Merge branch 'main' into redsun82/rust-compress-trap

Merge pull request #21864 from github/post-release-prep/codeql-cli-2.25.5
Post-release preparation for codeql-cli-2.25.5
2026-05-26 17:11:24 +02:00 · 2026-05-26 16:56:54 +02:00 · 2026-05-22 17:41:38 +02:00 · 2026-05-22 16:32:30 +02:00 · 2026-05-22 16:08:45 +02:00 · 2026-05-22 15:46:06 +02:00
209 changed files with 12609 additions and 1451 deletions
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.4.36
+
+### Minor Analysis Improvements
+
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
+
 ## 0.4.35

 No user-facing changes.
--- a/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md
+++ b/actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
+## 0.4.36
+
+### Minor Analysis Improvements
+
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.35
+lastReleaseVersion: 0.4.36
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.36-dev
+version: 0.4.37-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,17 @@
+## 0.6.28
+
+### Query Metadata Changes
+
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
+
+### Minor Analysis Improvements
+
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
+
+### Bug Fixes
+
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
+
 ## 0.6.27

 No user-facing changes.
--- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md
+++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
--- a/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md
+++ b/actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md
@@ -1,4 +0,0 @@
---
-category: queryMetadata
---
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
--- a/actions/ql/src/change-notes/2026-04-20-unpinned-tag-composite-actions.md
+++ b/actions/ql/src/change-notes/2026-04-20-unpinned-tag-composite-actions.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
--- a/actions/ql/src/change-notes/released/0.6.28.md
+++ b/actions/ql/src/change-notes/released/0.6.28.md
@@ -0,0 +1,13 @@
+## 0.6.28
+
+### Query Metadata Changes
+
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
+
+### Minor Analysis Improvements
+
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
+
+### Bug Fixes
+
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.27
+lastReleaseVersion: 0.6.28
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.28-dev
+version: 0.6.29-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme
+++ b/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme
--- a/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties
+++ b/cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties
@@ -0,0 +1,6 @@
+description: Capture information about one template being generated from another
+compatibility: full
+class_template_generated_from.rel: delete
+function_template_generated_from.rel: delete
+variable_template_generated_from.rel: delete
+alias_template_generated_from.rel: delete
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 10.1.1
+
+### Minor Analysis Improvements
+
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
+
 ## 10.1.0

 ### New Features
--- a/cpp/ql/lib/change-notes/2026-05-15-secure-scanf.md
+++ b/cpp/ql/lib/change-notes/2026-05-15-secure-scanf.md
@@ -0,0 +1,5 @@
+---
+category: minorAnalysis
+---
+* Added flow source models for `scanf_s` and related functions.
+* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.
--- a/cpp/ql/lib/change-notes/2026-05-21-generated-from.md
+++ b/cpp/ql/lib/change-notes/2026-05-21-generated-from.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
--- a/cpp/ql/lib/change-notes/2026-05-15-hasSocketInput-for-fscanf.md
+++ b/cpp/ql/lib/change-notes/2026-05-15-hasSocketInput-for-fscanf.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
-* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
+## 10.1.1
+
+### Minor Analysis Improvements
+
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.1.0
+lastReleaseVersion: 10.1.1
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.1.1-dev
+version: 10.1.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Class.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Class.qll
@@ -856,8 +856,10 @@ class AbstractClass extends Class {

 /**
 * A class template (this class also finds partial specializations
- * of class templates).  For example in the following code there is a
- * `MyTemplateClass<T>` template:
+ * of class templates).
+ *
+ * For example in the following code there is a `MyTemplateClass<T>`
+ * template:
 * ```
 * template<class T>
 * class MyTemplateClass {
@@ -893,6 +895,29 @@ class TemplateClass extends Class {
  }

  override string getAPrimaryQlClass() { result = "TemplateClass" }
+
+  /**
+   * Gets the class member template this template was generated from.
+   *
+   * This predicate only has results for templates that are members of class
+   * template instantiations. For example, for `MyTemplateClass<int>::C<S>`
+   * in the following code, the result is `MyTemplateClass<T>::C<S>`.
+   * ```cpp
+   * template<class T>
+   * class MyTemplateClass {
+   *   template<class S>
+   *   class C {
+   *     ...
+   *   };
+   * };
+   *
+   * template
+   * class MyTemplateClass<int>;
+   * ```
+   */
+  TemplateClass getOriginalTemplate() {
+    class_template_generated_from(underlyingElement(this), unresolveElement(result))
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -828,6 +828,27 @@ class TemplateFunction extends Function {
   * such things -- see FunctionTemplateSpecialization for further details.
   */
  FunctionTemplateSpecialization getASpecialization() { result.getPrimaryTemplate() = this }
+
+  /**
+   * Gets the class member template this template was generated from.
+   *
+   * This predicate only has results for templates that are members of class
+   * template instantiations. For example, for `MyTemplateClass<int>::f<S>`
+   * in the following code, the result is `MyTemplateClass<T>::f<S>`.
+   * ```cpp
+   * template<class T>
+   * class MyTemplateClass {
+   *   template<class S>
+   *   S f();
+   * };
+   *
+   * template
+   * class MyTemplateClass<int>;
+   * ```
+   */
+  TemplateFunction getOriginalTemplate() {
+    function_template_generated_from(underlyingElement(this), unresolveElement(result))
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/TypedefType.qll
+++ b/cpp/ql/lib/semmle/code/cpp/TypedefType.qll
@@ -130,6 +130,27 @@ class AliasTemplateType extends TypeAliasType {
   * ```
   */
  TypeAliasType getAnInstantiation() { result.isConstructedFrom(this) }
+
+  /**
+   * Gets the class member template this template was generated from.
+   *
+   * This predicate only has results for templates that are members of class
+   * template instantiations. For example, for `MyTemplateClass<int>::t<S>`
+   * in the following code, the result is `MyTemplateClass<T>::t<S>`.
+   * ```cpp
+   * template<class T>
+   * class MyTemplateClass {
+   *   template<class S>
+   *   using t = S;
+   * };
+   *
+   * template
+   * class MyTemplateClass<int>;
+   * ```
+   */
+  AliasTemplateType getOriginalTemplate() {
+    alias_template_generated_from(underlyingElement(this), unresolveElement(result))
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/Variable.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Variable.qll
@@ -614,6 +614,27 @@ class TemplateVariable extends Variable {
    result.isConstructedFrom(this) and
    not result.isSpecialization()
  }
+
+  /**
+   * Gets the class member template this template was generated from.
+   *
+   * This predicate only has results for templates that are members of class
+   * template instantiations. For example, for `MyTemplateClass<int>::x<S>`
+   * in the following code, the result is `MyTemplateClass<T>::x<S>`.
+   * ```cpp
+   * template<class T>
+   * class MyTemplateClass {
+   *   template<class S>
+   *   static S x;
+   * };
+   *
+   * template
+   * class MyTemplateClass<int>;
+   * ```
+   */
+  TemplateVariable getOriginalTemplate() {
+    variable_template_generated_from(underlyingElement(this), unresolveElement(result))
+  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll
@@ -25,6 +25,15 @@ abstract class ScanfFunction extends Function {
   * (rather than a `char*`).
   */
  predicate isWideCharDefault() { exists(this.getName().indexOf("wscanf")) }
+
+  /** Holds if this is one of the `scanf_s` variants. */
+  predicate isSVariant() {
+    exists(string name | name = this.getName() |
+      name.matches("%\\_s")
+      or
+      name.matches("%\\_s\\_l")
+    )
+  }
 }

 /**
@@ -34,8 +43,12 @@ class Scanf extends ScanfFunction instanceof TopLevelFunction {
  Scanf() {
    this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
    this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
+    this.hasGlobalOrStdOrBslName("scanf_s") or // scanf_s(format, args...)
+    this.hasGlobalOrStdOrBslName("wscanf_s") or // wscanf_s(format, args...)
    this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_l")
+    this.hasGlobalName("_wscanf_l") or // _wscanf_l(format, locale, args...)
+    this.hasGlobalName("_scanf_s_l") or // _scanf_s_l(format, locale, args...)
+    this.hasGlobalName("_wscanf_s_l") // _wscanf_s_l(format, locale, args...)
  }

  override int getInputParameterIndex() { none() }
@@ -50,8 +63,12 @@ class Fscanf extends ScanfFunction instanceof TopLevelFunction {
  Fscanf() {
    this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
    this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
+    this.hasGlobalOrStdOrBslName("fscanf_s") or // fscanf_s(src_stream, format, args...)
+    this.hasGlobalOrStdOrBslName("fwscanf_s") or // fwscanf_s(src_stream, format, args...)
    this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_l")
+    this.hasGlobalName("_fwscanf_l") or // _fwscanf_l(src_stream, format, locale, args...)
+    this.hasGlobalName("_fscanf_s_l") or // _fscanf_s_l(src_stream, format, locale, args...)
+    this.hasGlobalName("_fwscanf_s_l") // _fwscanf_s_l(src_stream, format, locale, args...)
  }

  override int getInputParameterIndex() { result = 0 }
@@ -66,8 +83,12 @@ class Sscanf extends ScanfFunction instanceof TopLevelFunction {
  Sscanf() {
    this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
    this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
+    this.hasGlobalOrStdOrBslName("sscanf_s") or // sscanf_s(src, format, args...)
+    this.hasGlobalOrStdOrBslName("swscanf_s") or // swscanf_s(src, format, args...)
    this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_l")
+    this.hasGlobalName("_swscanf_l") or // _swscanf_l(src, format, locale, args...)
+    this.hasGlobalName("_sscanf_s_l") or // _sscanf_s_l(src, format, locale, args...)
+    this.hasGlobalName("_swscanf_s_l") // _swscanf_s_l(src, format, locale, args...)
  }

  override int getInputParameterIndex() { result = 0 }
@@ -97,6 +118,14 @@ class Snscanf extends ScanfFunction instanceof TopLevelFunction {
  int getInputLengthParameterIndex() { result = 1 }
 }

+private predicate isCharLike(Type t) { t instanceof CharType or t instanceof Wchar_t }
+
+private predicate isStringLike(Type t) {
+  isCharLike(t.(PointerType).getBaseType())
+  or
+  isCharLike(t.(ArrayType).getBaseType())
+}
+
 /**
 * A call to one of the `scanf` functions.
 */
@@ -130,14 +159,40 @@ class ScanfFunctionCall extends FunctionCall {
   */
  predicate isWideCharDefault() { this.getScanfFunction().isWideCharDefault() }

+  bindingset[this, k]
+  pragma[inline_late]
+  private predicate isSizeArgument(int k) {
+    // The first vararg is never the size argument since a size argument must
+    // always follow a string buffer argument.
+    k > 0 and
+    isStringLike(this.getArgument(this.getScanfFunction().getNumberOfParameters() + k - 1)
+          .getUnspecifiedType())
+  }
+
  /**
   * Gets the output argument at position `n` in the vararg list of this call.
   *
   * The range of `n` is from `0` to `this.getNumberOfOutputArguments() - 1`.
   */
  Expr getOutputArgument(int n) {
-    result = this.getArgument(this.getTarget().getNumberOfParameters() + n) and
-    n >= 0
+    exists(ScanfFunction target | target = this.getScanfFunction() |
+      // If this is an S variant then every string buffer argument has a
+      // corresponding size argument immediately following it, so we need to
+      // skip over those size arguments when counting the output arguments.
+      if target.isSVariant()
+      then
+        result =
+          rank[n + 1](Expr arg, int k |
+            k >= 0 and
+            arg = this.getArgument(target.getNumberOfParameters() + k) and
+            not this.isSizeArgument(k)
+          |
+            arg order by k
+          )
+      else (
+        n >= 0 and result = this.getArgument(target.getNumberOfParameters() + n)
+      )
+    )
  }

  /**
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll
@@ -30,7 +30,10 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
    (
      if exists(this.getLengthParameterIndex())
      then result = this.getLengthParameterIndex() + 2
-      else result = 2
+      else
+        if exists(this.(ScanfFunction).getInputParameterIndex())
+        then result = 2
+        else result = 1
    )
  }

@@ -69,13 +72,24 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
  }
 }

+private predicate hasFlowSource(
+  ScanfFunction func, ScanfFunctionCall call, FunctionOutput output, string description
+) {
+  exists(int n, Expr arg |
+    call.getScanfFunction() = func and
+    call.getOutputArgument(_) = arg and
+    call.getArgument(n) = arg and
+    output.isParameterDeref(n) and
+    description = "value read by " + func.getName()
+  )
+}
+
 /**
 * The standard function `scanf` and its assorted variants
 */
 private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
-  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
+  override predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
+    hasFlowSource(this, call, output, description)
  }
 }

@@ -83,9 +97,8 @@ private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction ins
 * The standard function `fscanf` and its assorted variants
 */
 private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
-  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
-    description = "value read by " + this.getName()
+  override predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
+    hasFlowSource(this, call, output, description)
  }

  override predicate hasSocketInput(FunctionInput input) {
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll
@@ -18,7 +18,17 @@ abstract class RemoteFlowSourceFunction extends Function {
  /**
   * Holds if remote data described by `description` flows from `output` of a call to this function.
   */
-  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
+  predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    this.hasRemoteFlowSource(_, output, description)
+  }
+
+  /**
+   * Holds if remote data described by `description` flows from `output` of `call` to this function.
+   */
+  predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
+    call.getTarget() = this and
+    this.hasRemoteFlowSource(output, description)
+  }

  /**
   * Holds if remote data from this source comes from a socket or stream
@@ -35,7 +45,17 @@ abstract class LocalFlowSourceFunction extends Function {
  /**
   * Holds if data described by `description` flows from `output` of a call to this function.
   */
-  abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
+  predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    this.hasLocalFlowSource(_, output, description)
+  }
+
+  /**
+   * Holds if data described by `description` flows from `output` of `call` to this function.
+   */
+  predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
+    call.getTarget() = this and
+    this.hasLocalFlowSource(output, description)
+  }
 }

 /** A library function that sends data over a network connection. */
--- a/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
+++ b/cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll
@@ -28,8 +28,7 @@ private class RemoteModelSource extends RemoteFlowSource {

  RemoteModelSource() {
    exists(CallInstruction call, RemoteFlowSourceFunction func, FunctionOutput output |
-      call.getStaticCallTarget() = func and
-      func.hasRemoteFlowSource(output, sourceType) and
+      func.hasRemoteFlowSource(call.getConvertedResultExpression(), output, sourceType) and
      this = callOutput(call, output)
    )
  }
@@ -46,7 +45,7 @@ private class LocalModelSource extends LocalFlowSource {
  LocalModelSource() {
    exists(CallInstruction call, LocalFlowSourceFunction func, FunctionOutput output |
      call.getStaticCallTarget() = func and
-      func.hasLocalFlowSource(output, sourceType) and
+      func.hasLocalFlowSource(call.getConvertedResultExpression(), output, sourceType) and
      this = callOutput(call, output)
    )
  }
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -912,6 +912,10 @@ class_template_argument_value(
    int index: int ref,
    int arg_value: @expr ref
 );
+class_template_generated_from(
+    unique int template: @usertype ref,
+    int from: @usertype ref
+)

@user_or_decltype = @usertype | @decltype;

@@ -943,6 +947,10 @@ function_template_argument_value(
    int index: int ref,
    int arg_value: @expr ref
 );
+function_template_generated_from(
+    unique int template: @function ref,
+    int from: @function ref
+);

 is_variable_template(unique int id: @variable ref);
 variable_instantiation(
@@ -959,6 +967,10 @@ variable_template_argument_value(
    int index: int ref,
    int arg_value: @expr ref
 );
+variable_template_generated_from(
+    unique int template: @variable ref,
+    int from: @variable ref
+);

 is_alias_template(unique int id: @usertype ref);
 alias_instantiation(
@@ -966,15 +978,19 @@ alias_instantiation(
    int from: @usertype ref
 );
 alias_template_argument(
-    int variable_id: @usertype ref,
+    int type_id: @usertype ref,
    int index: int ref,
    int arg_type: @type ref
 );
 alias_template_argument_value(
-    int variable_id: @usertype ref,
+    int type_id: @usertype ref,
    int index: int ref,
    int arg_value: @expr ref
 );
+alias_template_generated_from(
+    unique int template: @usertype ref,
+    int from: @usertype ref
+);

 template_template_instantiation(
    int to: @usertype ref,
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/old.dbscheme
+++ b/cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/old.dbscheme
--- a/cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/upgrade.properties
+++ b/cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/upgrade.properties
@@ -0,0 +1,2 @@
+description: Capture information about one template being generated from another
+compatibility: backwards
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.6.3
+
+### Minor Analysis Improvements
+
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
+
 ## 1.6.2

 No user-facing changes.
--- a/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
+++ b/cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll
@@ -44,10 +44,7 @@ class ExternalApiDataNode extends DataFlow::Node {
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
-    exists(RemoteFlowSourceFunction remoteFlow |
-      remoteFlow = source.asExpr().(Call).getTarget() and
-      remoteFlow.hasRemoteFlowSource(_, _)
-    )
+    any(RemoteFlowSourceFunction remoteFlow).hasRemoteFlowSource(source.asExpr(), _, _)
  }

  predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -94,9 +94,8 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
  }

  override Expr getDataExpr(Call call) {
-    call.getTarget() = this and
    exists(FunctionOutput output, int arg |
-      super.hasRemoteFlowSource(output, _) and
+      super.hasRemoteFlowSource(call, output, _) and
      output.isParameterDeref(arg) and
      result = call.getArgument(arg)
    )
--- a/cpp/ql/src/change-notes/2026-05-15-cleartext-transmission-fp.md
+++ b/cpp/ql/src/change-notes/2026-05-15-cleartext-transmission-fp.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
-* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
+## 1.6.3
+
+### Minor Analysis Improvements
+
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.2
+lastReleaseVersion: 1.6.3
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.3-dev
+version: 1.6.4-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
+++ b/cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp
@@ -131,3 +131,112 @@ void test_strsafe_gets() {
 		StringCchGetsExA(dest, sizeof(dest), &end, &remaining, 0); // $ local_source
 	}
 }
+
+int scanf_s(const char *format, ...);
+int fscanf_s(FILE *stream, const char *format, ...);
+
+void test_scanf_s(FILE *stream) {
+  {
+  int n1, n2;
+  scanf_s(
+    "%d %d",
+    &n1, // $ local_source
+    &n2); // $ local_source
+  }
+
+  {
+  int n;
+  fscanf_s(stream, "%d", &n); // $ remote_source
+  }
+
+  {
+  int n1, n2;
+  char buf[256];
+  scanf_s("%d %s %d",
+    &n1, // $ local_source
+    buf, // $ local_source
+    256,
+    &n2); // $ local_source
+  }
+
+  {
+  int n1, n2;
+  char buf[256];
+  fscanf_s(stream, "%d %s %d",
+    &n1, // $ remote_source
+    buf, // $ remote_source
+    256,
+    &n2); // $ remote_source
+  }
+}
+
+typedef void *locale_t;
+
+int wscanf_s(const wchar_t *format, ...);
+int _scanf_s_l(const char *format, locale_t locale, ...);
+int _wscanf_s_l(const wchar_t *format, locale_t locale, ...);
+int fwscanf_s(FILE *stream, const wchar_t *format, ...);
+int _fscanf_s_l(FILE *stream, const char *format, locale_t locale, ...);
+int _fwscanf_s_l(FILE *stream, const wchar_t *format, locale_t locale, ...);
+
+void test_additional_scanf_s_variants(FILE *stream, locale_t locale) {
+  {
+  int n1, n2;
+  wchar_t buf[256];
+  wscanf_s(L"%d %s %d",
+    &n1, // $ local_source
+    buf, // $ local_source
+    256,
+    &n2); // $ local_source
+  }
+
+  {
+  int n1, n2;
+  char buf[256];
+  _scanf_s_l("%d %s %d", locale,
+    &n1, // $ local_source
+    buf, // $ local_source
+    256,
+    &n2); // $ local_source
+  }
+
+  {
+  int n1, n2;
+  wchar_t buf[256];
+  _wscanf_s_l(L"%d %s %d", locale,
+    &n1, // $ local_source
+    buf, // $ local_source
+    256,
+    &n2); // $ local_source
+  }
+
+  {
+  int n1, n2;
+  wchar_t buf[256];
+  fwscanf_s(stream, L"%d %s %d",
+    &n1, // $ remote_source
+    buf, // $ remote_source
+    256,
+    &n2); // $ remote_source
+  }
+
+  {
+  int n1, n2;
+  char buf[256];
+  _fscanf_s_l(stream, "%d %s %d", locale,
+    &n1, // $ remote_source
+    buf, // $ remote_source
+    256,
+    &n2); // $ remote_source
+  }
+
+  {
+  int n1, n2;
+  wchar_t buf[256];
+  _fwscanf_s_l(stream, L"%d %s %d", locale,
+    &n1, // $ remote_source
+    buf, // $ remote_source
+    256,
+    &n2); // $ remote_source
+  }
+}
--- a/cpp/ql/test/library-tests/scanf/scanfFormatLiteral.expected
+++ b/cpp/ql/test/library-tests/scanf/scanfFormatLiteral.expected
@@ -1,5 +1,8 @@
-| test.c:18:2:18:6 | call to scanf | 0 | s | 0 | 0 |
-| test.c:19:2:19:7 | call to fscanf | 0 | s | 10 | 10 |
-| test.c:19:2:19:7 | call to fscanf | 1 | i | 0 | 0 |
-| test.c:20:2:20:7 | call to sscanf | 0 | s | 0 | 0 |
-| test.c:21:2:21:8 | call to swscanf | 0 | s | 10 | 10 |
+| test.c:19:2:19:6 | call to scanf | 0 | s | 0 | 0 |
+| test.c:20:2:20:7 | call to fscanf | 0 | s | 10 | 10 |
+| test.c:20:2:20:7 | call to fscanf | 1 | i | 0 | 0 |
+| test.c:21:2:21:7 | call to sscanf | 0 | s | 0 | 0 |
+| test.c:22:2:22:8 | call to swscanf | 0 | s | 10 | 10 |
+| test.c:23:2:23:8 | call to scanf_s | 0 | d | 0 | 0 |
+| test.c:23:2:23:8 | call to scanf_s | 1 | s | 0 | 0 |
+| test.c:23:2:23:8 | call to scanf_s | 2 | d | 0 | 0 |
--- a/cpp/ql/test/library-tests/scanf/scanfFunctionCall.expected
+++ b/cpp/ql/test/library-tests/scanf/scanfFunctionCall.expected
@@ -1,5 +1,6 @@
 | ms.cpp:17:3:17:8 | call to sscanf | 0 | 1 | ms.cpp:17:24:17:30 | %I64i | non-wide |
-| test.c:18:2:18:6 | call to scanf | 0 | 0 | test.c:18:8:18:11 | %s | non-wide |
-| test.c:19:2:19:7 | call to fscanf | 0 | 1 | test.c:19:15:19:23 | %10s %i | non-wide |
-| test.c:20:2:20:7 | call to sscanf | 0 | 1 | test.c:20:19:20:28 | %*i%s%*s | non-wide |
-| test.c:21:2:21:8 | call to swscanf | 0 | 1 | test.c:21:21:21:26 | %10s | wide |
+| test.c:19:2:19:6 | call to scanf | 0 | 0 | test.c:19:8:19:11 | %s | non-wide |
+| test.c:20:2:20:7 | call to fscanf | 0 | 1 | test.c:20:15:20:23 | %10s %i | non-wide |
+| test.c:21:2:21:7 | call to sscanf | 0 | 1 | test.c:21:19:21:28 | %*i%s%*s | non-wide |
+| test.c:22:2:22:8 | call to swscanf | 0 | 1 | test.c:22:21:22:26 | %10s | wide |
+| test.c:23:2:23:8 | call to scanf_s | 0 | 0 | test.c:23:10:23:19 | %d %s %d | non-wide |
--- a/cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.expected
+++ b/cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.expected
@@ -0,0 +1,9 @@
+| ms.cpp:17:3:17:8 | call to sscanf | ms.cpp:17:33:17:36 | & ... | 0 |
+| test.c:19:2:19:6 | call to scanf | test.c:19:14:19:19 | buffer | 0 |
+| test.c:20:2:20:7 | call to fscanf | test.c:20:26:20:31 | buffer | 0 |
+| test.c:20:2:20:7 | call to fscanf | test.c:20:34:20:34 | i | 1 |
+| test.c:21:2:21:7 | call to sscanf | test.c:21:31:21:36 | buffer | 0 |
+| test.c:22:2:22:8 | call to swscanf | test.c:22:29:22:35 | wbuffer | 0 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:22:23:23 | & ... | 0 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:26:23:31 | buffer | 1 |
+| test.c:23:2:23:8 | call to scanf_s | test.c:23:38:23:40 | & ... | 2 |
--- a/cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.ql
+++ b/cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.ql
@@ -0,0 +1,5 @@
+import semmle.code.cpp.commons.Scanf
+
+from ScanfFunctionCall sfc, Expr e, int n
+where e = sfc.getOutputArgument(n)
+select sfc, e, n
--- a/cpp/ql/test/library-tests/scanf/test.c
+++ b/cpp/ql/test/library-tests/scanf/test.c
@@ -7,18 +7,20 @@ int scanf(const char *format, ...);
 int fscanf(FILE *stream, const char *format, ...);
 int sscanf(const char *s, const char *format, ...);
 int swscanf(const wchar_t* ws, const wchar_t* format, ...);
+int scanf_s(const char *format, ...);

 int main(int argc, char *argv[])
 {
 	char buffer[256];
 	wchar_t wbuffer[256];
 	FILE *file;
-	int i;
+	int i, i2;

 	scanf("%s", buffer);
 	fscanf(file, "%10s %i", buffer, i);
 	sscanf("Hello.", "%*i%s%*s", buffer);
 	swscanf(L"Hello.", "%10s", wbuffer);
+	scanf_s("%d %s %d", &i, buffer, 10, &i2);

 	return 0;
 }
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs
@@ -32,9 +32,13 @@ namespace Semmle.Extraction.CSharp.Entities
        {
            var assembly = Assembly.CreateOutputAssembly(Context);

-            trapFile.compilations(this, FileUtils.ConvertToUnix(cwd));
+            var path = Context.ExtractionContext.PathTransformer.Transform(cwd);
+            trapFile.compilations(this, path.Value);
            trapFile.compilation_assembly(this, assembly);

+            // Ensure that a `Folder` entity exists
+            Folder.Create(Context, path);
+
            // Arguments
            var expandedIndex = 0;
            for (var i = 0; i < args.Length; i++)
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs
@@ -58,10 +58,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                        return Invocation.Create(info);

                    case SyntaxKind.PostIncrementExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_INCR), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
+                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_INCR));

                    case SyntaxKind.PostDecrementExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_DECR), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
+                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_DECR));

                    case SyntaxKind.AwaitExpression:
                        return Await.Create(info);
@@ -109,10 +109,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                        return MemberAccess.Create(info, (MemberAccessExpressionSyntax)info.Node);

                    case SyntaxKind.UnaryMinusExpression:
-                        return Unary.Create(info.SetKind(ExprKind.MINUS));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.MINUS));

                    case SyntaxKind.UnaryPlusExpression:
-                        return Unary.Create(info.SetKind(ExprKind.PLUS));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.PLUS));

                    case SyntaxKind.SimpleLambdaExpression:
                        return Lambda.Create(info, (SimpleLambdaExpressionSyntax)info.Node);
@@ -146,16 +146,16 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                        return Name.Create(info);

                    case SyntaxKind.LogicalNotExpression:
-                        return Unary.Create(info.SetKind(ExprKind.LOG_NOT));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.LOG_NOT));

                    case SyntaxKind.BitwiseNotExpression:
-                        return Unary.Create(info.SetKind(ExprKind.BIT_NOT));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.BIT_NOT));

                    case SyntaxKind.PreIncrementExpression:
-                        return Unary.Create(info.SetKind(ExprKind.PRE_INCR));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.PRE_INCR));

                    case SyntaxKind.PreDecrementExpression:
-                        return Unary.Create(info.SetKind(ExprKind.PRE_DECR));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.PRE_DECR));

                    case SyntaxKind.ThisExpression:
                        return This.CreateExplicit(info);
@@ -164,10 +164,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                        return PropertyFieldAccess.Create(info);

                    case SyntaxKind.AddressOfExpression:
-                        return Unary.Create(info.SetKind(ExprKind.ADDRESS_OF));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.ADDRESS_OF));

                    case SyntaxKind.PointerIndirectionExpression:
-                        return Unary.Create(info.SetKind(ExprKind.POINTER_INDIRECTION));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.POINTER_INDIRECTION));

                    case SyntaxKind.DefaultExpression:
                        return Default.Create(info);
@@ -248,13 +248,13 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                        return RangeExpression.Create(info);

                    case SyntaxKind.IndexExpression:
-                        return Unary.Create(info.SetKind(ExprKind.INDEX));
+                        return PrefixUnary.Create(info.SetKind(ExprKind.INDEX));

                    case SyntaxKind.SwitchExpression:
                        return Switch.Create(info);

                    case SyntaxKind.SuppressNullableWarningExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.SUPPRESS_NULLABLE_WARNING), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
+                        return PostfixUnary.Create(info.SetKind(ExprKind.SUPPRESS_NULLABLE_WARNING));

                    case SyntaxKind.WithExpression:
                        return WithExpression.Create(info);
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PostfixUnary.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PostfixUnary.cs
@@ -4,29 +4,30 @@ using Semmle.Extraction.Kinds;

 namespace Semmle.Extraction.CSharp.Entities.Expressions
 {
-    internal class PostfixUnary : Expression<ExpressionSyntax>
+    internal class PostfixUnary : Expression<PostfixUnaryExpressionSyntax>
    {
-        private PostfixUnary(ExpressionNodeInfo info, ExprKind kind, ExpressionSyntax operand)
+        private PostfixUnary(ExpressionNodeInfo info, ExprKind kind)
            : base(info.SetKind(UnaryOperatorKind(info.Context, kind, info.Node)))
        {
-            this.operand = operand;
            operatorKind = kind;
        }

-        private readonly ExpressionSyntax operand;
        private readonly ExprKind operatorKind;

-        public static Expression Create(ExpressionNodeInfo info, ExpressionSyntax operand) => new PostfixUnary(info, info.Kind, operand).TryPopulate();
+        public static Expression Create(ExpressionNodeInfo info) => new PostfixUnary(info, info.Kind).TryPopulate();

        protected override void PopulateExpression(TextWriter trapFile)
        {
-            Create(Context, operand, this, 0);
+            Create(Context, Syntax.Operand, this, 0);

-            if ((operatorKind == ExprKind.POST_INCR || operatorKind == ExprKind.POST_DECR) &&
-                Kind == ExprKind.OPERATOR_INVOCATION)
+            if (Kind == ExprKind.OPERATOR_INVOCATION)
            {
                AddOperatorCall(trapFile, Syntax);
-                trapFile.mutator_invocation_mode(this, 2);
+
+                if (operatorKind == ExprKind.POST_INCR || operatorKind == ExprKind.POST_DECR)
+                {
+                    trapFile.mutator_invocation_mode(this, 2);
+                }
            }
        }
    }
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PrefixUnary.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/PrefixUnary.cs
@@ -0,0 +1,34 @@
+using System.IO;
+using Microsoft.CodeAnalysis.CSharp.Syntax;
+using Semmle.Extraction.Kinds;
+
+namespace Semmle.Extraction.CSharp.Entities.Expressions
+{
+    internal class PrefixUnary : Expression<PrefixUnaryExpressionSyntax>
+    {
+        private PrefixUnary(ExpressionNodeInfo info, ExprKind kind)
+            : base(info.SetKind(UnaryOperatorKind(info.Context, info.Kind, info.Node)))
+        {
+            operatorKind = kind;
+        }
+
+        private readonly ExprKind operatorKind;
+
+        public static Expression Create(ExpressionNodeInfo info) => new PrefixUnary(info, info.Kind).TryPopulate();
+
+        protected override void PopulateExpression(TextWriter trapFile)
+        {
+            Create(Context, Syntax.Operand, this, 0);
+
+            if (Kind == ExprKind.OPERATOR_INVOCATION)
+            {
+                AddOperatorCall(trapFile, Syntax);
+
+                if (operatorKind == ExprKind.PRE_INCR || operatorKind == ExprKind.PRE_DECR)
+                {
+                    trapFile.mutator_invocation_mode(this, 1);
+                }
+            }
+        }
+    }
+}
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unary.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Unary.cs
@@ -1,36 +0,0 @@
-using System.IO;
-using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Extraction.Kinds;
-
-namespace Semmle.Extraction.CSharp.Entities.Expressions
-{
-    internal class Unary : Expression<PrefixUnaryExpressionSyntax>
-    {
-        private Unary(ExpressionNodeInfo info, ExprKind kind)
-            : base(info.SetKind(UnaryOperatorKind(info.Context, info.Kind, info.Node)))
-        {
-            operatorKind = kind;
-        }
-
-        private readonly ExprKind operatorKind;
-
-        public static Unary Create(ExpressionNodeInfo info)
-        {
-            var ret = new Unary(info, info.Kind);
-            ret.TryPopulate();
-            return ret;
-        }
-
-        protected override void PopulateExpression(TextWriter trapFile)
-        {
-            Create(Context, Syntax.Operand, this, 0);
-            AddOperatorCall(trapFile, Syntax);
-
-            if ((operatorKind == ExprKind.PRE_INCR || operatorKind == ExprKind.PRE_DECR) &&
-                Kind == ExprKind.OPERATOR_INVOCATION)
-            {
-                trapFile.mutator_invocation_mode(this, 1);
-            }
-        }
-    }
-}
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.67
+
+No user-facing changes.
+
 ## 1.7.66

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.67.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.67.md
@@ -0,0 +1,3 @@
+## 1.7.67
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.66
+lastReleaseVersion: 1.7.67
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.67-dev
+version: 1.7.68-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.67
+
+No user-facing changes.
+
 ## 1.7.66

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.67.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.67.md
@@ -0,0 +1,3 @@
+## 1.7.67
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.66
+lastReleaseVersion: 1.7.67
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.67-dev
+version: 1.7.68-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 6.0.1
+
+No user-facing changes.
+
 ## 6.0.0

 ### Breaking Changes
--- a/csharp/ql/lib/change-notes/2026-05-20-csharp14-dotnet10.md
+++ b/csharp/ql/lib/change-notes/2026-05-20-csharp14-dotnet10.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Full support for C# 14 / .NET 10. All new language features are now supported by the extractor. The QL library and data flow analysis now support the new C# 14 language constructs and include generated Models as Data (MaD) models for the .NET 10 runtime.
--- a/csharp/ql/lib/change-notes/released/6.0.1.md
+++ b/csharp/ql/lib/change-notes/released/6.0.1.md
@@ -0,0 +1,3 @@
+## 6.0.1
+
+No user-facing changes.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.0.0
+lastReleaseVersion: 6.0.1
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.1-dev
+version: 6.0.2-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.3
+
+No user-facing changes.
+
 ## 1.7.2

 No user-facing changes.
--- a/csharp/ql/src/change-notes/released/1.7.3.md
+++ b/csharp/ql/src/change-notes/released/1.7.3.md
@@ -0,0 +1,3 @@
+## 1.7.3
+
+No user-facing changes.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.2
+lastReleaseVersion: 1.7.3
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.3-dev
+version: 1.7.4-dev
 groups:
  - csharp
  - queries
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.5.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.5.rst
@@ -0,0 +1,88 @@
+.. _codeql-cli-2.25.5:
+
+==========================
+CodeQL 2.25.5 (2026-05-21)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.25.5 runs a total of 496 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 131 queries (covering 32 more CWE).
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Fixed help file descriptions for queries: :code:`actions/untrusted-checkout/critical`, :code:`actions/untrusted-checkout/high`, :code:`actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The 'Cleartext transmission of sensitive information' query (:code:`cpp/cleartext-transmission`) no longer raises an alert on calls to :code:`fscanf` (and variants) when the call reads from an "obviously local" :code:`FILE` stream such as :code:`stdin`.
+
+Java/Kotlin
+"""""""""""
+
+*   The :code:`java/zipslip` query no longer reports archive entry names that flow only to read-only path sinks such as :code:`ClassLoader.getResource`, :code:`FileInputStream`, and :code:`FileReader`. The query now restricts its sinks to the :code:`path-injection` kind and deliberately excludes the new :code:`path-injection[read]` sub-kind, matching the Zip Slip threat model of unsafe archive extraction.
+
+GitHub Actions
+""""""""""""""
+
+*   The :code:`actions/unpinned-tag` query now analyzes composite action metadata (:code:`action.yml`\ /\ :code:`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Adjusted the name of :code:`actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`RemoteFlowSourceFunction` model for :code:`fscanf` (and variants) now implements :code:`hasSocketInput` to reflect that these functions may read from a socket.
+
+Java/Kotlin
+"""""""""""
+
+*   Introduced a new sink kind :code:`path-injection[read]` for Models-as-Data rows that only read from a path (such as :code:`ClassLoader.getResource`, :code:`FileInputStream`, :code:`FileReader`, :code:`Files.readAllBytes`, and related APIs). The general :code:`java/path-injection` query continues to consider both :code:`path-injection` and :code:`path-injection[read]` sinks.
+
+GitHub Actions
+""""""""""""""
+
+*   Altered 2 patterns in the :code:`poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and :code:`go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: :code:`actions/untrusted-checkout/high`, :code:`actions/untrusted-checkout/critical`, :code:`actions/untrusted-checkout-toctou/high`, :code:`actions/untrusted-checkout-toctou/critical`, :code:`actions/cache-poisoning/poisonable-step`, :code:`actions/cache-poisoning/direct-cache` and :code:`actions/artifact-poisoning/path-traversal`.
+
+New Features
+~~~~~~~~~~~~
+
+Swift
+"""""
+
+*   The :code:`TypeDecl` class now defines a :code:`getDeclaredInterfaceType` predicate, which yields the declared interface type of the type declaration.
--- a/docs/codeql/codeql-overview/codeql-changelog/index.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst
@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
   :maxdepth: 1

+   codeql-cli-2.25.5
   codeql-cli-2.25.4
   codeql-cli-2.25.3
   codeql-cli-2.25.2
--- a/docs/codeql/reusables/supported-versions-compilers.rst
+++ b/docs/codeql/reusables/supported-versions-compilers.rst
@@ -11,23 +11,23 @@
   Microsoft extensions (up to VS 2022),

   Arm Compiler 5 [5]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
-   C#,C# up to 14 [6]_,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
+   C#,C# up to 14,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,

   .NET Core up to 3.1

-   .NET 5, .NET 6, .NET 7, .NET 8, .NET 9, .NET 10 [6]_","``.sln``, ``.slnx``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
+   .NET 5, .NET 6, .NET 7, .NET 8, .NET 9, .NET 10","``.sln``, ``.slnx``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
   GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
   Go (aka Golang), "Go up to 1.26", "Go 1.11 or more recent", ``.go``
-   Java,"Java 7 to 26 [7]_","javac (OpenJDK and Oracle JDK),
+   Java,"Java 7 to 26 [6]_","javac (OpenJDK and Oracle JDK),

-   Eclipse compiler for Java (ECJ) [8]_",``.java``
+   Eclipse compiler for Java (ECJ) [7]_",``.java``
   Kotlin,"Kotlin 1.8.0 to 2.3.2\ *x*","kotlinc",``.kt``
-   JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [9]_"
-   Python [10]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
-   Ruby [11]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
-   Rust [12]_,"Rust editions 2021 and 2024","Rust compiler","``.rs``, ``Cargo.toml``"
-   Swift [13]_ [14]_,"Swift 5.4-6.3","Swift compiler","``.swift``"
-   TypeScript [15]_,"2.6-5.9",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
+   JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [8]_"
+   Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
+   Ruby [10]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
+   Rust [11]_,"Rust editions 2021 and 2024","Rust compiler","``.rs``, ``Cargo.toml``"
+   Swift [12]_ [13]_,"Swift 5.4-6.3","Swift compiler","``.swift``"
+   TypeScript [14]_,"2.6-5.9",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"

 .. container:: footnote-group

@@ -36,13 +36,12 @@
    .. [3] Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported.
    .. [4] Support for the clang-cl compiler is preliminary.
    .. [5] Support for the Arm Compiler (armcc) is preliminary.
-    .. [6] Support for .NET 10 is preliminary and code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
-    .. [7] Builds that execute on Java 7 to 26 can be analyzed. The analysis understands standard language features in Java 8 to 26; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
-    .. [8] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
-    .. [9] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
-    .. [10] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
-    .. [11] Requires glibc 2.17.
-    .. [12] Requires ``rustup`` and ``cargo`` to be installed. Features from nightly toolchains are not supported.
-    .. [13] Support for the analysis of Swift requires macOS.
-    .. [14] Embedded Swift is not supported.
-    .. [15] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
+    .. [6] Builds that execute on Java 7 to 26 can be analyzed. The analysis understands standard language features in Java 8 to 26; "preview" and "incubator" features are not supported. Source code using Java language versions older than Java 8 are analyzed as Java 8 code.
+    .. [7] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
+    .. [8] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
+    .. [9] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
+    .. [10] Requires glibc 2.17.
+    .. [11] Requires ``rustup`` and ``cargo`` to be installed. Features from nightly toolchains are not supported.
+    .. [12] Support for the analysis of Swift requires macOS.
+    .. [13] Embedded Swift is not supported.
+    .. [14] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.50
+
+No user-facing changes.
+
 ## 1.0.49

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.50.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.50.md
@@ -0,0 +1,3 @@
+## 1.0.50
+
+No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.49
+lastReleaseVersion: 1.0.50
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.50-dev
+version: 1.0.51-dev
 groups:
  - go
  - queries
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 7.1.1
+
+No user-facing changes.
+
 ## 7.1.0

 ### New Features
--- a/go/ql/lib/change-notes/released/7.1.1.md
+++ b/go/ql/lib/change-notes/released/7.1.1.md
@@ -0,0 +1,3 @@
+## 7.1.1
+
+No user-facing changes.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.0
+lastReleaseVersion: 7.1.1
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.1.1-dev
+version: 7.1.2-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.6.3
+
+No user-facing changes.
+
 ## 1.6.2

 No user-facing changes.
--- a/go/ql/src/change-notes/released/1.6.3.md
+++ b/go/ql/src/change-notes/released/1.6.3.md
@@ -0,0 +1,3 @@
+## 1.6.3
+
+No user-facing changes.
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.2
+lastReleaseVersion: 1.6.3
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.3-dev
+version: 1.6.4-dev
 groups:
  - go
  - queries
--- a/java/ql/lib/CHANGELOG.md
+++ b/java/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 9.1.1
+
+### Minor Analysis Improvements
+
+* Introduced a new sink kind `path-injection[read]` for Models-as-Data rows that only read from a path (such as `ClassLoader.getResource`, `FileInputStream`, `FileReader`, `Files.readAllBytes`, and related APIs). The general `java/path-injection` query continues to consider both `path-injection` and `path-injection[read]` sinks.
+
 ## 9.1.0

 ### New Features
--- a/java/ql/lib/change-notes/2026-04-21-path-injection-read-subkind.md
+++ b/java/ql/lib/change-notes/2026-04-21-path-injection-read-subkind.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 9.1.1
+
+### Minor Analysis Improvements
+
 * Introduced a new sink kind `path-injection[read]` for Models-as-Data rows that only read from a path (such as `ClassLoader.getResource`, `FileInputStream`, `FileReader`, `Files.readAllBytes`, and related APIs). The general `java/path-injection` query continues to consider both `path-injection` and `path-injection[read]` sinks.
--- a/java/ql/lib/codeql-pack.release.yml
+++ b/java/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.1.0
+lastReleaseVersion: 9.1.1
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.1.1-dev
+version: 9.1.2-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/CHANGELOG.md
+++ b/java/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 1.11.3
+
+### Minor Analysis Improvements
+
+* The `java/zipslip` query no longer reports archive entry names that flow only to read-only path sinks such as `ClassLoader.getResource`, `FileInputStream`, and `FileReader`. The query now restricts its sinks to the `path-injection` kind and deliberately excludes the new `path-injection[read]` sub-kind, matching the Zip Slip threat model of unsafe archive extraction.
+
 ## 1.11.2

 No user-facing changes.
--- a/java/ql/src/change-notes/2026-04-21-zipslip-exclude-read-sinks.md
+++ b/java/ql/src/change-notes/2026-04-21-zipslip-exclude-read-sinks.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 1.11.3
+
+### Minor Analysis Improvements
+
 * The `java/zipslip` query no longer reports archive entry names that flow only to read-only path sinks such as `ClassLoader.getResource`, `FileInputStream`, and `FileReader`. The query now restricts its sinks to the `path-injection` kind and deliberately excludes the new `path-injection[read]` sub-kind, matching the Zip Slip threat model of unsafe archive extraction.
--- a/java/ql/src/codeql-pack.release.yml
+++ b/java/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.11.2
+lastReleaseVersion: 1.11.3
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.3-dev
+version: 1.11.4-dev
 groups:
  - java
  - queries
--- a/javascript/ql/lib/CHANGELOG.md
+++ b/javascript/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.7.1
+
+No user-facing changes.
+
 ## 2.7.0

 ### New Features
--- a/javascript/ql/lib/change-notes/released/2.7.1.md
+++ b/javascript/ql/lib/change-notes/released/2.7.1.md
@@ -0,0 +1,3 @@
+## 2.7.1
+
+No user-facing changes.
--- a/javascript/ql/lib/codeql-pack.release.yml
+++ b/javascript/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.7.0
+lastReleaseVersion: 2.7.1
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.7.1-dev
+version: 2.7.2-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/src/CHANGELOG.md
+++ b/javascript/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 2.3.10
+
+No user-facing changes.
+
 ## 2.3.9

 No user-facing changes.
--- a/javascript/ql/src/change-notes/released/2.3.10.md
+++ b/javascript/ql/src/change-notes/released/2.3.10.md
@@ -0,0 +1,3 @@
+## 2.3.10
+
+No user-facing changes.
--- a/javascript/ql/src/codeql-pack.release.yml
+++ b/javascript/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 2.3.9
+lastReleaseVersion: 2.3.10
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.3.10-dev
+version: 2.3.11-dev
 groups:
  - javascript
  - queries
--- a/misc/suite-helpers/CHANGELOG.md
+++ b/misc/suite-helpers/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.0.50
+
+No user-facing changes.
+
 ## 1.0.49

 No user-facing changes.
--- a/misc/suite-helpers/change-notes/released/1.0.50.md
+++ b/misc/suite-helpers/change-notes/released/1.0.50.md
@@ -0,0 +1,3 @@
+## 1.0.50
+
+No user-facing changes.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Paolo Tranquilli	90c91fa36d	Merge branch 'main' into redsun82/rust-compress-trap	2026-05-26 16:56:54 +02:00
Óscar San José	491c373e07	Merge pull request #21864 from github/post-release-prep/codeql-cli-2.25.5 Post-release preparation for codeql-cli-2.25.5	2026-05-22 17:41:38 +02:00
Óscar San José	996e79131e	Merge branch 'main' into post-release-prep/codeql-cli-2.25.5	2026-05-22 16:32:30 +02:00
Tom Hvitved	688695cd57	Merge pull request #21876 from hvitved/dense-rank-short-circuit Util: Short-circuit `rank` usage in dense ranking library	2026-05-22 16:08:45 +02:00
Jeroen Ketema	3c4e22a8ba	Merge pull request #21870 from jketema/jketema/generated C++: Add ability to see if one template was generated from another	2026-05-22 15:46:06 +02:00
Tom Hvitved	c70007607a	Merge pull request #21850 from hvitved/type-inference-unify-base-type Type inference: Unify `getABaseTypeMention` and `conditionSatisfiesConstraint`	2026-05-22 13:44:18 +02:00
Tom Hvitved	9685755479	Merge pull request #21865 from hvitved/csharp/compilation-cwd-folder C#: Ensure that `Folder` entities exist for `Compilation` entities	2026-05-22 13:42:35 +02:00
Mathias Vorreiter Pedersen	a7405bddaa	Merge pull request #21856 from MathiasVP/scanf-safe-functions C++: Model secure versions of `scanf` as flow sources	2026-05-22 12:34:54 +01:00
Jeroen Ketema	8ad461be98	C++: Add change note	2026-05-22 13:13:27 +02:00
Jeroen Ketema	0e6257de2d	C++: Fix QLDoc wording	2026-05-22 13:13:25 +02:00
Jeroen Ketema	77f6caca00	C++: Update stats file	2026-05-22 13:13:24 +02:00
Jeroen Ketema	f98dfcd0a5	C++: Add upgrade and downgrade scripts	2026-05-22 13:13:22 +02:00
Jeroen Ketema	a027665ab4	C++: Add ability to see if one template was generated from another	2026-05-22 13:13:21 +02:00
Óscar San José	de1cb26a93	Merge pull request #21890 from github/codeql-spark-run-26283874463 Update changelog documentation site for codeql-cli-2.25.5	2026-05-22 13:11:25 +02:00
github-actions[bot]	9599f01ae0	update codeql documentation	2026-05-22 11:02:30 +00:00
Michael Nebel	5a219d1527	Merge pull request #21845 from michaelnebel/csharp/unaryoperatorcleanup C#: Unary expression cleanup in the extractor.	2026-05-22 11:06:02 +02:00
Tom Hvitved	ec7e38cd4d	C#: Ensure that `Folder` entities exist for `Compilation` entities	2026-05-22 11:03:15 +02:00
Michael Nebel	871f307fa4	Merge pull request #21871 from michaelnebel/csharp14/updatedocumentation C# 14: Update documentation and claim C# 14 / .NET 10 support.	2026-05-22 10:54:36 +02:00
Tom Hvitved	3ee45ff4b9	Apply suggestion from @geoffw0 Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>	2026-05-22 10:07:52 +02:00
Tom Hvitved	6d6e9c0d47	Util: Only compute dense ranks when needed	2026-05-22 08:59:01 +02:00
Mathias Vorreiter Pedersen	a33af09244	C++: Add models for _fscanf_s_l, fwscanf_s and _fwscanf_s_l.	2026-05-20 18:59:04 +01:00
Mathias Vorreiter Pedersen	25d20399f3	C++: Add models for _scanf_s_l, wscanf_s and _wscanf_s_l.	2026-05-20 18:43:07 +01:00
Mathias Vorreiter Pedersen	e6c5f944ba	C++: Add missing format string part in test.	2026-05-20 18:13:35 +01:00
Michael Nebel	e408540d36	Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-05-20 11:08:41 +02:00
Michael Nebel	462a7bc423	C#: Add change-note.	2026-05-20 10:59:52 +02:00
Michael Nebel	422a6bd670	C#: Remove the prelim C# 14 footnote from the documentation.	2026-05-20 10:59:10 +02:00
Michael Nebel	30a5769e20	C#: Simplify and streamline the implementation of Prefix and Postfix unary expressions.	2026-05-19 14:20:53 +02:00
Michael Nebel	a72cef6fda	C#: Rename Unary to PrefixUnary.	2026-05-19 14:20:50 +02:00
Michael Nebel	dc80a029cb	C#: Streamline the AddOperatorCall logic for prefix and postfix unary operators.	2026-05-19 14:20:44 +02:00
github-actions[bot]	9f64000962	Post-release preparation for codeql-cli-2.25.5	2026-05-18 15:20:31 +00:00
Mathias Vorreiter Pedersen	19781e53e7	C++: Add change notes.	2026-05-18 14:06:21 +01:00
Mathias Vorreiter Pedersen	5f10a88208	C++: Handle size arguments in 'getOutputArgument'.	2026-05-18 14:06:18 +01:00
Mathias Vorreiter Pedersen	5add24be59	C++: Add scanf_s models.	2026-05-18 14:06:16 +01:00
Mathias Vorreiter Pedersen	16235d7aca	C++: Add a 'call' column to 'hasRemoteFlowSource' and 'hasLocalFlowSource' to support modeling of 'scanf_s'.	2026-05-18 14:06:05 +01:00
Óscar San José	b551e89ea8	Merge pull request #21859 from github/release-prep/2.25.5 Release preparation for version 2.25.5	2026-05-18 14:10:35 +02:00
github-actions[bot]	e38616a2ef	Release preparation for version 2.25.5	2026-05-18 12:05:32 +00:00
Mathias Vorreiter Pedersen	2902a19a50	C++: Add more scanf testing.	2026-05-18 10:58:50 +01:00
Tom Hvitved	7f1bebe8ba	Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-05-17 20:29:19 +02:00
Tom Hvitved	3f7b50ebba	Type inference: Unify `getABaseTypeMention` and `conditionSatisfiesConstraint`	2026-05-13 16:24:36 +02:00
Paolo Tranquilli	a845fd0a83	Rust: switch on TRAP compression	2026-01-07 09:42:36 +01:00