVariableLocation(v)
             val type = useType(v.type)
             tw.writeLocalvars(varId, v.name.asString(), type.javaResult.id, exprId)
             tw.writeLocalvarsKotlinType(varId, type.kotlinResult.id)
@@ -4066,6 +4186,28 @@ open class KotlinFileExtractor(
             else -> false
         }
 
+    private fun getCallResultType(c: IrCall, syntacticCallTarget: IrFunction): IrType {
+        if (syntacticCallTarget.origin != IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB) {
+            return c.type
+        }
+
+        val primitiveInfo =
+            (c.type as? IrSimpleType)?.let { primitiveTypeMapping.getPrimitiveInfo(it) } ?: return c.type
+        val parentClass = syntacticCallTarget.parentClassOrNull ?: return c.type
+        val returnIsClassifier =
+            javaBinaryMethodReturnIsClassifierType(
+                parentClass,
+                getFunctionShortName(syntacticCallTarget).nameInDB,
+                syntacticCallTarget.codeQlValueParameters.size,
+                syntacticCallTarget is IrConstructor
+            )
+        return if (returnIsClassifier == true) {
+            primitiveInfo.javaClass.symbol.typeWith()
+        } else {
+            c.type
+        }
+    }
+
     private fun isGenericArrayType(typeName: String) =
         when (typeName) {
             "Array" -> true
@@ -4111,7 +4253,7 @@ open class KotlinFileExtractor(
                 extractRawMethodAccess(
                     syntacticCallTarget,
                     c,
-                    c.type,
+                    getCallResultType(c, syntacticCallTarget),
                     callable,
                     parent,
                     idx,

java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt

@@ -36,6 +36,7 @@ import org.jetbrains.kotlin.load.java.BuiltinMethodsWithSpecialGenericSignature
 import org.jetbrains.kotlin.load.java.JvmAbi
 import org.jetbrains.kotlin.load.java.sources.JavaSourceElement
 import org.jetbrains.kotlin.load.java.structure.*
+import org.jetbrains.kotlin.load.java.structure.impl.classFiles.BinaryJavaClass
 import org.jetbrains.kotlin.load.java.typeEnhancement.hasEnhancedNullability
 import org.jetbrains.kotlin.name.FqName
 import org.jetbrains.kotlin.name.NameUtils
@@ -996,7 +997,20 @@ open class KotlinUsesExtractor(
                 )
                 return null
             }
-            return extractFileClass(fqName)
+            val fileClassId = extractFileClass(fqName)
+            // Under K2, external file class members sit directly under IrExternalPackageFragment
+            // rather than under their IrClass parent. In that case the file class entity won't
+            // get a location set through the normal extractClassSource path.
+            if (d is IrMemberWithContainerSource && tw.lm.externalFileClassLocationsExtracted.add(fqName)) {
+                val binaryPath =
+                    getContainerSourceBinaryPath(d.containerSource)
+                        ?.let { normalizeExternalFileClassBinaryPath(it, fqName) }
+                if (binaryPath != null && shouldUseConcreteExternalFileClassLocation(binaryPath)) {
+                    val fileId = tw.mkFileId(binaryPath, true)
+                    tw.writeHasLocation(fileClassId, tw.getWholeFileLocation(fileId))
+                }
+            }
+            return fileClassId
         }
         return useDeclarationParent(parent, canBeTopLevel, classTypeArguments, inReceiverContext)
     }
@@ -1371,8 +1385,13 @@ open class KotlinUsesExtractor(
         parentId: Label<out DbElement>,
         classTypeArgsIncludingOuterClasses: List<IrTypeArgument>?,
         maybeParameterList: List<IrValueParameter>? = null
-    ): String =
-        getFunctionLabel(
+    ): String {
+        val javaCallable = getJavaCallable(f)
+        val addParameterWildcardsByDefault =
+            !getInnermostWildcardSupppressionAnnotation(f) &&
+                !(javaCallable == null && f.origin == IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB)
+
+        return getFunctionLabel(
             f.parent,
             parentId,
             getFunctionShortName(f).nameInDB,
@@ -1382,9 +1401,10 @@ open class KotlinUsesExtractor(
             getFunctionTypeParameters(f),
             classTypeArgsIncludingOuterClasses,
             overridesCollectionsMethodWithAlteredParameterTypes(f),
-            getJavaCallable(f),
-            !getInnermostWildcardSupppressionAnnotation(f)
+            javaCallable,
+            addParameterWildcardsByDefault
         )
+    }
 
     /*
      * This function actually generates the label for a function.
@@ -1471,15 +1491,41 @@ open class KotlinUsesExtractor(
             // Finally, mimic the Java extractor's behaviour by naming functions with type
             // parameters for their erased types;
             // those without type parameters are named for the generic type.
-            val maybeErased =
+            var maybeErased =
                 if (functionTypeParameters.isEmpty()) maybeSubbed else erase(maybeSubbed)
+            // K2 compatibility: under K2, Java @NotNull reference types such as @NotNull Integer
+            // are enhanced to Kotlin primitives (e.g. kotlin.Int). But the Java extractor uses
+            // the original reference type (java.lang.Integer) in callable labels. When we detect
+            // that the original Java parameter type is a reference (classifier) type but the
+            // Kotlin IR type is a primitive, revert to the boxed Java class so both extractors
+            // produce matching callable IDs.
+            if (functionTypeParameters.isEmpty()) {
+                val primitiveInfo = (maybeErased as? IrSimpleType)?.let {
+                    primitiveTypeMapping.getPrimitiveInfo(it)
+                }
+                if (primitiveInfo != null) {
+                    val parentClass = parent as? IrClass
+                    if (parentClass != null) {
+                        val isClassifierType = javaBinaryMethodParamIsClassifierType(
+                            parentClass,
+                            name,
+                            allParamTypes.size,
+                            name == "<init>",
+                            it.index
+                        )
+                        if (isClassifierType == true) {
+                            maybeErased = primitiveInfo.javaClass.symbol.typeWith()
+                        }
+                    }
+                }
+            }
             "{${useType(maybeErased).javaResult.id}}"
         }
         val paramTypeIds =
             allParamTypes
                 .withIndex()
                 .joinToString(separator = ",", transform = getIdForFunctionLabel)
-        val labelReturnType =
+        var labelReturnType =
             if (name == "<init>") pluginContext.irBuiltIns.unitType
             else
                 erase(
@@ -1489,6 +1535,28 @@ open class KotlinUsesExtractor(
                         pluginContext
                     )
                 )
+        // K2 compatibility: same as for parameters, if the Java binary method return type is a
+        // reference type but K2 enhanced it to a Kotlin primitive, use the boxed Java class.
+        if (functionTypeParameters.isEmpty() && name != "<init>") {
+            val primitiveInfo = (labelReturnType as? IrSimpleType)?.let {
+                primitiveTypeMapping.getPrimitiveInfo(it)
+            }
+            if (primitiveInfo != null) {
+                val parentClass = parent as? IrClass
+                if (parentClass != null) {
+                    val returnIsClassifier =
+                        javaBinaryMethodReturnIsClassifierType(
+                            parentClass,
+                            name,
+                            allParamTypes.size,
+                            false
+                        )
+                    if (returnIsClassifier == true) {
+                        labelReturnType = primitiveInfo.javaClass.symbol.typeWith()
+                    }
+                }
+            }
+        }
         // Note that `addJavaLoweringWildcards` is not required here because the return type used to
         // form the function
         // label is always erased.
@@ -1594,9 +1662,23 @@ open class KotlinUsesExtractor(
     }
 
     @OptIn(ObsoleteDescriptorBasedAPI::class)
-    fun getJavaCallable(f: IrFunction) =
-        (f.descriptor.source as? JavaSourceElement)?.javaElement as? JavaMember
+    fun getJavaCallable(f: IrFunction): JavaMember? {
+        val fromDescriptor = (f.descriptor.source as? JavaSourceElement)?.javaElement as? JavaMember
+        if (fromDescriptor != null) return fromDescriptor
 
+        // K2 fallback: under K2, descriptor.source may not carry JavaSourceElement for binary Java
+        // methods. Try to get the JavaMember from the parent class's binary class directly.
+        val parentClass = f.parentClassOrNull ?: return null
+        val binaryJavaClass = (parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass
+            ?: return null
+        val name = getFunctionShortName(f).nameInDB
+        val nParams = f.codeQlValueParameters.size
+        return if (f is IrConstructor) {
+            binaryJavaClass.constructors.find { it.valueParameters.size == nParams }
+        } else {
+            binaryJavaClass.methods.find { it.name.asString() == name && it.valueParameters.size == nParams }
+        }
+    }
     fun getJavaValueParameterType(m: JavaMember, idx: Int) =
         when (m) {
             is JavaMethod -> m.valueParameters[idx].type

java/kotlin-extractor/src/main/kotlin/TrapWriter.kt

@@ -51,6 +51,13 @@ class TrapLabelManager {
      * to avoid duplication.
      */
     val fileClassLocationsExtracted = HashSet<IrFile>()
+
+    /**
+     * Tracks external file classes (by FqName) whose location has been set from a binary path.
+     * Used to avoid writing duplicate hasLocation facts for external file class entities extracted
+     * through the K2 code path where declarations sit directly under IrExternalPackageFragment.
+     */
+    val externalFileClassLocationsExtracted = HashSet<org.jetbrains.kotlin.name.FqName>()
 }
 
 /**

java/kotlin-extractor/src/main/kotlin/utils/ClassNames.kt

@@ -17,6 +17,7 @@ import org.jetbrains.kotlin.load.kotlin.JvmPackagePartSource
 import org.jetbrains.kotlin.load.kotlin.KotlinJvmBinarySourceElement
 import org.jetbrains.kotlin.load.kotlin.VirtualFileKotlinClass
 import org.jetbrains.kotlin.name.FqName
+import org.jetbrains.kotlin.serialization.deserialization.descriptors.DeserializedContainerSource
 
 // Adapted from Kotlin's interpreter/Utils.kt function 'internalName'
 // Translates class names into their JLS section 13.1 binary name,
@@ -176,15 +177,238 @@ fun getIrDeclarationBinaryPath(d: IrDeclaration): String? {
         // This is in a file class.
         val fqName = getFileClassFqName(d)
         if (fqName != null) {
+            if (d is IrMemberWithContainerSource) {
+                val containerBinaryPath = getContainerSourceBinaryPath(d.containerSource)
+                if (containerBinaryPath != null) {
+                    return normalizeExternalFileClassBinaryPath(containerBinaryPath, fqName)
+                }
+            }
             return getUnknownBinaryLocation(fqName.asString())
         }
     }
     return null
 }
 
+/**
+ * Attempts to get the binary file path from a container source (typically a
+ * [JvmPackagePartSource]). Returns null if the path is unavailable.
+ */
+fun getContainerSourceBinaryPath(containerSource: org.jetbrains.kotlin.serialization.deserialization.descriptors.DeserializedContainerSource?): String? {
+    if (containerSource !is JvmPackagePartSource) return null
+    val binaryClass = containerSource.knownJvmBinaryClass ?: return null
+    return when (binaryClass) {
+        is VirtualFileKotlinClass -> {
+            val vf = binaryClass.file
+            val path = vf.path
+            if (vf.fileSystem.protocol == StandardFileSystems.JRT_PROTOCOL)
+                "/${path.split("!/", limit = 2)[1]}"
+            else path
+        }
+        else -> binaryClass.location.takeIf { it.isNotEmpty() }
+    }
+}
+
 private fun getUnknownBinaryLocation(s: String): String {
     return "/!unknown-binary-location/${s.replace(".", "/")}.class"
 }
 
+fun normalizeExternalFileClassBinaryPath(path: String, fqName: FqName): String {
+    if (path.contains(".kotlinc_installed")) {
+        return getUnknownBinaryLocation(fqName.asString())
+    }
+    val normalizedPath = path.replace('\\', '/')
+    val classInternalPath = "${fqName.asString().replace(".", "/")}.class"
+    val classSuffix = "/$classInternalPath"
+    if (normalizedPath.endsWith(classSuffix)) {
+        val classpathRoot = normalizedPath.removeSuffix(classSuffix).substringAfterLast('/')
+        if (classpathRoot.isNotEmpty()) {
+            return "$classpathRoot/$classInternalPath"
+        }
+    }
+    return path
+}
+
+fun shouldUseConcreteExternalFileClassLocation(path: String): Boolean {
+    val normalizedPath = path.replace('\\', '/')
+    return normalizedPath.contains("/") &&
+        !normalizedPath.startsWith("/!unknown-binary-location/")
+}
+
 fun getJavaEquivalentClassId(c: IrClass) =
     c.fqNameWhenAvailable?.toUnsafe()?.let { JavaToKotlinClassMap.mapKotlinToJava(it) }
+
+/**
+ * Checks whether a specific parameter of a Java binary method (identified by [methodName] and
+ * [paramIndex]) is a reference type (as opposed to a Java primitive). This is used to detect
+ * cases where K2 FIR has enhanced a reference type parameter (e.g. `@NotNull Integer`) to a
+ * Kotlin primitive (e.g. `kotlin.Int`), so that callable labels can use the original reference
+ * type and remain compatible with the Java extractor's callable IDs.
+ *
+ * Under K1, binary Java classes use [JavaSourceElement] and we can check [BinaryJavaClass.methods]
+ * directly. Under K2, they use [VirtualFileBasedSourceElement] and we fall back to reading the
+ * class bytes with ASM.
+ *
+ * Returns `null` if the information cannot be determined.
+ */
+fun javaBinaryMethodParamIsClassifierType(
+    parentClass: IrClass,
+    methodName: String,
+    nParams: Int,
+    isConstructor: Boolean,
+    paramIndex: Int
+): Boolean? {
+    // K1 path: binary Java class has JavaSourceElement with a BinaryJavaClass.
+    val k1ParamKinds =
+        ((parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.let {
+            binaryJavaClass ->
+            if (isConstructor)
+                binaryJavaClass.constructors
+                    .asSequence()
+                    .filter { it.valueParameters.size == nParams }
+                    .mapNotNull { it.valueParameters.getOrNull(paramIndex)?.type }
+                    .map { it is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
+                    .toSet()
+            else
+                binaryJavaClass.methods
+                    .asSequence()
+                    .filter { it.name.asString() == methodName && it.valueParameters.size == nParams }
+                    .mapNotNull { it.valueParameters.getOrNull(paramIndex)?.type }
+                    .map { it is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
+                    .toSet()
+        }
+    if (k1ParamKinds != null && k1ParamKinds.isNotEmpty()) {
+        return k1ParamKinds.singleOrNull()
+    }
+
+    // K2 path: binary Java class has VirtualFileBasedSourceElement
+    if (parentClass.source !is VirtualFileBasedSourceElement) return null
+    val vf = (parentClass.source as VirtualFileBasedSourceElement).virtualFile
+    if (!vf.name.endsWith(".class")) return null
+
+    return try {
+        val bytes = vf.contentsToByteArray()
+        val expectedMethodName = if (isConstructor) "<init>" else methodName
+        val descriptorKinds = mutableSetOf<Boolean>()
+        val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
+        reader.accept(
+            object : org.jetbrains.org.objectweb.asm.ClassVisitor(
+                org.jetbrains.org.objectweb.asm.Opcodes.ASM9
+            ) {
+                override fun visitMethod(
+                    access: Int,
+                    name: String,
+                    descriptor: String,
+                    signature: String?,
+                    exceptions: Array<String>?
+                ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
+                    if (name != expectedMethodName) return null
+                    val paramDescriptors = parseAsmMethodDescriptorParams(descriptor)
+                    if (paramDescriptors.size != nParams) return null
+                    val paramDesc = paramDescriptors.getOrNull(paramIndex) ?: return null
+                    // Reference types start with 'L' or '['; Java primitives are single chars
+                    descriptorKinds.add(paramDesc.startsWith("L") || paramDesc.startsWith("["))
+                    return null
+                }
+            },
+            org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
+                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
+                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
+        )
+        descriptorKinds.singleOrNull()
+    } catch (e: Exception) {
+        null
+    }
+}
+
+/**
+ * Checks whether the return type of a Java binary method (identified by [methodName] and
+ * [nParams]) is a reference type (as opposed to a Java primitive).
+ *
+ * Returns `null` if the information cannot be determined.
+ */
+fun javaBinaryMethodReturnIsClassifierType(
+    parentClass: IrClass,
+    methodName: String,
+    nParams: Int,
+    isConstructor: Boolean
+): Boolean? {
+    if (isConstructor) return false
+
+    // K1 path: binary Java class has JavaSourceElement with a BinaryJavaClass.
+    val k1ReturnKinds =
+        ((parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.methods
+            ?.asSequence()
+            ?.filter { it.name.asString() == methodName && it.valueParameters.size == nParams }
+            ?.map { it.returnType is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
+            ?.toSet()
+    if (k1ReturnKinds != null && k1ReturnKinds.isNotEmpty()) {
+        return k1ReturnKinds.singleOrNull()
+    }
+
+    // K2 path: binary Java class has VirtualFileBasedSourceElement
+    if (parentClass.source !is VirtualFileBasedSourceElement) return null
+    val vf = (parentClass.source as VirtualFileBasedSourceElement).virtualFile
+    if (!vf.name.endsWith(".class")) return null
+
+    return try {
+        val bytes = vf.contentsToByteArray()
+        val returnKinds = mutableSetOf<Boolean>()
+        val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
+        reader.accept(
+            object : org.jetbrains.org.objectweb.asm.ClassVisitor(
+                org.jetbrains.org.objectweb.asm.Opcodes.ASM9
+            ) {
+                override fun visitMethod(
+                    access: Int,
+                    name: String,
+                    descriptor: String,
+                    signature: String?,
+                    exceptions: Array<String>?
+                ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
+                    if (name != methodName) return null
+                    if (parseAsmMethodDescriptorParams(descriptor).size != nParams) return null
+                    val returnDescriptor = descriptor.substring(descriptor.lastIndexOf(')') + 1)
+                    returnKinds.add(
+                        returnDescriptor.startsWith("L") || returnDescriptor.startsWith("[")
+                    )
+                    return null
+                }
+            },
+            org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
+                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
+                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
+        )
+        returnKinds.singleOrNull()
+    } catch (e: Exception) {
+        null
+    }
+}
+
+fun parseAsmMethodDescriptorParams(descriptor: String): List<String> {
+    val params = mutableListOf<String>()
+    var i = descriptor.indexOf('(') + 1
+    val end = descriptor.lastIndexOf(')')
+    while (i < end) {
+        when (val c = descriptor[i]) {
+            'L' -> {
+                val semi = descriptor.indexOf(';', i)
+                params.add(descriptor.substring(i, semi + 1))
+                i = semi + 1
+            }
+            '[' -> {
+                var j = i + 1
+                while (j < end && descriptor[j] == '[') j++
+                if (descriptor[j] == 'L') {
+                    val semi = descriptor.indexOf(';', j)
+                    params.add(descriptor.substring(i, semi + 1))
+                    i = semi + 1
+                } else {
+                    params.add(descriptor.substring(i, j + 1))
+                    i = j + 1
+                }
+            }
+            else -> { params.add(c.toString()); i++ }
+        }
+    }
+    return params
+}

java/ql/integration-tests/java/android-8-sample/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-kotlin-build-script-no-wrapper/settings.gradle.kts

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-kotlin-build-script/settings.gradle.kts

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-no-wrapper/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script-no-wrapper/build.gradle.kts

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script/build.gradle.kts

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style-no-wrapper/build.gradle

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style/build.gradle

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 
     /**
@@ -32,13 +34,15 @@ buildscript {
  * dependencies used by all modules in your project, such as third-party plugins
  * or libraries. However, you should configure module-specific dependencies in
  * each module-level build.gradle file. For new projects, Android Studio
- * includes JCenter and Google's Maven repository by default, but it does not
+ * includes Maven Central and Google's Maven repository by default, but it does not
  * configure any dependencies (unless you select a template that requires some).
  */
 
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }

java/ql/integration-tests/java/android-sample/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/buildless-gradle-boms/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected

@@ -1,5 +1,5 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
-https://repo.maven.apache.org/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
-https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
-https://repo.maven.apache.org/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
-https://repo.maven.apache.org/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar

java/ql/integration-tests/java/buildless-gradle-classifiers/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle-classifiers/buildless-fetches.expected

@@ -1,2 +1,2 @@
-https://repo.maven.apache.org/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-gradle-timeout/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-gradle/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle/buildless-fetches.expected

@@ -1 +1 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-proxy-gradle/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {