Add Avro MaD models for testing

actions/ql/lib/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 0.4.36
-
-### Minor Analysis Improvements
-
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
-
 ## 0.4.35
 
 No user-facing changes.

actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md

@@ -1,5 +1,4 @@
-## 0.4.36
-
-### Minor Analysis Improvements
-
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
+---
+category: minorAnalysis
+---
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.36
+lastReleaseVersion: 0.4.35

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.37-dev
+version: 0.4.36-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,17 +1,3 @@
-## 0.6.28
-
-### Query Metadata Changes
-
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
-
-### Minor Analysis Improvements
-
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
-
-### Bug Fixes
-
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
-
 ## 0.6.27
 
 No user-facing changes.

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql

@@ -52,5 +52,4 @@ where
   not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
   not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
 select checkout, checkout, poisonable,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
-  event, event.getName()
+  "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName()

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a privileged context
+ * @name Checkout of untrusted code in privileged context without privileged context use
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.
@@ -42,6 +42,5 @@ where
     not event.getName() = "issue_comment" and
     not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
   )
-select checkout,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
-  event, event.getName()
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
+  event.getName()

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a trusted context
+ * @name Checkout of untrusted code in trusted context
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.

actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.

actions/ql/src/change-notes/2026-04-20-unpinned-tag-composite-actions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-alert.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-helpfile.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-metadata.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.

actions/ql/src/change-notes/released/0.6.28.md

@@ -1,13 +0,0 @@
-## 0.6.28
-
-### Query Metadata Changes
-
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
-
-### Minor Analysis Improvements
-
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
-
-### Bug Fixes
-
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.28
+lastReleaseVersion: 0.6.27

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.29-dev
+version: 0.6.28-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -338,42 +338,42 @@ edges
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
 #select
-| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
-| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
-| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
+| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
+| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected

@@ -1,23 +1,23 @@
-| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment |
+| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |

cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties

@@ -1,6 +0,0 @@
-description: Capture information about one template being generated from another
-compatibility: full
-class_template_generated_from.rel: delete
-function_template_generated_from.rel: delete
-variable_template_generated_from.rel: delete
-alias_template_generated_from.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 10.1.1
-
-### Minor Analysis Improvements
-
-* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
-
 ## 10.1.0
 
 ### New Features

cpp/ql/lib/DefaultOptions.qll

@@ -30,6 +30,8 @@ class Options extends string {
   predicate overrideReturnsNull(Call call) {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
+    or
+    CustomOptions::overrideReturnsNull(call) // old Options.qll
   }
 
   /**
@@ -43,6 +45,8 @@ class Options extends string {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
     nullValue(call.getArgument(0))
+    or
+    CustomOptions::returnsNull(call) // old Options.qll
   }
 
   /**
@@ -61,6 +65,8 @@ class Options extends string {
     f.hasGlobalOrStdName([
         "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
+    or
+    CustomOptions::exits(f) // old Options.qll
   }
 
   /**
@@ -73,7 +79,8 @@ class Options extends string {
    * runtime, the program's behavior is undefined)
    */
   predicate exprExits(Expr e) {
-    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0
+    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
+    CustomOptions::exprExits(e) // old Options.qll
   }
 
   /**
@@ -81,7 +88,10 @@ class Options extends string {
    *
    * By default holds only for `fgets`.
    */
-  predicate alwaysCheckReturnValue(Function f) { f.hasGlobalOrStdName("fgets") }
+  predicate alwaysCheckReturnValue(Function f) {
+    f.hasGlobalOrStdName("fgets") or
+    CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
+  }
 
   /**
    * Holds if it is reasonable to ignore the return value of function
@@ -97,6 +107,8 @@ class Options extends string {
     // common way of sleeping using select:
     fc.getTarget().hasGlobalName("select") and
     fc.getArgument(0).getValue() = "0"
+    or
+    CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll
   }
 }
 

cpp/ql/lib/Options.qll

@@ -98,3 +98,57 @@ class CustomMutexType extends MutexType {
    */
   override predicate unlockAccess(FunctionCall fc, Expr arg) { none() }
 }
+
+/**
+ * DEPRECATED: customize `CustomOptions.overrideReturnsNull` instead.
+ *
+ * This predicate is required to support backwards compatibility for
+ * older `Options.qll` files.  It should not be removed or modified by
+ * end users.
+ */
+predicate overrideReturnsNull(Call call) { none() }
+
+/**
+ * DEPRECATED: customize `CustomOptions.returnsNull` instead.
+ *
+ * This predicate is required to support backwards compatibility for
+ * older `Options.qll` files.  It should not be removed or modified by
+ * end users.
+ */
+predicate returnsNull(Call call) { none() }
+
+/**
+ * DEPRECATED: customize `CustomOptions.exits` instead.
+ *
+ * This predicate is required to support backwards compatibility for
+ * older `Options.qll` files.  It should not be removed or modified by
+ * end users.
+ */
+predicate exits(Function f) { none() }
+
+/**
+ * DEPRECATED: customize `CustomOptions.exprExits` instead.
+ *
+ * This predicate is required to support backwards compatibility for
+ * older `Options.qll` files.  It should not be removed or modified by
+ * end users.
+ */
+predicate exprExits(Expr e) { none() }
+
+/**
+ * DEPRECATED: customize `CustomOptions.alwaysCheckReturnValue` instead.
+ *
+ * This predicate is required to support backwards compatibility for
+ * older `Options.qll` files.  It should not be removed or modified by
+ * end users.
+ */
+predicate alwaysCheckReturnValue(Function f) { none() }
+
+/**
+ * DEPRECATED: customize `CustomOptions.okToIgnoreReturnValue` instead.
+ *
+ * This predicate is required to support backwards compatibility for
+ * older `Options.qll` files.  It should not be removed or modified by
+ * end users.
+ */
+predicate okToIgnoreReturnValue(FunctionCall fc) { none() }

cpp/ql/lib/change-notes/2026-05-15-hasSocketInput-for-fscanf.md

@@ -1,5 +1,4 @@
-## 10.1.1
-
-### Minor Analysis Improvements
-
-* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
+---
+category: minorAnalysis
+---
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.

cpp/ql/lib/change-notes/2026-05-15-secure-scanf.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Added flow source models for `scanf_s` and related functions.
-* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.

cpp/ql/lib/change-notes/2026-05-21-generated-from.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.

cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md

@@ -1,15 +0,0 @@
----
-category: breaking
----
-* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
-* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
-* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
-* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
-* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
-* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
-* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
-* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
-* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
-* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
-* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
-* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.1.1
+lastReleaseVersion: 10.1.0

cpp/ql/lib/cpp.qll

@@ -32,6 +32,7 @@ import semmle.code.cpp.Class
 import semmle.code.cpp.Struct
 import semmle.code.cpp.Union
 import semmle.code.cpp.Enum
+import semmle.code.cpp.Member
 import semmle.code.cpp.Field
 import semmle.code.cpp.Function
 import semmle.code.cpp.MemberFunction

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.1.2-dev
+version: 10.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -856,10 +856,8 @@ class AbstractClass extends Class {
 
 /**
  * A class template (this class also finds partial specializations
- * of class templates).
- *
- * For example in the following code there is a `MyTemplateClass<T>`
- * template:
+ * of class templates).  For example in the following code there is a
+ * `MyTemplateClass<T>` template:
  * ```
  * template<class T>
  * class MyTemplateClass {
@@ -895,29 +893,6 @@ class TemplateClass extends Class {
   }
 
   override string getAPrimaryQlClass() { result = "TemplateClass" }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::C<S>`
-   * in the following code, the result is `MyTemplateClass<T>::C<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   class C {
-   *     ...
-   *   };
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateClass getOriginalTemplate() {
-    class_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -828,27 +828,6 @@ class TemplateFunction extends Function {
    * such things -- see FunctionTemplateSpecialization for further details.
    */
   FunctionTemplateSpecialization getASpecialization() { result.getPrimaryTemplate() = this }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::f<S>`
-   * in the following code, the result is `MyTemplateClass<T>::f<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   S f();
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateFunction getOriginalTemplate() {
-    function_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -148,3 +148,28 @@ class UnknownLocation extends Location {
     this.getFile().getAbsolutePath() = "" and locations_default(this, _, 0, 0, 0, 0)
   }
 }
+
+/**
+ * A dummy location which is used when something doesn't have a location in
+ * the source code but needs to have a `Location` associated with it.
+ *
+ * DEPRECATED: use `UnknownLocation`
+ */
+deprecated class UnknownDefaultLocation extends UnknownLocation { }
+
+/**
+ * A dummy location which is used when an expression doesn't have a
+ * location in the source code but needs to have a `Location` associated
+ * with it.
+ *
+ * DEPRECATED: use `UnknownLocation`
+ */
+deprecated class UnknownExprLocation extends UnknownLocation { }
+
+/**
+ * A dummy location which is used when a statement doesn't have a location
+ * in the source code but needs to have a `Location` associated with it.
+ *
+ * DEPRECATED: use `UnknownLocation`
+ */
+deprecated class UnknownStmtLocation extends UnknownLocation { }

cpp/ql/lib/semmle/code/cpp/Member.qll

@@ -0,0 +1,6 @@
+/**
+ * DEPRECATED: import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly as required.
+ */
+
+import semmle.code.cpp.Element
+import semmle.code.cpp.Type

cpp/ql/lib/semmle/code/cpp/TemplateParameter.qll

@@ -35,6 +35,13 @@ class NonTypeTemplateParameter extends Literal, TemplateParameterImpl {
   override string getAPrimaryQlClass() { result = "NonTypeTemplateParameter" }
 }
 
+/**
+ * A C++ `typename` (or `class`) template parameter.
+ *
+ * DEPRECATED: Use `TypeTemplateParameter` instead.
+ */
+deprecated class TemplateParameter = TypeTemplateParameter;
+
 /**
  * A C++ `typename` (or `class`) template parameter.
  *

cpp/ql/lib/semmle/code/cpp/TypedefType.qll

@@ -130,27 +130,6 @@ class AliasTemplateType extends TypeAliasType {
    * ```
    */
   TypeAliasType getAnInstantiation() { result.isConstructedFrom(this) }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::t<S>`
-   * in the following code, the result is `MyTemplateClass<T>::t<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   using t = S;
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  AliasTemplateType getOriginalTemplate() {
-    alias_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -614,27 +614,6 @@ class TemplateVariable extends Variable {
     result.isConstructedFrom(this) and
     not result.isSpecialization()
   }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::x<S>`
-   * in the following code, the result is `MyTemplateClass<T>::x<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   static S x;
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateVariable getOriginalTemplate() {
-    variable_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -25,15 +25,6 @@ abstract class ScanfFunction extends Function {
    * (rather than a `char*`).
    */
   predicate isWideCharDefault() { exists(this.getName().indexOf("wscanf")) }
-
-  /** Holds if this is one of the `scanf_s` variants. */
-  predicate isSVariant() {
-    exists(string name | name = this.getName() |
-      name.matches("%\\_s")
-      or
-      name.matches("%\\_s\\_l")
-    )
-  }
 }
 
 /**
@@ -43,12 +34,8 @@ class Scanf extends ScanfFunction instanceof TopLevelFunction {
   Scanf() {
     this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
     this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
-    this.hasGlobalOrStdOrBslName("scanf_s") or // scanf_s(format, args...)
-    this.hasGlobalOrStdOrBslName("wscanf_s") or // wscanf_s(format, args...)
     this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_l") or // _wscanf_l(format, locale, args...)
-    this.hasGlobalName("_scanf_s_l") or // _scanf_s_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_s_l") // _wscanf_s_l(format, locale, args...)
+    this.hasGlobalName("_wscanf_l")
   }
 
   override int getInputParameterIndex() { none() }
@@ -63,12 +50,8 @@ class Fscanf extends ScanfFunction instanceof TopLevelFunction {
   Fscanf() {
     this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
     this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
-    this.hasGlobalOrStdOrBslName("fscanf_s") or // fscanf_s(src_stream, format, args...)
-    this.hasGlobalOrStdOrBslName("fwscanf_s") or // fwscanf_s(src_stream, format, args...)
     this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_l") or // _fwscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fscanf_s_l") or // _fscanf_s_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_s_l") // _fwscanf_s_l(src_stream, format, locale, args...)
+    this.hasGlobalName("_fwscanf_l")
   }
 
   override int getInputParameterIndex() { result = 0 }
@@ -83,12 +66,8 @@ class Sscanf extends ScanfFunction instanceof TopLevelFunction {
   Sscanf() {
     this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
     this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
-    this.hasGlobalOrStdOrBslName("sscanf_s") or // sscanf_s(src, format, args...)
-    this.hasGlobalOrStdOrBslName("swscanf_s") or // swscanf_s(src, format, args...)
     this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_l") or // _swscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_sscanf_s_l") or // _sscanf_s_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_s_l") // _swscanf_s_l(src, format, locale, args...)
+    this.hasGlobalName("_swscanf_l")
   }
 
   override int getInputParameterIndex() { result = 0 }
@@ -118,14 +97,6 @@ class Snscanf extends ScanfFunction instanceof TopLevelFunction {
   int getInputLengthParameterIndex() { result = 1 }
 }
 
-private predicate isCharLike(Type t) { t instanceof CharType or t instanceof Wchar_t }
-
-private predicate isStringLike(Type t) {
-  isCharLike(t.(PointerType).getBaseType())
-  or
-  isCharLike(t.(ArrayType).getBaseType())
-}
-
 /**
  * A call to one of the `scanf` functions.
  */
@@ -159,40 +130,14 @@ class ScanfFunctionCall extends FunctionCall {
    */
   predicate isWideCharDefault() { this.getScanfFunction().isWideCharDefault() }
 
-  bindingset[this, k]
-  pragma[inline_late]
-  private predicate isSizeArgument(int k) {
-    // The first vararg is never the size argument since a size argument must
-    // always follow a string buffer argument.
-    k > 0 and
-    isStringLike(this.getArgument(this.getScanfFunction().getNumberOfParameters() + k - 1)
-          .getUnspecifiedType())
-  }
-
   /**
    * Gets the output argument at position `n` in the vararg list of this call.
    *
    * The range of `n` is from `0` to `this.getNumberOfOutputArguments() - 1`.
    */
   Expr getOutputArgument(int n) {
-    exists(ScanfFunction target | target = this.getScanfFunction() |
-      // If this is an S variant then every string buffer argument has a
-      // corresponding size argument immediately following it, so we need to
-      // skip over those size arguments when counting the output arguments.
-      if target.isSVariant()
-      then
-        result =
-          rank[n + 1](Expr arg, int k |
-            k >= 0 and
-            arg = this.getArgument(target.getNumberOfParameters() + k) and
-            not this.isSizeArgument(k)
-          |
-            arg order by k
-          )
-      else (
-        n >= 0 and result = this.getArgument(target.getNumberOfParameters() + n)
-      )
-    )
+    result = this.getArgument(this.getTarget().getNumberOfParameters() + n) and
+    n >= 0
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll

@@ -1,5 +1,59 @@
 import semmle.code.cpp.Type
 
+/** For upgraded databases without mangled name info. */
+pragma[noinline]
+private string getTopLevelClassName(@usertype c) {
+  not mangled_name(_, _, _) and
+  isClass(c) and
+  usertypes(c, result, _) and
+  not namespacembrs(_, c) and // not in a namespace
+  not member(_, _, c) and // not in some structure
+  not class_instantiation(c, _) // not a template instantiation
+}
+
+/**
+ * For upgraded databases without mangled name info.
+ * Holds if `d` is a unique complete class named `name`.
+ */
+pragma[noinline]
+private predicate existsCompleteWithName(string name, @usertype d) {
+  not mangled_name(_, _, _) and
+  is_complete(d) and
+  name = getTopLevelClassName(d) and
+  onlyOneCompleteClassExistsWithName(name)
+}
+
+/** For upgraded databases without mangled name info. */
+pragma[noinline]
+private predicate onlyOneCompleteClassExistsWithName(string name) {
+  not mangled_name(_, _, _) and
+  strictcount(@usertype c | is_complete(c) and getTopLevelClassName(c) = name) = 1
+}
+
+/**
+ * For upgraded databases without mangled name info.
+ * Holds if `c` is an incomplete class named `name`.
+ */
+pragma[noinline]
+private predicate existsIncompleteWithName(string name, @usertype c) {
+  not mangled_name(_, _, _) and
+  not is_complete(c) and
+  name = getTopLevelClassName(c)
+}
+
+/**
+ * For upgraded databases without mangled name info.
+ * Holds if `c` is an incomplete class, and there exists a unique complete class `d`
+ * with the same name.
+ */
+private predicate oldHasCompleteTwin(@usertype c, @usertype d) {
+  not mangled_name(_, _, _) and
+  exists(string name |
+    existsIncompleteWithName(name, c) and
+    existsCompleteWithName(name, d)
+  )
+}
+
 pragma[noinline]
 private @mangledname getClassMangledName(@usertype c) {
   isClass(c) and
@@ -49,7 +103,10 @@ private module Cached {
   @usertype resolveClass(@usertype c) {
     hasCompleteTwin(c, result)
     or
+    oldHasCompleteTwin(c, result)
+    or
     not hasCompleteTwin(c, _) and
+    not oldHasCompleteTwin(c, _) and
     result = c
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll

@@ -30,10 +30,7 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
     (
       if exists(this.getLengthParameterIndex())
       then result = this.getLengthParameterIndex() + 2
-      else
-        if exists(this.(ScanfFunction).getInputParameterIndex())
-        then result = 2
-        else result = 1
+      else result = 2
     )
   }
 
@@ -72,24 +69,13 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
   }
 }
 
-private predicate hasFlowSource(
-  ScanfFunction func, ScanfFunctionCall call, FunctionOutput output, string description
-) {
-  exists(int n, Expr arg |
-    call.getScanfFunction() = func and
-    call.getOutputArgument(_) = arg and
-    call.getArgument(n) = arg and
-    output.isParameterDeref(n) and
-    description = "value read by " + func.getName()
-  )
-}
-
 /**
  * The standard function `scanf` and its assorted variants
  */
 private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
-  override predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
-    hasFlowSource(this, call, output, description)
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "value read by " + this.getName()
   }
 }
 
@@ -97,8 +83,9 @@ private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction ins
  * The standard function `fscanf` and its assorted variants
  */
 private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
-  override predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
-    hasFlowSource(this, call, output, description)
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "value read by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) {

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -18,17 +18,7 @@ abstract class RemoteFlowSourceFunction extends Function {
   /**
    * Holds if remote data described by `description` flows from `output` of a call to this function.
    */
-  predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    this.hasRemoteFlowSource(_, output, description)
-  }
-
-  /**
-   * Holds if remote data described by `description` flows from `output` of `call` to this function.
-   */
-  predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
-    call.getTarget() = this and
-    this.hasRemoteFlowSource(output, description)
-  }
+  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
 
   /**
    * Holds if remote data from this source comes from a socket or stream
@@ -45,17 +35,7 @@ abstract class LocalFlowSourceFunction extends Function {
   /**
    * Holds if data described by `description` flows from `output` of a call to this function.
    */
-  predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    this.hasLocalFlowSource(_, output, description)
-  }
-
-  /**
-   * Holds if data described by `description` flows from `output` of `call` to this function.
-   */
-  predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
-    call.getTarget() = this and
-    this.hasLocalFlowSource(output, description)
-  }
+  abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
 }
 
 /** A library function that sends data over a network connection. */

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -28,7 +28,8 @@ private class RemoteModelSource extends RemoteFlowSource {
 
   RemoteModelSource() {
     exists(CallInstruction call, RemoteFlowSourceFunction func, FunctionOutput output |
-      func.hasRemoteFlowSource(call.getConvertedResultExpression(), output, sourceType) and
+      call.getStaticCallTarget() = func and
+      func.hasRemoteFlowSource(output, sourceType) and
       this = callOutput(call, output)
     )
   }
@@ -45,7 +46,7 @@ private class LocalModelSource extends LocalFlowSource {
   LocalModelSource() {
     exists(CallInstruction call, LocalFlowSourceFunction func, FunctionOutput output |
       call.getStaticCallTarget() = func and
-      func.hasLocalFlowSource(call.getConvertedResultExpression(), output, sourceType) and
+      func.hasLocalFlowSource(output, sourceType) and
       this = callOutput(call, output)
     )
   }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -912,10 +912,6 @@ class_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
-class_template_generated_from(
-    unique int template: @usertype ref,
-    int from: @usertype ref
-)
 
 @user_or_decltype = @usertype | @decltype;
 
@@ -947,10 +943,6 @@ function_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
-function_template_generated_from(
-    unique int template: @function ref,
-    int from: @function ref
-);
 
 is_variable_template(unique int id: @variable ref);
 variable_instantiation(
@@ -967,10 +959,6 @@ variable_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
-variable_template_generated_from(
-    unique int template: @variable ref,
-    int from: @variable ref
-);
 
 is_alias_template(unique int id: @usertype ref);
 alias_instantiation(
@@ -978,19 +966,15 @@ alias_instantiation(
     int from: @usertype ref
 );
 alias_template_argument(
-    int type_id: @usertype ref,
+    int variable_id: @usertype ref,
     int index: int ref,
     int arg_type: @type ref
 );
 alias_template_argument_value(
-    int type_id: @usertype ref,
+    int variable_id: @usertype ref,
     int index: int ref,
     int arg_value: @expr ref
 );
-alias_template_generated_from(
-    unique int template: @usertype ref,
-    int from: @usertype ref
-);
 
 template_template_instantiation(
     int to: @usertype ref,

cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/upgrade.properties

@@ -1,2 +0,0 @@
-description: Capture information about one template being generated from another
-compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 1.6.3
-
-### Minor Analysis Improvements
-
-* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
-
 ## 1.6.2
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -44,7 +44,10 @@ class ExternalApiDataNode extends DataFlow::Node {
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    any(RemoteFlowSourceFunction remoteFlow).hasRemoteFlowSource(source.asExpr(), _, _)
+    exists(RemoteFlowSourceFunction remoteFlow |
+      remoteFlow = source.asExpr().(Call).getTarget() and
+      remoteFlow.hasRemoteFlowSource(_, _)
+    )
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -94,8 +94,9 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
   }
 
   override Expr getDataExpr(Call call) {
+    call.getTarget() = this and
     exists(FunctionOutput output, int arg |
-      super.hasRemoteFlowSource(call, output, _) and
+      super.hasRemoteFlowSource(output, _) and
       output.isParameterDeref(arg) and
       result = call.getArgument(arg)
     )

cpp/ql/src/change-notes/2026-05-15-cleartext-transmission-fp.md

@@ -1,5 +1,4 @@
-## 1.6.3
-
-### Minor Analysis Improvements
-
-* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
+---
+category: minorAnalysis
+---
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.2

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.4-dev
+version: 1.6.3-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp

@@ -131,112 +131,3 @@ void test_strsafe_gets() {
 		StringCchGetsExA(dest, sizeof(dest), &end, &remaining, 0); // $ local_source
 	}
 }
-
-int scanf_s(const char *format, ...);
-int fscanf_s(FILE *stream, const char *format, ...);
-
-void test_scanf_s(FILE *stream) {
-  {
-  int n1, n2;
-  scanf_s(
-    "%d %d",
-    &n1, // $ local_source
-    &n2); // $ local_source
-  }
-
-  {
-  int n;
-  fscanf_s(stream, "%d", &n); // $ remote_source
-  }
-
-  {
-  int n1, n2;
-  char buf[256];
-  scanf_s("%d %s %d",
-    &n1, // $ local_source
-    buf, // $ local_source
-    256,
-    &n2); // $ local_source
-  }
-
-  {
-  int n1, n2;
-  char buf[256];
-  fscanf_s(stream, "%d %s %d",
-    &n1, // $ remote_source
-    buf, // $ remote_source
-    256,
-    &n2); // $ remote_source
-  }
-}
-
-typedef void *locale_t;
-
-int wscanf_s(const wchar_t *format, ...);
-int _scanf_s_l(const char *format, locale_t locale, ...);
-int _wscanf_s_l(const wchar_t *format, locale_t locale, ...);
-int fwscanf_s(FILE *stream, const wchar_t *format, ...);
-int _fscanf_s_l(FILE *stream, const char *format, locale_t locale, ...);
-int _fwscanf_s_l(FILE *stream, const wchar_t *format, locale_t locale, ...);
-
-void test_additional_scanf_s_variants(FILE *stream, locale_t locale) {
-  {
-  int n1, n2;
-  wchar_t buf[256];
-  wscanf_s(L"%d %s %d",
-    &n1, // $ local_source
-    buf, // $ local_source
-    256,
-    &n2); // $ local_source
-  }
-
-  {
-  int n1, n2;
-  char buf[256];
-  _scanf_s_l("%d %s %d", locale,
-    &n1, // $ local_source
-    buf, // $ local_source
-    256,
-    &n2); // $ local_source
-  }
-
-  {
-  int n1, n2;
-  wchar_t buf[256];
-  _wscanf_s_l(L"%d %s %d", locale,
-    &n1, // $ local_source
-    buf, // $ local_source
-    256,
-    &n2); // $ local_source
-  }
-
-  {
-  int n1, n2;
-  wchar_t buf[256];
-  fwscanf_s(stream, L"%d %s %d",
-    &n1, // $ remote_source
-    buf, // $ remote_source
-    256,
-    &n2); // $ remote_source
-  }
-
-  {
-  int n1, n2;
-  char buf[256];
-  _fscanf_s_l(stream, "%d %s %d", locale,
-    &n1, // $ remote_source
-    buf, // $ remote_source
-    256,
-    &n2); // $ remote_source
-  }
-
-  {
-  int n1, n2;
-  wchar_t buf[256];
-  _fwscanf_s_l(stream, L"%d %s %d", locale,
-    &n1, // $ remote_source
-    buf, // $ remote_source
-    256,
-    &n2); // $ remote_source
-  }
-}

cpp/ql/test/library-tests/friends/loop/friends.expected

@@ -1,14 +1,14 @@
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:29 | E<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:29 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:29 | F<D> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |

cpp/ql/test/library-tests/scanf/scanfFormatLiteral.expected

@@ -1,8 +1,5 @@
-| test.c:19:2:19:6 | call to scanf | 0 | s | 0 | 0 |
-| test.c:20:2:20:7 | call to fscanf | 0 | s | 10 | 10 |
-| test.c:20:2:20:7 | call to fscanf | 1 | i | 0 | 0 |
-| test.c:21:2:21:7 | call to sscanf | 0 | s | 0 | 0 |
-| test.c:22:2:22:8 | call to swscanf | 0 | s | 10 | 10 |
-| test.c:23:2:23:8 | call to scanf_s | 0 | d | 0 | 0 |
-| test.c:23:2:23:8 | call to scanf_s | 1 | s | 0 | 0 |
-| test.c:23:2:23:8 | call to scanf_s | 2 | d | 0 | 0 |
+| test.c:18:2:18:6 | call to scanf | 0 | s | 0 | 0 |
+| test.c:19:2:19:7 | call to fscanf | 0 | s | 10 | 10 |
+| test.c:19:2:19:7 | call to fscanf | 1 | i | 0 | 0 |
+| test.c:20:2:20:7 | call to sscanf | 0 | s | 0 | 0 |
+| test.c:21:2:21:8 | call to swscanf | 0 | s | 10 | 10 |

cpp/ql/test/library-tests/scanf/scanfFunctionCall.expected

@@ -1,6 +1,5 @@
 | ms.cpp:17:3:17:8 | call to sscanf | 0 | 1 | ms.cpp:17:24:17:30 | %I64i | non-wide |
-| test.c:19:2:19:6 | call to scanf | 0 | 0 | test.c:19:8:19:11 | %s | non-wide |
-| test.c:20:2:20:7 | call to fscanf | 0 | 1 | test.c:20:15:20:23 | %10s %i | non-wide |
-| test.c:21:2:21:7 | call to sscanf | 0 | 1 | test.c:21:19:21:28 | %*i%s%*s | non-wide |
-| test.c:22:2:22:8 | call to swscanf | 0 | 1 | test.c:22:21:22:26 | %10s | wide |
-| test.c:23:2:23:8 | call to scanf_s | 0 | 0 | test.c:23:10:23:19 | %d %s %d | non-wide |
+| test.c:18:2:18:6 | call to scanf | 0 | 0 | test.c:18:8:18:11 | %s | non-wide |
+| test.c:19:2:19:7 | call to fscanf | 0 | 1 | test.c:19:15:19:23 | %10s %i | non-wide |
+| test.c:20:2:20:7 | call to sscanf | 0 | 1 | test.c:20:19:20:28 | %*i%s%*s | non-wide |
+| test.c:21:2:21:8 | call to swscanf | 0 | 1 | test.c:21:21:21:26 | %10s | wide |

cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.expected

@@ -1,9 +0,0 @@
-| ms.cpp:17:3:17:8 | call to sscanf | ms.cpp:17:33:17:36 | & ... | 0 |
-| test.c:19:2:19:6 | call to scanf | test.c:19:14:19:19 | buffer | 0 |
-| test.c:20:2:20:7 | call to fscanf | test.c:20:26:20:31 | buffer | 0 |
-| test.c:20:2:20:7 | call to fscanf | test.c:20:34:20:34 | i | 1 |
-| test.c:21:2:21:7 | call to sscanf | test.c:21:31:21:36 | buffer | 0 |
-| test.c:22:2:22:8 | call to swscanf | test.c:22:29:22:35 | wbuffer | 0 |
-| test.c:23:2:23:8 | call to scanf_s | test.c:23:22:23:23 | & ... | 0 |
-| test.c:23:2:23:8 | call to scanf_s | test.c:23:26:23:31 | buffer | 1 |
-| test.c:23:2:23:8 | call to scanf_s | test.c:23:38:23:40 | & ... | 2 |

cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.ql

@@ -1,5 +0,0 @@
-import semmle.code.cpp.commons.Scanf
-
-from ScanfFunctionCall sfc, Expr e, int n
-where e = sfc.getOutputArgument(n)
-select sfc, e, n

cpp/ql/test/library-tests/scanf/test.c

@@ -7,20 +7,18 @@ int scanf(const char *format, ...);
 int fscanf(FILE *stream, const char *format, ...);
 int sscanf(const char *s, const char *format, ...);
 int swscanf(const wchar_t* ws, const wchar_t* format, ...);
-int scanf_s(const char *format, ...);
 
 int main(int argc, char *argv[])
 {
 	char buffer[256];
 	wchar_t wbuffer[256];
 	FILE *file;
-	int i, i2;
+	int i;
 
 	scanf("%s", buffer);
 	fscanf(file, "%10s %i", buffer, i);
 	sscanf("Hello.", "%*i%s%*s", buffer);
 	swscanf(L"Hello.", "%10s", wbuffer);
-	scanf_s("%d %s %d", &i, buffer, 10, &i2);
 
 	return 0;
 }

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -664,7 +664,7 @@ namespace Semmle.Extraction.CSharp
                 // Find the (possibly unbound) original extension method that maps to this implementation (if any).
                 var unboundDeclaration = extensions.SelectMany(e => e.GetMembers())
                     .OfType<IMethodSymbol>()
-                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation?.ConstructedFrom, method.ConstructedFrom));
+                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation, method.ConstructedFrom));
 
                 var isFullyConstructed = method.IsBoundGenericMethod();
                 if (isFullyConstructed && unboundDeclaration?.ContainingType is INamedTypeSymbol extensionType)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -69,7 +69,6 @@ namespace Semmle.Extraction.CSharp.Entities
             }
 
             Overrides(trapFile);
-            ExtractRefReturn(trapFile, Symbol, this);
 
             if (Symbol.FromSource() && !HasBody)
             {

csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs

@@ -32,13 +32,9 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             var assembly = Assembly.CreateOutputAssembly(Context);
 
-            var path = Context.ExtractionContext.PathTransformer.Transform(cwd);
-            trapFile.compilations(this, path.Value);
+            trapFile.compilations(this, FileUtils.ConvertToUnix(cwd));
             trapFile.compilation_assembly(this, assembly);
 
-            // Ensure that a `Folder` entity exists
-            Folder.Create(Context, path);
-
             // Arguments
             var expandedIndex = 0;
             for (var i = 0; i < args.Length; i++)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs

@@ -58,10 +58,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return Invocation.Create(info);
 
                     case SyntaxKind.PostIncrementExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_INCR));
+                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_INCR), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
 
                     case SyntaxKind.PostDecrementExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_DECR));
+                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_DECR), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
 
                     case SyntaxKind.AwaitExpression:
                         return Await.Create(info);
@@ -109,10 +109,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return MemberAccess.Create(info, (MemberAccessExpressionSyntax)info.Node);
 
                     case SyntaxKind.UnaryMinusExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.MINUS));
+                        return Unary.Create(info.SetKind(ExprKind.MINUS));
 
                     case SyntaxKind.UnaryPlusExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.PLUS));
+                        return Unary.Create(info.SetKind(ExprKind.PLUS));
 
                     case SyntaxKind.SimpleLambdaExpression:
                         return Lambda.Create(info, (SimpleLambdaExpressionSyntax)info.Node);
@@ -146,16 +146,16 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return Name.Create(info);
 
                     case SyntaxKind.LogicalNotExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.LOG_NOT));
+                        return Unary.Create(info.SetKind(ExprKind.LOG_NOT));
 
                     case SyntaxKind.BitwiseNotExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.BIT_NOT));
+                        return Unary.Create(info.SetKind(ExprKind.BIT_NOT));
 
                     case SyntaxKind.PreIncrementExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.PRE_INCR));
+                        return Unary.Create(info.SetKind(ExprKind.PRE_INCR));
 
                     case SyntaxKind.PreDecrementExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.PRE_DECR));
+                        return Unary.Create(info.SetKind(ExprKind.PRE_DECR));
 
                     case SyntaxKind.ThisExpression:
                         return This.CreateExplicit(info);
@@ -164,10 +164,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return PropertyFieldAccess.Create(info);
 
                     case SyntaxKind.AddressOfExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.ADDRESS_OF));
+                        return Unary.Create(info.SetKind(ExprKind.ADDRESS_OF));
 
                     case SyntaxKind.PointerIndirectionExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.POINTER_INDIRECTION));
+                        return Unary.Create(info.SetKind(ExprKind.POINTER_INDIRECTION));
 
                     case SyntaxKind.DefaultExpression:
                         return Default.Create(info);
@@ -248,13 +248,13 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return RangeExpression.Create(info);
 
                     case SyntaxKind.IndexExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.INDEX));
+                        return Unary.Create(info.SetKind(ExprKind.INDEX));
 
                     case SyntaxKind.SwitchExpression:
                         return Switch.Create(info);
 
                     case SyntaxKind.SuppressNullableWarningExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.SUPPRESS_NULLABLE_WARNING));
+                        return PostfixUnary.Create(info.SetKind(ExprKind.SUPPRESS_NULLABLE_WARNING), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
 
                     case SyntaxKind.WithExpression:
                         return WithExpression.Create(info);

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PostfixUnary.cs

@@ -4,30 +4,29 @@ using Semmle.Extraction.Kinds;
 
 namespace Semmle.Extraction.CSharp.Entities.Expressions
 {
-    internal class PostfixUnary : Expression<PostfixUnaryExpressionSyntax>
+    internal class PostfixUnary : Expression<ExpressionSyntax>
     {
-        private PostfixUnary(ExpressionNodeInfo info, ExprKind kind)
+        private PostfixUnary(ExpressionNodeInfo info, ExprKind kind, ExpressionSyntax operand)
             : base(info.SetKind(UnaryOperatorKind(info.Context, kind, info.Node)))
         {
+            this.operand = operand;
             operatorKind = kind;
         }
 
+        private readonly ExpressionSyntax operand;
         private readonly ExprKind operatorKind;
 
-        public static Expression Create(ExpressionNodeInfo info) => new PostfixUnary(info, info.Kind).TryPopulate();
+        public static Expression Create(ExpressionNodeInfo info, ExpressionSyntax operand) => new PostfixUnary(info, info.Kind, operand).TryPopulate();
 
         protected override void PopulateExpression(TextWriter trapFile)
         {
-            Create(Context, Syntax.Operand, this, 0);
+            Create(Context, operand, this, 0);
 
-            if (Kind == ExprKind.OPERATOR_INVOCATION)
+            if ((operatorKind == ExprKind.POST_INCR || operatorKind == ExprKind.POST_DECR) &&
+                Kind == ExprKind.OPERATOR_INVOCATION)
             {
                 AddOperatorCall(trapFile, Syntax);
-
-                if (operatorKind == ExprKind.POST_INCR || operatorKind == ExprKind.POST_DECR)
-                {
-                    trapFile.mutator_invocation_mode(this, 2);
-                }
+                trapFile.mutator_invocation_mode(this, 2);
             }
         }
     }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PrefixUnary.cs

@@ -1,34 +0,0 @@
-using System.IO;
-using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Extraction.Kinds;
-
-namespace Semmle.Extraction.CSharp.Entities.Expressions
-{
-    internal class PrefixUnary : Expression<PrefixUnaryExpressionSyntax>
-    {
-        private PrefixUnary(ExpressionNodeInfo info, ExprKind kind)
-            : base(info.SetKind(UnaryOperatorKind(info.Context, info.Kind, info.Node)))
-        {
-            operatorKind = kind;
-        }
-
-        private readonly ExprKind operatorKind;
-
-        public static Expression Create(ExpressionNodeInfo info) => new PrefixUnary(info, info.Kind).TryPopulate();
-
-        protected override void PopulateExpression(TextWriter trapFile)
-        {
-            Create(Context, Syntax.Operand, this, 0);
-
-            if (Kind == ExprKind.OPERATOR_INVOCATION)
-            {
-                AddOperatorCall(trapFile, Syntax);
-
-                if (operatorKind == ExprKind.PRE_INCR || operatorKind == ExprKind.PRE_DECR)
-                {
-                    trapFile.mutator_invocation_mode(this, 1);
-                }
-            }
-        }
-    }
-}

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unary.cs

@@ -0,0 +1,36 @@
+using System.IO;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Extraction.Kinds;
+
+namespace Semmle.Extraction.CSharp.Entities.Expressions
+{
+    internal class Unary : Expression<PrefixUnaryExpressionSyntax>
+    {
+        private Unary(ExpressionNodeInfo info, ExprKind kind)
+            : base(info.SetKind(UnaryOperatorKind(info.Context, info.Kind, info.Node)))
+        {
+            operatorKind = kind;
+        }
+
+        private readonly ExprKind operatorKind;
+
+        public static Unary Create(ExpressionNodeInfo info)
+        {
+            var ret = new Unary(info, info.Kind);
+            ret.TryPopulate();
+            return ret;
+        }
+
+        protected override void PopulateExpression(TextWriter trapFile)
+        {
+            Create(Context, Syntax.Operand, this, 0);
+            AddOperatorCall(trapFile, Syntax);
+
+            if ((operatorKind == ExprKind.PRE_INCR || operatorKind == ExprKind.PRE_DECR) &&
+                Kind == ExprKind.OPERATOR_INVOCATION)
+            {
+                trapFile.mutator_invocation_mode(this, 1);
+            }
+        }
+    }
+}

csharp/paket.dependencies

@@ -4,7 +4,7 @@ source https://api.nuget.org/v3/index.json
 # behave like nuget in choosing transitive dependency versions
 strategy: max
 
-nuget Basic.CompilerLog.Util 0.9.39
+nuget Basic.CompilerLog.Util 0.9.25
 nuget Mono.Posix.NETStandard
 nuget Newtonsoft.Json
 nuget NuGet.Versioning
@@ -12,7 +12,7 @@ nuget xunit
 nuget xunit.runner.visualstudio
 nuget xunit.runner.utility
 nuget Microsoft.NET.Test.Sdk
-nuget Microsoft.CodeAnalysis.CSharp 5.3.0
-nuget Microsoft.CodeAnalysis 5.3.0
-nuget Microsoft.Build 18.6.3
+nuget Microsoft.CodeAnalysis.CSharp 5.0.0
+nuget Microsoft.CodeAnalysis 5.0.0
+nuget Microsoft.Build 18.0.2
 nuget Microsoft.VisualStudio.SolutionPersistence

csharp/paket.lock

@@ -3,42 +3,45 @@ STRATEGY: MAX
 RESTRICTION: == net10.0
 NUGET
   remote: https://api.nuget.org/v3/index.json
-    Basic.CompilerLog.Util (0.9.39)
+    Basic.CompilerLog.Util (0.9.25)
       MessagePack (>= 3.1.4)
-      Microsoft.Bcl.Memory (>= 10.0.7)
+      Microsoft.Bcl.Memory (>= 9.0.10)
       Microsoft.CodeAnalysis (>= 4.8)
       Microsoft.CodeAnalysis.CSharp (>= 4.8)
       Microsoft.CodeAnalysis.VisualBasic (>= 4.8)
-      Microsoft.Extensions.ObjectPool (>= 10.0.7)
-      MSBuild.StructuredLogger (>= 2.3.178)
+      Microsoft.Extensions.ObjectPool (>= 9.0.10)
+      MSBuild.StructuredLogger (>= 2.3.71)
+      NaturalSort.Extension (>= 4.4)
+      NuGet.Versioning (>= 6.14)
     Humanizer.Core (3.0.10)
-    MessagePack (3.1.6)
-      MessagePack.Annotations (>= 3.1.6)
-      MessagePackAnalyzer (>= 3.1.6)
+    MessagePack (3.1.4)
+      MessagePack.Annotations (>= 3.1.4)
+      MessagePackAnalyzer (>= 3.1.4)
       Microsoft.NET.StringTools (>= 17.11.4)
-    MessagePack.Annotations (3.1.6)
-    MessagePackAnalyzer (3.1.6)
+    MessagePack.Annotations (3.1.4)
+    MessagePackAnalyzer (3.1.4)
     Microsoft.Bcl.AsyncInterfaces (10.0.8)
     Microsoft.Bcl.Memory (10.0.8)
-    Microsoft.Build (18.6.3)
-      Microsoft.Build.Framework (>= 18.6.3)
-      System.Configuration.ConfigurationManager (>= 10.0.3)
-      System.Diagnostics.EventLog (>= 10.0.3)
-      System.Reflection.MetadataLoadContext (>= 10.0.3)
-      System.Security.Cryptography.ProtectedData (>= 10.0.3)
-    Microsoft.Build.Framework (18.6.3)
-      Microsoft.NET.StringTools (>= 18.6.3)
-    Microsoft.Build.Utilities.Core (18.6.3)
-      Microsoft.Build.Framework (>= 18.6.3)
-      System.Configuration.ConfigurationManager (>= 10.0.3)
-      System.Diagnostics.EventLog (>= 10.0.3)
-      System.Security.Cryptography.ProtectedData (>= 10.0.3)
-    Microsoft.CodeAnalysis (5.3)
+    Microsoft.Build (18.0.2)
+      Microsoft.Build.Framework (>= 18.0.2)
+      Microsoft.NET.StringTools (>= 18.0.2)
+      System.Configuration.ConfigurationManager (>= 9.0)
+      System.Diagnostics.EventLog (>= 9.0)
+      System.Reflection.MetadataLoadContext (>= 9.0)
+      System.Security.Cryptography.ProtectedData (>= 9.0.6)
+    Microsoft.Build.Framework (18.4)
+    Microsoft.Build.Utilities.Core (18.4)
+      Microsoft.Build.Framework (>= 18.4)
+      Microsoft.NET.StringTools (>= 18.4)
+      System.Configuration.ConfigurationManager (>= 10.0.1)
+      System.Diagnostics.EventLog (>= 10.0.1)
+      System.Security.Cryptography.ProtectedData (>= 10.0.1)
+    Microsoft.CodeAnalysis (5.0)
       Humanizer.Core (>= 2.14.1)
       Microsoft.Bcl.AsyncInterfaces (>= 9.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
-      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
+      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
       System.Buffers (>= 4.6)
       System.Collections.Immutable (>= 9.0)
       System.Composition (>= 9.0)
@@ -51,36 +54,36 @@ NUGET
       System.Threading.Channels (>= 8.0)
       System.Threading.Tasks.Extensions (>= 4.6)
     Microsoft.CodeAnalysis.Analyzers (5.3)
-    Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-    Microsoft.CodeAnalysis.CSharp (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.3)
-    Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
+    Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+    Microsoft.CodeAnalysis.CSharp (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Common (5.0)
+    Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.CSharp (5.3)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.CSharp (5.0)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.VisualBasic (5.3)
-      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.3)
-    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
+    Microsoft.CodeAnalysis.VisualBasic (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Common (5.0)
+    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.3)
-      Microsoft.CodeAnalysis.VisualBasic (5.3)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.VisualBasic (5.0)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.Workspaces.Common (5.3)
+    Microsoft.CodeAnalysis.Workspaces.Common (5.0)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
-      Microsoft.CodeAnalysis.Common (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
+      Microsoft.CodeAnalysis.Common (5.0)
       System.Composition (>= 9.0)
     Microsoft.CodeCoverage (18.5.1)
     Microsoft.Extensions.ObjectPool (10.0.8)
-    Microsoft.NET.StringTools (18.6.3)
+    Microsoft.NET.StringTools (18.4)
     Microsoft.NET.Test.Sdk (18.5.1)
       Microsoft.CodeCoverage (>= 18.5.1)
       Microsoft.TestPlatform.TestHost (>= 18.5.1)
@@ -94,6 +97,7 @@ NUGET
     MSBuild.StructuredLogger (2.3.204)
       Microsoft.Build.Framework (>= 17.5)
       Microsoft.Build.Utilities.Core (>= 17.5)
+    NaturalSort.Extension (4.4.1)
     Newtonsoft.Json (13.0.4)
     NuGet.Versioning (7.6)
     System.Buffers (4.6.1)

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.67
-
-No user-facing changes.
-
 ## 1.7.66
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.67.md

@@ -1,3 +0,0 @@
-## 1.7.67
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.67
+lastReleaseVersion: 1.7.66

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.68-dev
+version: 1.7.67-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.67
-
-No user-facing changes.
-
 ## 1.7.66
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.67.md

@@ -1,3 +0,0 @@
-## 1.7.67
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.67
+lastReleaseVersion: 1.7.66

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.68-dev
+version: 1.7.67-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected

@@ -22,6 +22,7 @@
 | [...]/csharp/tools/[...]/Microsoft.Win32.Primitives.dll |
 | [...]/csharp/tools/[...]/Microsoft.Win32.Registry.dll |
 | [...]/csharp/tools/[...]/Mono.Posix.NETStandard.dll |
+| [...]/csharp/tools/[...]/NaturalSort.Extension.dll |
 | [...]/csharp/tools/[...]/Newtonsoft.Json.dll |
 | [...]/csharp/tools/[...]/NuGet.Versioning.dll |
 | [...]/csharp/tools/[...]/StructuredLogger.dll |

csharp/ql/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 6.0.1
-
-No user-facing changes.
-
 ## 6.0.0
 
 ### Breaking Changes

csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/change-notes/2026-05-20-csharp14-dotnet10.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Full support for C# 14 / .NET 10. All new language features are now supported by the extractor. The QL library and data flow analysis now support the new C# 14 language constructs and include generated Models as Data (MaD) models for the .NET 10 runtime.

csharp/ql/lib/change-notes/released/6.0.1.md

@@ -1,3 +0,0 @@
-## 6.0.1
-
-No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.0.1
+lastReleaseVersion: 6.0.0

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.2-dev
+version: 6.0.1-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/exprs/Call.qll

@@ -766,16 +766,7 @@ class PropertyCall extends AccessorCall, PropertyAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and
-    exists(Property p | p = this.getProperty() |
-      result = p.getSetter()
-      or
-      result =
-        any(Getter g |
-          g = p.getGetter() and
-          g.getAnnotatedReturnType().isRef()
-        )
-    )
+    this instanceof AssignableWrite and result = this.getProperty().getSetter()
   }
 
   override Expr getArgument(int i) {
@@ -810,16 +801,7 @@ class IndexerCall extends AccessorCall, IndexerAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and
-    exists(Indexer i | i = this.getIndexer() |
-      result = i.getSetter()
-      or
-      result =
-        any(Getter g |
-          g = i.getGetter() and
-          g.getAnnotatedReturnType().isRef()
-        )
-    )
+    this instanceof AssignableWrite and result = this.getIndexer().getSetter()
   }
 
   override Expr getArgument(int i) {

csharp/ql/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.3
-
-No user-facing changes.
-
 ## 1.7.2
 
 No user-facing changes.

csharp/ql/src/change-notes/released/1.7.3.md

@@ -1,3 +0,0 @@
-## 1.7.3
-
-No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.3
+lastReleaseVersion: 1.7.2

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.4-dev
+version: 1.7.3-dev
 groups:
   - csharp
   - queries

csharp/ql/test/library-tests/csharp8/NullableRefTypes.expected

@@ -227,7 +227,7 @@ returnTypes
 | NullableRefTypes.cs:107:26:107:36 | ReturnsRef5 | readonly MyClass! |
 | NullableRefTypes.cs:108:26:108:36 | ReturnsRef6 | readonly MyClass! |
 | NullableRefTypes.cs:110:10:110:20 | Parameters1 | Void! |
-| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | ref MyClass! |
+| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | MyClass! |
 | NullableRefTypes.cs:116:7:116:23 | <object initializer> | Void |
 | NullableRefTypes.cs:116:7:116:23 | ToStringWithTypes | Void! |
 | NullableRefTypes.cs:136:7:136:24 | <object initializer> | Void |

csharp/ql/test/library-tests/encoding/SBCS.cs

@@ -1,4 +1,4 @@
-class SBCS
+class SBCS
 {
-    string sbcs = "<22>";
+    string sbcs = "<22>";
 }

csharp/ql/test/library-tests/indexers/Indexers13.expected

@@ -1,4 +0,0 @@
-| indexers.cs:24:21:24:24 | Item | indexers.cs:62:22:62:29 | access to indexer | indexers.cs:26:13:26:15 | get_Item |
-| indexers.cs:24:21:24:24 | Item | indexers.cs:65:25:65:32 | access to indexer | indexers.cs:34:13:34:15 | set_Item |
-| indexers.cs:143:24:143:27 | Item | indexers.cs:156:13:156:16 | access to indexer | indexers.cs:145:13:145:15 | get_Item |
-| indexers.cs:143:24:143:27 | Item | indexers.cs:157:21:157:24 | access to indexer | indexers.cs:145:13:145:15 | get_Item |

csharp/ql/test/library-tests/indexers/Indexers13.ql

@@ -1,8 +0,0 @@
-import csharp
-
-from IndexerCall ic, Indexer i, Accessor target
-where
-  ic.getIndexer() = i and
-  ic.getTarget() = target and
-  i.fromSource()
-select i, ic, target

csharp/ql/test/library-tests/indexers/PrintAst.expected

@@ -360,57 +360,3 @@ indexers.cs:
 #  130|         4: [BlockStmt] {...}
 #  130|           0: [ReturnStmt] return ...;
 #  130|             0: [IntLiteral] 0
-#  134|   5: [RefStruct] S
-#  136|     6: [Field] x
-#  136|       -1: [TypeMention] int
-#  138|     7: [InstanceConstructor] S
-#-----|       2: (Parameters)
-#  138|         0: [Parameter] v
-#  138|           -1: [TypeMention] int
-#  139|       4: [BlockStmt] {...}
-#  140|         0: [ExprStmt] ...;
-#  140|           0: [AssignExpr] ... = ...
-#  140|             0: [FieldAccess] access to field x
-#  140|             1: [RefExpr] ref ...
-#  140|               0: [ParameterAccess] access to parameter v
-#  143|     8: [Indexer] Item
-#  143|       -1: [TypeMention] int
-#-----|       1: (Parameters)
-#  143|         0: [Parameter] i
-#  143|           -1: [TypeMention] int
-#  145|       3: [Getter] get_Item
-#-----|         2: (Parameters)
-#  143|           0: [Parameter] i
-#  145|         4: [BlockStmt] {...}
-#  145|           0: [ReturnStmt] return ...;
-#  145|             0: [RefExpr] ref ...
-#  145|               0: [FieldAccess] access to field x
-#  149|   6: [Class] TestRefReturns
-#  151|     6: [Method] M
-#  151|       -1: [TypeMention] Void
-#  152|       4: [BlockStmt] {...}
-#  153|         0: [LocalVariableDeclStmt] ... ...;
-#  153|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
-#  153|             -1: [TypeMention] int
-#  153|             0: [LocalVariableAccess] access to local variable a
-#  153|             1: [IntLiteral] 0
-#  155|         1: [LocalVariableDeclStmt] ... ...;
-#  155|           0: [LocalVariableDeclAndInitExpr] S s = ...
-#  155|             -1: [TypeMention] S
-#  155|             0: [LocalVariableAccess] access to local variable s
-#  155|             1: [ObjectCreation] object creation of type S
-#  155|               -1: [TypeMention] S
-#  155|               0: [LocalVariableAccess] access to local variable a
-#  156|         2: [ExprStmt] ...;
-#  156|           0: [AssignExpr] ... = ...
-#  156|             0: [IndexerCall] access to indexer
-#  156|               -1: [LocalVariableAccess] access to local variable s
-#  156|               0: [IntLiteral] 0
-#  156|             1: [IntLiteral] 1
-#  157|         3: [LocalVariableDeclStmt] ... ...;
-#  157|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
-#  157|             -1: [TypeMention] int
-#  157|             0: [LocalVariableAccess] access to local variable x
-#  157|             1: [IndexerCall] access to indexer
-#  157|               -1: [LocalVariableAccess] access to local variable s
-#  157|               0: [IntLiteral] 0