update codeql documentation

Merge pull request #21189 from github/release-prep/2.24.0
Release preparation for version 2.24.0
2026-05-27 09:31:30 +02:00 · 2026-01-20 22:58:44 +00:00 · 2026-01-19 07:19:55 -08:00 · 2026-01-19 15:17:11 +00:00 · 2026-01-19 15:12:05 +00:00 · 2026-01-19 14:49:14 +00:00
449 changed files with 61415 additions and 20652 deletions
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -17,9 +17,41 @@ permissions:
  contents: read

 jobs:
-  compile-queries:
+  detect-changes:
    if: github.repository_owner == 'github'
+    runs-on: ubuntu-latest
+    outputs:
+      languages: ${{ steps.detect.outputs.languages }}
+    steps:
+      - uses: actions/checkout@v5
+      - name: Detect changed languages
+        id: detect
+        run: |
+          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
+            # For PRs, detect which languages have changes
+            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
+            languages=()
+            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
+              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
+                languages+=("$lang")
+              fi
+            done
+            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
+          else
+            # For pushes to main/rc branches, run all languages
+            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
+
+  compile-queries:
+    needs: detect-changes
+    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
    runs-on: ubuntu-latest-xl
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}

    steps:
      - uses: actions/checkout@v5
@@ -31,16 +63,16 @@ jobs:
        id: query-cache
        uses: ./.github/actions/cache-query-compilation
        with: 
-          key: all-queries
+          key: ${{ matrix.language }}-queries
      - name: check formatting
-        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
      - name: compile queries - check-only
        # run with --check-only if running in a PR (github.sha != main)
        if : ${{ github.event_name == 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
      - name: compile queries - full
        # do full compile if running on main - this populates the cache
        if : ${{ github.event_name != 'pull_request' }}
        shell: bash
-        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
--- a/actions/ql/examples/codeql-pack.lock.yml
+++ b/actions/ql/examples/codeql-pack.lock.yml
@@ -0,0 +1,4 @@
+---
+lockVersion: 1.0.0
+dependencies: {}
+compiled: false
--- a/actions/ql/examples/qlpack.yml
+++ b/actions/ql/examples/qlpack.yml
@@ -0,0 +1,7 @@
+name: codeql/actions-examples
+groups:
+  - actions
+  - examples
+dependencies:
+  codeql/actions-all: ${workspace}
+warnOnImplicitThis: true
--- a/actions/ql/examples/snippets/uses_pinned_sha.ql
+++ b/actions/ql/examples/snippets/uses_pinned_sha.ql
@@ -0,0 +1,12 @@
+/**
+ * @name Uses step with pinned SHA
+ * @description Finds 'uses' steps where the version is a pinned SHA.
+ * @id actions/examples/uses-pinned-sha
+ * @tags example
+ */
+
+import actions
+
+from UsesStep uses
+where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
+select uses, "This 'uses' step has a pinned SHA version."
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.4.26
+
+### Major Analysis Improvements
+
+* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
+
 ## 0.4.25

 No user-facing changes.
--- a/actions/ql/lib/change-notes/2025-11-28-fix-code-injection-alert-filtering.md
+++ b/actions/ql/lib/change-notes/2025-11-28-fix-code-injection-alert-filtering.md
@@ -1,4 +1,5 @@
---
-category: majorAnalysis
---
+## 0.4.26
+
+### Major Analysis Improvements
+
 * The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.25
+lastReleaseVersion: 0.4.26
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.26-dev
+version: 0.4.26
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.18
+
+No user-facing changes.
+
 ## 0.6.17

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.18.md
+++ b/actions/ql/src/change-notes/released/0.6.18.md
@@ -0,0 +1,3 @@
+## 0.6.18
+
+No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.17
+lastReleaseVersion: 0.6.18
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.18-dev
+version: 0.6.18
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql
@@ -0,0 +1,17 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location_default {
+  string toString() { none() }
+}
+
+predicate isExprWithNewBuiltin(Expr expr) {
+  exists(int kind | exprs(expr, kind, _) | 394 <= kind and kind <= 396)
+}
+
+from Expr expr, int kind, int kind_new, Location location
+where
+  exprs(expr, kind, location) and
+  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
+select expr, kind_new, location
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/old.dbscheme
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/old.dbscheme
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties
+++ b/cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties
@@ -0,0 +1,4 @@
+description: Add new builtin operations and this parameter access table
+compatibility: partial
+exprs.rel: run exprs.qlo
+param_ref_to_this.rel: delete
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
+++ b/cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
@@ -0,0 +1,2 @@
+description: Remove _Decimal{32,64,128} types
+compatibility: full
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,27 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
+
+### Deprecated APIs
+
+* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
+* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
+* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
+
+### Minor Analysis Improvements
+
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
+
+### Bug Fixes
+
+* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.
+
 ## 6.1.4

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2026-01-02-constant-folding.md
+++ b/cpp/ql/lib/change-notes/2026-01-02-constant-folding.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
--- a/cpp/ql/lib/change-notes/released/7.0.0.md
+++ b/cpp/ql/lib/change-notes/released/7.0.0.md
@@ -0,0 +1,23 @@
+## 7.0.0
+
+### Breaking Changes
+
+* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.
+
+### Deprecated APIs
+
+* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.
+
+### New Features
+
+* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.
+* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.
+* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.
+
+### Minor Analysis Improvements
+
+* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.
+
+### Bug Fixes
+
+* Fixed a bug in the `DataFlow::BarrierGuard<...>::getABarrierNode` predicate which caused the predicate to return `DataFlow::Node`s with incorrect indirections. If you use `getABarrierNode` to implement barriers in a dataflow/taint-tracking query it may result in more query results. You can use `DataFlow::BarrierGuard<...>::getAnIndirectBarrierNode` to remove those query results.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.1.4
+lastReleaseVersion: 7.0.0
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 6.1.5-dev
+version: 7.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
+++ b/cpp/ql/lib/semmle/code/cpp/PrintAST.qll
@@ -1050,10 +1050,10 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
    expr.(Call).getQualifier() = ele and
    pred = "getQualifier()"
    or
-    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/0 also consider arguments, and are already handled below.
+    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/1 also consider arguments, and are already handled below.
    exists(int n, Expr arg | expr.(Call).getArgument(n) = arg |
      not expr.(OverloadedArrayExpr).getArrayBase() = arg and
-      not expr.(OverloadedArrayExpr).getArrayOffset() = arg and
+      not expr.(OverloadedArrayExpr).getAnArrayOffset() = arg and
      arg = ele and
      pred = "getArgument(" + n.toString() + ")"
    )
@@ -1062,7 +1062,10 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
    or
    expr.(OverloadedArrayExpr).getArrayBase() = ele and pred = "getArrayBase()"
    or
-    expr.(OverloadedArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
+    exists(int n |
+      expr.(OverloadedArrayExpr).getArrayOffset(n) = ele and
+      pred = "getArrayOffset(" + n.toString() + ")"
+    )
    or
    // OverloadedPointerDereferenceExpr::getExpr/0 also considers qualifiers, and is already handled above for all Call classes.
    not expr.(OverloadedPointerDereferenceExpr).getQualifier() =
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -802,15 +802,6 @@ private predicate floatingPointTypeMapping(
  // _Complex __float128
  kind = 39 and base = 2 and domain = TComplexDomain() and realKind = 38 and extended = false
  or
-  // _Decimal32
-  kind = 40 and base = 10 and domain = TRealDomain() and realKind = 40 and extended = false
-  or
-  // _Decimal64
-  kind = 41 and base = 10 and domain = TRealDomain() and realKind = 41 and extended = false
-  or
-  // _Decimal128
-  kind = 42 and base = 10 and domain = TRealDomain() and realKind = 42 and extended = false
-  or
  // _Float32
  kind = 45 and base = 2 and domain = TRealDomain() and realKind = 45 and extended = false
  or
@@ -871,9 +862,8 @@ private predicate floatingPointTypeMapping(

 /**
 * The C/C++ floating point types. See 4.5.  This includes `float`, `double` and `long double`, the
- * fixed-size floating-point types like `_Float32`, the extended-precision floating-point types like
- * `_Float64x`, and the decimal floating-point types like `_Decimal32`. It also includes the complex
- * and imaginary versions of all of these types.
+ * fixed-size floating-point types like `_Float32`, and the extended-precision floating-point types
+ * like `_Float64x`. It also includes the complex and imaginary versions of all of these types.
 */
 class FloatingPointType extends ArithmeticType {
  final int base;
@@ -991,42 +981,6 @@ class Float128Type extends RealNumberType, BinaryFloatingPointType {
  override string getAPrimaryQlClass() { result = "Float128Type" }
 }

-/**
- * The GNU C `_Decimal32` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal32 d32;
- * ```
- */
-class Decimal32Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal32Type() { builtintypes(underlyingElement(this), _, 40, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal32Type" }
-}
-
-/**
- * The GNU C `_Decimal64` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal64 d64;
- * ```
- */
-class Decimal64Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal64Type() { builtintypes(underlyingElement(this), _, 41, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal64Type" }
-}
-
-/**
- * The GNU C `_Decimal128` primitive type.  This is not standard C/C++.
- * ```
- * _Decimal128 d128;
- * ```
- */
-class Decimal128Type extends RealNumberType, DecimalFloatingPointType {
-  Decimal128Type() { builtintypes(underlyingElement(this), _, 42, _, _, _) }
-
-  override string getAPrimaryQlClass() { result = "Decimal128Type" }
-}
-
 /**
 * The C/C++ `void` type. See 4.7.
 * ```
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Access.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Access.qll
@@ -394,6 +394,11 @@ class FunctionAccess extends Access, @routineexpr {
 */
 class ParamAccessForType extends Expr, @param_ref {
  override string toString() { result = "param access" }
+
+  /**
+   * Holds if the accessed parameter is implicit object parameter of the function.
+   */
+  predicate isThisAccess() { param_ref_to_this(underlyingElement(this)) }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll
@@ -1941,3 +1941,61 @@ class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istrivia

  override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
 }
+
+/**
+ * A C++ `__is_bitwise_cloneable` built-in operation.
+ *
+ * Returns `true` if an object of type `_Tp` is bitwise cloneable.
+ *
+ * ```
+ * template<typename _Tp>
+ *   struct is_bitwise_cloneable
+ *   : public integral_constant<bool, __is_bitwise_cloneable(_Tp)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsBitwiseCloneable extends BuiltInOperation, @isbitwisecloneable {
+  override string toString() { result = "__is_bitwise_cloneable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsBitwiseCloneable" }
+}
+
+/**
+ * A C++ `__is_invocable` built-in operation (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * Returns `true` if a function of type `_FTpn` can be invoked with arguments of
+ * type `_Tps`.
+ *
+ * ```
+ * template<typename _FTpn, typename... _Tps>
+ *   struct is_invocable
+ *   : public integral_constant<bool, __is_invocable(_FTpn, _Tps...)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsInvocable extends BuiltInOperation, @isinvocable {
+  override string toString() { result = "__is_invocable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsInvocable" }
+}
+
+/**
+ * A C++ `__is_nothrow_invocable` built-in operation (used by some implementations
+ * of the `<type_traits>` header).
+ *
+ * Returns `true` if a function of non-throwing type `_FTpn` can be invoked
+ * with arguments of type `_Tps`.
+ *
+ * ```
+ * template<typename _FTpn, typename... _Tps>
+ *   struct is_nothrow_invocable
+ *   : public integral_constant<bool, __is_nothrow_invocable(_FTpn, _Tps...)>
+ *   {};
+ * ```
+ */
+class BuiltInOperationIsNothrowInvocable extends BuiltInOperation, @isnothrowinvocable {
+  override string toString() { result = "__is_nothrow_invocable" }
+
+  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowInvocable" }
+}
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Call.qll
@@ -387,10 +387,23 @@ class OverloadedArrayExpr extends FunctionCall {

  /**
   * Gets the expression giving the index.
+   *
+   * DEPRECATED: Use getArrayOffset/1 instead.
   */
-  Expr getArrayOffset() {
-    if exists(this.getQualifier()) then result = this.getChild(0) else result = this.getChild(1)
+  deprecated Expr getArrayOffset() { result = this.getArrayOffset(0) }
+
+  /**
+   * Gets the expression giving the nth index.
+   */
+  Expr getArrayOffset(int n) {
+    n >= 0 and
+    if exists(this.getQualifier()) then result = this.getChild(n) else result = this.getChild(n + 1)
  }
+
+  /**
+   * Gets an expression giving an index.
+   */
+  Expr getAnArrayOffset() { result = this.getArrayOffset(_) }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -156,7 +156,7 @@ class Node extends TIRDataFlowNode {
   * If `isGLValue()` holds, then the type of this node
   * should be thought of as "pointer to `getType()`".
   */
-  DataFlowType getType() { none() } // overridden in subclasses
+  Type getType() { none() } // overridden in subclasses

  /** Gets the instruction corresponding to this node, if any. */
  Instruction asInstruction() { result = this.(InstructionNode).getInstruction() }
@@ -541,7 +541,7 @@ class Node extends TIRDataFlowNode {
  /**
   * Gets an upper bound on the type of this node.
   */
-  DataFlowType getTypeBound() { result = this.getType() }
+  Type getTypeBound() { result = this.getType() }

  /** Gets the location of this element. */
  cached
@@ -585,7 +585,7 @@ private class Node0 extends Node, TNode0 {

  override string toStringImpl() { result = node.toString() }

-  override DataFlowType getType() { result = node.getType() }
+  override Type getType() { result = node.getType() }

  override predicate isGLValue() { node.isGLValue() }
 }
@@ -704,7 +704,7 @@ class SsaSynthNode extends Node, TSsaSynthNode {

  override Declaration getFunction() { result = node.getBasicBlock().getEnclosingFunction() }

-  override DataFlowType getType() { result = node.getSourceVariable().getType() }
+  override Type getType() { result = node.getSourceVariable().getType() }

  override predicate isGLValue() { node.getSourceVariable().isGLValue() }

@@ -732,7 +732,7 @@ class SsaIteratorNode extends Node, TSsaIteratorNode {

  override Declaration getFunction() { result = node.getFunction() }

-  override DataFlowType getType() { result = node.getType() }
+  override Type getType() { result = node.getType() }

  final override Location getLocationImpl() { result = node.getLocation() }

@@ -792,7 +792,7 @@ class FinalGlobalValue extends Node, TFinalGlobalValue {

  override Declaration getFunction() { result = globalUse.getIRFunction().getFunction() }

-  override DataFlowType getType() {
+  override Type getType() {
    exists(int indirectionIndex |
      indirectionIndex = globalUse.getIndirectionIndex() and
      result = getTypeImpl(globalUse.getUnderlyingType(), indirectionIndex)
@@ -826,7 +826,7 @@ class InitialGlobalValue extends Node, TInitialGlobalValue {

  final override predicate isGLValue() { globalDef.getIndirectionIndex() = 0 }

-  override DataFlowType getType() { result = globalDef.getUnderlyingType() }
+  override Type getType() { result = globalDef.getUnderlyingType() }

  final override Location getLocationImpl() { result = globalDef.getLocation() }

@@ -853,7 +853,7 @@ class BodyLessParameterNodeImpl extends Node, TBodyLessParameterNodeImpl {
  /** Gets the indirection index of this node. */
  int getIndirectionIndex() { result = indirectionIndex }

-  override DataFlowType getType() {
+  override Type getType() {
    result = getTypeImpl(p.getUnderlyingType(), this.getIndirectionIndex())
  }

@@ -1117,8 +1117,8 @@ private module RawIndirectNodes {

    override predicate isGLValue() { this.getOperand().isGLValue() }

-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
+    override Type getType() {
+      exists(int sub, Type type, boolean isGLValue |
        type = getOperandType(this.getOperand(), isGLValue) and
        if isGLValue = true then sub = 1 else sub = 0
      |
@@ -1163,8 +1163,8 @@ private module RawIndirectNodes {

    override predicate isGLValue() { this.getInstruction().isGLValue() }

-    override DataFlowType getType() {
-      exists(int sub, DataFlowType type, boolean isGLValue |
+    override Type getType() {
+      exists(int sub, Type type, boolean isGLValue |
        type = getInstructionType(this.getInstruction(), isGLValue) and
        if isGLValue = true then sub = 1 else sub = 0
      |
@@ -1263,7 +1263,7 @@ class FinalParameterNode extends Node, TFinalParameterNode {
    result.asSourceCallable() = this.getFunction()
  }

-  override DataFlowType getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }
+  override Type getType() { result = getTypeImpl(p.getUnderlyingType(), indirectionIndex) }

  final override Location getLocationImpl() {
    // Parameters can have multiple locations. When there's a unique location we use
@@ -1539,7 +1539,7 @@ abstract class PostUpdateNode extends Node {
   */
  abstract Node getPreUpdateNode();

-  final override DataFlowType getType() { result = this.getPreUpdateNode().getType() }
+  final override Type getType() { result = this.getPreUpdateNode().getType() }
 }

 /**
@@ -1632,9 +1632,7 @@ class VariableNode extends Node, TGlobalLikeVariableNode {
    result.asSourceCallable() = v
  }

-  override DataFlowType getType() {
-    result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1)
-  }
+  override Type getType() { result = getTypeImpl(v.getUnderlyingType(), indirectionIndex - 1) }

  final override Location getLocationImpl() {
    // Certain variables (such as parameters) can have multiple locations.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll
@@ -53,7 +53,7 @@ private module SourceVariables {
     * the type of this source variable should be thought of as "pointer
     * to `getType()`".
     */
-    DataFlowType getType() {
+    Type getType() {
      if this.isGLValue()
      then result = base.getType()
      else result = getTypeImpl(base.getType(), ind - 1)
@@ -1064,8 +1064,15 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
    DataFlowIntegrationInput::Guard g, SsaImpl::Definition def, IRGuards::GuardValue val,
    int indirectionIndex
  ) {
-    IRGuards::Guards_v1::ParameterizedValidationWrapper<int, guardChecksInstr/4>::guardChecksDef(g,
-      def, val, indirectionIndex)
+    exists(Instruction e |
+      IRGuards::Guards_v1::ParameterizedValidationWrapper<int, guardChecksInstr/4>::guardChecks(g,
+        e, val, indirectionIndex)
+    |
+      indirectionIndex = 0 and
+      def.(Definition).getAUse().getDef() = e
+      or
+      def.(Definition).getAnIndirectUse(indirectionIndex).getDef() = e
+    )
  }

  Node getABarrierNode(int indirectionIndex) {
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -617,9 +617,9 @@ case @builtintype.kind of
 | 37 = @signed_int128         // signed __int128
 | 38 = @float128              // __float128
 | 39 = @complex_float128      // _Complex __float128
-| 40 = @decimal32             // _Decimal32
-| 41 = @decimal64             // _Decimal64
-| 42 = @decimal128            // _Decimal128
+// ... 40 _Decimal32
+// ... 41 _Decimal64
+// ... 42 _Decimal128
 | 43 = @char16_t
 | 44 = @char32_t
 | 45 = @std_float32           // _Float32
@@ -1902,6 +1902,9 @@ case @expr.kind of
 | 391 = @nested_requirement
 | 392 = @compound_requirement
 | 393 = @concept_id
+| 394 = @isinvocable
+| 395 = @isnothrowinvocable
+| 396 = @isbitwisecloneable
 ;

@var_args_expr = @vastartexpr
@@ -2018,6 +2021,9 @@ case @expr.kind of
            | @istriviallyequalitycomparable
            | @isscopedenum
            | @istriviallyrelocatable
+            | @isinvocable
+            | @isnothrowinvocable
+            | @isbitwisecloneable
            ;

 compound_requirement_is_noexcept(
@@ -2034,6 +2040,10 @@ new_array_allocated_type(
    int type_id: @type ref
 );

+param_ref_to_this(
+    int expr: @param_ref ref
+)
+
 /**
 * The field being initialized by an initializer expression within an aggregate
 * initializer for a class/struct/union. Position is used to sort repeated initializers.
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/builtintypes.ql
+++ b/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/builtintypes.ql
@@ -0,0 +1,11 @@
+class BuiltinType extends @builtintype {
+  string toString() { none() }
+}
+
+predicate isDecimalBuiltinType(BuiltinType type) { builtintypes(type, _, [40, 41, 42], _, _, _) }
+
+from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
+where
+  builtintypes(type, name, kind, size, sign, alignment) and
+  if isDecimalBuiltinType(type) then kind_new = 1 else kind_new = kind
+select type, name, kind_new, size, sign, alignment
--- a/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/old.dbscheme
+++ b/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/old.dbscheme
--- a/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties
+++ b/cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties
@@ -0,0 +1,3 @@
+description: Remove _Decimal{32,64,128} types
+compatibility: partial
+builtintypes.rel: run builtintypes.qlo
--- a/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
+++ b/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/old.dbscheme
--- a/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
+++ b/cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties
@@ -0,0 +1,2 @@
+description: Add new builtin operations and this parameter access table
+compatibility: backwards
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.5.9
+
+### Minor Analysis Improvements
+
+* The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.
+
 ## 1.5.8

 No user-facing changes.
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -122,7 +122,8 @@ module Config implements DataFlow::ConfigSig {

  predicate isBarrier(DataFlow::Node node) {
    // Block flow if the node is guarded by any <, <= or = operations.
-    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode()
+    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getABarrierNode() or
+    node = DataFlow::BarrierGuard<lessThanOrEqual/3>::getAnIndirectBarrierNode()
  }

  predicate observeDiffInformedIncrementalMode() { any() }
--- a/cpp/ql/src/change-notes/2026-01-02-constant-comparison.md
+++ b/cpp/ql/src/change-notes/2026-01-02-constant-comparison.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 1.5.9
+
+### Minor Analysis Improvements
+
 * The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.8
+lastReleaseVersion: 1.5.9
--- a/cpp/ql/src/jsf/lib/section_4_21_Operators/AV_Rule_166.qll
+++ b/cpp/ql/src/jsf/lib/section_4_21_Operators/AV_Rule_166.qll
@@ -13,7 +13,7 @@ class SizeofImpureExprOperator extends SizeofExprOperator {
      not e.(OverloadedPointerDereferenceExpr).getExpr().isPure() and
      not exists(OverloadedArrayExpr op | op = e |
        op.getArrayBase().isPure() and
-        op.getArrayOffset().isPure()
+        forall(Expr offset | offset = op.getAnArrayOffset() | offset.isPure())
      )
    )
  }
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.9-dev
+version: 1.5.9
 groups:
  - cpp
  - queries
--- a/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -78,7 +78,7 @@ module ModelGeneratorCommonInput implements ModelGeneratorCommonInputSig<Cpp::Lo
 {
  private module DataFlow = Df::DataFlow;

-  class Type = DataFlowPrivate::DataFlowType;
+  class Type = Cpp::Type;

  // Note: This also includes `this`
  class Parameter = DataFlow::ParameterNode;
--- a/cpp/ql/test/library-tests/builtins/type_traits/clang.cpp
+++ b/cpp/ql/test/library-tests/builtins/type_traits/clang.cpp
@@ -1,4 +1,4 @@
-// semmle-extractor-options: --clang --clang_version 190000
+// semmle-extractor-options: --clang --clang_version 210000

 struct S {
    void f() {}
@@ -121,3 +121,11 @@ bool b_is_scoped_enum2 = __is_scoped_enum(int);

 bool b_is_trivially_relocatable1 = __is_trivially_relocatable(int);
 bool b_is_trivially_relocatable2 = __is_trivially_relocatable(void);
+
+struct S3{
+    S3(S3 &);
+    S3& operator=(S3&);
+};
+
+bool bok_is_bitwise_cloneable1 = __is_bitwise_cloneable(int);
+bool bok_is_bitwise_cloneable2 = __is_bitwise_cloneable(S3);
--- a/cpp/ql/test/library-tests/builtins/type_traits/expr.expected
+++ b/cpp/ql/test/library-tests/builtins/type_traits/expr.expected
@@ -165,6 +165,10 @@
 | clang.cpp:122:36:122:66 | int |  | <none> |
 | clang.cpp:123:36:123:67 | __is_trivially_relocatable | void | 0 |
 | clang.cpp:123:36:123:67 | void |  | <none> |
+| clang.cpp:130:34:130:60 | __is_bitwise_cloneable | int | 1 |
+| clang.cpp:130:34:130:60 | int |  | <none> |
+| clang.cpp:131:34:131:59 | S3 |  | <none> |
+| clang.cpp:131:34:131:59 | __is_bitwise_cloneable | S3 | 0 |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 0 |  | 0 |
 | file://:0:0:0:0 | 1 |  | 1 |
@@ -211,6 +215,16 @@
 | gcc.cpp:29:45:29:93 | __reference_converts_from_temporary | int &&,int && | 0 |
 | gcc.cpp:29:45:29:93 | int && |  | <none> |
 | gcc.cpp:29:45:29:93 | int && |  | <none> |
+| gcc.cpp:33:24:33:45 | __is_invocable | f_type | 1 |
+| gcc.cpp:33:24:33:45 | f_type |  | <none> |
+| gcc.cpp:34:24:34:51 | __is_invocable | f_type,bool | 0 |
+| gcc.cpp:34:24:34:51 | bool |  | <none> |
+| gcc.cpp:34:24:34:51 | f_type |  | <none> |
+| gcc.cpp:36:32:36:61 | __is_nothrow_invocable | f_type | 1 |
+| gcc.cpp:36:32:36:61 | f_type |  | <none> |
+| gcc.cpp:37:32:37:67 | __is_nothrow_invocable | f_type,bool | 0 |
+| gcc.cpp:37:32:37:67 | bool |  | <none> |
+| gcc.cpp:37:32:37:67 | f_type |  | <none> |
 | ms.cpp:38:41:38:45 | 0 |  | 0 |
 | ms.cpp:88:27:88:45 | __has_assign | empty | 0 |
 | ms.cpp:88:27:88:45 | empty |  | <none> |
--- a/cpp/ql/test/library-tests/builtins/type_traits/gcc.cpp
+++ b/cpp/ql/test/library-tests/builtins/type_traits/gcc.cpp
@@ -1,4 +1,4 @@
-// semmle-extractor-options: --gnu_version 130000
+// semmle-extractor-options: --gnu_version 150000

 __attribute__ ((aligned(8))) int v;
 bool b_has_attribute1 = __builtin_has_attribute(v, aligned);
@@ -27,3 +27,11 @@ bool b_reference_constructs_from_temporary2 = __reference_constructs_from_tempor

 bool b_reference_converts_from_temporary1 = __reference_converts_from_temporary(int&&, int);
 bool b_reference_converts_from_temporary2 = __reference_converts_from_temporary(int&&, int&&);
+
+using f_type = void(*)() noexcept;
+
+bool b_is_invocable1 = __is_invocable(f_type);
+bool b_is_invocable2 = __is_invocable(f_type, bool);
+
+bool b_is_nothrow_invocable1 = __is_nothrow_invocable(f_type);
+bool b_is_nothrow_invocable2 = __is_nothrow_invocable(f_type, bool);
--- a/cpp/ql/test/library-tests/builtins/types/types.c
+++ b/cpp/ql/test/library-tests/builtins/types/types.c
@@ -1,5 +0,0 @@
-
-_Decimal32 d32;
-_Decimal64 d64;
-_Decimal128 d128;
-
--- a/cpp/ql/test/library-tests/builtins/types/types.expected
+++ b/cpp/ql/test/library-tests/builtins/types/types.expected
@@ -1,7 +0,0 @@
-| file://:0:0:0:0 | fp_offset | file://:0:0:0:0 | unsigned int |
-| file://:0:0:0:0 | gp_offset | file://:0:0:0:0 | unsigned int |
-| file://:0:0:0:0 | overflow_arg_area | file://:0:0:0:0 | void * |
-| file://:0:0:0:0 | reg_save_area | file://:0:0:0:0 | void * |
-| types.c:2:12:2:14 | d32 | file://:0:0:0:0 | _Decimal32 |
-| types.c:3:12:3:14 | d64 | file://:0:0:0:0 | _Decimal64 |
-| types.c:4:13:4:16 | d128 | file://:0:0:0:0 | _Decimal128 |
--- a/cpp/ql/test/library-tests/builtins/types/types.ql
+++ b/cpp/ql/test/library-tests/builtins/types/types.ql
@@ -1,5 +0,0 @@
-import cpp
-
-from Variable v, Type t
-where t = v.getType()
-select v, t
--- a/cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.cpp
+++ b/cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.cpp
@@ -4,6 +4,12 @@ void sink(int);

 void testCheckArgument(int* p) {
  if (checkArgument(p)) {
-    sink(*p); // $ barrier barrier=1
+    sink(*p); // $ indirect_barrier=int barrier=int*
+  }
+}
+
+void testCheckArgument(int p) {
+  if (checkArgument(&p)) {
+    sink(p); // $ barrier=glval<int> indirect_barrier=int
  }
 }
--- a/cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.ql
+++ b/cpp/ql/test/library-tests/dataflow/ir-barrier-guards/test.ql
@@ -13,26 +13,33 @@ predicate instructionGuardChecks(IRGuardCondition gc, Instruction checked, boole

 module BarrierGuard = DataFlow::InstructionBarrierGuard<instructionGuardChecks/3>;

-predicate indirectBarrierGuard(DataFlow::Node node, int indirectionIndex) {
-  node = BarrierGuard::getAnIndirectBarrierNode(indirectionIndex)
+predicate indirectBarrierGuard(DataFlow::Node node, string s) {
+  node = BarrierGuard::getAnIndirectBarrierNode(_) and
+  if node.isGLValue()
+  then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
+  else s = node.getType().toString().replaceAll(" ", "")
 }

-predicate barrierGuard(DataFlow::Node node) { node = BarrierGuard::getABarrierNode() }
+predicate barrierGuard(DataFlow::Node node, string s) {
+  node = BarrierGuard::getABarrierNode() and
+  if node.isGLValue()
+  then s = "glval<" + node.getType().toString().replaceAll(" ", "") + ">"
+  else s = node.getType().toString().replaceAll(" ", "")
+}

 module Test implements TestSig {
-  string getARelevantTag() { result = "barrier" }
+  string getARelevantTag() { result = ["barrier", "indirect_barrier"] }

  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(DataFlow::Node node |
-      barrierGuard(node) and
-      value = ""
+    exists(DataFlow::Node node, string s |
+      indirectBarrierGuard(node, s) and
+      value = s and
+      tag = "indirect_barrier"
      or
-      exists(int indirectionIndex |
-        indirectBarrierGuard(node, indirectionIndex) and
-        value = indirectionIndex.toString()
-      )
+      barrierGuard(node, s) and
+      value = s and
+      tag = "barrier"
    |
-      tag = "barrier" and
      element = node.toString() and
      location = node.getLocation()
    )
--- a/cpp/ql/test/library-tests/friends/loop/friends.expected
+++ b/cpp/ql/test/library-tests/friends/loop/friends.expected
@@ -1,9 +1,14 @@
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |
--- a/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
+++ b/cpp/ql/test/library-tests/ir/ir/PrintAST.expected
@@ -24309,7 +24309,7 @@ ir.cpp:
 # 2727|         getArrayBase(): [VariableAccess] x
 # 2727|             Type = [SpecifiedType] const WithBracketOperator
 # 2727|             ValueCategory = lvalue
-# 2727|         getArrayOffset(): [VariableAccess] i
+# 2727|         getArrayOffset(0): [VariableAccess] i
 # 2727|             Type = [IntType] int
 # 2727|             ValueCategory = prvalue(load)
 # 2727|       getExpr().getFullyConverted(): [ReferenceDereferenceExpr] (reference dereference)
--- a/cpp/ql/test/library-tests/literals/literals/literals.c
+++ b/cpp/ql/test/library-tests/literals/literals/literals.c
@@ -1,6 +1,4 @@

-double dd = 1.0d;
-double dD = 1.0D;
 double df = 1.0f;
 double dF = 1.0F;
 double di = 1.0i;
--- a/cpp/ql/test/library-tests/literals/literals/literals.expected
+++ b/cpp/ql/test/library-tests/literals/literals/literals.expected
@@ -1,14 +1,12 @@
 | literals.c:2:13:2:16 | 1.0 |
 | literals.c:3:13:3:16 | 1.0 |
-| literals.c:4:13:4:16 | 1.0 |
-| literals.c:5:13:5:16 | 1.0 |
+| literals.c:4:13:4:16 | (0.0,1.0i) |
+| literals.c:5:13:5:16 | (0.0,1.0i) |
 | literals.c:6:13:6:16 | (0.0,1.0i) |
 | literals.c:7:13:7:16 | (0.0,1.0i) |
-| literals.c:8:13:8:16 | (0.0,1.0i) |
-| literals.c:9:13:9:16 | (0.0,1.0i) |
+| literals.c:8:13:8:16 | 1.0 |
+| literals.c:9:13:9:16 | 1.0 |
 | literals.c:10:13:10:16 | 1.0 |
 | literals.c:11:13:11:16 | 1.0 |
 | literals.c:12:13:12:16 | 1.0 |
 | literals.c:13:13:13:16 | 1.0 |
-| literals.c:14:13:14:16 | 1.0 |
-| literals.c:15:13:15:16 | 1.0 |
--- a/cpp/ql/test/library-tests/subscript_operator/PrintAST.expected
+++ b/cpp/ql/test/library-tests/subscript_operator/PrintAST.expected
@@ -0,0 +1,69 @@
+#-----| [CopyAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag const&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const __va_list_tag &
+#-----| [MoveAssignmentOperator] __va_list_tag& __va_list_tag::operator=(__va_list_tag&&)
+#-----|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] __va_list_tag &&
+test.cpp:
+#    3| [CopyAssignmentOperator] S& S::operator=(S const&)
+#    3|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [LValueReferenceType] const S &
+#    3| [MoveAssignmentOperator] S& S::operator=(S&&)
+#    3|   <params>: 
+#-----|     getParameter(0): [Parameter] (unnamed parameter 0)
+#-----|         Type = [RValueReferenceType] S &&
+#    5| [MemberFunction] int S::operator[](int, int)
+#    5|   <params>: 
+#    5|     getParameter(0): [Parameter] i
+#    5|         Type = [IntType] int
+#    5|     getParameter(1): [Parameter] j
+#    5|         Type = [IntType] int
+#    5|   getEntryPoint(): [BlockStmt] { ... }
+#    6|     getStmt(0): [ReturnStmt] return ...
+#    6|       getExpr(): [ArrayExpr] access to array
+#    6|           Type = [IntType] int
+#    6|           ValueCategory = prvalue(load)
+#    6|         getArrayBase(): [ArrayExpr] access to array
+#    6|             Type = [ArrayType] int[2]
+#    6|             ValueCategory = lvalue
+#    6|           getArrayBase(): [ImplicitThisFieldAccess,PointerFieldAccess] xs
+#    6|               Type = [ArrayType] int[2][2]
+#    6|               ValueCategory = lvalue
+#    6|             getQualifier(): [ThisExpr] this
+#    6|                 Type = [PointerType] S *
+#    6|                 ValueCategory = prvalue(load)
+#    6|           getArrayOffset(): [VariableAccess] i
+#    6|               Type = [IntType] int
+#    6|               ValueCategory = prvalue(load)
+#-----|           getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#-----|               Type = [PointerType] int(*)[2]
+#-----|               ValueCategory = prvalue
+#    6|         getArrayOffset(): [VariableAccess] j
+#    6|             Type = [IntType] int
+#    6|             ValueCategory = prvalue(load)
+#    6|         getArrayBase().getFullyConverted(): [ArrayToPointerConversion] array to pointer conversion
+#    6|             Type = [IntPointerType] int *
+#    6|             ValueCategory = prvalue
+#   10| [TopLevelFunction] int foo(S)
+#   10|   <params>: 
+#   10|     getParameter(0): [Parameter] s
+#   10|         Type = [Struct] S
+#   10|   getEntryPoint(): [BlockStmt] { ... }
+#   11|     getStmt(0): [ReturnStmt] return ...
+#   11|       getExpr(): [OverloadedArrayExpr] call to operator[]
+#   11|           Type = [IntType] int
+#   11|           ValueCategory = prvalue
+#   11|         getArrayBase(): [VariableAccess] s
+#   11|             Type = [Struct] S
+#   11|             ValueCategory = lvalue
+#   11|         getArrayOffset(0): [Literal] 1
+#   11|             Type = [IntType] int
+#   11|             Value = [Literal] 1
+#   11|             ValueCategory = prvalue
+#   11|         getArrayOffset(1): [Literal] 2
+#   11|             Type = [IntType] int
+#   11|             Value = [Literal] 2
+#   11|             ValueCategory = prvalue
--- a/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref
+++ b/cpp/ql/test/library-tests/subscript_operator/PrintAST.qlref
@@ -0,0 +1 @@
+semmle/code/cpp/PrintAST.ql
--- a/cpp/ql/test/library-tests/subscript_operator/test.cpp
+++ b/cpp/ql/test/library-tests/subscript_operator/test.cpp
@@ -0,0 +1,12 @@
+// semmle-extractor-options: -std=c++23
+
+struct S {
+    int xs[2][2];
+    int operator[](int i, int j) {
+        return xs[i][j];
+    }
+};
+
+int foo(S s) {
+    return s[1, 2];
+}
--- a/cpp/ql/test/library-tests/templates/type_instantiations/types.expected
+++ b/cpp/ql/test/library-tests/templates/type_instantiations/types.expected
@@ -12,9 +12,6 @@
 | file://:0:0:0:0 | _Complex float |
 | file://:0:0:0:0 | _Complex long double |
 | file://:0:0:0:0 | _Complex std::float16_t |
-| file://:0:0:0:0 | _Decimal32 |
-| file://:0:0:0:0 | _Decimal64 |
-| file://:0:0:0:0 | _Decimal128 |
 | file://:0:0:0:0 | _Float16 |
 | file://:0:0:0:0 | _Float32 |
 | file://:0:0:0:0 | _Float32x |
--- a/cpp/ql/test/library-tests/type_sizes/type_sizes.expected
+++ b/cpp/ql/test/library-tests/type_sizes/type_sizes.expected
@@ -32,9 +32,6 @@
 | file://:0:0:0:0 | _Complex float | 8 |
 | file://:0:0:0:0 | _Complex long double | 32 |
 | file://:0:0:0:0 | _Complex std::float16_t | 4 |
-| file://:0:0:0:0 | _Decimal32 | 4 |
-| file://:0:0:0:0 | _Decimal64 | 8 |
-| file://:0:0:0:0 | _Decimal128 | 16 |
 | file://:0:0:0:0 | _Float16 | 2 |
 | file://:0:0:0:0 | _Float32 | 4 |
 | file://:0:0:0:0 | _Float32x | 8 |
--- a/cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
+++ b/cpp/ql/test/library-tests/unspecified_type/types/unspecified_type.expected
@@ -14,9 +14,6 @@
 | file://:0:0:0:0 | _Complex float | _Complex float |
 | file://:0:0:0:0 | _Complex long double | _Complex long double |
 | file://:0:0:0:0 | _Complex std::float16_t | _Complex std::float16_t |
-| file://:0:0:0:0 | _Decimal32 | _Decimal32 |
-| file://:0:0:0:0 | _Decimal64 | _Decimal64 |
-| file://:0:0:0:0 | _Decimal128 | _Decimal128 |
 | file://:0:0:0:0 | _Float16 | _Float16 |
 | file://:0:0:0:0 | _Float32 | _Float32 |
 | file://:0:0:0:0 | _Float32x | _Float32x |
--- a/cpp/ql/test/library-tests/variables/variables/types.expected
+++ b/cpp/ql/test/library-tests/variables/variables/types.expected
@@ -13,9 +13,6 @@
 | _Complex float | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
 | _Complex long double | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
 | _Complex std::float16_t | BinaryFloatingPointType, ComplexNumberType, GuardConditionImpl |  |  |  |  |
-| _Decimal32 | Decimal32Type, GuardConditionImpl |  |  |  |  |
-| _Decimal64 | Decimal64Type, GuardConditionImpl |  |  |  |  |
-| _Decimal128 | Decimal128Type, GuardConditionImpl |  |  |  |  |
 | _Float16 | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |
 | _Float32 | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |
 | _Float32x | BinaryFloatingPointType, GuardConditionImpl, RealNumberType |  |  |  |  |
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.57
+
+No user-facing changes.
+
 ## 1.7.56

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.57.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.57.md
@@ -0,0 +1,3 @@
+## 1.7.57
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.56
+lastReleaseVersion: 1.7.57
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.57-dev
+version: 1.7.57
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.57
+
+No user-facing changes.
+
 ## 1.7.56

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.57.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.57.md
@@ -0,0 +1,3 @@
+## 1.7.57
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.56
+lastReleaseVersion: 1.7.57
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.57-dev
+version: 1.7.57
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,22 @@
+## 5.4.5
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
+* Updated the generated .NET “models as data” runtime models to cover .NET 10.
+* C# 14: Support for *implicit* span conversions in the QL library.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
+* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
+
+### Bug Fixes
+
+* Fixed two issues affecting build mode `none`:
+  * Corrected version sorting logic when detecting the newest .NET framework to use.
+  * Improved stability for .NET 10 compatibility.
+* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.
+
 ## 5.4.4

 No user-facing changes.
--- a/csharp/ql/lib/change-notes/2025-12-03-implicit-map-value-reads.md
+++ b/csharp/ql/lib/change-notes/2025-12-03-implicit-map-value-reads.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
--- a/csharp/ql/lib/change-notes/2025-12-03-run-tracer-after-compilation.md
+++ b/csharp/ql/lib/change-notes/2025-12-03-run-tracer-after-compilation.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.
--- a/csharp/ql/lib/change-notes/2025-12-04-bmn-dotnet-fixes.md
+++ b/csharp/ql/lib/change-notes/2025-12-04-bmn-dotnet-fixes.md
@@ -1,6 +0,0 @@
---
-category: fix
---
-* Fixed two issues affecting build mode `none`:
-  * Corrected version sorting logic when detecting the newest .NET framework to use.
-  * Improved stability for .NET 10 compatibility.
--- a/csharp/ql/lib/change-notes/2025-12-09-bmn-default-dotnet.md
+++ b/csharp/ql/lib/change-notes/2025-12-09-bmn-default-dotnet.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
--- a/csharp/ql/lib/change-notes/2025-12-11-net10-basic-support.md
+++ b/csharp/ql/lib/change-notes/2025-12-11-net10-basic-support.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
--- a/csharp/ql/lib/change-notes/2025-12-11-slnx-support.md
+++ b/csharp/ql/lib/change-notes/2025-12-11-slnx-support.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
--- a/csharp/ql/lib/change-notes/2025-12-18-implicit-span-conversions.md
+++ b/csharp/ql/lib/change-notes/2025-12-18-implicit-span-conversions.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* C# 14: Support for *implicit* span conversions in the QL library.
--- a/csharp/ql/lib/change-notes/2026-01-05-net-runtime-models.md
+++ b/csharp/ql/lib/change-notes/2026-01-05-net-runtime-models.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Updated the generated .NET “models as data” runtime models to cover .NET 10.
--- a/csharp/ql/lib/change-notes/2026-01-06-paths-directives-ancillary-data.md
+++ b/csharp/ql/lib/change-notes/2026-01-06-paths-directives-ancillary-data.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
--- a/csharp/ql/lib/change-notes/released/5.4.5.md
+++ b/csharp/ql/lib/change-notes/released/5.4.5.md
@@ -0,0 +1,18 @@
+## 5.4.5
+
+### Minor Analysis Improvements
+
+* When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
+* Updated the generated .NET “models as data” runtime models to cover .NET 10.
+* C# 14: Support for *implicit* span conversions in the QL library.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Added autobuilder and `build-mode: none` support for `.slnx` solution files.
+* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
+
+### Bug Fixes
+
+* Fixed two issues affecting build mode `none`:
+  * Corrected version sorting logic when detecting the newest .NET framework to use.
+  * Improved stability for .NET 10 compatibility.
+* Fixed an issue where compiler-generated files were not being extracted. The extractor now runs after compilation completes to ensure all generated files are properly analyzed.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.4
+lastReleaseVersion: 5.4.5
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.5-dev
+version: 5.4.5
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,14 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* Updated the `name`, `description`, and alert message of `cs/path-combine` to have more details about why it's a problem.
+
+### Minor Analysis Improvements
+
+* Added `NHibernate.ISession.CreateSQLQuery`, `NHibernate.IStatelessSession.CreateSQLQuery` and `NHibernate.Impl.AbstractSessionImpl.CreateSQLQuery` as SQL injection sinks.
+* The `Missing cross-site request forgery token validation` query was extended to support ASP.NET Core.
+
 ## 1.5.4

 No user-facing changes.
--- a/csharp/ql/src/change-notes/2025-12-08-csrf-aspnetcore.md
+++ b/csharp/ql/src/change-notes/2025-12-08-csrf-aspnetcore.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `Missing cross-site request forgery token validation` query was extended to support ASP.NET Core.
--- a/csharp/ql/src/change-notes/2025-12-11-nhibernate-sql-sinks.md
+++ b/csharp/ql/src/change-notes/2025-12-11-nhibernate-sql-sinks.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added `NHibernate.ISession.CreateSQLQuery`, `NHibernate.IStatelessSession.CreateSQLQuery` and `NHibernate.Impl.AbstractSessionImpl.CreateSQLQuery` as SQL injection sinks.
--- a/csharp/ql/src/change-notes/2025-12-16-path-combine-metadata.md
+++ b/csharp/ql/src/change-notes/2025-12-16-path-combine-metadata.md
@@ -1,4 +0,0 @@
---
-category: queryMetadata
---
-* Updated the `name`, `description`, and alert message of `cs/path-combine` to have more details about why it's a problem.
--- a/csharp/ql/src/change-notes/released/1.6.0.md
+++ b/csharp/ql/src/change-notes/released/1.6.0.md
@@ -0,0 +1,10 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* Updated the `name`, `description`, and alert message of `cs/path-combine` to have more details about why it's a problem.
+
+### Minor Analysis Improvements
+
+* Added `NHibernate.ISession.CreateSQLQuery`, `NHibernate.IStatelessSession.CreateSQLQuery` and `NHibernate.Impl.AbstractSessionImpl.CreateSQLQuery` as SQL injection sinks.
+* The `Missing cross-site request forgery token validation` query was extended to support ASP.NET Core.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.4
+lastReleaseVersion: 1.6.0
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.5.5-dev
+version: 1.6.0
 groups:
  - csharp
  - queries
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.1.rst
@@ -88,7 +88,7 @@ JavaScript/TypeScript
 *   Data flow is now tracked through the :code:`Promise.try` and :code:`Array.prototype.with` functions.
 *   Query :code:`js/index-out-of-bounds` no longer produces a false-positive when a strictly-less-than check overrides a previous less-than-or-equal test.
 *   The query :code:`js/remote-property-injection` now detects property injection vulnerabilities through object enumeration patterns such as :code:`Object.keys()`.
-*   The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query <https://github.com/github/codeql/pull/14342>`__!
+*   The query "Permissive CORS configuration" (:code:`js/cors-permissive-configuration`) has been promoted from experimental and is now part of the default security suite. Thank you to @maikypedia who `submitted the original experimental query <https://github.com/github/codeql/pull/14342>`__\ !

 Python
 """"""
@@ -126,7 +126,7 @@ Golang
 """"""

 *   The second argument of the :code:`CreateTemp` function, from the :code:`os` package, is no longer a path-injection sink due to proper sanitization by Go.
-*   The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or ``\`` to the beginning.
+*   The query "Uncontrolled data used in path expression" (:code:`go/path-injection`) now detects sanitizing a path by adding :code:`os.PathSeparator` or :code:`\` to the beginning.

 Java/Kotlin
 """""""""""
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.9.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.23.9.rst
@@ -0,0 +1,25 @@
+.. _codeql-cli-2.23.9:
+
+==========================
+CodeQL 2.23.9 (2026-01-09)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.23.9 runs a total of 491 security queries when configured with the Default suite (covering 166 CWE). The Extended suite enables an additional 135 queries (covering 35 more CWE).
+
+CodeQL CLI
+----------
+
+Deprecations
+~~~~~~~~~~~~
+
+*   Support for Kotlin version 1.6 and 1.7 has been deprecated and will be removed from CodeQL version 2.24.1. Starting with version 2.24.1, users will need to use Kotlin version >= 1.8 to extract Kotlin databases.
--- a/docs/codeql/codeql-overview/codeql-changelog/index.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst
@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
   :maxdepth: 1

+   codeql-cli-2.23.9
   codeql-cli-2.23.8
   codeql-cli-2.23.7
   codeql-cli-2.23.6
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.40
+
+No user-facing changes.
+
 ## 1.0.39

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.40.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.40.md
@@ -0,0 +1,3 @@
+## 1.0.40
+
+No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.39
+lastReleaseVersion: 1.0.40
--- a/Show More
+++ b/Show More