Add additional Python prompt-injection sinks for uncovered SDK methods

Cover prompt-carrying public API methods that were missing from the
framework models:

- OpenAI: videos.create/create_and_poll/edit/remix/extend (Sora, user),
  beta.realtime.sessions.create instructions (system), and role-filtered
  beta.threads.messages.create content (Assistants API).
- Anthropic: legacy completions.create prompt (user).
- agents: Agent.as_tool tool_description (system).
- Google GenAI: caches.create CreateCachedContentConfig system_instruction
  (system) and contents (user).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

.github/workflows/go-version-update.yml

@@ -0,0 +1,208 @@
+name: Update Go version
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-go-version:
+    name: Check and update Go version
+    if: github.repository == 'github/codeql'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch latest Go version
+        id: fetch-version
+        run: |
+          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
+          
+          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
+            echo "Error: Failed to fetch latest Go version from go.dev"
+            exit 1
+          fi
+          
+          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
+          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
+          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
+          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
+          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Check current Go version
+        id: current-version
+        run: |
+          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
+          
+          if [ -z "$CURRENT_VERSION" ]; then
+            echo "Error: Could not extract Go version from MODULE.bazel"
+            exit 1
+          fi
+          
+          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
+          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version
+          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Compare versions
+        id: compare
+        run: |
+          LATEST="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT="${{ steps.current-version.outputs.version }}"
+          
+          echo "Latest: $LATEST"
+          echo "Current: $CURRENT"
+          
+          if [ "$LATEST" = "$CURRENT" ]; then
+            echo "Go version is up to date"
+            echo "needs_update=false" >> $GITHUB_OUTPUT
+          else
+            echo "Go version needs update from $CURRENT to $LATEST"
+            echo "needs_update=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update Go version in files
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
+          
+          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
+          
+          # Escape dots in current version strings for use in sed patterns
+          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
+          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
+          
+          # Update MODULE.bazel
+          sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
+          if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
+            echo "Error: Failed to update MODULE.bazel"
+            exit 1
+          fi
+          
+          # Update go/extractor/go.mod
+          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
+            echo "Warning: Failed to update go directive in go.mod"
+          fi
+          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
+            echo "Warning: Failed to update toolchain in go.mod"
+          fi
+          
+          # Update go/extractor/autobuilder/build-environment.go
+          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
+            echo "Warning: Failed to update build-environment.go"
+          fi
+          
+          # Update go/actions/test/action.yml
+          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
+            echo "Warning: Failed to update action.yml"
+          fi
+          
+          # Show what changed
+          git diff
+
+      - name: Check for changes
+        id: check-changes
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "Changes detected"
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for existing PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        id: check-pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
+          
+          if [ -n "$PR_NUMBER" ]; then
+            echo "Existing PR found: #$PR_NUMBER"
+            echo "pr_exists=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          else
+            echo "No existing PR found"
+            echo "pr_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Commit and push changes
+        if: steps.check-changes.outputs.has_changes == 'true'
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          
+          # Create or switch to branch
+          git checkout -B "$BRANCH_NAME"
+          
+          # Stage and commit changes
+          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
+          git commit -m "Go: Update to $LATEST_VERSION_NUM"
+          
+          # Push changes
+          git push --force-with-lease origin "$BRANCH_NAME"
+
+      - name: Create or update PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          
+          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
+          
+          PR_BODY=$(cat <<EOF
+          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
+
+          Updated files:
+          - \`MODULE.bazel\` - go_sdk.download version
+          - \`go/extractor/go.mod\` - go directive and toolchain
+          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
+          - \`go/actions/test/action.yml\` - default go-test-version
+
+          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
+          EOF
+          )
+          
+          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
+            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
+            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
+          else
+            echo "Creating new PR"
+            gh pr create \
+              --title "$PR_TITLE" \
+              --body "$PR_BODY" \
+              --base main \
+              --head "$BRANCH_NAME" \
+              --label "Go"
+          fi

CODEOWNERS

@@ -2,7 +2,7 @@
 * @github/code-scanning-alert-coverage
 
 # CodeQL language libraries
-/actions/ @github/codeql-dynamic
+/actions/ @github/code-scanning-alert-coverage
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
 /csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
@@ -59,9 +59,5 @@ MODULE.bazel @github/codeql-ci-reviewers
 /.github/workflows/rust.yml @github/codeql-rust
 /.github/workflows/swift.yml @github/codeql-swift
 
-# Misc
-/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
-/misc/scripts/generate-code-scanning-query-list.py @RasmusWL
-
 # .devcontainer
 /.devcontainer/ @github/codeql-ci-reviewers

MODULE.bazel

@@ -273,7 +273,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.0")
+go_sdk.download(version = "1.26.4")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,15 @@
+## 0.4.37
+
+### Minor Analysis Improvements
+
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+
+## 0.4.36
+
+### Minor Analysis Improvements
+
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
+
 ## 0.4.35
 
 No user-facing changes.

actions/ql/lib/change-notes/2026-05-12-improved-alphanumeric-regex.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.

actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.

actions/ql/lib/change-notes/released/0.4.36.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
+## 0.4.36
+
+### Minor Analysis Improvements
+
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.

actions/ql/lib/change-notes/released/0.4.37.md

@@ -0,0 +1,5 @@
+## 0.4.37
+
+### Minor Analysis Improvements
+
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.35
+lastReleaseVersion: 0.4.37

actions/ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -1920,3 +1920,5 @@ private YamlMappingLikeNode resolveMatrixAccessPath(
     else result = resolveMatrixAccessPath(newRoot, rest)
   )
 }
+
+class Comment = YamlComment;

actions/ql/lib/codeql/actions/ast/internal/Yaml.qll

@@ -52,6 +52,12 @@ private module YamlSig implements LibYaml::InputSig {
   class ParseErrorBase extends LocatableBase, @yaml_error {
     string getMessage() { yaml_errors(this, result) }
   }
+
+  class CommentBase extends LocatableBase, @yaml_comment {
+    string getText() { yaml_comments(this, result, _) }
+
+    override string toString() { yaml_comments(this, _, result) }
+  }
 }
 
 import LibYaml::Make<YamlSig>

actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll

@@ -2,10 +2,12 @@ import actions
 
 bindingset[runner]
 predicate isGithubHostedRunner(string runner) {
-  // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
-  runner
-      .toLowerCase()
-      .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$")
+  // The list of github hosted repos:
+  // https://github.com/actions/runner-images/blob/main/README.md#available-images
+  // https://docs.github.com/en/enterprise-cloud@latest/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories
+  runner.toLowerCase().regexpMatch("^ubuntu-([0-9.]+|latest|slim)(-arm)?$") or
+  runner.toLowerCase().regexpMatch("^macos-([0-9]+|latest)(-x?large|-intel)?$") or
+  runner.toLowerCase().regexpMatch("^windows-([0-9.]+|latest)(-vs[0-9.]+)?(-arm)?$")
 }
 
 bindingset[runner]

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.36-dev
+version: 0.4.38-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,36 @@
+## 0.6.29
+
+### Query Metadata Changes
+
+* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
+
+### Major Analysis Improvements
+
+* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
+
+### Minor Analysis Improvements
+
+* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
+* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
+
+### Bug Fixes
+
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.
+
+## 0.6.28
+
+### Query Metadata Changes
+
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
+
+### Minor Analysis Improvements
+
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
+
+### Bug Fixes
+
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
+
 ## 0.6.27
 
 No user-facing changes.

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

@@ -1,8 +1,8 @@
 /**
- * @name Checkout of untrusted code in a trusted context
- * @description Privileged workflows have read/write access to the base repository and access to secrets.
- *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
- *              that is able to push to the base repository and to access secrets.
+ * @name Checkout of untrusted code in a non-privileged context
+ * @description Checking out and running the build script from a fork executes untrusted code. Even in a
+ *              non-privileged workflow, this can be abused, for example to compromise self-hosted runners
+ *              or to poison caches and artifacts that are later consumed by privileged workflows.
  * @kind problem
  * @problem.severity warning
  * @precision medium
@@ -20,4 +20,4 @@ from PRHeadCheckoutStep checkout
 where
   // the checkout occurs in a non-privileged context
   inNonPrivilegedContext(checkout)
-select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
+select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow."

actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.

actions/ql/src/change-notes/2026-04-20-unpinned-tag-composite-actions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.

actions/ql/src/change-notes/2026-05-05-untrusted-checkout-high.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.

actions/ql/src/change-notes/2026-05-12-sha256-pinned-actions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-alert.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-helpfile.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-metadata.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.

actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.

actions/ql/src/change-notes/released/0.6.28.md

@@ -0,0 +1,13 @@
+## 0.6.28
+
+### Query Metadata Changes
+
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
+
+### Minor Analysis Improvements
+
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
+
+### Bug Fixes
+
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/change-notes/released/0.6.29.md

@@ -0,0 +1,18 @@
+## 0.6.29
+
+### Query Metadata Changes
+
+* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
+
+### Major Analysis Improvements
+
+* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
+
+### Minor Analysis Improvements
+
+* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
+* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
+
+### Bug Fixes
+
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.27
+lastReleaseVersion: 0.6.29

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.28-dev
+version: 0.6.30-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml

@@ -0,0 +1,43 @@
+name: test
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+          - ubuntu-22.04
+          - ubuntu-22.04-arm
+          - ubuntu-26.04
+          - ubuntu-26.04-arm
+          - ubuntu-slim
+          - macos-26
+          - macos-26-xlarge
+          - macos-26-intel
+          - macos-26-large
+          - macos-latest-large
+          - macos-15-large
+          - macos-15
+          - macos-15-intel
+          - macos-latest
+          - macos-15
+          - macos-15-xlarge
+          - macos-14-large
+          - macos-14
+          - macos-14-xlarge
+          - windows-2025-vs2026
+          - windows-latest
+          - windows-2025
+          - windows-2022
+          - windows-11
+          - windows-11-arm
+          - windows-11-vs2026-arm
+    runs-on: ${{ matrix.os }}
+    steps:
+      - run: cmd

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected

@@ -1,10 +1,10 @@
-| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |

config/identical-files.json

@@ -11,10 +11,6 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
-  "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
-  ],
   "ModulusAnalysis Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"

cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties

@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full

cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties

@@ -0,0 +1,6 @@
+description: Capture information about one template being generated from another
+compatibility: full
+class_template_generated_from.rel: delete
+function_template_generated_from.rel: delete
+variable_template_generated_from.rel: delete
+alias_template_generated_from.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,25 @@
+## 10.2.0
+
+### Deprecated APIs
+
+* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.
+
+### New Features
+
+* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
+* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.
+
+### Minor Analysis Improvements
+
+* Added flow source models for `scanf_s` and related functions.
+* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.
+
+## 10.1.1
+
+### Minor Analysis Improvements
+
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
+
 ## 10.1.0
 
 ### New Features

cpp/ql/lib/DefaultOptions.qll

@@ -30,8 +30,6 @@ class Options extends string {
   predicate overrideReturnsNull(Call call) {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
-    or
-    CustomOptions::overrideReturnsNull(call) // old Options.qll
   }
 
   /**
@@ -45,8 +43,6 @@ class Options extends string {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
     nullValue(call.getArgument(0))
-    or
-    CustomOptions::returnsNull(call) // old Options.qll
   }
 
   /**
@@ -65,8 +61,6 @@ class Options extends string {
     f.hasGlobalOrStdName([
         "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
-    or
-    CustomOptions::exits(f) // old Options.qll
   }
 
   /**
@@ -79,8 +73,7 @@ class Options extends string {
    * runtime, the program's behavior is undefined)
    */
   predicate exprExits(Expr e) {
-    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
-    CustomOptions::exprExits(e) // old Options.qll
+    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0
   }
 
   /**
@@ -88,10 +81,7 @@ class Options extends string {
    *
    * By default holds only for `fgets`.
    */
-  predicate alwaysCheckReturnValue(Function f) {
-    f.hasGlobalOrStdName("fgets") or
-    CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
-  }
+  predicate alwaysCheckReturnValue(Function f) { f.hasGlobalOrStdName("fgets") }
 
   /**
    * Holds if it is reasonable to ignore the return value of function
@@ -107,8 +97,6 @@ class Options extends string {
     // common way of sleeping using select:
     fc.getTarget().hasGlobalName("select") and
     fc.getArgument(0).getValue() = "0"
-    or
-    CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll
   }
 }
 

cpp/ql/lib/Options.qll

@@ -98,57 +98,3 @@ class CustomMutexType extends MutexType {
    */
   override predicate unlockAccess(FunctionCall fc, Expr arg) { none() }
 }
-
-/**
- * DEPRECATED: customize `CustomOptions.overrideReturnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate overrideReturnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.returnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate returnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exits(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exprExits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exprExits(Expr e) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.alwaysCheckReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate alwaysCheckReturnValue(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.okToIgnoreReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate okToIgnoreReturnValue(FunctionCall fc) { none() }

cpp/ql/lib/change-notes/2026-05-16-alias-template.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.

cpp/ql/lib/change-notes/2026-05-18-alias-type.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.

cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md

@@ -0,0 +1,15 @@
+---
+category: breaking
+---
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.

cpp/ql/lib/change-notes/released/10.1.1.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
+## 10.1.1
+
+### Minor Analysis Improvements
+
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.

cpp/ql/lib/change-notes/released/10.2.0.md

@@ -0,0 +1,15 @@
+## 10.2.0
+
+### Deprecated APIs
+
+* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.
+
+### New Features
+
+* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
+* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.
+
+### Minor Analysis Improvements
+
+* Added flow source models for `scanf_s` and related functions.
+* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.1.0
+lastReleaseVersion: 10.2.0

cpp/ql/lib/cpp.qll

@@ -32,7 +32,6 @@ import semmle.code.cpp.Class
 import semmle.code.cpp.Struct
 import semmle.code.cpp.Union
 import semmle.code.cpp.Enum
-import semmle.code.cpp.Member
 import semmle.code.cpp.Field
 import semmle.code.cpp.Function
 import semmle.code.cpp.MemberFunction

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.1.1-dev
+version: 10.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -856,8 +856,10 @@ class AbstractClass extends Class {
 
 /**
  * A class template (this class also finds partial specializations
- * of class templates).  For example in the following code there is a
- * `MyTemplateClass<T>` template:
+ * of class templates).
+ *
+ * For example in the following code there is a `MyTemplateClass<T>`
+ * template:
  * ```
  * template<class T>
  * class MyTemplateClass {
@@ -893,6 +895,29 @@ class TemplateClass extends Class {
   }
 
   override string getAPrimaryQlClass() { result = "TemplateClass" }
+
+  /**
+   * Gets the class member template this template was generated from.
+   *
+   * This predicate only has results for templates that are members of class
+   * template instantiations. For example, for `MyTemplateClass<int>::C<S>`
+   * in the following code, the result is `MyTemplateClass<T>::C<S>`.
+   * ```cpp
+   * template<class T>
+   * class MyTemplateClass {
+   *   template<class S>
+   *   class C {
+   *     ...
+   *   };
+   * };
+   *
+   * template
+   * class MyTemplateClass<int>;
+   * ```
+   */
+  TemplateClass getOriginalTemplate() {
+    class_template_generated_from(underlyingElement(this), unresolveElement(result))
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -828,6 +828,27 @@ class TemplateFunction extends Function {
    * such things -- see FunctionTemplateSpecialization for further details.
    */
   FunctionTemplateSpecialization getASpecialization() { result.getPrimaryTemplate() = this }
+
+  /**
+   * Gets the class member template this template was generated from.
+   *
+   * This predicate only has results for templates that are members of class
+   * template instantiations. For example, for `MyTemplateClass<int>::f<S>`
+   * in the following code, the result is `MyTemplateClass<T>::f<S>`.
+   * ```cpp
+   * template<class T>
+   * class MyTemplateClass {
+   *   template<class S>
+   *   S f();
+   * };
+   *
+   * template
+   * class MyTemplateClass<int>;
+   * ```
+   */
+  TemplateFunction getOriginalTemplate() {
+    function_template_generated_from(underlyingElement(this), unresolveElement(result))
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -148,28 +148,3 @@ class UnknownLocation extends Location {
     this.getFile().getAbsolutePath() = "" and locations_default(this, _, 0, 0, 0, 0)
   }
 }
-
-/**
- * A dummy location which is used when something doesn't have a location in
- * the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownDefaultLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when an expression doesn't have a
- * location in the source code but needs to have a `Location` associated
- * with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownExprLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when a statement doesn't have a location
- * in the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownStmtLocation extends UnknownLocation { }

cpp/ql/lib/semmle/code/cpp/Member.qll

@@ -1,6 +0,0 @@
-/**
- * DEPRECATED: import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly as required.
- */
-
-import semmle.code.cpp.Element
-import semmle.code.cpp.Type

cpp/ql/lib/semmle/code/cpp/TemplateParameter.qll

@@ -35,13 +35,6 @@ class NonTypeTemplateParameter extends Literal, TemplateParameterImpl {
   override string getAPrimaryQlClass() { result = "NonTypeTemplateParameter" }
 }
 
-/**
- * A C++ `typename` (or `class`) template parameter.
- *
- * DEPRECATED: Use `TypeTemplateParameter` instead.
- */
-deprecated class TemplateParameter = TypeTemplateParameter;
-
 /**
  * A C++ `typename` (or `class`) template parameter.
  *

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -1071,7 +1071,7 @@ class NullPointerType extends BuiltInType {
  * const float fa[40];
  * ```
  */
-class DerivedType extends Type, @derivedtype {
+class DerivedType extends Type, NameQualifyingElement, @derivedtype {
   override string toString() { result = this.getName() }
 
   override string getName() { derivedtypes(underlyingElement(this), result, _, _) }

cpp/ql/lib/semmle/code/cpp/TypedefType.qll

@@ -130,6 +130,27 @@ class AliasTemplateType extends TypeAliasType {
    * ```
    */
   TypeAliasType getAnInstantiation() { result.isConstructedFrom(this) }
+
+  /**
+   * Gets the class member template this template was generated from.
+   *
+   * This predicate only has results for templates that are members of class
+   * template instantiations. For example, for `MyTemplateClass<int>::t<S>`
+   * in the following code, the result is `MyTemplateClass<T>::t<S>`.
+   * ```cpp
+   * template<class T>
+   * class MyTemplateClass {
+   *   template<class S>
+   *   using t = S;
+   * };
+   *
+   * template
+   * class MyTemplateClass<int>;
+   * ```
+   */
+  AliasTemplateType getOriginalTemplate() {
+    alias_template_generated_from(underlyingElement(this), unresolveElement(result))
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -614,6 +614,27 @@ class TemplateVariable extends Variable {
     result.isConstructedFrom(this) and
     not result.isSpecialization()
   }
+
+  /**
+   * Gets the class member template this template was generated from.
+   *
+   * This predicate only has results for templates that are members of class
+   * template instantiations. For example, for `MyTemplateClass<int>::x<S>`
+   * in the following code, the result is `MyTemplateClass<T>::x<S>`.
+   * ```cpp
+   * template<class T>
+   * class MyTemplateClass {
+   *   template<class S>
+   *   static S x;
+   * };
+   *
+   * template
+   * class MyTemplateClass<int>;
+   * ```
+   */
+  TemplateVariable getOriginalTemplate() {
+    variable_template_generated_from(underlyingElement(this), unresolveElement(result))
+  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -25,6 +25,15 @@ abstract class ScanfFunction extends Function {
    * (rather than a `char*`).
    */
   predicate isWideCharDefault() { exists(this.getName().indexOf("wscanf")) }
+
+  /** Holds if this is one of the `scanf_s` variants. */
+  predicate isSVariant() {
+    exists(string name | name = this.getName() |
+      name.matches("%\\_s")
+      or
+      name.matches("%\\_s\\_l")
+    )
+  }
 }
 
 /**
@@ -34,8 +43,12 @@ class Scanf extends ScanfFunction instanceof TopLevelFunction {
   Scanf() {
     this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
     this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
+    this.hasGlobalOrStdOrBslName("scanf_s") or // scanf_s(format, args...)
+    this.hasGlobalOrStdOrBslName("wscanf_s") or // wscanf_s(format, args...)
     this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_l")
+    this.hasGlobalName("_wscanf_l") or // _wscanf_l(format, locale, args...)
+    this.hasGlobalName("_scanf_s_l") or // _scanf_s_l(format, locale, args...)
+    this.hasGlobalName("_wscanf_s_l") // _wscanf_s_l(format, locale, args...)
   }
 
   override int getInputParameterIndex() { none() }
@@ -50,8 +63,12 @@ class Fscanf extends ScanfFunction instanceof TopLevelFunction {
   Fscanf() {
     this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
     this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
+    this.hasGlobalOrStdOrBslName("fscanf_s") or // fscanf_s(src_stream, format, args...)
+    this.hasGlobalOrStdOrBslName("fwscanf_s") or // fwscanf_s(src_stream, format, args...)
     this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_l")
+    this.hasGlobalName("_fwscanf_l") or // _fwscanf_l(src_stream, format, locale, args...)
+    this.hasGlobalName("_fscanf_s_l") or // _fscanf_s_l(src_stream, format, locale, args...)
+    this.hasGlobalName("_fwscanf_s_l") // _fwscanf_s_l(src_stream, format, locale, args...)
   }
 
   override int getInputParameterIndex() { result = 0 }
@@ -66,8 +83,12 @@ class Sscanf extends ScanfFunction instanceof TopLevelFunction {
   Sscanf() {
     this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
     this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
+    this.hasGlobalOrStdOrBslName("sscanf_s") or // sscanf_s(src, format, args...)
+    this.hasGlobalOrStdOrBslName("swscanf_s") or // swscanf_s(src, format, args...)
     this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_l")
+    this.hasGlobalName("_swscanf_l") or // _swscanf_l(src, format, locale, args...)
+    this.hasGlobalName("_sscanf_s_l") or // _sscanf_s_l(src, format, locale, args...)
+    this.hasGlobalName("_swscanf_s_l") // _swscanf_s_l(src, format, locale, args...)
   }
 
   override int getInputParameterIndex() { result = 0 }
@@ -97,6 +118,14 @@ class Snscanf extends ScanfFunction instanceof TopLevelFunction {
   int getInputLengthParameterIndex() { result = 1 }
 }
 
+private predicate isCharLike(Type t) { t instanceof CharType or t instanceof Wchar_t }
+
+private predicate isStringLike(Type t) {
+  isCharLike(t.(PointerType).getBaseType())
+  or
+  isCharLike(t.(ArrayType).getBaseType())
+}
+
 /**
  * A call to one of the `scanf` functions.
  */
@@ -130,14 +159,40 @@ class ScanfFunctionCall extends FunctionCall {
    */
   predicate isWideCharDefault() { this.getScanfFunction().isWideCharDefault() }
 
+  bindingset[this, k]
+  pragma[inline_late]
+  private predicate isSizeArgument(int k) {
+    // The first vararg is never the size argument since a size argument must
+    // always follow a string buffer argument.
+    k > 0 and
+    isStringLike(this.getArgument(this.getScanfFunction().getNumberOfParameters() + k - 1)
+          .getUnspecifiedType())
+  }
+
   /**
    * Gets the output argument at position `n` in the vararg list of this call.
    *
    * The range of `n` is from `0` to `this.getNumberOfOutputArguments() - 1`.
    */
   Expr getOutputArgument(int n) {
-    result = this.getArgument(this.getTarget().getNumberOfParameters() + n) and
-    n >= 0
+    exists(ScanfFunction target | target = this.getScanfFunction() |
+      // If this is an S variant then every string buffer argument has a
+      // corresponding size argument immediately following it, so we need to
+      // skip over those size arguments when counting the output arguments.
+      if target.isSVariant()
+      then
+        result =
+          rank[n + 1](Expr arg, int k |
+            k >= 0 and
+            arg = this.getArgument(target.getNumberOfParameters() + k) and
+            not this.isSizeArgument(k)
+          |
+            arg order by k
+          )
+      else (
+        n >= 0 and result = this.getArgument(target.getNumberOfParameters() + n)
+      )
+    )
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -276,6 +276,45 @@ private predicate isClassConstructedFrom(Class c, Class templateClass) {
   not c.isConstructedFrom(_) and c = templateClass
 }
 
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassOld(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  isClassConstructedFrom(c, result)
+}
+
+private TemplateClass getOriginalClassTemplate(TemplateClass tc) {
+  result = tc.getOriginalTemplate()
+  or
+  not exists(tc.getOriginalTemplate()) and
+  result = tc
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassNew(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  exists(Class mid |
+    c.isConstructedFrom(mid)
+    or
+    not c.isConstructedFrom(_) and c = mid
+  |
+    result = getOriginalClassTemplate(mid)
+    or
+    not mid instanceof TemplateClass and mid = result
+  )
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClass(Class c) {
+  // The `Class::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `class_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `class_template_generated_from` extensional is empty.
+  if class_template_generated_from(_, _)
+  then result = getFullyTemplatedClassNew(c)
+  else result = getFullyTemplatedClassOld(c)
+}
+
 /**
  * Holds if `f` is an instantiation of a function template `templateFunc`, or
  * holds with `f = templateFunc` if `f` is not an instantiation of any function
@@ -292,7 +331,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
 }
 
 /** Gets the fully templated version of `f`. */
-Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedFunctionOld(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
@@ -306,13 +345,46 @@ Function getFullyTemplatedFunction(Function f) {
   )
 }
 
+private TemplateFunction getOriginalFunctionTemplate(TemplateFunction tf) {
+  result = tf.getOriginalTemplate()
+  or
+  not exists(tf.getOriginalTemplate()) and
+  result = tf
+}
+
+/** Gets the fully templated version of `f`. */
+private Function getFullyTemplatedFunctionNew(Function f) {
+  not f.isFromUninstantiatedTemplate(_) and
+  exists(Function mid |
+    f.isConstructedFrom(mid)
+    or
+    not f.isConstructedFrom(_) and f = mid
+  |
+    result = getOriginalFunctionTemplate(mid)
+    or
+    not mid instanceof TemplateFunction and mid = result
+  )
+}
+
+/** Gets the fully templated version of `f`. */
+Function getFullyTemplatedFunction(Function f) {
+  // The `Function::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `function_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `function_template_generated_from` extensional is empty.
+  if function_template_generated_from(_, _)
+  then result = getFullyTemplatedFunctionNew(f)
+  else result = getFullyTemplatedFunctionOld(f)
+}
+
 /** Prefixes `const` to `s` if `t` is const, or returns `s` otherwise. */
 bindingset[s, t]
 private string withConst(string s, Type t) {
   if t.isConst() then result = "const " + s else result = s
 }
 
-/** Prefixes `volatile` to `s` if `t` is const, or returns `s` otherwise. */
+/** Prefixes `volatile` to `s` if `t` is volatile, or returns `s` otherwise. */
 bindingset[s, t]
 private string withVolatile(string s, Type t) {
   if t.isVolatile() then result = "volatile " + s else result = s
@@ -490,7 +562,7 @@ pragma[nomagic]
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     remaining = getNumberOfSupportedClassTemplateArguments(template) and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
@@ -502,7 +574,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   or
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     tp = getSupportedClassTemplateArgument(template, remaining)
   |
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())

cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll

@@ -1,59 +1,5 @@
 import semmle.code.cpp.Type
 
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private string getTopLevelClassName(@usertype c) {
-  not mangled_name(_, _, _) and
-  isClass(c) and
-  usertypes(c, result, _) and
-  not namespacembrs(_, c) and // not in a namespace
-  not member(_, _, c) and // not in some structure
-  not class_instantiation(c, _) // not a template instantiation
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `d` is a unique complete class named `name`.
- */
-pragma[noinline]
-private predicate existsCompleteWithName(string name, @usertype d) {
-  not mangled_name(_, _, _) and
-  is_complete(d) and
-  name = getTopLevelClassName(d) and
-  onlyOneCompleteClassExistsWithName(name)
-}
-
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private predicate onlyOneCompleteClassExistsWithName(string name) {
-  not mangled_name(_, _, _) and
-  strictcount(@usertype c | is_complete(c) and getTopLevelClassName(c) = name) = 1
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class named `name`.
- */
-pragma[noinline]
-private predicate existsIncompleteWithName(string name, @usertype c) {
-  not mangled_name(_, _, _) and
-  not is_complete(c) and
-  name = getTopLevelClassName(c)
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class, and there exists a unique complete class `d`
- * with the same name.
- */
-private predicate oldHasCompleteTwin(@usertype c, @usertype d) {
-  not mangled_name(_, _, _) and
-  exists(string name |
-    existsIncompleteWithName(name, c) and
-    existsCompleteWithName(name, d)
-  )
-}
-
 pragma[noinline]
 private @mangledname getClassMangledName(@usertype c) {
   isClass(c) and
@@ -103,10 +49,7 @@ private module Cached {
   @usertype resolveClass(@usertype c) {
     hasCompleteTwin(c, result)
     or
-    oldHasCompleteTwin(c, result)
-    or
     not hasCompleteTwin(c, _) and
-    not oldHasCompleteTwin(c, _) and
     result = c
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll

@@ -30,7 +30,10 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
     (
       if exists(this.getLengthParameterIndex())
       then result = this.getLengthParameterIndex() + 2
-      else result = 2
+      else
+        if exists(this.(ScanfFunction).getInputParameterIndex())
+        then result = 2
+        else result = 1
     )
   }
 
@@ -69,13 +72,24 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
   }
 }
 
+private predicate hasFlowSource(
+  ScanfFunction func, ScanfFunctionCall call, FunctionOutput output, string description
+) {
+  exists(int n, Expr arg |
+    call.getScanfFunction() = func and
+    call.getOutputArgument(_) = arg and
+    call.getArgument(n) = arg and
+    output.isParameterDeref(n) and
+    description = "value read by " + func.getName()
+  )
+}
+
 /**
  * The standard function `scanf` and its assorted variants
  */
 private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
-  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
+  override predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
+    hasFlowSource(this, call, output, description)
   }
 }
 
@@ -83,9 +97,8 @@ private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction ins
  * The standard function `fscanf` and its assorted variants
  */
 private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
-  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
+  override predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
+    hasFlowSource(this, call, output, description)
   }
 
   override predicate hasSocketInput(FunctionInput input) {

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -18,7 +18,17 @@ abstract class RemoteFlowSourceFunction extends Function {
   /**
    * Holds if remote data described by `description` flows from `output` of a call to this function.
    */
-  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
+  predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    this.hasRemoteFlowSource(_, output, description)
+  }
+
+  /**
+   * Holds if remote data described by `description` flows from `output` of `call` to this function.
+   */
+  predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
+    call.getTarget() = this and
+    this.hasRemoteFlowSource(output, description)
+  }
 
   /**
    * Holds if remote data from this source comes from a socket or stream
@@ -35,7 +45,17 @@ abstract class LocalFlowSourceFunction extends Function {
   /**
    * Holds if data described by `description` flows from `output` of a call to this function.
    */
-  abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
+  predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    this.hasLocalFlowSource(_, output, description)
+  }
+
+  /**
+   * Holds if data described by `description` flows from `output` of `call` to this function.
+   */
+  predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
+    call.getTarget() = this and
+    this.hasLocalFlowSource(output, description)
+  }
 }
 
 /** A library function that sends data over a network connection. */

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -28,8 +28,7 @@ private class RemoteModelSource extends RemoteFlowSource {
 
   RemoteModelSource() {
     exists(CallInstruction call, RemoteFlowSourceFunction func, FunctionOutput output |
-      call.getStaticCallTarget() = func and
-      func.hasRemoteFlowSource(output, sourceType) and
+      func.hasRemoteFlowSource(call.getConvertedResultExpression(), output, sourceType) and
       this = callOutput(call, output)
     )
   }
@@ -46,7 +45,7 @@ private class LocalModelSource extends LocalFlowSource {
   LocalModelSource() {
     exists(CallInstruction call, LocalFlowSourceFunction func, FunctionOutput output |
       call.getStaticCallTarget() = func and
-      func.hasLocalFlowSource(output, sourceType) and
+      func.hasLocalFlowSource(call.getConvertedResultExpression(), output, sourceType) and
       this = callOutput(call, output)
     )
   }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -912,6 +912,10 @@ class_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
+class_template_generated_from(
+    unique int template: @usertype ref,
+    int from: @usertype ref
+)
 
 @user_or_decltype = @usertype | @decltype;
 
@@ -943,6 +947,10 @@ function_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
+function_template_generated_from(
+    unique int template: @function ref,
+    int from: @function ref
+);
 
 is_variable_template(unique int id: @variable ref);
 variable_instantiation(
@@ -959,6 +967,10 @@ variable_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
+variable_template_generated_from(
+    unique int template: @variable ref,
+    int from: @variable ref
+);
 
 is_alias_template(unique int id: @usertype ref);
 alias_instantiation(
@@ -966,15 +978,19 @@ alias_instantiation(
     int from: @usertype ref
 );
 alias_template_argument(
-    int variable_id: @usertype ref,
+    int type_id: @usertype ref,
     int index: int ref,
     int arg_type: @type ref
 );
 alias_template_argument_value(
-    int variable_id: @usertype ref,
+    int type_id: @usertype ref,
     int index: int ref,
     int arg_value: @expr ref
 );
+alias_template_generated_from(
+    unique int template: @usertype ref,
+    int from: @usertype ref
+);
 
 template_template_instantiation(
     int to: @usertype ref,
@@ -1414,7 +1430,8 @@ specialnamequalifyingelements(
 @namequalifyingelement = @namespace
                        | @specialnamequalifyingelement
                        | @usertype
-                       | @decltype;
+                       | @decltype
+                       | @derivedtype;
 
 namequalifiers(
     unique int id: @namequalifier,

cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/upgrade.properties

@@ -0,0 +1,2 @@
+description: Capture information about one template being generated from another
+compatibility: backwards

cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties

@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 1.6.4
+
+No user-facing changes.
+
+## 1.6.3
+
+### Minor Analysis Improvements
+
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
+
 ## 1.6.2
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -44,10 +44,7 @@ class ExternalApiDataNode extends DataFlow::Node {
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    exists(RemoteFlowSourceFunction remoteFlow |
-      remoteFlow = source.asExpr().(Call).getTarget() and
-      remoteFlow.hasRemoteFlowSource(_, _)
-    )
+    any(RemoteFlowSourceFunction remoteFlow).hasRemoteFlowSource(source.asExpr(), _, _)
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -94,9 +94,8 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
   }
 
   override Expr getDataExpr(Call call) {
-    call.getTarget() = this and
     exists(FunctionOutput output, int arg |
-      super.hasRemoteFlowSource(output, _) and
+      super.hasRemoteFlowSource(call, output, _) and
       output.isParameterDeref(arg) and
       result = call.getArgument(arg)
     )

cpp/ql/src/change-notes/released/1.6.3.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
+## 1.6.3
+
+### Minor Analysis Improvements
+
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.

cpp/ql/src/change-notes/released/1.6.4.md

@@ -0,0 +1,3 @@
+## 1.6.4
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.2
+lastReleaseVersion: 1.6.4

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.3-dev
+version: 1.6.5-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -51,13 +51,16 @@ models
 | 50 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
 | 51 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
 | 52 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 53 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 54 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 55 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
-| 56 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
-| 57 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 53 | Summary: ; TemplateClass1; true; templateFunction2<U,V>; (U,V); ; Argument[1]; ReturnValue; value; manual |
+| 54 | Summary: ; TemplateClass1<T>; false; templateFunction<U>; (T,U); ; Argument[0]; ReturnValue; value; manual |
+| 55 | Summary: ; TemplateClass2<T,U>; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual |
+| 56 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 57 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 58 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 59 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 60 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:57 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:60 |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:32  |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:32 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
@@ -66,24 +69,24 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:57 |
-| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:56 |
-| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:53 |
-| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:54 |
-| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:55 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:60 |
+| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:59 |
+| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:56 |
+| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:57 |
+| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:58 |
 | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:253:48:253:60 | *call to GetBodyStream | provenance | Src:MaD:29  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:257:5:257:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:262:5:262:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:266:38:266:41 | *resp | provenance |  |
 | azure.cpp:257:5:257:8 | *resp | azure.cpp:113:16:113:19 | [summary param] this in Read | provenance |  |
-| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:53 |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:56 |
 | azure.cpp:257:16:257:21 | Read output argument | azure.cpp:258:10:258:16 | * ... | provenance |  |
 | azure.cpp:262:5:262:8 | *resp | azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | provenance |  |
-| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:54 |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:57 |
 | azure.cpp:262:23:262:28 | ReadToCount output argument | azure.cpp:263:10:263:16 | * ... | provenance |  |
 | azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:267:10:267:12 | vec [element] | provenance |  |
 | azure.cpp:267:10:267:12 | vec [element] | azure.cpp:267:10:267:12 | vec | provenance |  |
@@ -100,11 +103,11 @@ edges
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | provenance | Src:MaD:26  |
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:282:21:282:23 | *call to get | provenance |  |
 | azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:10:282:38 | call to ReadToEnd | provenance |  |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | provenance |  |
-| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:56 |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:59 |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:24:289:56 | call to GetHeader | provenance |  |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:32:289:40 | call to GetHeader | provenance | Src:MaD:30  |
 | azure.cpp:289:63:289:65 | call to Value | azure.cpp:289:63:289:65 | call to Value | provenance |  |
@@ -180,6 +183,39 @@ edges
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance |  |
 | test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:48 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | provenance | MaD:54 |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | provenance | MaD:53 |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:133:10:133:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:134:45:134:45 | x | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:134:13:134:43 | call to templateFunction | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:135:10:135:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | provenance |  |
+| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:54 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:146:10:146:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:148:26:148:26 | x | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:148:10:148:27 | call to function | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:149:10:149:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:55 |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:155:10:155:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:157:26:157:26 | x | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:157:13:157:20 | call to function | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:158:10:158:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:55 |
+| test.cpp:164:34:164:34 | x | test.cpp:165:69:165:69 | x | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:164:7:164:7 | *templateFunction3 | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:53 |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:170:10:170:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:172:51:172:51 | x | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:173:10:173:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | provenance |  |
+| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:53 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:33 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
@@ -483,6 +519,43 @@ nodes
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
 | test.cpp:118:44:118:44 | *x | semmle.label | *x |
 | test.cpp:119:10:119:11 | y2 | semmle.label | y2 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | semmle.label | [summary param] 0 in templateFunction |
+| test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | semmle.label | [summary] to write: ReturnValue in templateFunction |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | semmle.label | [summary param] 1 in templateFunction2 |
+| test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | semmle.label | [summary] to write: ReturnValue in templateFunction2 |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:45:134:45 | x | semmle.label | x |
+| test.cpp:135:10:135:10 | y | semmle.label | y |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:26:148:26 | x | semmle.label | x |
+| test.cpp:149:10:149:10 | z | semmle.label | z |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:26:157:26 | x | semmle.label | x |
+| test.cpp:158:10:158:10 | z | semmle.label | z |
+| test.cpp:164:7:164:7 | *templateFunction3 | semmle.label | *templateFunction3 |
+| test.cpp:164:34:164:34 | x | semmle.label | x |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:69:165:69 | x | semmle.label | x |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:51:172:51 | x | semmle.label | x |
+| test.cpp:173:10:173:10 | y | semmle.label | y |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
 | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
@@ -688,6 +761,11 @@ subpaths
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | test.cpp:134:13:134:43 | call to templateFunction |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:148:10:148:27 | call to function |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:157:13:157:20 | call to function |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | test.cpp:164:7:164:7 | *templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
 | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument |
 | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument |

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -18,4 +18,7 @@ extensions:
       - ["", "", False, "ymlStepManual_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
-      - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1<T>", False, "templateFunction<U>", "(T,U)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1", True, "templateFunction2<U,V>", "(U,V)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass2<T,U>", True, "function", "(U,T)", "", "Argument[1]", "ReturnValue", "value", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -15,3 +15,7 @@
 | test.cpp:89:11:89:11 | y | test-sink |
 | test.cpp:116:10:116:11 | y1 | test-sink |
 | test.cpp:119:10:119:11 | y2 | test-sink |
+| test.cpp:135:10:135:10 | y | test-sink |
+| test.cpp:149:10:149:10 | z | test-sink |
+| test.cpp:158:10:158:10 | z | test-sink |
+| test.cpp:173:10:173:10 | y | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -9,6 +9,10 @@
 | test.cpp:56:8:56:16 | call to ymlSource | local |
 | test.cpp:94:10:94:18 | call to ymlSource | local |
 | test.cpp:114:10:114:18 | call to ymlSource | local |
+| test.cpp:133:10:133:18 | call to ymlSource | local |
+| test.cpp:146:10:146:18 | call to ymlSource | local |
+| test.cpp:155:10:155:18 | call to ymlSource | local |
+| test.cpp:170:10:170:18 | call to ymlSource | local |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
 | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -118,3 +118,57 @@ void test_callWithNonTypeTemplate() {
 	int y2 = callWithNonTypeTemplate<int, 10>(x);
 	ymlSink(y2); // $ ir
 }
+
+template<class T>
+struct TemplateClass1 {
+  template<class U>
+  U templateFunction(T, U);
+
+	template<class U, class V>
+  V templateFunction2(U, V);
+};
+
+void test_template_function_in_template_class() {
+	TemplateClass1<int> b;
+	int x = ymlSource();
+	auto y = b.templateFunction<unsigned long>(x, 0UL);
+	ymlSink(y); // $ ir
+}
+
+template<class S, class T>
+struct TemplateClass2 {
+	T function(T, S);
+};
+
+template<class V> using PartialInstantiationOfTemplateClass2 = TemplateClass2<int, V>;
+
+void test_partial_class_instantiation() {
+	int x = ymlSource();
+	PartialInstantiationOfTemplateClass2<unsigned long> y;
+	int z = y.function(0UL, x);
+	ymlSink(z); // $ ir
+}
+
+template<class V> struct DeriveFromFromPartialTemplateInstantiation : TemplateClass2<int, V> { };
+
+void test_inheritance() {
+	int x = ymlSource();
+	DeriveFromFromPartialTemplateInstantiation<long> y;
+	auto z = y.function(0L, x);
+	ymlSink(z); // $ ir
+}
+
+template<class T>
+struct Class1 : TemplateClass1<T> {
+  template<class U>
+  int templateFunction3(U u, int x) {
+    return TemplateClass1<T>::template templateFunction2<U, int>(u, x);
+  }
+};
+
+void test_class1() {
+	int x = ymlSource();
+	Class1<int> c;
+	auto y = c.templateFunction3<unsigned long>(0UL, x);
+	ymlSink(y); // $ ir
+}

cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp

@@ -131,3 +131,112 @@ void test_strsafe_gets() {
 		StringCchGetsExA(dest, sizeof(dest), &end, &remaining, 0); // $ local_source
 	}
 }
+
+int scanf_s(const char *format, ...);
+int fscanf_s(FILE *stream, const char *format, ...);
+
+void test_scanf_s(FILE *stream) {
+  {
+  int n1, n2;
+  scanf_s(
+    "%d %d",
+    &n1, // $ local_source
+    &n2); // $ local_source
+  }
+
+  {
+  int n;
+  fscanf_s(stream, "%d", &n); // $ remote_source
+  }
+
+  {
+  int n1, n2;
+  char buf[256];
+  scanf_s("%d %s %d",
+    &n1, // $ local_source
+    buf, // $ local_source
+    256,
+    &n2); // $ local_source
+  }
+
+  {
+  int n1, n2;
+  char buf[256];
+  fscanf_s(stream, "%d %s %d",
+    &n1, // $ remote_source
+    buf, // $ remote_source
+    256,
+    &n2); // $ remote_source
+  }
+}
+
+typedef void *locale_t;
+
+int wscanf_s(const wchar_t *format, ...);
+int _scanf_s_l(const char *format, locale_t locale, ...);
+int _wscanf_s_l(const wchar_t *format, locale_t locale, ...);
+int fwscanf_s(FILE *stream, const wchar_t *format, ...);
+int _fscanf_s_l(FILE *stream, const char *format, locale_t locale, ...);
+int _fwscanf_s_l(FILE *stream, const wchar_t *format, locale_t locale, ...);
+
+void test_additional_scanf_s_variants(FILE *stream, locale_t locale) {
+  {
+  int n1, n2;
+  wchar_t buf[256];
+  wscanf_s(L"%d %s %d",
+    &n1, // $ local_source
+    buf, // $ local_source
+    256,
+    &n2); // $ local_source
+  }
+
+  {
+  int n1, n2;
+  char buf[256];
+  _scanf_s_l("%d %s %d", locale,
+    &n1, // $ local_source
+    buf, // $ local_source
+    256,
+    &n2); // $ local_source
+  }
+
+  {
+  int n1, n2;
+  wchar_t buf[256];
+  _wscanf_s_l(L"%d %s %d", locale,
+    &n1, // $ local_source
+    buf, // $ local_source
+    256,
+    &n2); // $ local_source
+  }
+
+  {
+  int n1, n2;
+  wchar_t buf[256];
+  fwscanf_s(stream, L"%d %s %d",
+    &n1, // $ remote_source
+    buf, // $ remote_source
+    256,
+    &n2); // $ remote_source
+  }
+
+  {
+  int n1, n2;
+  char buf[256];
+  _fscanf_s_l(stream, "%d %s %d", locale,
+    &n1, // $ remote_source
+    buf, // $ remote_source
+    256,
+    &n2); // $ remote_source
+  }
+
+  {
+  int n1, n2;
+  wchar_t buf[256];
+  _fwscanf_s_l(stream, L"%d %s %d", locale,
+    &n1, // $ remote_source
+    buf, // $ remote_source
+    256,
+    &n2); // $ remote_source
+  }
+}

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -27383,54 +27383,55 @@ getParameterTypeName
 | stl.h:91:24:91:33 | operator++ | 0 | int |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
-| stl.h:148:3:148:14 | basic_string | 0 | const class:2 & |
-| stl.h:149:33:149:44 | basic_string | 0 | const class:0 * |
-| stl.h:149:33:149:44 | basic_string | 1 | const class:2 & |
-| stl.h:151:16:151:20 | c_str | 0 | func:0 |
-| stl.h:151:16:151:20 | c_str | 1 | func:0 |
-| stl.h:151:16:151:20 | c_str | 2 | const class:2 & |
+| stl.h:147:12:147:23 | basic_string | 0 | const class:2 & |
+| stl.h:148:3:148:14 | basic_string | 0 | const class:0 * |
+| stl.h:148:3:148:14 | basic_string | 1 | const class:2 & |
+| stl.h:149:33:149:44 | basic_string | 0 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 1 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 2 | const class:2 & |
+| stl.h:165:8:165:16 | push_back | 0 | class:0 |
 | stl.h:173:13:173:22 | operator[] | 0 | size_type |
 | stl.h:175:13:175:14 | at | 0 | size_type |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
-| stl.h:177:17:177:26 | operator+= | 0 | const func:0 & |
-| stl.h:178:17:178:22 | append | 0 | const class:0 * |
-| stl.h:179:17:179:22 | append | 0 | const basic_string & |
-| stl.h:180:17:180:22 | append | 0 | const class:0 * |
-| stl.h:181:47:181:52 | append | 0 | size_type |
-| stl.h:181:47:181:52 | append | 1 | class:0 |
-| stl.h:182:17:182:22 | assign | 0 | func:0 |
-| stl.h:182:17:182:22 | assign | 1 | func:0 |
-| stl.h:183:17:183:22 | assign | 0 | const basic_string & |
-| stl.h:184:47:184:52 | assign | 0 | size_type |
-| stl.h:184:47:184:52 | assign | 1 | class:0 |
-| stl.h:185:17:185:22 | insert | 0 | func:0 |
-| stl.h:185:17:185:22 | insert | 1 | func:0 |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
+| stl.h:177:17:177:26 | operator+= | 0 | const class:0 * |
+| stl.h:178:17:178:22 | append | 0 | const basic_string & |
+| stl.h:179:17:179:22 | append | 0 | const class:0 * |
+| stl.h:180:17:180:22 | append | 0 | size_type |
+| stl.h:180:17:180:22 | append | 1 | class:0 |
+| stl.h:181:47:181:52 | append | 0 | func:0 |
+| stl.h:181:47:181:52 | append | 1 | func:0 |
+| stl.h:182:17:182:22 | assign | 0 | const basic_string & |
+| stl.h:183:17:183:22 | assign | 0 | size_type |
+| stl.h:183:17:183:22 | assign | 1 | class:0 |
+| stl.h:184:47:184:52 | assign | 0 | func:0 |
+| stl.h:184:47:184:52 | assign | 1 | func:0 |
+| stl.h:185:17:185:22 | insert | 0 | size_type |
+| stl.h:185:17:185:22 | insert | 1 | const basic_string & |
 | stl.h:186:17:186:22 | insert | 0 | size_type |
-| stl.h:186:17:186:22 | insert | 1 | const basic_string & |
+| stl.h:186:17:186:22 | insert | 1 | size_type |
+| stl.h:186:17:186:22 | insert | 2 | class:0 |
 | stl.h:187:17:187:22 | insert | 0 | size_type |
-| stl.h:187:17:187:22 | insert | 1 | size_type |
-| stl.h:187:17:187:22 | insert | 2 | class:0 |
-| stl.h:188:12:188:17 | insert | 0 | size_type |
-| stl.h:188:12:188:17 | insert | 1 | const class:0 * |
+| stl.h:187:17:187:22 | insert | 1 | const class:0 * |
+| stl.h:188:12:188:17 | insert | 0 | const_iterator |
+| stl.h:188:12:188:17 | insert | 1 | size_type |
+| stl.h:188:12:188:17 | insert | 2 | class:0 |
 | stl.h:189:42:189:47 | insert | 0 | const_iterator |
-| stl.h:189:42:189:47 | insert | 1 | size_type |
-| stl.h:189:42:189:47 | insert | 2 | class:0 |
-| stl.h:190:17:190:23 | replace | 0 | const_iterator |
-| stl.h:190:17:190:23 | replace | 1 | func:0 |
-| stl.h:190:17:190:23 | replace | 2 | func:0 |
+| stl.h:189:42:189:47 | insert | 1 | func:0 |
+| stl.h:189:42:189:47 | insert | 2 | func:0 |
+| stl.h:190:17:190:23 | replace | 0 | size_type |
+| stl.h:190:17:190:23 | replace | 1 | size_type |
+| stl.h:190:17:190:23 | replace | 2 | const basic_string & |
 | stl.h:191:17:191:23 | replace | 0 | size_type |
 | stl.h:191:17:191:23 | replace | 1 | size_type |
-| stl.h:191:17:191:23 | replace | 2 | const basic_string & |
-| stl.h:192:13:192:16 | copy | 0 | size_type |
+| stl.h:191:17:191:23 | replace | 2 | size_type |
+| stl.h:191:17:191:23 | replace | 3 | class:0 |
+| stl.h:192:13:192:16 | copy | 0 | class:0 * |
 | stl.h:192:13:192:16 | copy | 1 | size_type |
 | stl.h:192:13:192:16 | copy | 2 | size_type |
-| stl.h:192:13:192:16 | copy | 3 | class:0 |
-| stl.h:193:8:193:12 | clear | 0 | class:0 * |
-| stl.h:193:8:193:12 | clear | 1 | size_type |
-| stl.h:193:8:193:12 | clear | 2 | size_type |
-| stl.h:195:8:195:11 | swap | 0 | size_type |
-| stl.h:195:8:195:11 | swap | 1 | size_type |
+| stl.h:194:16:194:21 | substr | 0 | size_type |
+| stl.h:194:16:194:21 | substr | 1 | size_type |
+| stl.h:195:8:195:11 | swap | 0 | basic_string & |
 | stl.h:198:94:198:102 | operator+ | 0 | const basic_string & |
 | stl.h:198:94:198:102 | operator+ | 1 | const basic_string & |
 | stl.h:199:94:199:102 | operator+ | 0 | const basic_string & |

cpp/ql/test/library-tests/friends/loop/friends.expected

@@ -1,14 +1,14 @@
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:29 | F<D> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:29 | F<D> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |

cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.expected

@@ -1,3 +1,7 @@
+| inconsistency2.cpp:3:3:3:5 | T:: | inconsistency2.cpp:3:3:3:6 | x | inconsistency2.cpp:2:20:2:20 | T |
+| inconsistency2.cpp:3:3:3:11 | const s:: | inconsistency2.cpp:3:3:3:6 | x | file://:0:0:0:0 | const s |
+| inconsistency.cpp:7:20:7:22 | S:: | inconsistency.cpp:7:20:7:23 | (int)... | inconsistency.cpp:4:8:4:8 | S |
+| inconsistency.cpp:7:20:7:22 | S:: | inconsistency.cpp:7:20:7:23 | A | inconsistency.cpp:4:8:4:8 | S |
 | name_qualifiers.cpp:29:7:29:8 | :: | name_qualifiers.cpp:29:7:29:9 | x | file://:0:0:0:0 | (global namespace) |
 | name_qualifiers.cpp:31:7:31:10 | N1:: | name_qualifiers.cpp:31:7:31:12 | nx | name_qualifiers.cpp:4:11:4:12 | N1 |
 | name_qualifiers.cpp:34:7:34:8 | :: | name_qualifiers.cpp:34:9:34:12 | N1:: | file://:0:0:0:0 | (global namespace) |

cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.ql

@@ -1,7 +1,5 @@
 import cpp
 
 from NameQualifier nq, Location l
-where
-  l = nq.getQualifiedElement().getLocation() and
-  l.getFile().getShortName() = "name_qualifiers"
+where l = nq.getQualifiedElement().getLocation()
 select nq, nq.getQualifiedElement(), nq.getQualifyingElement()

cpp/ql/test/library-tests/name_qualifiers/inconsistency.cpp

@@ -1,8 +1,8 @@
 // This file is present to test whether name-qualifying an enum constant leads to a database inconsistency.
-// As such, there is no QL part of the test.
+
 
 struct S { enum E { A }; };
 
-static int f() {
+static void f() {
   switch(0) { case S::A: break; }
 }

cpp/ql/test/library-tests/name_qualifiers/inconsistency2.cpp

@@ -0,0 +1,12 @@
+namespace {
+template <typename T> T f() {
+  T::x;
+  return {};
+}
+struct s {
+  static int x;
+};
+struct t {
+  s x = f<const s>();
+};
+}

cpp/ql/test/library-tests/scanf/scanfFormatLiteral.expected

@@ -1,5 +1,8 @@
-| test.c:18:2:18:6 | call to scanf | 0 | s | 0 | 0 |
-| test.c:19:2:19:7 | call to fscanf | 0 | s | 10 | 10 |
-| test.c:19:2:19:7 | call to fscanf | 1 | i | 0 | 0 |
-| test.c:20:2:20:7 | call to sscanf | 0 | s | 0 | 0 |
-| test.c:21:2:21:8 | call to swscanf | 0 | s | 10 | 10 |
+| test.c:19:2:19:6 | call to scanf | 0 | s | 0 | 0 |
+| test.c:20:2:20:7 | call to fscanf | 0 | s | 10 | 10 |
+| test.c:20:2:20:7 | call to fscanf | 1 | i | 0 | 0 |
+| test.c:21:2:21:7 | call to sscanf | 0 | s | 0 | 0 |
+| test.c:22:2:22:8 | call to swscanf | 0 | s | 10 | 10 |
+| test.c:23:2:23:8 | call to scanf_s | 0 | d | 0 | 0 |
+| test.c:23:2:23:8 | call to scanf_s | 1 | s | 0 | 0 |
+| test.c:23:2:23:8 | call to scanf_s | 2 | d | 0 | 0 |

cpp/ql/test/library-tests/scanf/scanfFunctionCall.expected

@@ -1,5 +1,6 @@
 | ms.cpp:17:3:17:8 | call to sscanf | 0 | 1 | ms.cpp:17:24:17:30 | %I64i | non-wide |
-| test.c:18:2:18:6 | call to scanf | 0 | 0 | test.c:18:8:18:11 | %s | non-wide |
-| test.c:19:2:19:7 | call to fscanf | 0 | 1 | test.c:19:15:19:23 | %10s %i | non-wide |
-| test.c:20:2:20:7 | call to sscanf | 0 | 1 | test.c:20:19:20:28 | %*i%s%*s | non-wide |
-| test.c:21:2:21:8 | call to swscanf | 0 | 1 | test.c:21:21:21:26 | %10s | wide |
+| test.c:19:2:19:6 | call to scanf | 0 | 0 | test.c:19:8:19:11 | %s | non-wide |
+| test.c:20:2:20:7 | call to fscanf | 0 | 1 | test.c:20:15:20:23 | %10s %i | non-wide |
+| test.c:21:2:21:7 | call to sscanf | 0 | 1 | test.c:21:19:21:28 | %*i%s%*s | non-wide |
+| test.c:22:2:22:8 | call to swscanf | 0 | 1 | test.c:22:21:22:26 | %10s | wide |
+| test.c:23:2:23:8 | call to scanf_s | 0 | 0 | test.c:23:10:23:19 | %d %s %d | non-wide |

cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.expected

@@ -0,0 +1,9 @@
+| ms.cpp:17:3:17:8 | call to sscanf | ms.cpp:17:33:17:36 | & ... | 0 |
+| test.c:19:2:19:6 | call to scanf | test.c:19:14:19:19 | buffer | 0 |
+| test.c:20:2:20:7 | call to fscanf | test.c:20:26:20:31 | buffer | 0 |
+| test.c:20:2:20:7 | call to fscanf | test.c:20:34:20:34 | i | 1 |
+| test.c:21:2:21:7 | call to sscanf | test.c:21:31:21:36 | buffer | 0 |
+| test.c:22:2:22:8 | call to swscanf | test.c:22:29:22:35 | wbuffer | 0 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:22:23:23 | & ... | 0 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:26:23:31 | buffer | 1 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:38:23:40 | & ... | 2 |

cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.ql

@@ -0,0 +1,5 @@
+import semmle.code.cpp.commons.Scanf
+
+from ScanfFunctionCall sfc, Expr e, int n
+where e = sfc.getOutputArgument(n)
+select sfc, e, n

cpp/ql/test/library-tests/scanf/test.c

@@ -7,18 +7,20 @@ int scanf(const char *format, ...);
 int fscanf(FILE *stream, const char *format, ...);
 int sscanf(const char *s, const char *format, ...);
 int swscanf(const wchar_t* ws, const wchar_t* format, ...);
+int scanf_s(const char *format, ...);
 
 int main(int argc, char *argv[])
 {
 	char buffer[256];
 	wchar_t wbuffer[256];
 	FILE *file;
-	int i;
+	int i, i2;
 
 	scanf("%s", buffer);
 	fscanf(file, "%10s %i", buffer, i);
 	sscanf("Hello.", "%*i%s%*s", buffer);
 	swscanf(L"Hello.", "%10s", wbuffer);
+	scanf_s("%d %s %d", &i, buffer, 10, &i2);
 
 	return 0;
 }

csharp/downgrades/d13c4c187d7318fd2b8f35c7e8d7f4dc26be68b1/upgrade.properties

@@ -0,0 +1,2 @@
+description: Restructure and rename types related to operations.
+compatibility: full

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -664,7 +664,7 @@ namespace Semmle.Extraction.CSharp
                 // Find the (possibly unbound) original extension method that maps to this implementation (if any).
                 var unboundDeclaration = extensions.SelectMany(e => e.GetMembers())
                     .OfType<IMethodSymbol>()
-                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation, method.ConstructedFrom));
+                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation?.ConstructedFrom, method.ConstructedFrom));
 
                 var isFullyConstructed = method.IsBoundGenericMethod();
                 if (isFullyConstructed && unboundDeclaration?.ContainingType is INamedTypeSymbol extensionType)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -69,6 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
 
             Overrides(trapFile);
+            ExtractRefReturn(trapFile, Symbol, this);
 
             if (Symbol.FromSource() && !HasBody)
             {

csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs

@@ -32,9 +32,13 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             var assembly = Assembly.CreateOutputAssembly(Context);
 
-            trapFile.compilations(this, FileUtils.ConvertToUnix(cwd));
+            var path = Context.ExtractionContext.PathTransformer.Transform(cwd);
+            trapFile.compilations(this, path.Value);
             trapFile.compilation_assembly(this, assembly);
 
+            // Ensure that a `Folder` entity exists
+            Folder.Create(Context, path);
+
             // Arguments
             var expandedIndex = 0;
             for (var i = 0; i < args.Length; i++)