C++: Update stats

.bazelversion

@@ -1 +1 @@
-8.4.2
+8.1.1

.github/dependabot.yml

@@ -40,8 +40,3 @@ updates:
       - dependency-name: "*"
     reviewers:
       - "github/codeql-go"
-
-  - package-ecosystem: bazel
-    directory: "/"
-    schedule:
-      interval: weekly

.github/workflows/codeql-analysis.yml

@@ -34,7 +34,7 @@ jobs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 10.0.100
+        dotnet-version: 9.0.300
 
     - name: Checkout repository
       uses: actions/checkout@v5

.github/workflows/compile-queries.yml

@@ -17,41 +17,9 @@ permissions:
   contents: read
 
 jobs:
-  detect-changes:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest
-    outputs:
-      languages: ${{ steps.detect.outputs.languages }}
-    steps:
-      - uses: actions/checkout@v5
-      - name: Detect changed languages
-        id: detect
-        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            # For PRs, detect which languages have changes
-            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
-            languages=()
-            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
-              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
-                languages+=("$lang")
-              fi
-            done
-            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
-          else
-            # For pushes to main/rc branches, run all languages
-            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
-          fi
-        env:
-          GH_TOKEN: ${{ github.token }}
-
   compile-queries:
-    needs: detect-changes
-    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
+    if: github.repository_owner == 'github'
     runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
 
     steps:
       - uses: actions/checkout@v5
@@ -63,16 +31,16 @@ jobs:
         id: query-cache
         uses: ./.github/actions/cache-query-compilation
         with: 
-          key: ${{ matrix.language }}-queries
+          key: all-queries
       - name: check formatting
-        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
+        run: find shared */ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
       - name: compile queries - check-only
         # run with --check-only if running in a PR (github.sha != main)
         if : ${{ github.event_name == 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
       - name: compile queries - full
         # do full compile if running on main - this populates the cache
         if : ${{ github.event_name != 'pull_request' }}
         shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
+        run: codeql query compile -q -j0 */ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000

.github/workflows/csharp-qltest.yml

@@ -43,14 +43,14 @@ jobs:
       - name: Setup dotnet
         uses: actions/setup-dotnet@v4
         with:
-          dotnet-version: 10.0.100
+          dotnet-version: 9.0.300
       - name: Extractor unit tests
         run: |
           dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest

MODULE.bazel

@@ -23,10 +23,10 @@ bazel_dep(name = "rules_shell", version = "0.5.0")
 bazel_dep(name = "bazel_skylib", version = "1.8.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
+bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
+bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
 bazel_dep(name = "rules_rust", version = "0.66.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
@@ -172,7 +172,7 @@ http_archive(
 )
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "10.0.100")
+dotnet.toolchain(dotnet_version = "9.0.300")
 use_repo(dotnet, "dotnet_toolchains")
 
 register_toolchains("@dotnet_toolchains//:all")
@@ -274,11 +274,11 @@ ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archi
 # go to https://github.com/GoogleChrome/ripunzip/releases to find latest version and corresponding sha256s
 ripunzip_archive(
     name = "ripunzip",
-    sha256_linux = "71482d7a7e4ea9176d5596161c49250c34b136b157c45f632b1111323fbfc0de",
-    sha256_macos_arm = "604194ab13f0aba3972995d995f11002b8fc285c8170401fcd46655065df20c9",
-    sha256_macos_intel = "65367b94fd579d93d46f2d2595cc4c9a60cfcf497e3c824f9d1a7b80fa8bd38a",
-    sha256_windows = "ac3874075def2b9e5074a3b5945005ab082cc6e689e1de658da8965bc23e643e",
-    version = "2.0.4",
+    sha256_linux = "ee0e8a957687a5dc3a66b2a4b25883bf762df4c9c07f0651af527a32a405054b",
+    sha256_macos_arm = "8a88eea54eac232d162a72a42065e0429b82dbf4f05e9642915dff9d7a81f846",
+    sha256_macos_intel = "4457a18bfcc5feabe09f5ea3d1157128e07b4873392cb404a870e611924abf64",
+    sha256_windows = "66d0c1375301bf5ab815348048f43b110631d3fa7200acd50d50a8ed8655ca62",
+    version = "2.0.3",
 )
 
 register_toolchains(

actions/ql/examples/codeql-pack.lock.yml

@@ -1,4 +0,0 @@
----
-lockVersion: 1.0.0
-dependencies: {}
-compiled: false

actions/ql/examples/qlpack.yml

@@ -1,7 +0,0 @@
-name: codeql/actions-examples
-groups:
-  - actions
-  - examples
-dependencies:
-  codeql/actions-all: ${workspace}
-warnOnImplicitThis: true

actions/ql/examples/snippets/uses_pinned_sha.ql

@@ -1,12 +0,0 @@
-/**
- * @name Uses step with pinned SHA
- * @description Finds 'uses' steps where the version is a pinned SHA.
- * @id actions/examples/uses-pinned-sha
- * @tags example
- */
-
-import actions
-
-from UsesStep uses
-where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
-select uses, "This 'uses' step has a pinned SHA version."

actions/ql/lib/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 0.4.25
-
-No user-facing changes.
-
-## 0.4.24
-
-No user-facing changes.
-
-## 0.4.23
-
-No user-facing changes.
-
-## 0.4.22
-
-No user-facing changes.
-
 ## 0.4.21
 
 No user-facing changes.

actions/ql/lib/change-notes/2025-11-28-fix-code-injection-alert-filtering.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.

actions/ql/lib/change-notes/released/0.4.22.md

@@ -1,3 +0,0 @@
-## 0.4.22
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.23.md

@@ -1,3 +0,0 @@
-## 0.4.23
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.24.md

@@ -1,3 +0,0 @@
-## 0.4.24
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.25.md

@@ -1,3 +0,0 @@
-## 0.4.25
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.25
+lastReleaseVersion: 0.4.21

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -19,7 +19,12 @@ class CodeInjectionSink extends DataFlow::Node {
 Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
   inPrivilegedContext(sink.asExpr(), result) and
   not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
-  not isGithubScriptUsingToJson(sink.asExpr())
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.asExpr() and
+    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+  )
 }
 
 /**
@@ -86,38 +91,3 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
-
-/**
- * Holds if there is a code injection flow from `source` to `sink` with
- * critical severity, linked by `event`.
- */
-predicate criticalSeverityCodeInjection(
-  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-) {
-  CodeInjectionFlow::flowPath(source, sink) and
-  event = getRelevantCriticalEventForSink(sink.getNode()) and
-  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
-}
-
-/**
- * Holds if there is a code injection flow from `source` to `sink` with medium severity.
- */
-predicate mediumSeverityCodeInjection(
-  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-) {
-  CodeInjectionFlow::flowPath(source, sink) and
-  not criticalSeverityCodeInjection(source, sink, _) and
-  not isGithubScriptUsingToJson(sink.getNode().asExpr())
-}
-
-/**
- * Holds if `expr` is the `script` input to `actions/github-script` and it uses
- * `toJson`.
- */
-predicate isGithubScriptUsingToJson(Expression expr) {
-  exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = expr and
-    exists(getAToJsonReferenceExpression(expr.getExpression(), _))
-  )
-}

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.26-dev
+version: 0.4.22-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 0.6.17
-
-No user-facing changes.
-
-## 0.6.16
-
-No user-facing changes.
-
-## 0.6.15
-
-No user-facing changes.
-
-## 0.6.14
-
-No user-facing changes.
-
 ## 0.6.13
 
 No user-facing changes.

actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql

@@ -20,7 +20,10 @@ import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-where criticalSeverityCodeInjection(source, sink, event)
+where
+  CodeInjectionFlow::flowPath(source, sink) and
+  event = getRelevantCriticalEventForSink(sink.getNode()) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()

actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql

@@ -19,7 +19,15 @@ import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-where mediumSeverityCodeInjection(source, sink)
+where
+  CodeInjectionFlow::flowPath(source, sink) and
+  inNonPrivilegedContext(sink.getNode().asExpr()) and
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.getNode().asExpr() and
+    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
+  )
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()

actions/ql/src/Security/CWE-275/MissingActionsPermissions.md

@@ -2,8 +2,6 @@
 
 If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`.
 
-Note that this query cannot check whether the organization or repository token settings are set to read-only. However, even if they are, it is recommended to define explicit permissions (`contents: read` and `packages: read` are equivalent to the read-only default) so that (a) the actual needs of the workflow are documented, and (b) the permissions will remain restricted if the default is subsequently changed, or the workflow is copied to a different repository or organization.
-
 ## Recommendation
 
 Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task.

actions/ql/src/change-notes/released/0.6.14.md

@@ -1,3 +0,0 @@
-## 0.6.14
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.15.md

@@ -1,3 +0,0 @@
-## 0.6.15
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.16.md

@@ -1,3 +0,0 @@
-## 0.6.16
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.17.md

@@ -1,3 +0,0 @@
-## 0.6.17
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.17
+lastReleaseVersion: 0.6.13

actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

@@ -1,5 +1,5 @@
 /**
- * @name Artifact Poisoning (Path Traversal)
+ * @name Artifact Poisoning (Path Traversal).
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind problem
  * @problem.severity error

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.18-dev
+version: 0.6.14-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml

@@ -1,18 +0,0 @@
-on:
-  push:
-  workflow_dispatch:
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.commits[11].message }}'
-    - run: echo '${{ github.event.commits[11].author.email }}'
-    - run: echo '${{ github.event.commits[11].author.name }}'
-    - run: echo '${{ github.event.head_commit.message }}'
-    - run: echo '${{ github.event.head_commit.author.email }}'
-    - run: echo '${{ github.event.head_commit.author.name }}'
-    - run: echo '${{ github.event.head_commit.committer.email }}'
-    - run: echo '${{ github.event.head_commit.committer.name }}'
-    - run: echo '${{ github.event.commits[11].committer.email }}'
-    - run: echo '${{ github.event.commits[11].committer.name }}'

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -435,16 +435,6 @@ nodes
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -435,16 +435,6 @@ nodes
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
@@ -729,16 +719,6 @@ subpaths
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
 | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} |
 | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} |
@@ -749,10 +729,6 @@ subpaths
 | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
-| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |

config/identical-files.json

@@ -276,13 +276,5 @@
   "Python model summaries test extension": [
     "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
-  ],
-  "XML discard predicates": [
-    "javascript/ql/lib/semmle/javascript/internal/OverlayXml.qll",
-    "java/ql/lib/semmle/code/java/internal/OverlayXml.qll",
-    "go/ql/lib/semmle/go/internal/OverlayXml.qll",
-    "python/ql/lib/semmle/python/internal/OverlayXml.qll",
-    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll",
-    "cpp/ql/lib/semmle/code/cpp/internal/OverlayXml.qll"
   ]
 }

cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/exprs.ql

@@ -1,17 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class Location extends @location_default {
-  string toString() { none() }
-}
-
-predicate isExprWithNewBuiltin(Expr expr) {
-  exists(int kind | exprs(expr, kind, _) | 394 <= kind and kind <= 396)
-}
-
-from Expr expr, int kind, int kind_new, Location location
-where
-  exprs(expr, kind, location) and
-  if isExprWithNewBuiltin(expr) then kind_new = 1 else kind_new = kind
-select expr, kind_new, location

cpp/downgrades/1402ab319d20cdc9289deb7bfc1c70f36be44d44/upgrade.properties

@@ -1,4 +0,0 @@
-description: Add new builtin operations and this parameter access table
-compatibility: partial
-exprs.rel: run exprs.qlo
-param_ref_to_this.rel: delete

cpp/downgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties

@@ -1,2 +0,0 @@
-description: Remove _Decimal{32,64,128} types
-compatibility: full

cpp/ql/lib/CHANGELOG.md

@@ -1,21 +1,3 @@
-## 6.1.4
-
-No user-facing changes.
-
-## 6.1.3
-
-No user-facing changes.
-
-## 6.1.2
-
-No user-facing changes.
-
-## 6.1.1
-
-### Minor Analysis Improvements
-
-* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.
-
 ## 6.1.0
 
 ### New Features

cpp/ql/lib/change-notes/2025-11-19-content.md

@@ -1,5 +1,4 @@
-## 6.1.1
-
-### Minor Analysis Improvements
-
-* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.
+---
+category: minorAnalysis
+---
+* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.

cpp/ql/lib/change-notes/2026-01-02-constant-folding.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.

cpp/ql/lib/change-notes/2026-01-02-decimal-removal.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* The `_Decimal32`, `_Decimal64`, and `_Decimal128` types are no longer exposed as builtin types. Support for these gcc-specific types was incomplete, and are generally not used in C/C++ codebases.

cpp/ql/lib/change-notes/2026-01-08-multidimensional-subscript-operator-1.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Predicates `getArrayOffset/1` and `getAnArrayOffset` have been added to the `OverloadedArrayExpr` class to support C++23 multidimensional subscript operators.

cpp/ql/lib/change-notes/2026-01-08-multidimensional-subscript-operator-2.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `OverloadedArrayExpr::getArrayOffset/0` predicate has been deprecated. Use `OverloadedArrayExpr::getArrayOffset/1` and `OverloadedArrayExpr::getAnArrayOffset` instead.

cpp/ql/lib/change-notes/2026-01-09-builtins.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added subclasses of `BuiltInOperations` for the `__is_bitwise_cloneable`, `__is_invocable`, and `__is_nothrow_invocable` builtin operations.

cpp/ql/lib/change-notes/2026-01-09-this-access.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a `isThisAccess` predicate to `ParamAccessForType` that holds when the access is to the implicit object parameter.

cpp/ql/lib/change-notes/released/6.1.2.md

@@ -1,3 +0,0 @@
-## 6.1.2
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/6.1.3.md

@@ -1,3 +0,0 @@
-## 6.1.3
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/6.1.4.md

@@ -1,3 +0,0 @@
-## 6.1.4
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.1.4
+lastReleaseVersion: 6.1.0

cpp/ql/lib/cpp.qll

@@ -74,4 +74,3 @@ import semmle.code.cpp.Preprocessor
 import semmle.code.cpp.Iteration
 import semmle.code.cpp.NameQualifiers
 import DefaultOptions
-private import semmle.code.cpp.internal.Overlay

cpp/ql/lib/ext/empty.model.yml

@@ -9,14 +9,6 @@ extensions:
       pack: codeql/cpp-all
       extensible: sinkModel
     data: []
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: barrierModel
-    data: []
-  - addsTo:
-      pack: codeql/cpp-all
-      extensible: barrierGuardModel
-    data: []
   - addsTo:
       pack: codeql/cpp-all
       extensible: summaryModel

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 6.1.5-dev
+version: 6.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/PrintAST.qll

@@ -1050,10 +1050,10 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     expr.(Call).getQualifier() = ele and
     pred = "getQualifier()"
     or
-    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/1 also consider arguments, and are already handled below.
+    // OverloadedArrayExpr::getArrayBase/0 and OverloadedArrayExpr::getArrayOffset/0 also consider arguments, and are already handled below.
     exists(int n, Expr arg | expr.(Call).getArgument(n) = arg |
       not expr.(OverloadedArrayExpr).getArrayBase() = arg and
-      not expr.(OverloadedArrayExpr).getAnArrayOffset() = arg and
+      not expr.(OverloadedArrayExpr).getArrayOffset() = arg and
       arg = ele and
       pred = "getArgument(" + n.toString() + ")"
     )
@@ -1062,10 +1062,7 @@ private predicate namedExprChildPredicates(Expr expr, Element ele, string pred)
     or
     expr.(OverloadedArrayExpr).getArrayBase() = ele and pred = "getArrayBase()"
     or
-    exists(int n |
-      expr.(OverloadedArrayExpr).getArrayOffset(n) = ele and
-      pred = "getArrayOffset(" + n.toString() + ")"
-    )
+    expr.(OverloadedArrayExpr).getArrayOffset() = ele and pred = "getArrayOffset()"
     or
     // OverloadedPointerDereferenceExpr::getExpr/0 also considers qualifiers, and is already handled above for all Call classes.
     not expr.(OverloadedPointerDereferenceExpr).getQualifier() =

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -802,6 +802,15 @@ private predicate floatingPointTypeMapping(
   // _Complex __float128
   kind = 39 and base = 2 and domain = TComplexDomain() and realKind = 38 and extended = false
   or
+  // _Decimal32
+  kind = 40 and base = 10 and domain = TRealDomain() and realKind = 40 and extended = false
+  or
+  // _Decimal64
+  kind = 41 and base = 10 and domain = TRealDomain() and realKind = 41 and extended = false
+  or
+  // _Decimal128
+  kind = 42 and base = 10 and domain = TRealDomain() and realKind = 42 and extended = false
+  or
   // _Float32
   kind = 45 and base = 2 and domain = TRealDomain() and realKind = 45 and extended = false
   or
@@ -862,8 +871,9 @@ private predicate floatingPointTypeMapping(
 
 /**
  * The C/C++ floating point types. See 4.5.  This includes `float`, `double` and `long double`, the
- * fixed-size floating-point types like `_Float32`, and the extended-precision floating-point types
- * like `_Float64x`. It also includes the complex and imaginary versions of all of these types.
+ * fixed-size floating-point types like `_Float32`, the extended-precision floating-point types like
+ * `_Float64x`, and the decimal floating-point types like `_Decimal32`. It also includes the complex
+ * and imaginary versions of all of these types.
  */
 class FloatingPointType extends ArithmeticType {
   final int base;
@@ -981,6 +991,42 @@ class Float128Type extends RealNumberType, BinaryFloatingPointType {
   override string getAPrimaryQlClass() { result = "Float128Type" }
 }
 
+/**
+ * The GNU C `_Decimal32` primitive type.  This is not standard C/C++.
+ * ```
+ * _Decimal32 d32;
+ * ```
+ */
+class Decimal32Type extends RealNumberType, DecimalFloatingPointType {
+  Decimal32Type() { builtintypes(underlyingElement(this), _, 40, _, _, _) }
+
+  override string getAPrimaryQlClass() { result = "Decimal32Type" }
+}
+
+/**
+ * The GNU C `_Decimal64` primitive type.  This is not standard C/C++.
+ * ```
+ * _Decimal64 d64;
+ * ```
+ */
+class Decimal64Type extends RealNumberType, DecimalFloatingPointType {
+  Decimal64Type() { builtintypes(underlyingElement(this), _, 41, _, _, _) }
+
+  override string getAPrimaryQlClass() { result = "Decimal64Type" }
+}
+
+/**
+ * The GNU C `_Decimal128` primitive type.  This is not standard C/C++.
+ * ```
+ * _Decimal128 d128;
+ * ```
+ */
+class Decimal128Type extends RealNumberType, DecimalFloatingPointType {
+  Decimal128Type() { builtintypes(underlyingElement(this), _, 42, _, _, _) }
+
+  override string getAPrimaryQlClass() { result = "Decimal128Type" }
+}
+
 /**
  * The C/C++ `void` type. See 4.7.
  * ```

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -15,17 +15,16 @@
  * reading.
  * 1. The `namespace` column selects a namespace.
  * 2. The `type` column selects a type within that namespace. This column can
- *    introduce template type names that can be mentioned in the `signature` column.
+ *    introduce template names that can be mentioned in the `signature` column.
  *    For example, `vector<T,Allocator>` introduces the template names `T` and
- *    `Allocator`. Non-type template parameters cannot be specified.
+ *    `Allocator`.
  * 3. The `subtypes` is a boolean that indicates whether to jump to an
  *    arbitrary subtype of that type. Set this to `false` if leaving the `type`
  *    blank (for example, a free function).
  * 4. The `name` column optionally selects a specific named member of the type.
- *    Like the `type` column, this column can introduce template type names
- *    that can be mentioned in the `signature` column. For example,
- *    `insert<InputIt>` introduces the template name `InputIt`. Non-type
- *    template parameters cannot be specified.
+ *    Like the `type` column, this column can introduce template names that can
+ *    be mentioned in the `signature` column. For example, `insert<InputIt>`
+ *    introduces the template name `InputIt`.
  * 5. The `signature` column optionally restricts the named member. If
  *    `signature` is blank then no such filtering is done. The format of the
  *    signature is a comma-separated list of types enclosed in parentheses. The
@@ -101,10 +100,9 @@ private import internal.FlowSummaryImpl
 private import internal.FlowSummaryImpl::Public
 private import internal.FlowSummaryImpl::Private
 private import internal.FlowSummaryImpl::Private::External
-private import internal.ExternalFlowExtensions::Extensions as Extensions
+private import internal.ExternalFlowExtensions as Extensions
 private import codeql.mad.ModelValidation as SharedModelVal
 private import codeql.util.Unit
-private import codeql.mad.static.ModelsAsData as SharedMaD
 
 /**
  * A unit class for adding additional source model rows.
@@ -145,81 +143,134 @@ predicate sinkModel(string row) { any(SinkModelCsv s).row(row) }
 /** Holds if `row` is a summary model. */
 predicate summaryModel(string row) { any(SummaryModelCsv s).row(row) }
 
-private module MadInput implements SharedMaD::InputSig {
-  /** Holds if a source model exists for the given parameters. */
-  predicate additionalSourceModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string output, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      sourceModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = output and
-      row.splitAt(";", 7) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
-  /** Holds if a sink model exists for the given parameters. */
-  predicate additionalSinkModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      sinkModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = input and
-      row.splitAt(";", 7) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
-  /**
-   * Holds if a summary model exists for the given parameters.
-   *
-   * This predicate does not expand `@` to `*`s.
-   */
-  predicate additionalSummaryModel(
-    string namespace, string type, boolean subtypes, string name, string signature, string ext,
-    string input, string output, string kind, string provenance, string model
-  ) {
-    exists(string row |
-      summaryModel(row) and
-      row.splitAt(";", 0) = namespace and
-      row.splitAt(";", 1) = type and
-      row.splitAt(";", 2) = subtypes.toString() and
-      subtypes = [true, false] and
-      row.splitAt(";", 3) = name and
-      row.splitAt(";", 4) = signature and
-      row.splitAt(";", 5) = ext and
-      row.splitAt(";", 6) = input and
-      row.splitAt(";", 7) = output and
-      row.splitAt(";", 8) = kind
-    ) and
-    provenance = "manual" and
-    model = ""
-  }
-
-  string namespaceSegmentSeparator() { result = "::" }
+/** Holds if a source model exists for the given parameters. */
+predicate sourceModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string output, string kind, string provenance, string model
+) {
+  exists(string row |
+    sourceModel(row) and
+    row.splitAt(";", 0) = namespace and
+    row.splitAt(";", 1) = type and
+    row.splitAt(";", 2) = subtypes.toString() and
+    subtypes = [true, false] and
+    row.splitAt(";", 3) = name and
+    row.splitAt(";", 4) = signature and
+    row.splitAt(";", 5) = ext and
+    row.splitAt(";", 6) = output and
+    row.splitAt(";", 7) = kind
+  ) and
+  provenance = "manual" and
+  model = ""
+  or
+  exists(QlBuiltins::ExtensionId madId |
+    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
+      provenance, madId) and
+    model = "MaD:" + madId.toString()
+  )
 }
 
-private module MaD = SharedMaD::ModelsAsData<Extensions, MadInput>;
+/** Holds if a sink model exists for the given parameters. */
+predicate sinkModel(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string kind, string provenance, string model
+) {
+  exists(string row |
+    sinkModel(row) and
+    row.splitAt(";", 0) = namespace and
+    row.splitAt(";", 1) = type and
+    row.splitAt(";", 2) = subtypes.toString() and
+    subtypes = [true, false] and
+    row.splitAt(";", 3) = name and
+    row.splitAt(";", 4) = signature and
+    row.splitAt(";", 5) = ext and
+    row.splitAt(";", 6) = input and
+    row.splitAt(";", 7) = kind
+  ) and
+  provenance = "manual" and
+  model = ""
+  or
+  exists(QlBuiltins::ExtensionId madId |
+    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
+      madId) and
+    model = "MaD:" + madId.toString()
+  )
+}
 
-import MaD
+/**
+ * Holds if a summary model exists for the given parameters.
+ *
+ * This predicate does not expand `@` to `*`s.
+ */
+private predicate summaryModel0(
+  string namespace, string type, boolean subtypes, string name, string signature, string ext,
+  string input, string output, string kind, string provenance, string model
+) {
+  exists(string row |
+    summaryModel(row) and
+    row.splitAt(";", 0) = namespace and
+    row.splitAt(";", 1) = type and
+    row.splitAt(";", 2) = subtypes.toString() and
+    subtypes = [true, false] and
+    row.splitAt(";", 3) = name and
+    row.splitAt(";", 4) = signature and
+    row.splitAt(";", 5) = ext and
+    row.splitAt(";", 6) = input and
+    row.splitAt(";", 7) = output and
+    row.splitAt(";", 8) = kind
+  ) and
+  provenance = "manual" and
+  model = ""
+  or
+  exists(QlBuiltins::ExtensionId madId |
+    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
+      provenance, madId) and
+    model = "MaD:" + madId.toString()
+  )
+}
+
+/**
+ * Holds if the given extension tuple `madId` should pretty-print as `model`.
+ *
+ * This predicate should only be used in tests.
+ */
+predicate interpretModelForTest(QlBuiltins::ExtensionId madId, string model) {
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string output, string kind, string provenance
+  |
+    Extensions::sourceModel(namespace, type, subtypes, name, signature, ext, output, kind,
+      provenance, madId)
+  |
+    model =
+      "Source: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; "
+        + ext + "; " + output + "; " + kind + "; " + provenance
+  )
+  or
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string input, string kind, string provenance
+  |
+    Extensions::sinkModel(namespace, type, subtypes, name, signature, ext, input, kind, provenance,
+      madId)
+  |
+    model =
+      "Sink: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature + "; " +
+        ext + "; " + input + "; " + kind + "; " + provenance
+  )
+  or
+  exists(
+    string namespace, string type, boolean subtypes, string name, string signature, string ext,
+    string input, string output, string kind, string provenance
+  |
+    Extensions::summaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind,
+      provenance, madId)
+  |
+    model =
+      "Summary: " + namespace + "; " + type + "; " + subtypes + "; " + name + "; " + signature +
+        "; " + ext + "; " + input + "; " + output + "; " + kind + "; " + provenance
+  )
+}
 
 /**
  * Holds if `input` is `input0`, but with all occurrences of `@` replaced
@@ -242,13 +293,69 @@ predicate summaryModel(
   string input, string output, string kind, string provenance, string model
 ) {
   exists(string input0, string output0 |
-    MaD::summaryModel(namespace, type, subtypes, name, signature, ext, input0, output0, kind,
+    summaryModel0(namespace, type, subtypes, name, signature, ext, input0, output0, kind,
       provenance, model) and
     expandInputAndOutput(input0, input, output0, output,
       [0 .. Private::getMaxElementContentIndirectionIndex() - 1])
   )
 }
 
+private predicate relevantNamespace(string namespace) {
+  sourceModel(namespace, _, _, _, _, _, _, _, _, _) or
+  sinkModel(namespace, _, _, _, _, _, _, _, _, _) or
+  summaryModel(namespace, _, _, _, _, _, _, _, _, _, _)
+}
+
+private predicate namespaceLink(string shortns, string longns) {
+  relevantNamespace(shortns) and
+  relevantNamespace(longns) and
+  longns.prefix(longns.indexOf("::")) = shortns
+}
+
+private predicate canonicalNamespace(string namespace) {
+  relevantNamespace(namespace) and not namespaceLink(_, namespace)
+}
+
+private predicate canonicalNamespaceLink(string namespace, string subns) {
+  canonicalNamespace(namespace) and
+  (subns = namespace or namespaceLink(namespace, subns))
+}
+
+/**
+ * Holds if MaD framework coverage of `namespace` is `n` api endpoints of the
+ * kind `(kind, part)`, and `namespaces` is the number of subnamespaces of
+ * `namespace` which have MaD framework coverage (including `namespace`
+ * itself).
+ */
+predicate modelCoverage(string namespace, int namespaces, string kind, string part, int n) {
+  namespaces = strictcount(string subns | canonicalNamespaceLink(namespace, subns)) and
+  (
+    part = "source" and
+    n =
+      strictcount(string subns, string type, boolean subtypes, string name, string signature,
+        string ext, string output, string provenance, string model |
+        canonicalNamespaceLink(namespace, subns) and
+        sourceModel(subns, type, subtypes, name, signature, ext, output, kind, provenance, model)
+      )
+    or
+    part = "sink" and
+    n =
+      strictcount(string subns, string type, boolean subtypes, string name, string signature,
+        string ext, string input, string provenance, string model |
+        canonicalNamespaceLink(namespace, subns) and
+        sinkModel(subns, type, subtypes, name, signature, ext, input, kind, provenance, model)
+      )
+    or
+    part = "summary" and
+    n =
+      strictcount(string subns, string type, boolean subtypes, string name, string signature,
+        string ext, string input, string output, string provenance |
+        canonicalNamespaceLink(namespace, subns) and
+        summaryModel(subns, type, subtypes, name, signature, ext, input, output, kind, provenance, _)
+      )
+  )
+}
+
 /** Provides a query predicate to check the CSV data for validation errors. */
 module CsvValidation {
   private string getInvalidModelInput() {
@@ -526,28 +633,6 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canon
   canonical = true
 }
 
-/**
- * Gets the largest index of a template parameter of `templateFunction` that
- * is a type template parameter.
- */
-private int getLastTypeTemplateFunctionParameterIndex(Function templateFunction) {
-  result =
-    max(int index | templateFunction.getTemplateArgument(index) instanceof TypeTemplateParameter)
-}
-
-/** Gets the number of supported template parameters for `templateFunction`. */
-private int getNumberOfSupportedFunctionTemplateArguments(Function templateFunction) {
-  result = count(int i | exists(getSupportedFunctionTemplateArgument(templateFunction, i)) | i)
-}
-
-/** Gets the `i`'th supported template parameter for `templateFunction`. */
-private Locatable getSupportedFunctionTemplateArgument(Function templateFunction, int i) {
-  result = templateFunction.getTemplateArgument(i) and
-  // We don't yet support non-type template parameters in the middle of a
-  // template parameter list
-  i <= getLastTypeTemplateFunctionParameterIndex(templateFunction)
-}
-
 /**
  * Normalize the `n`'th parameter of `f` by replacing template names
  * with `func:N` (where `N` is the index of the template).
@@ -555,41 +640,18 @@ private Locatable getSupportedFunctionTemplateArgument(Function templateFunction
 private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remaining) {
   exists(Function templateFunction |
     templateFunction = getFullyTemplatedFunction(f) and
-    remaining = getNumberOfSupportedFunctionTemplateArguments(templateFunction) and
+    remaining = templateFunction.getNumberOfTemplateArguments() and
     result = getParameterTypeWithoutTemplateArguments(templateFunction, n, _)
   )
   or
   exists(string mid, TypeTemplateParameter tp, Function templateFunction |
     mid = getTypeNameWithoutFunctionTemplates(f, n, remaining + 1) and
     templateFunction = getFullyTemplatedFunction(f) and
-    tp = getSupportedFunctionTemplateArgument(templateFunction, remaining)
-  |
+    tp = templateFunction.getTemplateArgument(remaining) and
     result = mid.replaceAll(tp.getName(), "func:" + remaining.toString())
   )
 }
 
-/**
- * Gets the largest index of a template parameter of `templateClass` that
- * is a type template parameter.
- */
-private int getLastTypeTemplateClassParameterIndex(Class templateClass) {
-  result =
-    max(int index | templateClass.getTemplateArgument(index) instanceof TypeTemplateParameter)
-}
-
-/** Gets the `i`'th supported template parameter for `templateClass`. */
-private Locatable getSupportedClassTemplateArgument(Class templateClass, int i) {
-  result = templateClass.getTemplateArgument(i) and
-  // We don't yet support non-type template parameters in the middle of a
-  // template parameter list
-  i <= getLastTypeTemplateClassParameterIndex(templateClass)
-}
-
-/** Gets the number of supported template parameters for `templateClass`. */
-private int getNumberOfSupportedClassTemplateArguments(Class templateClass) {
-  result = count(int i | exists(getSupportedClassTemplateArgument(templateClass, i)) | i)
-}
-
 /**
  * Normalize the `n`'th parameter of `f` by replacing template names
  * with `class:N` (where `N` is the index of the template).
@@ -599,7 +661,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
     isClassConstructedFrom(f.getDeclaringType(), template) and
-    remaining = getNumberOfSupportedClassTemplateArguments(template) and
+    remaining = template.getNumberOfTemplateArguments() and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
   or
@@ -611,8 +673,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
     isClassConstructedFrom(f.getDeclaringType(), template) and
-    tp = getSupportedClassTemplateArgument(template, remaining)
-  |
+    tp = template.getTemplateArgument(remaining) and
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())
   )
 }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll

@@ -2,8 +2,6 @@
  * This module provides extensible predicates for defining MaD models.
  */
 
-private import codeql.mad.static.ModelsAsData as SharedMaD
-
 /**
  * Holds if an external source model exists for the given parameters.
  */
@@ -20,22 +18,6 @@ extensible predicate sinkModel(
   string input, string kind, string provenance, QlBuiltins::ExtensionId madId
 );
 
-/**
- * Holds if a barrier model exists for the given parameters.
- */
-extensible predicate barrierModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string output, string kind, string provenance, QlBuiltins::ExtensionId madId
-);
-
-/**
- * Holds if a barrier guard model exists for the given parameters.
- */
-extensible predicate barrierGuardModel(
-  string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
-);
-
 /**
  * Holds if an external summary model exists for the given parameters.
  */
@@ -43,16 +25,3 @@ extensible predicate summaryModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
   string input, string output, string kind, string provenance, QlBuiltins::ExtensionId madId
 );
-
-/**
- * Holds if a neutral model exists for the given parameters.
- */
-extensible predicate neutralModel(
-  string namespace, string type, string name, string signature, string kind, string provenance
-);
-
-module Extensions implements SharedMaD::ExtensionsSig {
-  import ExternalFlowExtensions
-
-  predicate namespaceGrouping(string group, string namespace) { none() }
-}

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -148,19 +148,6 @@ module SourceSinkInterpretationInput implements
     )
   }
 
-  predicate barrierElement(
-    Element n, string output, string kind, Public::Provenance provenance, string model
-  ) {
-    none()
-  }
-
-  predicate barrierGuardElement(
-    Element n, string input, Public::AcceptingValue acceptingvalue, string kind,
-    Public::Provenance provenance, string model
-  ) {
-    none()
-  }
-
   private newtype TInterpretNode =
     TElement_(Element n) or
     TNode_(Node n)

cpp/ql/lib/semmle/code/cpp/exprs/Access.qll

@@ -394,11 +394,6 @@ class FunctionAccess extends Access, @routineexpr {
  */
 class ParamAccessForType extends Expr, @param_ref {
   override string toString() { result = "param access" }
-
-  /**
-   * Holds if the accessed parameter is implicit object parameter of the function.
-   */
-  predicate isThisAccess() { param_ref_to_this(underlyingElement(this)) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/exprs/BuiltInOperations.qll

@@ -1941,61 +1941,3 @@ class BuiltInOperationIsTriviallyRelocatable extends BuiltInOperation, @istrivia
 
   override string getAPrimaryQlClass() { result = "BuiltInOperationIsTriviallyRelocatable" }
 }
-
-/**
- * A C++ `__is_bitwise_cloneable` built-in operation.
- *
- * Returns `true` if an object of type `_Tp` is bitwise cloneable.
- *
- * ```
- * template<typename _Tp>
- *   struct is_bitwise_cloneable
- *   : public integral_constant<bool, __is_bitwise_cloneable(_Tp)>
- *   {};
- * ```
- */
-class BuiltInOperationIsBitwiseCloneable extends BuiltInOperation, @isbitwisecloneable {
-  override string toString() { result = "__is_bitwise_cloneable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsBitwiseCloneable" }
-}
-
-/**
- * A C++ `__is_invocable` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a function of type `_FTpn` can be invoked with arguments of
- * type `_Tps`.
- *
- * ```
- * template<typename _FTpn, typename... _Tps>
- *   struct is_invocable
- *   : public integral_constant<bool, __is_invocable(_FTpn, _Tps...)>
- *   {};
- * ```
- */
-class BuiltInOperationIsInvocable extends BuiltInOperation, @isinvocable {
-  override string toString() { result = "__is_invocable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsInvocable" }
-}
-
-/**
- * A C++ `__is_nothrow_invocable` built-in operation (used by some implementations
- * of the `<type_traits>` header).
- *
- * Returns `true` if a function of non-throwing type `_FTpn` can be invoked
- * with arguments of type `_Tps`.
- *
- * ```
- * template<typename _FTpn, typename... _Tps>
- *   struct is_nothrow_invocable
- *   : public integral_constant<bool, __is_nothrow_invocable(_FTpn, _Tps...)>
- *   {};
- * ```
- */
-class BuiltInOperationIsNothrowInvocable extends BuiltInOperation, @isnothrowinvocable {
-  override string toString() { result = "__is_nothrow_invocable" }
-
-  override string getAPrimaryQlClass() { result = "BuiltInOperationIsNothrowInvocable" }
-}

cpp/ql/lib/semmle/code/cpp/exprs/Call.qll

@@ -387,23 +387,10 @@ class OverloadedArrayExpr extends FunctionCall {
 
   /**
    * Gets the expression giving the index.
-   *
-   * DEPRECATED: Use getArrayOffset/1 instead.
    */
-  deprecated Expr getArrayOffset() { result = this.getArrayOffset(0) }
-
-  /**
-   * Gets the expression giving the nth index.
-   */
-  Expr getArrayOffset(int n) {
-    n >= 0 and
-    if exists(this.getQualifier()) then result = this.getChild(n) else result = this.getChild(n + 1)
+  Expr getArrayOffset() {
+    if exists(this.getQualifier()) then result = this.getChild(0) else result = this.getChild(1)
   }
-
-  /**
-   * Gets an expression giving an index.
-   */
-  Expr getAnArrayOffset() { result = this.getArrayOffset(_) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/internal/Overlay.qll

@@ -1,80 +0,0 @@
-/**
- * Defines entity discard predicates for C++ overlay analysis.
- */
-
-private import OverlayXml
-
-/**
- * Holds always for the overlay variant and never for the base variant.
- * This local predicate is used to define local predicates that behave
- * differently for the base and overlay variant.
- */
-overlay[local]
-predicate isOverlay() { databaseMetadata("isOverlay", "true") }
-
-overlay[local]
-private string getLocationFilePath(@location_default loc) {
-  exists(@file file | locations_default(loc, file, _, _, _, _) | files(file, result))
-}
-
-/**
- * Gets the file path for an element with a single location.
- */
-overlay[local]
-private string getSingleLocationFilePath(@element e) {
-  exists(@location_default loc |
-    var_decls(e, _, _, _, loc)
-    or
-    fun_decls(e, _, _, _, loc)
-    or
-    type_decls(e, _, loc)
-    or
-    namespace_decls(e, _, loc, _)
-    or
-    macroinvocations(e, _, loc, _)
-    or
-    preprocdirects(e, _, loc)
-  |
-    result = getLocationFilePath(loc)
-  )
-}
-
-/**
- * Gets the file path for an element with potentially multiple locations.
- */
-overlay[local]
-private string getMultiLocationFilePath(@element e) {
-  exists(@location_default loc |
-    exists(@var_decl vd | var_decls(vd, e, _, _, loc))
-    or
-    exists(@fun_decl fd | fun_decls(fd, e, _, _, loc))
-    or
-    exists(@type_decl td | type_decls(td, e, loc))
-    or
-    exists(@namespace_decl nd | namespace_decls(nd, e, loc, _))
-  |
-    result = getLocationFilePath(loc)
-  )
-}
-
-/**
- * A local helper predicate that holds in the base variant and never in the
- * overlay variant.
- */
-overlay[local]
-private predicate holdsInBase() { not isOverlay() }
-
-/**
- * Discards an element from the base variant if:
- * - It has a single location in a changed file, or
- * - All of its locations are in changed files.
- */
-overlay[discard_entity]
-private predicate discardElement(@element e) {
-  holdsInBase() and
-  (
-    overlayChangedFiles(getSingleLocationFilePath(e))
-    or
-    forex(string path | path = getMultiLocationFilePath(e) | overlayChangedFiles(path))
-  )
-}

cpp/ql/lib/semmle/code/cpp/internal/OverlayXml.qll

@@ -1,46 +0,0 @@
-overlay[local]
-module;
-
-/**
- * A local predicate that always holds for the overlay variant and never holds for the base variant.
- * This is used to define local predicates that behave differently for the base and overlay variant.
- */
-private predicate isOverlay() { databaseMetadata("isOverlay", "true") }
-
-private string getXmlFile(@xmllocatable locatable) {
-  exists(@location_default location, @file file | xmllocations(locatable, location) |
-    locations_default(location, file, _, _, _, _) and
-    files(file, result)
-  )
-}
-
-private string getXmlFileInBase(@xmllocatable locatable) {
-  not isOverlay() and
-  result = getXmlFile(locatable)
-}
-
-/**
- * Holds if the given `file` was extracted as part of the overlay and was extracted by the HTML/XML
- * extractor.
- */
-private predicate overlayXmlExtracted(string file) {
-  isOverlay() and
-  exists(@xmllocatable locatable |
-    not files(locatable, _) and not xmlNs(locatable, _, _, _) and file = getXmlFile(locatable)
-  )
-}
-
-/**
- * Holds if the given XML `locatable` should be discarded, because it is part of the overlay base
- * and is in a file that was also extracted as part of the overlay database.
- */
-overlay[discard_entity]
-private predicate discardXmlLocatable(@xmllocatable locatable) {
-  exists(string file | file = getXmlFileInBase(locatable) |
-    overlayChangedFiles(file)
-    or
-    // The HTML/XML extractor is currently not incremental and may extract more files than those
-    // included in overlayChangedFiles.
-    overlayXmlExtracted(file)
-  )
-}

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -2078,151 +2078,38 @@ predicate localExprFlow(Expr e1, Expr e2) {
   localExprFlowPlus(e1, e2)
 }
 
-/**
- * A canonical representation of a field.
- *
- * For performance reasons we want a unique `Content` that represents
- * a given field across any template instantiation of a class.
- *
- * This is possible in _almost_ all cases, but there are cases where it is
- * not possible to map between a field in the uninstantiated template to a
- * field in the instantiated template. This happens in the case of local class
- * definitions (because the local class is not the template that constructs
- * the instantiation - it is the enclosing function). So this abstract class
- * has two implementations: a non-local case (where we can represent a
- * canonical field as the field declaration from an uninstantiated class
- * template or a non-templated class), and a local case (where we simply use
- * the field from the instantiated class).
- */
-abstract private class CanonicalField extends Field {
-  /** Gets a field represented by this canonical field. */
-  abstract Field getAField();
-
-  /**
-   * Gets a class that declares a field represented by this canonical field.
-   */
-  abstract Class getADeclaringType();
-
-  /**
-   * Gets a type that this canonical field may have. Note that this may
-   * not be a unique type. For example, consider this case:
-   * ```
-   * template<typename T>
-   * struct S { T x; };
-   *
-   * S<int> s1;
-   * S<char> s2;
-   * ```
-   * In this case the canonical field corresponding to `S::x` has two types:
-   * `int` and `char`.
-   */
-  Type getAType() { result = this.getAField().getType() }
-
-  Type getAnUnspecifiedType() { result = this.getAType().getUnspecifiedType() }
-}
-
-private class NonLocalCanonicalField extends CanonicalField {
-  Class declaringType;
-
-  NonLocalCanonicalField() {
-    declaringType = this.getDeclaringType() and
-    not declaringType.isFromTemplateInstantiation(_) and
-    not declaringType.isLocal() // handled in LocalCanonicalField
-  }
-
-  override Field getAField() {
-    exists(Class c | result.getDeclaringType() = c |
-      // Either the declaring class of the field is a template instantiation
-      // that has been constructed from this canonical declaration
-      c.isConstructedFrom(declaringType) and
-      pragma[only_bind_out](result.getName()) = pragma[only_bind_out](this.getName())
-      or
-      // or this canonical declaration is not a template.
-      not c.isConstructedFrom(_) and
-      result = this
-    )
-  }
-
-  override Class getADeclaringType() {
-    result = this.getDeclaringType()
-    or
-    result.isConstructedFrom(this.getDeclaringType())
-  }
-}
-
-private class LocalCanonicalField extends CanonicalField {
-  Class declaringType;
-
-  LocalCanonicalField() {
-    declaringType = this.getDeclaringType() and
-    declaringType.isLocal()
-  }
-
-  override Field getAField() { result = this }
-
-  override Class getADeclaringType() { result = declaringType }
-}
-
-/**
- * A canonical representation of a `Union`. See `CanonicalField` for the explanation for
- * why we need a canonical representation.
- */
-abstract private class CanonicalUnion extends Union {
-  /** Gets a union represented by this canonical union. */
-  abstract Union getAUnion();
-
-  /** Gets a canonical field of this canonical union. */
-  CanonicalField getACanonicalField() { result.getDeclaringType() = this }
-}
-
-private class NonLocalCanonicalUnion extends CanonicalUnion {
-  NonLocalCanonicalUnion() { not this.isFromTemplateInstantiation(_) and not this.isLocal() }
-
-  override Union getAUnion() {
-    result = this
-    or
-    result.isConstructedFrom(this)
-  }
-}
-
-private class LocalCanonicalUnion extends CanonicalUnion {
-  LocalCanonicalUnion() { this.isLocal() }
-
-  override Union getAUnion() { result = this }
-}
-
 bindingset[f]
 pragma[inline_late]
-private int getFieldSize(CanonicalField f) { result = max(f.getAType().getSize()) }
+private int getFieldSize(Field f) { result = f.getType().getSize() }
 
 /**
  * Gets a field in the union `u` whose size
  * is `bytes` number of bytes.
  */
-private CanonicalField getAFieldWithSize(CanonicalUnion u, int bytes) {
-  result = u.getACanonicalField() and
+private Field getAFieldWithSize(Union u, int bytes) {
+  result = u.getAField() and
   bytes = getFieldSize(result)
 }
 
 cached
 private newtype TContent =
-  TNonUnionContent(CanonicalField f, int indirectionIndex) {
+  TNonUnionContent(Field f, int indirectionIndex) {
     // the indirection index for field content starts at 1 (because `TNonUnionContent` is thought of as
     // the address of the field, `FieldAddress` in the IR).
-    indirectionIndex = [1 .. max(SsaImpl::getMaxIndirectionsForType(f.getAnUnspecifiedType()))] and
+    indirectionIndex = [1 .. SsaImpl::getMaxIndirectionsForType(f.getUnspecifiedType())] and
     // Reads and writes of union fields are tracked using `UnionContent`.
     not f.getDeclaringType() instanceof Union
   } or
-  TUnionContent(CanonicalUnion u, int bytes, int indirectionIndex) {
-    exists(CanonicalField f |
-      f = u.getACanonicalField() and
+  TUnionContent(Union u, int bytes, int indirectionIndex) {
+    exists(Field f |
+      f = u.getAField() and
       bytes = getFieldSize(f) and
       // We key `UnionContent` by the union instead of its fields since a write to one
       // field can be read by any read of the union's fields. Again, the indirection index
       // is 1-based (because 0 is considered the address).
       indirectionIndex =
         [1 .. max(SsaImpl::getMaxIndirectionsForType(getAFieldWithSize(u, bytes)
-                    .getAnUnspecifiedType())
+                    .getUnspecifiedType())
           )]
     )
   } or
@@ -2288,12 +2175,8 @@ class FieldContent extends Content, TFieldContent {
 
   /**
    * Gets the field associated with this `Content`, if a unique one exists.
-   *
-   * For fields from template instantiations this predicate may still return
-   * more than one field, but all the fields will be constructed from the same
-   * template.
    */
-  Field getField() { none() } // overridden in subclasses
+  final Field getField() { result = unique( | | this.getAField()) }
 
   override int getIndirectionIndex() { none() } // overridden in subclasses
 
@@ -2304,33 +2187,32 @@ class FieldContent extends Content, TFieldContent {
 
 /** A reference through a non-union instance field. */
 class NonUnionFieldContent extends FieldContent, TNonUnionContent {
-  private CanonicalField f;
+  private Field f;
   private int indirectionIndex;
 
   NonUnionFieldContent() { this = TNonUnionContent(f, indirectionIndex) }
 
   override string toString() { result = contentStars(this) + f.toString() }
 
-  final override Field getField() { result = f.getAField() }
-
-  override Field getAField() { result = this.getField() }
+  override Field getAField() { result = f }
 
   /** Gets the indirection index of this `FieldContent`. */
   override int getIndirectionIndex() { result = indirectionIndex }
 
   override predicate impliesClearOf(Content c) {
-    exists(int i |
-      c = TNonUnionContent(f, i) and
+    exists(FieldContent fc |
+      fc = c and
+      fc.getField() = f and
       // If `this` is `f` then `c` is cleared if it's of the
       // form `*f`, `**f`, etc.
-      i >= indirectionIndex
+      fc.getIndirectionIndex() >= indirectionIndex
     )
   }
 }
 
 /** A reference through an instance field of a union. */
 class UnionContent extends FieldContent, TUnionContent {
-  private CanonicalUnion u;
+  private Union u;
   private int indirectionIndex;
   private int bytes;
 
@@ -2338,31 +2220,24 @@ class UnionContent extends FieldContent, TUnionContent {
 
   override string toString() { result = contentStars(this) + u.toString() }
 
-  final override Field getField() { result = unique( | | u.getACanonicalField()).getAField() }
-
   /** Gets a field of the underlying union of this `UnionContent`, if any. */
-  override Field getAField() {
-    exists(CanonicalField cf |
-      cf = u.getACanonicalField() and
-      result = cf.getAField() and
-      getFieldSize(cf) = bytes
-    )
-  }
+  override Field getAField() { result = u.getAField() and getFieldSize(result) = bytes }
 
   /** Gets the underlying union of this `UnionContent`. */
-  Union getUnion() { result = u.getAUnion() }
+  Union getUnion() { result = u }
 
   /** Gets the indirection index of this `UnionContent`. */
   override int getIndirectionIndex() { result = indirectionIndex }
 
   override predicate impliesClearOf(Content c) {
-    exists(int i |
-      c = TUnionContent(u, _, i) and
+    exists(UnionContent uc |
+      uc = c and
+      uc.getUnion() = u and
       // If `this` is `u` then `c` is cleared if it's of the
       // form `*u`, `**u`, etc. (and we ignore `bytes` because
       // we know the entire union is overwritten because it's a
       // union).
-      i >= indirectionIndex
+      uc.getIndirectionIndex() >= indirectionIndex
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll

@@ -1051,12 +1051,12 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
   }
 
   private predicate guardChecksInstr(
-    IRGuards::Guards_v1::Guard g, IRGuards::GuardsInput::Expr instr, IRGuards::GuardValue gv,
+    IRGuards::Guards_v1::Guard g, IRGuards::GuardsInput::Expr instr, boolean branch,
     int indirectionIndex
   ) {
     exists(Node node |
       nodeHasInstruction(node, instr, indirectionIndex) and
-      guardChecksNode(g, node, gv.asBooleanValue(), indirectionIndex)
+      guardChecksNode(g, node, branch, indirectionIndex)
     )
   }
 
@@ -1064,8 +1064,8 @@ module BarrierGuardWithIntParam<guardChecksNodeSig/4 guardChecksNode> {
     DataFlowIntegrationInput::Guard g, SsaImpl::Definition def, IRGuards::GuardValue val,
     int indirectionIndex
   ) {
-    IRGuards::Guards_v1::ParameterizedValidationWrapper<int, guardChecksInstr/4>::guardChecksDef(g,
-      def, val, indirectionIndex)
+    IRGuards::Guards_v1::ValidationWrapperWithState<int, guardChecksInstr/4>::guardChecksDef(g, def,
+      val, indirectionIndex)
   }
 
   Node getABarrierNode(int indirectionIndex) {

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -688,9 +688,15 @@ private module Cached {
       conversionFlow(mid, instr, false, _)
     )
     or
-    exists(Operand address |
-      isDereference(operand.getDef(), address, _) and
-      isUseImpl(address, base, ind - 1)
+    exists(int ind0 |
+      exists(Operand address |
+        isDereference(operand.getDef(), address, _) and
+        isUseImpl(address, base, ind0)
+      )
+      or
+      isUseImpl(operand.getDef().(InitializeParameterInstruction).getAnOperand(), base, ind0)
+    |
+      ind0 = ind - 1
     )
   }
 

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedExpr.qll

@@ -2679,7 +2679,7 @@ class TranslatedDestructorFieldDestruction extends TranslatedNonConstantExpr, St
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = OnlyInstructionTag() and
     operandTag instanceof UnaryOperandTag and
-    result = getTranslatedFunction(getEnclosingFunction(expr)).getLoadThisInstruction()
+    result = getTranslatedFunction(getEnclosingFunction(expr)).getInitializeThisInstruction()
   }
 
   final override Field getInstructionField(InstructionTag tag) {

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedFunction.qll

@@ -306,11 +306,11 @@ class TranslatedFunction extends TranslatedRootElement, TTranslatedFunction {
   final predicate hasReturnValue() { hasReturnValue(func) }
 
   /**
-   * Gets the first load of `this` for this function. Holds only if the function
-   * is an instance member function, constructor, or destructor.
+   * Gets the single `InitializeThis` instruction for this function. Holds only
+   * if the function is an instance member function, constructor, or destructor.
    */
-  final Instruction getLoadThisInstruction() {
-    result = getTranslatedThisParameter(func).getInstruction(InitializerIndirectAddressTag())
+  final Instruction getInitializeThisInstruction() {
+    result = getTranslatedThisParameter(func).getInstruction(InitializerStoreTag())
   }
 
   /**
@@ -639,7 +639,7 @@ class TranslatedConstructorInitList extends TranslatedElement, InitializationCon
   }
 
   override Instruction getTargetAddress() {
-    result = getTranslatedFunction(func).getLoadThisInstruction()
+    result = getTranslatedFunction(func).getInitializeThisInstruction()
   }
 
   override Type getTargetType() { result = getTranslatedFunction(func).getThisType() }

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedInitialization.qll

@@ -950,7 +950,7 @@ abstract class TranslatedBaseStructorCall extends TranslatedStructorCallFromStru
   final override Instruction getInstructionRegisterOperand(InstructionTag tag, OperandTag operandTag) {
     tag = OnlyInstructionTag() and
     operandTag instanceof UnaryOperandTag and
-    result = getTranslatedFunction(this.getFunction()).getLoadThisInstruction()
+    result = getTranslatedFunction(this.getFunction()).getInitializeThisInstruction()
   }
 
   final override predicate getInstructionInheritance(
@@ -1000,7 +1000,7 @@ class TranslatedConstructorDelegationInit extends TranslatedConstructorCallFromC
   }
 
   final override Instruction getReceiver() {
-    result = getTranslatedFunction(this.getFunction()).getLoadThisInstruction()
+    result = getTranslatedFunction(this.getFunction()).getInitializeThisInstruction()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/rangeanalysis/SimpleRangeAnalysis.qll

@@ -158,6 +158,22 @@ private class UnsignedBitwiseAndExpr extends BitwiseAndExpr {
   }
 }
 
+/**
+ * Gets the floor of `v`, with additional logic to work around issues with
+ * large numbers.
+ */
+bindingset[v]
+float safeFloor(float v) {
+  // return the floor of v
+  v.abs() < 2.pow(31) and
+  result = v.floor()
+  or
+  // `floor()` doesn't work correctly on large numbers (since it returns an integer),
+  // so fall back to unrounded numbers at this scale.
+  not v.abs() < 2.pow(31) and
+  result = v
+}
+
 /** A `MulExpr` where exactly one operand is constant. */
 private class MulByConstantExpr extends MulExpr {
   float constant;
@@ -1250,7 +1266,7 @@ private float getLowerBoundsImpl(Expr expr) {
       rsExpr = expr and
       left = getFullyConvertedLowerBounds(rsExpr.getLeftOperand()) and
       right = getValue(rsExpr.getRightOperand().getFullyConverted()).toInt() and
-      result = (left / 2.pow(right)).floorFloat()
+      result = safeFloor(left / 2.pow(right))
     )
     // Not explicitly modeled by a SimpleRangeAnalysisExpr
   ) and
@@ -1459,7 +1475,7 @@ private float getUpperBoundsImpl(Expr expr) {
       rsExpr = expr and
       left = getFullyConvertedUpperBounds(rsExpr.getLeftOperand()) and
       right = getValue(rsExpr.getRightOperand().getFullyConverted()).toInt() and
-      result = (left / 2.pow(right)).floorFloat()
+      result = safeFloor(left / 2.pow(right))
     )
     // Not explicitly modeled by a SimpleRangeAnalysisExpr
   ) and
@@ -1709,22 +1725,6 @@ predicate nonNanGuardedVariable(Expr guard, VariableAccess v, boolean branch) {
   nanExcludingComparison(guard, branch)
 }
 
-/**
- * Adjusts a lower bound to its meaning for integral types.
- *
- * Examples:
- * `>= 3.0` becomes `3.0`
- * ` > 3.0` becomes `4.0`
- * `>= 3.5` becomes `4.0`
- * ` > 3.5` becomes `4.0`
- */
-bindingset[strictness, lb]
-private float adjustLowerBoundIntegral(RelationStrictness strictness, float lb) {
-  if strictness = Nonstrict() and lb.floorFloat() = lb
-  then result = lb
-  else result = lb.floorFloat() + 1
-}
-
 /**
  * If the guard is a comparison of the form `p*v + q <CMP> r`, then this
  * predicate uses the bounds information for `r` to compute a lower bound
@@ -1736,29 +1736,15 @@ private predicate lowerBoundFromGuard(Expr guard, VariableAccess v, float lb, bo
   |
     if nonNanGuardedVariable(guard, v, branch)
     then
-      if getVariableRangeType(v.getTarget()) instanceof IntegralType
-      then lb = adjustLowerBoundIntegral(strictness, childLB)
-      else lb = childLB
+      if
+        strictness = Nonstrict() or
+        not getVariableRangeType(v.getTarget()) instanceof IntegralType
+      then lb = childLB
+      else lb = childLB + 1
     else lb = varMinVal(v.getTarget())
   )
 }
 
-/**
- * Adjusts an upper bound to its meaning for integral types.
- *
- * Examples:
- * `<= 3.0` becomes `3.0`
- * ` < 3.0` becomes `2.0`
- * `<= 3.5` becomes `3.0`
- * ` < 3.5` becomes `3.0`
- */
-bindingset[strictness, ub]
-private float adjustUpperBoundIntegral(RelationStrictness strictness, float ub) {
-  if strictness = Nonstrict() and ub.ceilFloat() = ub
-  then result = ub
-  else result = ub.ceilFloat() - 1
-}
-
 /**
  * If the guard is a comparison of the form `p*v + q <CMP> r`, then this
  * predicate uses the bounds information for `r` to compute a upper bound
@@ -1770,9 +1756,11 @@ private predicate upperBoundFromGuard(Expr guard, VariableAccess v, float ub, bo
   |
     if nonNanGuardedVariable(guard, v, branch)
     then
-      if getVariableRangeType(v.getTarget()) instanceof IntegralType
-      then ub = adjustUpperBoundIntegral(strictness, childUB)
-      else ub = childUB
+      if
+        strictness = Nonstrict() or
+        not getVariableRangeType(v.getTarget()) instanceof IntegralType
+      then ub = childUB
+      else ub = childUB - 1
     else ub = varMaxVal(v.getTarget())
   )
 }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -617,9 +617,9 @@ case @builtintype.kind of
 | 37 = @signed_int128         // signed __int128
 | 38 = @float128              // __float128
 | 39 = @complex_float128      // _Complex __float128
-// ... 40 _Decimal32
-// ... 41 _Decimal64
-// ... 42 _Decimal128
+| 40 = @decimal32             // _Decimal32
+| 41 = @decimal64             // _Decimal64
+| 42 = @decimal128            // _Decimal128
 | 43 = @char16_t
 | 44 = @char32_t
 | 45 = @std_float32           // _Float32
@@ -1902,9 +1902,6 @@ case @expr.kind of
 | 391 = @nested_requirement
 | 392 = @compound_requirement
 | 393 = @concept_id
-| 394 = @isinvocable
-| 395 = @isnothrowinvocable
-| 396 = @isbitwisecloneable
 ;
 
 @var_args_expr = @vastartexpr
@@ -2021,9 +2018,6 @@ case @expr.kind of
             | @istriviallyequalitycomparable
             | @isscopedenum
             | @istriviallyrelocatable
-            | @isinvocable
-            | @isnothrowinvocable
-            | @isbitwisecloneable
             ;
 
 compound_requirement_is_noexcept(
@@ -2040,10 +2034,6 @@ new_array_allocated_type(
     int type_id: @type ref
 );
 
-param_ref_to_this(
-    int expr: @param_ref ref
-)
-
 /**
  * The field being initialized by an initializer expression within an aggregate
  * initializer for a class/struct/union. Position is used to sort repeated initializers.

cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/builtintypes.ql

@@ -1,11 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-predicate isDecimalBuiltinType(BuiltinType type) { builtintypes(type, _, [40, 41, 42], _, _, _) }
-
-from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
-where
-  builtintypes(type, name, kind, size, sign, alignment) and
-  if isDecimalBuiltinType(type) then kind_new = 1 else kind_new = kind
-select type, name, kind_new, size, sign, alignment

cpp/ql/lib/upgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties

@@ -1,3 +0,0 @@
-description: Remove _Decimal{32,64,128} types
-compatibility: partial
-builtintypes.rel: run builtintypes.qlo

cpp/ql/lib/upgrades/d2d611b3fdcc7c4fe370f0d115200a3aa6ad5837/upgrade.properties

@@ -1,2 +0,0 @@
-description: Add new builtin operations and this parameter access table
-compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 1.5.8
-
-No user-facing changes.
-
-## 1.5.7
-
-No user-facing changes.
-
-## 1.5.6
-
-No user-facing changes.
-
-## 1.5.5
-
-No user-facing changes.
-
 ## 1.5.4
 
 No user-facing changes.

cpp/ql/src/Likely Bugs/Arithmetic/PointlessComparison.ql

@@ -25,16 +25,11 @@ import UnsignedGEZero
 //
 // So to reduce the number of false positives, we do not report a result if
 // the comparison is in a macro expansion. Similarly for template
-// instantiations, static asserts, non-type template arguments, enum constants,
-// and constexprs.
+// instantiations.
 from ComparisonOperation cmp, SmallSide ss, float left, float right, boolean value, string reason
 where
   not cmp.isInMacroExpansion() and
   not cmp.isFromTemplateInstantiation(_) and
-  not exists(StaticAssert s | s.getCondition() = cmp.getParent*()) and
-  not exists(Declaration d | d.getATemplateArgument() = cmp.getParent*()) and
-  not exists(Variable v | v.isConstexpr() | v.getInitializer().getExpr() = cmp.getParent*()) and
-  not exists(EnumConstant e | e.getInitializer().getExpr() = cmp.getParent*()) and
   not functionContainsDisabledCode(cmp.getEnclosingFunction()) and
   reachablePointlessComparison(cmp, left, right, value, ss) and
   // a comparison between an enum and zero is always valid because whether

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll

@@ -10,7 +10,7 @@ import ExternalAPIsSpecific
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }

cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll

@@ -10,7 +10,7 @@ import ExternalAPIsSpecific
 
 /** A node representing untrusted data being passed to an external API. */
 class UntrustedExternalApiDataNode extends ExternalApiDataNode {
-  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flowTo(this) }
+  UntrustedExternalApiDataNode() { UntrustedDataToExternalApiFlow::flow(_, this) }
 
   /** Gets a source of untrusted data which is passed to this external API data node. */
   DataFlow::Node getAnUntrustedSource() { UntrustedDataToExternalApiFlow::flow(result, this) }

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -263,7 +263,7 @@ module FromSensitiveFlow = TaintTracking::Global<FromSensitiveConfig>;
  * A taint flow configuration for flow from a sensitive expression to an encryption operation.
  */
 module ToEncryptionConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { FromSensitiveFlow::flowFrom(source) }
+  predicate isSource(DataFlow::Node source) { FromSensitiveFlow::flow(source, _) }
 
   predicate isSink(DataFlow::Node sink) { isSinkEncrypt(sink, _) }
 
@@ -311,7 +311,7 @@ where
   FromSensitiveFlow::flowPath(source, sink) and
   isSinkSendRecv(sink.getNode(), networkSendRecv) and
   // no flow from sensitive -> evidence of encryption
-  not ToEncryptionFlow::flowFrom(source.getNode()) and
+  not ToEncryptionFlow::flow(source.getNode(), _) and
   not FromEncryptionFlow::flowTo(sink.getNode()) and
   // construct result
   if networkSendRecv instanceof NetworkSend

cpp/ql/src/change-notes/2026-01-02-constant-comparison.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `cpp/constant-comparison` query has been updated to not produce false positives for constants that are now represented by their unfolded expression trees.

cpp/ql/src/change-notes/released/1.5.5.md

@@ -1,3 +0,0 @@
-## 1.5.5
-
-No user-facing changes.

cpp/ql/src/change-notes/released/1.5.6.md

@@ -1,3 +0,0 @@
-## 1.5.6
-
-No user-facing changes.

cpp/ql/src/change-notes/released/1.5.7.md

@@ -1,3 +0,0 @@
-## 1.5.7
-
-No user-facing changes.

cpp/ql/src/change-notes/released/1.5.8.md

@@ -1,3 +0,0 @@
-## 1.5.8
-
-No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.8
+lastReleaseVersion: 1.5.4

cpp/ql/src/experimental/Security/CWE/CWE-125/DangerousWorksWithMultibyteOrWideCharacters.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use convert function
+ * @name Dangerous use convert function.
  * @description Using convert function with an invalid length argument can result in an out-of-bounds access error or unexpected result.
  * @kind problem
  * @id cpp/dangerous-use-convert-function

cpp/ql/src/experimental/Security/CWE/CWE-190/DangerousUseOfTransformationAfterOperation.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use of transformation after operation
+ * @name Dangerous use of transformation after operation.
  * @description By using the transformation after the operation, you are doing a pointless and dangerous action.
  * @kind problem
  * @id cpp/dangerous-use-of-transformation-after-operation

cpp/ql/src/experimental/Security/CWE/CWE-193/ConstantSizeArrayOffByOne.ql

@@ -129,7 +129,7 @@ module PointerArithmeticToDerefFlow = DataFlow::Global<PointerArithmeticToDerefC
 
 predicate pointerArithOverflow(PointerArithmeticInstruction pai, int delta) {
   pointerArithOverflow0(pai, delta) and
-  PointerArithmeticToDerefFlow::flowFrom(DataFlow::instructionNode(pai))
+  PointerArithmeticToDerefFlow::flow(DataFlow::instructionNode(pai), _)
 }
 
 bindingset[v]

cpp/ql/src/experimental/Security/CWE/CWE-200/ExposureSensitiveInformationUnauthorizedActor.ql

@@ -1,5 +1,5 @@
 /**
- * @name Writing to a file without setting permissions
+ * @name Writing to a file without setting permissions.
  * @description Lack of restriction on file access rights can be unsafe.
  * @kind problem
  * @id cpp/work-with-file-without-permissions-rights

cpp/ql/src/experimental/Security/CWE/CWE-243/IncorrectChangingWorkingDirectory.ql

@@ -1,5 +1,5 @@
 /**
- * @name Find work with changing working directories, with security errors
+ * @name Find work with changing working directories, with security errors.
  * @description Not validating the return value or pinning the directory can be unsafe.
  * @kind problem
  * @id cpp/work-with-changing-working-directories

cpp/ql/src/experimental/Security/CWE/CWE-266/IncorrectPrivilegeAssignment.ql

@@ -1,5 +1,5 @@
 /**
- * @name Find the wrong use of the umask function
+ * @name Find the wrong use of the umask function.
  * @description Incorrectly evaluated argument to the umask function may have security implications.
  * @kind problem
  * @id cpp/wrong-use-of-the-umask

cpp/ql/src/experimental/Security/CWE/CWE-377/InsecureTemporaryFile.ql

@@ -1,5 +1,5 @@
 /**
- * @name Insecure generation of filenames
+ * @name Insecure generation of filenames.
  * @description Using a predictable filename when creating a temporary file can lead to an attacker-controlled input.
  * @kind problem
  * @id cpp/insecure-generation-of-filename

cpp/ql/src/experimental/Security/CWE/CWE-476/DangerousUseOfExceptionBlocks.ql

@@ -1,5 +1,5 @@
 /**
- * @name Dangerous use of exception blocks
+ * @name Dangerous use of exception blocks.
  * @description When clearing the data in the catch block, you must be sure that the memory was allocated before the exception.
  * @kind problem
  * @id cpp/dangerous-use-of-exception-blocks