Bubble up changelog link tree

Demo files from changelog generator
Update docs/codeql/codeql-overview/codeql-changelog/index.rst
2026-05-26 09:01:22 +02:00 · 2023-11-20 22:02:49 +01:00 · 2023-11-20 01:32:49 +01:00 · 2023-11-19 23:27:37 +01:00 · 2023-11-16 17:44:30 +00:00 · 2023-11-16 14:09:55 +00:00
625 changed files with 37443 additions and 2473 deletions
--- a/cpp/ql/lib/change-notes/2023-10-31-odbc-models.md
+++ b/cpp/ql/lib/change-notes/2023-10-31-odbc-models.md
--- a/cpp/ql/lib/change-notes/2023-11-10-strlcpy-strlcat-models.md
+++ b/cpp/ql/lib/change-notes/2023-11-10-strlcpy-strlcat-models.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added models for `strlcpy` and `strlcat`.
--- a/cpp/ql/lib/change-notes/2023-11-15-return-stack-allocated-memory.md
+++ b/cpp/ql/lib/change-notes/2023-11-15-return-stack-allocated-memory.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Returning stack-allocated memory" (`cpp/return-stack-allocated-memory`) query now also detects returning stack-allocated memory allocated by calls to `alloca`, `strdupa`, and `strndupa`.
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll
@@ -81,6 +81,14 @@ class Node0Impl extends TIRDataFlowNode0 {
  /** Gets the operands corresponding to this node, if any. */
  Operand asOperand() { result = this.(OperandNode0).getOperand() }

+  /** Gets the location of this node. */
+  final Location getLocation() { result = this.getLocationImpl() }
+
+  /** INTERNAL: Do not use. */
+  Location getLocationImpl() {
+    none() // overridden by subclasses
+  }
+
  /** INTERNAL: Do not use. */
  string toStringImpl() {
    none() // overridden by subclasses
@@ -131,9 +139,15 @@ abstract class InstructionNode0 extends Node0Impl {
  override DataFlowType getType() { result = getInstructionType(instr, _) }

  override string toStringImpl() {
-    // This predicate is overridden in subclasses. This default implementation
-    // does not use `Instruction.toString` because that's expensive to compute.
-    result = instr.getOpcode().toString()
+    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = instr.getAst().toString()
+  }
+
+  override Location getLocationImpl() {
+    if exists(instr.getAst().getLocation())
+    then result = instr.getAst().getLocation()
+    else result instanceof UnknownDefaultLocation
  }

  final override predicate isGLValue() { exists(getInstructionType(instr, true)) }
@@ -173,7 +187,17 @@ abstract class OperandNode0 extends Node0Impl {

  override DataFlowType getType() { result = getOperandType(op, _) }

-  override string toStringImpl() { result = op.toString() }
+  override string toStringImpl() {
+    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
+    then result = "this"
+    else result = op.getDef().getAst().toString()
+  }
+
+  override Location getLocationImpl() {
+    if exists(op.getDef().getAst().getLocation())
+    then result = op.getDef().getAst().getLocation()
+    else result instanceof UnknownDefaultLocation
+  }

  final override predicate isGLValue() { exists(getOperandType(op, true)) }
 }
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
@@ -432,6 +432,10 @@ private class Node0 extends Node, TNode0 {

  override Declaration getFunction() { result = node.getFunction() }

+  override Location getLocationImpl() { result = node.getLocation() }
+
+  override string toStringImpl() { result = node.toString() }
+
  override DataFlowType getType() { result = node.getType() }

  override predicate isGLValue() { node.isGLValue() }
@@ -448,18 +452,6 @@ class InstructionNode extends Node0 {

  /** Gets the instruction corresponding to this node. */
  Instruction getInstruction() { result = instr }
-
-  override Location getLocationImpl() {
-    if exists(instr.getAst().getLocation())
-    then result = instr.getAst().getLocation()
-    else result instanceof UnknownDefaultLocation
-  }
-
-  override string toStringImpl() {
-    if instr.(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = instr.getAst().toString()
-  }
 }

 /**
@@ -473,18 +465,6 @@ class OperandNode extends Node, Node0 {

  /** Gets the operand corresponding to this node. */
  Operand getOperand() { result = op }
-
-  override Location getLocationImpl() {
-    if exists(op.getDef().getAst().getLocation())
-    then result = op.getDef().getAst().getLocation()
-    else result instanceof UnknownDefaultLocation
-  }
-
-  override string toStringImpl() {
-    if op.getDef().(InitializeParameterInstruction).getIRVariable() instanceof IRThisVariable
-    then result = "this"
-    else result = op.getDef().getAst().toString()
-  }
 }

 /**
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcat.qll
@@ -10,6 +10,8 @@ import semmle.code.cpp.models.interfaces.SideEffect

 /**
 * The standard function `strcat` and its wide, sized, and Microsoft variants.
+ *
+ * Does not include `strlcat`, which is covered by `StrlcatFunction`
 */
 class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, SideEffectFunction {
  StrcatFunction() {
@@ -90,3 +92,64 @@ class StrcatFunction extends TaintFunction, DataFlowFunction, ArrayFunction, Sid
    buffer = true
  }
 }
+
+/**
+ * The `strlcat` function.
+ */
+class StrlcatFunction extends TaintFunction, ArrayFunction, SideEffectFunction {
+  StrlcatFunction() {
+    this.hasGlobalName("strlcat") // strlcat(dst, src, dst_size)
+  }
+
+  /**
+   * Gets the index of the parameter that is the size of the copy (in characters).
+   */
+  int getParamSize() { result = 2 }
+
+  /**
+   * Gets the index of the parameter that is the source of the copy.
+   */
+  int getParamSrc() { result = 1 }
+
+  /**
+   * Gets the index of the parameter that is the destination to be appended to.
+   */
+  int getParamDest() { result = 0 }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    (
+      input.isParameter(2)
+      or
+      input.isParameterDeref(0)
+      or
+      input.isParameterDeref(1)
+    ) and
+    output.isParameterDeref(0)
+  }
+
+  override predicate hasArrayInput(int param) {
+    param = 0 or
+    param = 1
+  }
+
+  override predicate hasArrayOutput(int param) { param = 0 }
+
+  override predicate hasArrayWithNullTerminator(int param) { param = 1 }
+
+  override predicate hasArrayWithUnknownSize(int param) { param = 0 }
+
+  override predicate hasOnlySpecificReadSideEffects() { any() }
+
+  override predicate hasOnlySpecificWriteSideEffects() { any() }
+
+  override predicate hasSpecificWriteSideEffect(ParameterIndex i, boolean buffer, boolean mustWrite) {
+    i = 0 and
+    buffer = true and
+    mustWrite = false
+  }
+
+  override predicate hasSpecificReadSideEffect(ParameterIndex i, boolean buffer) {
+    (i = 0 or i = 1) and
+    buffer = true
+  }
+}
--- a/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll
@@ -32,7 +32,8 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
        "wcsxfrm_l", // _strxfrm_l(dest, src, max_amount, locale)
        "_mbsnbcpy", // _mbsnbcpy(dest, src, max_amount)
        "stpcpy", // stpcpy(dest, src)
-        "stpncpy" // stpcpy(dest, src, max_amount)
+        "stpncpy", // stpncpy(dest, src, max_amount)
+        "strlcpy" // strlcpy(dst, src, dst_size)
      ])
    or
    (
@@ -53,6 +54,11 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
   */
  private predicate isSVariant() { this.getName().matches("%\\_s") }

+  /**
+   * Holds if the function returns the total length the string would have had if the size was unlimited.
+   */
+  private predicate returnsTotalLength() { this.getName() = "strlcpy" }
+
  /**
   * Gets the index of the parameter that is the maximum size of the copy (in characters).
   */
@@ -60,7 +66,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    if this.isSVariant()
    then result = 1
    else (
-      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%"]) and
+      this.getName().matches(["%ncpy%", "%nbcpy%", "%xfrm%", "strlcpy"]) and
      result = 2
    )
  }
@@ -100,6 +106,7 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    input.isParameterDeref(this.getParamSrc()) and
    output.isReturnValueDeref()
    or
+    not this.returnsTotalLength() and
    input.isParameter(this.getParamDest()) and
    output.isReturnValue()
  }
@@ -110,8 +117,9 @@ class StrcpyFunction extends ArrayFunction, DataFlowFunction, TaintFunction, Sid
    exists(this.getParamSize()) and
    input.isParameterDeref(this.getParamSrc()) and
    (
-      output.isParameterDeref(this.getParamDest()) or
-      output.isReturnValueDeref()
+      output.isParameterDeref(this.getParamDest())
+      or
+      not this.returnsTotalLength() and output.isReturnValueDeref()
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/SemanticSSA.qll
@@ -22,8 +22,6 @@ class SemSsaExplicitUpdate extends SemSsaVariable {

  SemSsaExplicitUpdate() { Specific::explicitUpdate(this, sourceExpr) }

-  final SemExpr getSourceExpr() { result = sourceExpr }
-
  final SemExpr getDefiningExpr() { result = sourceExpr }
 }

--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ConstantAnalysis.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/ConstantAnalysis.qll
@@ -14,7 +14,7 @@ private predicate constantIntegerExpr(SemExpr e, int val) {
  // Copy of another constant
  exists(SemSsaExplicitUpdate v, SemExpr src |
    e = v.getAUse() and
-    src = v.getSourceExpr() and
+    src = v.getDefiningExpr() and
    constantIntegerExpr(src, val)
  )
  or
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisConstantSpecific.qll
@@ -22,30 +22,7 @@ module CppLangImplConstant implements LangSig<Sem, FloatDelta> {
  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }

  /**
-   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
+   * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
   */
-  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
-
-  /**
-   * Holds if the value of `dest` is known to be `src + delta`.
-   */
-  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
-
-  /**
-   * Gets the type that range analysis should use to track the result of the specified expression,
-   * if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateType(SemExpr e) { none() }
-
-  /**
-   * Gets the type that range analysis should use to track the result of the specified source
-   * variable, if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
+  predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisImpl.qll
@@ -1,7 +1,6 @@
 private import RangeAnalysisConstantSpecific
 private import RangeAnalysisRelativeSpecific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
-private import RangeUtils
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExpr
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticCFG
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticGuard
@@ -88,12 +87,18 @@ module Sem implements Semantic {

  class AddressType = SemAddressType;

+  SemType getExprType(SemExpr e) { result = e.getSemType() }
+
+  SemType getSsaType(SemSsaVariable var) { result = var.getType() }
+
  class SsaVariable = SemSsaVariable;

  class SsaPhiNode = SemSsaPhiNode;

  class SsaExplicitUpdate = SemSsaExplicitUpdate;

+  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, int delta) { none() }
+
  predicate conversionCannotOverflow(Type fromType, Type toType) {
    SemanticType::conversionCannotOverflow(fromType, toType)
  }
@@ -101,7 +106,7 @@ module Sem implements Semantic {

 module SignAnalysis implements SignAnalysisSig<Sem> {
  private import SignAnalysisCommon as SA
-  import SA::SignAnalysis<FloatDelta, Util>
+  import SA::SignAnalysis<FloatDelta>
 }

 module ConstantBounds implements BoundSig<SemLocation, Sem, FloatDelta> {
@@ -164,18 +169,16 @@ private module ModulusAnalysisInstantiated implements ModulusAnalysisSig<Sem> {
  class ModBound = AllBounds::SemBound;

  private import codeql.rangeanalysis.ModulusAnalysis as MA
-  import MA::ModulusAnalysis<SemLocation, Sem, FloatDelta, AllBounds, Util>
+  import MA::ModulusAnalysis<SemLocation, Sem, FloatDelta, AllBounds>
 }

-module Util = RangeUtil<FloatDelta, CppLangImplConstant>;
-
 module ConstantStage =
  RangeStage<SemLocation, Sem, FloatDelta, ConstantBounds, FloatOverflow, CppLangImplConstant,
-    SignAnalysis, ModulusAnalysisInstantiated, Util>;
+    SignAnalysis, ModulusAnalysisInstantiated>;

 module RelativeStage =
  RangeStage<SemLocation, Sem, FloatDelta, RelativeBounds, FloatOverflow, CppLangImplRelative,
-    SignAnalysis, ModulusAnalysisInstantiated, Util>;
+    SignAnalysis, ModulusAnalysisInstantiated>;

 private newtype TSemReason =
  TSemNoReason() or
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeAnalysisRelativeSpecific.qll
@@ -54,30 +54,7 @@ module CppLangImplRelative implements LangSig<Sem, FloatDelta> {
  predicate hasConstantBound(SemExpr e, float bound, boolean upper) { none() }

  /**
-   * Holds if `e >= bound + delta` (if `upper = false`) or `e <= bound + delta` (if `upper = true`).
+   * Holds if `e2 >= e1 + delta` (if `upper = false`) or `e2 <= e1 + delta` (if `upper = true`).
   */
-  predicate hasBound(SemExpr e, SemExpr bound, float delta, boolean upper) { none() }
-
-  /**
-   * Holds if the value of `dest` is known to be `src + delta`.
-   */
-  predicate additionalValueFlowStep(SemExpr dest, SemExpr src, float delta) { none() }
-
-  /**
-   * Gets the type that range analysis should use to track the result of the specified expression,
-   * if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateType(SemExpr e) { none() }
-
-  /**
-   * Gets the type that range analysis should use to track the result of the specified source
-   * variable, if a type other than the original type of the expression is to be used.
-   *
-   * This predicate is commonly used in languages that support immutable "boxed" types that are
-   * actually references but whose values can be tracked as the type contained in the box.
-   */
-  SemType getAlternateTypeForSsaVariable(SemSsaVariable var) { none() }
+  predicate additionalBoundFlowStep(SemExpr e2, SemExpr e1, float delta, boolean upper) { none() }
 }
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeUtils.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/RangeUtils.qll
@@ -1,136 +0,0 @@
-/**
- * Provides utility predicates for range analysis.
- */
-
-private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
-private import RangeAnalysisRelativeSpecific
-private import codeql.rangeanalysis.RangeAnalysis
-private import RangeAnalysisImpl
-private import ConstantAnalysis
-
-module RangeUtil<DeltaSig D, LangSig<Sem, D> Lang> implements UtilSig<Sem, D> {
-  /**
-   * Gets an expression that equals `v - d`.
-   */
-  private SemExpr semSsaRead(SemSsaVariable v, D::Delta delta) {
-    // There are various language-specific extension points that can be removed once we no longer
-    // expect to match the original Java implementation's results exactly.
-    result = v.getAUse() and delta = D::fromInt(0)
-    or
-    exists(D::Delta d1, SemConstantIntegerExpr c |
-      result.(SemAddExpr).hasOperands(semSsaRead(v, d1), c) and
-      delta = D::fromFloat(D::toFloat(d1) - c.getIntValue())
-    )
-    or
-    exists(SemSubExpr sub, D::Delta d1, SemConstantIntegerExpr c |
-      result = sub and
-      sub.getLeftOperand() = semSsaRead(v, d1) and
-      sub.getRightOperand() = c and
-      delta = D::fromFloat(D::toFloat(d1) + c.getIntValue())
-    )
-    or
-    result = v.(SemSsaExplicitUpdate).getSourceExpr() and
-    delta = D::fromFloat(0)
-    or
-    result.(SemCopyValueExpr).getOperand() = semSsaRead(v, delta)
-    or
-    result.(SemStoreExpr).getOperand() = semSsaRead(v, delta)
-  }
-
-  /**
-   * Gets a condition that tests whether `v` equals `e + delta`.
-   *
-   * If the condition evaluates to `testIsTrue`:
-   * - `isEq = true`  : `v == e + delta`
-   * - `isEq = false` : `v != e + delta`
-   */
-  pragma[nomagic]
-  SemGuard semEqFlowCond(
-    SemSsaVariable v, SemExpr e, D::Delta delta, boolean isEq, boolean testIsTrue
-  ) {
-    exists(boolean eqpolarity |
-      result.isEquality(semSsaRead(v, delta), e, eqpolarity) and
-      (testIsTrue = true or testIsTrue = false) and
-      eqpolarity.booleanXor(testIsTrue).booleanNot() = isEq
-    )
-    or
-    exists(boolean testIsTrue0 |
-      semImplies_v2(result, testIsTrue, semEqFlowCond(v, e, delta, isEq, testIsTrue0), testIsTrue0)
-    )
-  }
-
-  /**
-   * Holds if `v` is an `SsaExplicitUpdate` that equals `e + delta`.
-   */
-  predicate semSsaUpdateStep(SemSsaExplicitUpdate v, SemExpr e, D::Delta delta) {
-    exists(SemExpr defExpr | defExpr = v.getSourceExpr() |
-      defExpr.(SemCopyValueExpr).getOperand() = e and delta = D::fromFloat(0)
-      or
-      defExpr.(SemStoreExpr).getOperand() = e and delta = D::fromFloat(0)
-      or
-      defExpr.(SemAddOneExpr).getOperand() = e and delta = D::fromFloat(1)
-      or
-      defExpr.(SemSubOneExpr).getOperand() = e and delta = D::fromFloat(-1)
-      or
-      e = defExpr and
-      not (
-        defExpr instanceof SemCopyValueExpr or
-        defExpr instanceof SemStoreExpr or
-        defExpr instanceof SemAddOneExpr or
-        defExpr instanceof SemSubOneExpr
-      ) and
-      delta = D::fromFloat(0)
-    )
-  }
-
-  /**
-   * Holds if `e1 + delta` equals `e2`.
-   */
-  predicate semValueFlowStep(SemExpr e2, SemExpr e1, D::Delta delta) {
-    e2.(SemCopyValueExpr).getOperand() = e1 and delta = D::fromFloat(0)
-    or
-    e2.(SemStoreExpr).getOperand() = e1 and delta = D::fromFloat(0)
-    or
-    e2.(SemAddOneExpr).getOperand() = e1 and delta = D::fromFloat(1)
-    or
-    e2.(SemSubOneExpr).getOperand() = e1 and delta = D::fromFloat(-1)
-    or
-    Lang::additionalValueFlowStep(e2, e1, delta)
-    or
-    exists(SemExpr x | e2.(SemAddExpr).hasOperands(e1, x) |
-      D::fromInt(x.(SemConstantIntegerExpr).getIntValue()) = delta
-    )
-    or
-    exists(SemExpr x, SemSubExpr sub |
-      e2 = sub and
-      sub.getLeftOperand() = e1 and
-      sub.getRightOperand() = x
-    |
-      D::fromInt(-x.(SemConstantIntegerExpr).getIntValue()) = delta
-    )
-  }
-
-  /**
-   * Gets the type used to track the specified expression's range information.
-   *
-   * Usually, this just `e.getSemType()`, but the language can override this to track immutable boxed
-   * primitive types as the underlying primitive type.
-   */
-  SemType getTrackedType(SemExpr e) {
-    result = Lang::getAlternateType(e)
-    or
-    not exists(Lang::getAlternateType(e)) and result = e.getSemType()
-  }
-
-  /**
-   * Gets the type used to track the specified source variable's range information.
-   *
-   * Usually, this just `e.getType()`, but the language can override this to track immutable boxed
-   * primitive types as the underlying primitive type.
-   */
-  SemType getTrackedTypeForSsaVariable(SemSsaVariable var) {
-    result = Lang::getAlternateTypeForSsaVariable(var)
-    or
-    not exists(Lang::getAlternateTypeForSsaVariable(var)) and result = var.getType()
-  }
-}
--- a/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll
+++ b/cpp/ql/lib/semmle/code/cpp/rangeanalysis/new/internal/semantic/analysis/SignAnalysisCommon.qll
@@ -11,10 +11,9 @@ private import RangeAnalysisImpl
 private import SignAnalysisSpecific as Specific
 private import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 private import ConstantAnalysis
-private import RangeUtils
 private import Sign

-module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
+module SignAnalysis<DeltaSig D> {
  private import codeql.rangeanalysis.internal.RangeUtils::MakeUtils<Sem, D>

  /**
@@ -39,7 +38,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {

  /** An SSA definition whose sign is determined by the sign of that definitions source expression. */
  private class ExplicitSignDef extends FlowSignDef instanceof SemSsaExplicitUpdate {
-    final override Sign getSign() { result = semExprSign(super.getSourceExpr()) }
+    final override Sign getSign() { result = semExprSign(super.getDefiningExpr()) }
  }

  /** An SSA Phi definition, whose sign is the union of the signs of its inputs. */
@@ -148,7 +147,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
      not this instanceof ConstantSignExpr and
      (
        // Only track numeric types.
-        Utils::getTrackedType(this) instanceof SemNumericType
+        Sem::getExprType(this) instanceof SemNumericType
        or
        // Unless the language says to track this expression anyway.
        Specific::trackUnknownNonNumericExpr(this)
@@ -203,7 +202,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {

  /** An expression of an unsigned type. */
  private class UnsignedExpr extends FlowSignExpr {
-    UnsignedExpr() { Utils::getTrackedType(this) instanceof SemUnsignedIntegerType }
+    UnsignedExpr() { Sem::getExprType(this) instanceof SemUnsignedIntegerType }

    override Sign getSignRestriction() {
      result = TPos() or
@@ -276,7 +275,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
    override SemUnboxExpr cast;

    UnboxSignExpr() {
-      exists(SemType fromType | fromType = Utils::getTrackedType(cast.getOperand()) |
+      exists(SemType fromType | fromType = Sem::getExprType(cast.getOperand()) |
        // Only numeric source types are handled here.
        fromType instanceof SemNumericType
      )
@@ -471,7 +470,7 @@ module SignAnalysis<DeltaSig D, UtilSig<Sem, D> Utils> {
  Sign semExprSign(SemExpr e) {
    exists(Sign s | s = e.(SignExpr).getSign() |
      if
-        Utils::getTrackedType(e) instanceof SemUnsignedIntegerType and
+        Sem::getExprType(e) instanceof SemUnsignedIntegerType and
        s = TNeg() and
        not Specific::ignoreTypeRestrictions(e)
      then result = TPos()
--- a/Management/ReturnStackAllocatedMemory.ql
+++ b/Management/ReturnStackAllocatedMemory.ql
@@ -27,16 +27,26 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
  ReturnStackAllocatedMemoryConfig() { this = "ReturnStackAllocatedMemoryConfig" }

  override predicate isSource(Instruction source) {
-    // Holds if `source` is a node that represents the use of a stack variable
-    exists(VariableAddressInstruction var, Function func |
-      var = source and
-      func = source.getEnclosingFunction() and
-      var.getAstVariable() instanceof StackVariable and
-      // Pointer-to-member types aren't properly handled in the dbscheme.
-      not var.getResultType() instanceof PointerToMemberType and
+    exists(Function func |
      // Rule out FPs caused by extraction errors.
      not any(ErrorExpr e).getEnclosingFunction() = func and
-      not intentionallyReturnsStackPointer(func)
+      not intentionallyReturnsStackPointer(func) and
+      func = source.getEnclosingFunction()
+    |
+      // `source` is an instruction that represents the use of a stack variable
+      exists(VariableAddressInstruction var |
+        var = source and
+        var.getAstVariable() instanceof StackVariable and
+        // Pointer-to-member types aren't properly handled in the dbscheme.
+        not var.getResultType() instanceof PointerToMemberType
+      )
+      or
+      // `source` is an instruction that represents the return value of a
+      // function that is known to return stack-allocated memory.
+      exists(Call call |
+        call.getTarget().hasGlobalName(["alloca", "strdupa", "strndupa", "_alloca", "_malloca"]) and
+        source.getUnconvertedResultExpression() = call
+      )
    )
  }

@@ -85,10 +95,10 @@ class ReturnStackAllocatedMemoryConfig extends MustFlowConfiguration {
 }

 from
-  MustFlowPathNode source, MustFlowPathNode sink, VariableAddressInstruction var,
+  MustFlowPathNode source, MustFlowPathNode sink, Instruction instr,
  ReturnStackAllocatedMemoryConfig conf
 where
  conf.hasFlowPath(pragma[only_bind_into](source), pragma[only_bind_into](sink)) and
-  source.getInstruction() = var
+  source.getInstruction() = instr
 select sink.getInstruction(), source, sink, "May return stack-allocated memory from $@.",
-  var.getAst(), var.getAst().toString()
+  instr.getAst(), instr.getAst().toString()
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -14,25 +14,47 @@

 import cpp
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.security.FlowSources
+import semmle.code.cpp.ir.dataflow.TaintTracking
+import semmle.code.cpp.ir.IR
+import Flow::PathGraph

-predicate isProcessOperationExplanation(Expr arg, string processOperation) {
+predicate isProcessOperationExplanation(DataFlow::Node arg, string processOperation) {
  exists(int processOperationArg, FunctionCall call |
    isProcessOperationArgument(processOperation, processOperationArg) and
    call.getTarget().getName() = processOperation and
-    call.getArgument(processOperationArg) = arg
+    call.getArgument(processOperationArg) = [arg.asExpr(), arg.asIndirectExpr()]
  )
 }

-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element arg) { isProcessOperationExplanation(arg, _) }
+predicate isSource(FlowSource source, string sourceType) {
+  not source instanceof DataFlow::ExprNode and
+  sourceType = source.getSourceType()
 }

-from string processOperation, Expr arg, Expr source, PathNode sourceNode, PathNode sinkNode
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node node) { isSource(node, _) }
+
+  predicate isSink(DataFlow::Node node) { isProcessOperationExplanation(node, _) }
+
+  predicate isBarrier(DataFlow::Node node) {
+    isSink(node) and node.asExpr().getUnspecifiedType() instanceof ArithmeticType
+    or
+    node.asInstruction().(StoreInstruction).getResultType() instanceof ArithmeticType
+  }
+}
+
+module Flow = TaintTracking::Global<Config>;
+
+from
+  string processOperation, string sourceType, DataFlow::Node source, DataFlow::Node sink,
+  Flow::PathNode sourceNode, Flow::PathNode sinkNode
 where
-  isProcessOperationExplanation(arg, processOperation) and
-  taintedWithPath(source, arg, sourceNode, sinkNode)
-select arg, sourceNode, sinkNode,
+  source = sourceNode.getNode() and
+  sink = sinkNode.getNode() and
+  isSource(source, sourceType) and
+  isProcessOperationExplanation(sink, processOperation) and
+  Flow::flowPath(sourceNode, sinkNode)
+select sink, sourceNode, sinkNode,
  "The value of this argument may come from $@ and is being passed to " + processOperation + ".",
-  source, source.toString()
+  source, sourceType
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -52,16 +52,17 @@ predicate isUnboundedWrite(BufferWrite bw) {
 * Holds if `e` is a source buffer going into an unbounded write `bw` or a
 * qualifier of (a qualifier of ...) such a source.
 */
-predicate unboundedWriteSource(Expr e, BufferWrite bw) {
-  isUnboundedWrite(bw) and e = bw.getASource()
+predicate unboundedWriteSource(Expr e, BufferWrite bw, boolean qualifier) {
+  isUnboundedWrite(bw) and e = bw.getASource() and qualifier = false
  or
-  exists(FieldAccess fa | unboundedWriteSource(fa, bw) and e = fa.getQualifier())
+  exists(FieldAccess fa | unboundedWriteSource(fa, bw, _) and e = fa.getQualifier()) and
+  qualifier = true
 }

 predicate isSource(FS::FlowSource source, string sourceType) { source.getSourceType() = sourceType }

-predicate isSink(DataFlow::Node sink, BufferWrite bw) {
-  unboundedWriteSource(sink.asIndirectExpr(), bw)
+predicate isSink(DataFlow::Node sink, BufferWrite bw, boolean qualifier) {
+  unboundedWriteSource(sink.asIndirectExpr(), bw, qualifier)
  or
  // `gets` and `scanf` reads from stdin so there's no real input.
  // The `BufferWrite` library models this as the call itself being
@@ -69,7 +70,7 @@ predicate isSink(DataFlow::Node sink, BufferWrite bw) {
  // the sink so that we report a path where source = sink (because
  // the same output argument is also included in `isSource`).
  bw.getASource() = bw and
-  unboundedWriteSource(sink.asDefiningArgument(), bw)
+  unboundedWriteSource(sink.asDefiningArgument(), bw, qualifier)
 }

 predicate lessThanOrEqual(IRGuardCondition g, Expr e, boolean branch) {
@@ -84,9 +85,9 @@ predicate lessThanOrEqual(IRGuardCondition g, Expr e, boolean branch) {
 module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) { isSource(source, _) }

-  predicate isSink(DataFlow::Node sink) { isSink(sink, _) }
+  predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }

-  predicate isBarrierOut(DataFlow::Node node) { isSink(node) }
+  predicate isBarrierOut(DataFlow::Node node) { isSink(node, _, false) }

  predicate isBarrier(DataFlow::Node node) {
    // Block flow if the node is guarded by any <, <= or = operations.
@@ -116,7 +117,7 @@ from BufferWrite bw, Flow::PathNode source, Flow::PathNode sink, string sourceTy
 where
  Flow::flowPath(source, sink) and
  isSource(source.getNode(), sourceType) and
-  isSink(sink.getNode(), bw)
+  isSink(sink.getNode(), bw, _)
 select bw, source, sink,
  "This '" + bw.getBWDesc() + "' with input from $@ may overflow the destination.",
  source.getNode(), sourceType
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.c
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.c
@@ -1,24 +0,0 @@
-#include <stdio.h>
-
-char *copy;
-
-void copyArgv(char **argv) {
-	copy = argv[1];
-}
-
-void printWrapper(char *str) {
-	printf(str);
-}
-
-int main(int argc, char **argv) {
-	copyArgv(argv);
-
-	// This should be avoided
-	printf(copy);
-
-	// This should be avoided too, because it has the same effect
-	printWrapper(copy);
-
-	// This is fine
-	printf("%s", copy);
-}
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.qhelp
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.qhelp
@@ -1,36 +0,0 @@
-<!DOCTYPE qhelp PUBLIC
-  "-//Semmle//qhelp//EN"
-  "qhelp.dtd">
-<qhelp>
-<overview>
-<p>The program uses input from the user, propagated via a global variable, as a format string for <code>printf</code> style functions. 
-This can lead to buffer overflows or data representation problems. An attacker can exploit this weakness to crash the program, 
-disclose information or even execute arbitrary code.</p>
-
-<p>This rule only identifies inputs from the user that are transferred through global variables before being used in <code>printf</code> style functions.
-Analyzing the flow of data through global variables is more prone to errors and so this rule may identify some examples of code where 
-the input is not really from the user. For example, when a global variable is set in two places, one that comes from the user and one that does not.
-In this case we would mark all usages of the global variable as input from the user, but the input from the user may always came after the call to the
-<code>printf</code> style functions.</p>
-
-<p>The results of this rule should be considered alongside the related rule "Uncontrolled format string" which tracks the flow of the 
-values input by a user, excluding global variables, until the values are used as the format argument for a <code>printf</code> like function call.</p>
-
-</overview>
-<recommendation>
-<p>Use constant expressions as the format strings. If you need to print a value from the user, use <code>printf("%s", value_from_user)</code>.</p>
-
-</recommendation>
-<example>
-<sample src="UncontrolledFormatStringThroughGlobalVar.c" />
-
-</example>
-<references>
-
-<li>CERT C Coding
-Standard: <a href="https://www.securecoding.cert.org/confluence/display/c/FIO30-C.+Exclude+user+input+from+format+strings">FIO30-C. Exclude
-user input from format strings</a>.</li>
-
-
-</references>
-</qhelp>
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
@@ -1,40 +0,0 @@
-/**
- * @name Uncontrolled format string (through global variable)
- * @description Using externally-controlled format strings in
- *              printf-style functions can lead to buffer overflows
- *              or data representation problems.
- * @kind path-problem
- * @problem.severity warning
- * @security-severity 9.3
- * @precision high
- * @id cpp/tainted-format-string-through-global
- * @tags reliability
- *       security
- *       external/cwe/cwe-134
- */
-
-import cpp
-import semmle.code.cpp.security.FunctionWithWrappers
-import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
-
-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element tainted) {
-    exists(PrintfLikeFunction printf | printf.outermostWrapperFunctionCall(tainted, _))
-  }
-
-  override predicate taintThroughGlobals() { any() }
-}
-
-from
-  PrintfLikeFunction printf, Expr arg, PathNode sourceNode, PathNode sinkNode,
-  string printfFunction, Expr userValue, string cause
-where
-  printf.outermostWrapperFunctionCall(arg, printfFunction) and
-  not taintedWithoutGlobals(arg) and
-  taintedWithPath(userValue, arg, sourceNode, sinkNode) and
-  isUserInput(userValue, cause)
-select arg, sourceNode, sinkNode,
-  "The value of this argument may come from $@ and is being used as a formatting argument to " +
-    printfFunction + ".", userValue, cause
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -14,10 +14,13 @@

 import cpp
 import semmle.code.cpp.security.Overflow
-import semmle.code.cpp.security.Security
-import semmle.code.cpp.ir.dataflow.internal.DefaultTaintTrackingImpl
-import TaintedWithPath
+import semmle.code.cpp.dataflow.new.TaintTracking
+import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.ir.IR
+import semmle.code.cpp.controlflow.IRGuards as IRGuards
+import semmle.code.cpp.security.FlowSources as FS
 import Bounded
+import Flow::PathGraph

 bindingset[op]
 predicate missingGuard(Operation op, Expr e, string effect) {
@@ -28,28 +31,90 @@ predicate missingGuard(Operation op, Expr e, string effect) {
  not e instanceof VariableAccess and effect = "overflow"
 }

-class Configuration extends TaintTrackingConfiguration {
-  override predicate isSink(Element e) {
-    exists(Operation op |
-      missingGuard(op, e, _) and
-      op.getAnOperand() = e
-    |
-      op instanceof UnaryArithmeticOperation or
-      op instanceof BinaryArithmeticOperation or
-      op instanceof AssignArithmeticOperation
-    )
-  }
+predicate isSource(FS::FlowSource source, string sourceType) { sourceType = source.getSourceType() }

-  override predicate isBarrier(Expr e) {
-    super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
+predicate isSink(DataFlow::Node sink, Operation op, Expr e) {
+  e = sink.asExpr() and
+  missingGuard(op, e, _) and
+  op.getAnOperand() = e and
+  (
+    op instanceof UnaryArithmeticOperation or
+    op instanceof BinaryArithmeticOperation or
+    op instanceof AssignArithmeticOperation
+  )
+}
+
+predicate hasUpperBoundsCheck(Variable var) {
+  exists(RelationalOperation oper, VariableAccess access |
+    oper.getAnOperand() = access and
+    access.getTarget() = var and
+    // Comparing to 0 is not an upper bound check
+    not oper.getAnOperand().getValue() = "0"
+  )
+}
+
+predicate constantInstruction(Instruction instr) {
+  instr instanceof ConstantInstruction or
+  constantInstruction(instr.(UnaryInstruction).getUnary())
+}
+
+predicate readsVariable(LoadInstruction load, Variable var) {
+  load.getSourceAddress().(VariableAddressInstruction).getAstVariable() = var
+}
+
+predicate nodeIsBarrierEqualityCandidate(DataFlow::Node node, Operand access, Variable checkedVar) {
+  exists(Instruction instr | instr = node.asInstruction() |
+    readsVariable(instr, checkedVar) and
+    any(IRGuards::IRGuardCondition guard).ensuresEq(access, _, _, instr.getBlock(), true)
+  )
+}
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { isSource(source, _) }
+
+  predicate isSink(DataFlow::Node sink) { isSink(sink, _, _) }
+
+  predicate isBarrier(DataFlow::Node node) {
+    exists(StoreInstruction store | store = node.asInstruction() |
+      // Block flow to "likely small expressions"
+      bounded(store.getSourceValue().getUnconvertedResultExpression())
+      or
+      // Block flow to "small types"
+      store.getResultType().getUnspecifiedType().(IntegralType).getSize() <= 1
+    )
+    or
+    // Block flow if there's an upper bound check of the variable anywhere in the program
+    exists(Variable checkedVar, Instruction instr | instr = node.asInstruction() |
+      readsVariable(instr, checkedVar) and
+      hasUpperBoundsCheck(checkedVar)
+    )
+    or
+    // Block flow if the node is guarded by an equality check
+    exists(Variable checkedVar, Operand access |
+      nodeIsBarrierEqualityCandidate(node, access, checkedVar) and
+      readsVariable(access.getDef(), checkedVar)
+    )
+    or
+    // Block flow to any binary instruction whose operands are both non-constants.
+    exists(BinaryInstruction iTo |
+      iTo = node.asInstruction() and
+      not constantInstruction(iTo.getLeft()) and
+      not constantInstruction(iTo.getRight()) and
+      // propagate taint from either the pointer or the offset, regardless of constantness
+      not iTo instanceof PointerArithmeticInstruction
+    )
  }
 }

-from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
+module Flow = TaintTracking::Global<Config>;
+
+from
+  Expr e, string effect, Flow::PathNode source, Flow::PathNode sink, Operation op, string sourceType
 where
-  taintedWithPath(origin, e, sourceNode, sinkNode) and
-  op.getAnOperand() = e and
+  Flow::flowPath(source, sink) and
+  isSource(source.getNode(), sourceType) and
+  isSink(sink.getNode(), op, e) and
  missingGuard(op, e, effect)
-select e, sourceNode, sinkNode,
+select e, source, sink,
  "$@ flows to an operand of an arithmetic expression, potentially causing an " + effect + ".",
-  origin, "User-provided value"
+  source, sourceType
--- a/cpp/ql/src/Summary/LinesOfCode.ql
+++ b/cpp/ql/src/Summary/LinesOfCode.ql
@@ -4,6 +4,7 @@
 * @description The total number of lines of C/C++ code across all files, including system headers, libraries, and auto-generated files. This is a useful metric of the size of a database. For all files that were seen during the build, this query counts the lines of code, excluding whitespace or comments.
 * @kind metric
 * @tags summary
+ *       telemetry
 */

 import cpp
--- a/cpp/ql/src/change-notes/2023-11-16-tainted-format-string-through-global-deleted.md
+++ b/cpp/ql/src/change-notes/2023-11-16-tainted-format-string-through-global-deleted.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The `cpp/tainted-format-string-through-global` query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from `cpp/tainted-format-string`.
--- a/cpp/ql/test/library-tests/ir/modulus-analysis/ModulusAnalysis.ql
+++ b/cpp/ql/test/library-tests/ir/modulus-analysis/ModulusAnalysis.ql
@@ -2,7 +2,6 @@ import cpp
 import codeql.rangeanalysis.ModulusAnalysis
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticLocation
-import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeUtils
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysisRelativeSpecific
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysisImpl
@@ -10,9 +9,7 @@ import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
 import semmle.code.cpp.ir.IR as IR
 import TestUtilities.InlineExpectationsTest

-module ModulusAnalysisInstantiated =
-  ModulusAnalysis<SemLocation, Sem, FloatDelta, ConstantBounds,
-    RangeUtil<FloatDelta, CppLangImplRelative>>;
+module ModulusAnalysisInstantiated = ModulusAnalysis<SemLocation, Sem, FloatDelta, ConstantBounds>;

 module ModulusAnalysisTest implements TestSig {
  string getARelevantTag() { result = "mod" }
--- a/cpp/ql/test/library-tests/ir/sign-analysis/SignAnalysis.ql
+++ b/cpp/ql/test/library-tests/ir/sign-analysis/SignAnalysis.ql
@@ -1,15 +1,13 @@
 import cpp
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.SignAnalysisCommon
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.Semantic
-import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeUtils
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.FloatDelta
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.analysis.RangeAnalysisRelativeSpecific
 import semmle.code.cpp.rangeanalysis.new.internal.semantic.SemanticExprSpecific
 import semmle.code.cpp.ir.IR as IR
 import TestUtilities.InlineExpectationsTest

-module SignAnalysisInstantiated =
-  SignAnalysis<FloatDelta, RangeUtil<FloatDelta, CppLangImplRelative>>;
+module SignAnalysisInstantiated = SignAnalysis<FloatDelta>;

 module SignAnalysisTest implements TestSig {
  string getARelevantTag() { result = "sign" }
--- a/Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected
+++ b/Management/ReturnStackAllocatedMemory/ReturnStackAllocatedMemory.expected
@@ -43,6 +43,11 @@ edges
 | test.cpp:189:16:189:16 | p | test.cpp:189:16:189:16 | (reference to) |
 | test.cpp:190:10:190:13 | (reference dereference) | test.cpp:190:10:190:13 | (reference to) |
 | test.cpp:190:10:190:13 | pRef | test.cpp:190:10:190:13 | (reference dereference) |
+| test.cpp:237:12:237:17 | call to alloca | test.cpp:237:12:237:17 | call to alloca |
+| test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p |
+| test.cpp:249:13:249:20 | call to strndupa | test.cpp:249:13:249:20 | call to strndupa |
+| test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | s2 |
+| test.cpp:250:9:250:10 | s2 | test.cpp:250:9:250:10 | (void *)... |
 nodes
 | test.cpp:17:9:17:11 | & ... | semmle.label | & ... |
 | test.cpp:17:10:17:11 | mc | semmle.label | mc |
@@ -101,6 +106,14 @@ nodes
 | test.cpp:190:10:190:13 | (reference dereference) | semmle.label | (reference dereference) |
 | test.cpp:190:10:190:13 | (reference to) | semmle.label | (reference to) |
 | test.cpp:190:10:190:13 | pRef | semmle.label | pRef |
+| test.cpp:237:12:237:17 | call to alloca | semmle.label | call to alloca |
+| test.cpp:237:12:237:17 | call to alloca | semmle.label | call to alloca |
+| test.cpp:238:9:238:9 | p | semmle.label | p |
+| test.cpp:245:9:245:15 | call to strdupa | semmle.label | call to strdupa |
+| test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa |
+| test.cpp:249:13:249:20 | call to strndupa | semmle.label | call to strndupa |
+| test.cpp:250:9:250:10 | (void *)... | semmle.label | (void *)... |
+| test.cpp:250:9:250:10 | s2 | semmle.label | s2 |
 #select
 | test.cpp:17:9:17:11 | CopyValue: & ... | test.cpp:17:10:17:11 | mc | test.cpp:17:9:17:11 | & ... | May return stack-allocated memory from $@. | test.cpp:17:10:17:11 | mc | mc |
 | test.cpp:25:9:25:11 | Load: ptr | test.cpp:23:18:23:19 | mc | test.cpp:25:9:25:11 | ptr | May return stack-allocated memory from $@. | test.cpp:23:18:23:19 | mc | mc |
@@ -115,3 +128,6 @@ nodes
 | test.cpp:177:10:177:23 | Convert: (void *)... | test.cpp:176:25:176:34 | localArray | test.cpp:177:10:177:23 | (void *)... | May return stack-allocated memory from $@. | test.cpp:176:25:176:34 | localArray | localArray |
 | test.cpp:183:10:183:19 | CopyValue: (reference to) | test.cpp:182:21:182:27 | myLocal | test.cpp:183:10:183:19 | (reference to) | May return stack-allocated memory from $@. | test.cpp:182:21:182:27 | myLocal | myLocal |
 | test.cpp:190:10:190:13 | CopyValue: (reference to) | test.cpp:189:16:189:16 | p | test.cpp:190:10:190:13 | (reference to) | May return stack-allocated memory from $@. | test.cpp:189:16:189:16 | p | p |
+| test.cpp:238:9:238:9 | Load: p | test.cpp:237:12:237:17 | call to alloca | test.cpp:238:9:238:9 | p | May return stack-allocated memory from $@. | test.cpp:237:12:237:17 | call to alloca | call to alloca |
+| test.cpp:245:9:245:15 | Call: call to strdupa | test.cpp:245:9:245:15 | call to strdupa | test.cpp:245:9:245:15 | call to strdupa | May return stack-allocated memory from $@. | test.cpp:245:9:245:15 | call to strdupa | call to strdupa |
+| test.cpp:250:9:250:10 | Convert: (void *)... | test.cpp:249:13:249:20 | call to strndupa | test.cpp:250:9:250:10 | (void *)... | May return stack-allocated memory from $@. | test.cpp:249:13:249:20 | call to strndupa | call to strndupa |
--- a/Management/ReturnStackAllocatedMemory/test.cpp
+++ b/Management/ReturnStackAllocatedMemory/test.cpp
@@ -229,4 +229,23 @@ int* id(int* px) {
 void f() {
  int x;
  int* px = id(&x); // GOOD
+}
+
+void *alloca(size_t);
+
+void* test_alloca() {
+	void* p = alloca(10);
+	return p; // BAD
+}
+
+char *strdupa(const char *);
+char *strndupa(const char *, size_t);
+
+char* test_strdupa(const char* s) {
+	return strdupa(s); // BAD
+}
+
+void* test_strndupa(const char* s, size_t size) {
+	char* s2 = strndupa(s, size);
+	return s2; // BAD
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/SAMATE/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -1,23 +1,12 @@
 edges
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
-| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:64:30:64:35 | call to getenv | test.cpp:73:24:73:27 | data indirection |
-| test.cpp:73:24:73:27 | data | test.cpp:37:73:37:76 | data |
+| test.cpp:37:73:37:76 | data indirection | test.cpp:43:32:43:35 | data indirection |
+| test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:73:24:73:27 | data indirection |
 | test.cpp:73:24:73:27 | data indirection | test.cpp:37:73:37:76 | data indirection |
-subpaths
 nodes
-| test.cpp:37:73:37:76 | data | semmle.label | data |
 | test.cpp:37:73:37:76 | data indirection | semmle.label | data indirection |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:43:32:43:35 | data | semmle.label | data |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:64:30:64:35 | call to getenv | semmle.label | call to getenv |
-| test.cpp:73:24:73:27 | data | semmle.label | data |
+| test.cpp:43:32:43:35 | data indirection | semmle.label | data indirection |
+| test.cpp:64:30:64:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:73:24:73:27 | data indirection | semmle.label | data indirection |
+subpaths
 #select
-| test.cpp:43:32:43:35 | data | test.cpp:64:30:64:35 | call to getenv | test.cpp:43:32:43:35 | data | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv | call to getenv |
+| test.cpp:43:32:43:35 | data indirection | test.cpp:64:30:64:35 | call to getenv indirection | test.cpp:43:32:43:35 | data indirection | The value of this argument may come from $@ and is being passed to LoadLibraryA. | test.cpp:64:30:64:35 | call to getenv indirection | an environment variable |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-114/semmle/UncontrolledProcessOperation/UncontrolledProcessOperation.expected
@@ -1,112 +1,48 @@
 edges
-| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
-| test.cpp:24:30:24:36 | command | test.cpp:26:10:26:16 | command |
-| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
-| test.cpp:29:30:29:36 | command | test.cpp:31:10:31:16 | command |
-| test.cpp:42:18:42:23 | call to getenv | test.cpp:24:30:24:36 | command |
-| test.cpp:42:18:42:34 | call to getenv | test.cpp:24:30:24:36 | command |
-| test.cpp:43:18:43:23 | call to getenv | test.cpp:29:30:29:36 | command |
-| test.cpp:43:18:43:34 | call to getenv | test.cpp:29:30:29:36 | command |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
-| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
-| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
-| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
-| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-| test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr |
-subpaths
+| test.cpp:24:30:24:36 | command indirection | test.cpp:26:10:26:16 | command indirection |
+| test.cpp:29:30:29:36 | command indirection | test.cpp:31:10:31:16 | command indirection |
+| test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:24:30:24:36 | command indirection |
+| test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:29:30:29:36 | command indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection |
+| test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection |
+| test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection |
+| test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection |
+| test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection |
+| test.cpp:113:8:113:12 | call to fgets indirection | test.cpp:114:9:114:11 | ptr indirection |
 nodes
-| test.cpp:24:30:24:36 | command | semmle.label | command |
-| test.cpp:26:10:26:16 | command | semmle.label | command |
-| test.cpp:26:10:26:16 | command | semmle.label | command |
-| test.cpp:29:30:29:36 | command | semmle.label | command |
-| test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:31:10:31:16 | command | semmle.label | command |
-| test.cpp:42:18:42:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:42:18:42:34 | call to getenv | semmle.label | call to getenv |
-| test.cpp:43:18:43:23 | call to getenv | semmle.label | call to getenv |
-| test.cpp:43:18:43:34 | call to getenv | semmle.label | call to getenv |
-| test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
-| test.cpp:56:12:56:17 | buffer | semmle.label | buffer |
+| test.cpp:24:30:24:36 | command indirection | semmle.label | command indirection |
+| test.cpp:26:10:26:16 | command indirection | semmle.label | command indirection |
+| test.cpp:29:30:29:36 | command indirection | semmle.label | command indirection |
+| test.cpp:31:10:31:16 | command indirection | semmle.label | command indirection |
+| test.cpp:42:18:42:34 | call to getenv indirection | semmle.label | call to getenv indirection |
+| test.cpp:43:18:43:34 | call to getenv indirection | semmle.label | call to getenv indirection |
 | test.cpp:56:12:56:17 | fgets output argument | semmle.label | fgets output argument |
-| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
-| test.cpp:62:10:62:15 | buffer | semmle.label | buffer |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:63:10:63:13 | data | semmle.label | data |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:64:10:64:16 | dataref | semmle.label | dataref |
-| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
-| test.cpp:65:10:65:14 | data2 | semmle.label | data2 |
-| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
-| test.cpp:76:12:76:17 | buffer | semmle.label | buffer |
+| test.cpp:62:10:62:15 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:63:10:63:13 | data indirection | semmle.label | data indirection |
+| test.cpp:64:10:64:16 | (reference dereference) indirection | semmle.label | (reference dereference) indirection |
+| test.cpp:64:10:64:16 | dataref indirection | semmle.label | dataref indirection |
+| test.cpp:65:10:65:14 | data2 indirection | semmle.label | data2 indirection |
 | test.cpp:76:12:76:17 | fgets output argument | semmle.label | fgets output argument |
-| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
-| test.cpp:78:10:78:15 | buffer | semmle.label | buffer |
-| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
-| test.cpp:98:17:98:22 | buffer | semmle.label | buffer |
+| test.cpp:78:10:78:15 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:98:17:98:22 | recv output argument | semmle.label | recv output argument |
-| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
-| test.cpp:99:15:99:20 | buffer | semmle.label | buffer |
-| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
-| test.cpp:106:17:106:22 | buffer | semmle.label | buffer |
+| test.cpp:99:15:99:20 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:106:17:106:22 | recv output argument | semmle.label | recv output argument |
-| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
-| test.cpp:107:15:107:20 | buffer | semmle.label | buffer |
-| test.cpp:113:8:113:12 | call to fgets | semmle.label | call to fgets |
-| test.cpp:113:8:113:12 | call to fgets | semmle.label | call to fgets |
-| test.cpp:114:9:114:11 | ptr | semmle.label | ptr |
-| test.cpp:114:9:114:11 | ptr | semmle.label | ptr |
+| test.cpp:107:15:107:20 | buffer indirection | semmle.label | buffer indirection |
+| test.cpp:113:8:113:12 | call to fgets indirection | semmle.label | call to fgets indirection |
+| test.cpp:114:9:114:11 | ptr indirection | semmle.label | ptr indirection |
+subpaths
 #select
-| test.cpp:26:10:26:16 | command | test.cpp:42:18:42:23 | call to getenv | test.cpp:26:10:26:16 | command | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:23 | call to getenv | call to getenv |
-| test.cpp:31:10:31:16 | command | test.cpp:43:18:43:23 | call to getenv | test.cpp:31:10:31:16 | command | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:23 | call to getenv | call to getenv |
-| test.cpp:62:10:62:15 | buffer | test.cpp:56:12:56:17 | buffer | test.cpp:62:10:62:15 | buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:63:10:63:13 | data | test.cpp:56:12:56:17 | buffer | test.cpp:63:10:63:13 | data | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:64:10:64:16 | dataref | test.cpp:56:12:56:17 | buffer | test.cpp:64:10:64:16 | dataref | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:65:10:65:14 | data2 | test.cpp:56:12:56:17 | buffer | test.cpp:65:10:65:14 | data2 | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | buffer | buffer |
-| test.cpp:78:10:78:15 | buffer | test.cpp:76:12:76:17 | buffer | test.cpp:78:10:78:15 | buffer | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | buffer | buffer |
-| test.cpp:99:15:99:20 | buffer | test.cpp:98:17:98:22 | buffer | test.cpp:99:15:99:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | buffer | buffer |
-| test.cpp:107:15:107:20 | buffer | test.cpp:106:17:106:22 | buffer | test.cpp:107:15:107:20 | buffer | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | buffer | buffer |
-| test.cpp:114:9:114:11 | ptr | test.cpp:113:8:113:12 | call to fgets | test.cpp:114:9:114:11 | ptr | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | call to fgets | call to fgets |
+| test.cpp:26:10:26:16 | command indirection | test.cpp:42:18:42:34 | call to getenv indirection | test.cpp:26:10:26:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:42:18:42:34 | call to getenv indirection | an environment variable |
+| test.cpp:31:10:31:16 | command indirection | test.cpp:43:18:43:34 | call to getenv indirection | test.cpp:31:10:31:16 | command indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:43:18:43:34 | call to getenv indirection | an environment variable |
+| test.cpp:62:10:62:15 | buffer indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:62:10:62:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:63:10:63:13 | data indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:63:10:63:13 | data indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:64:10:64:16 | (reference dereference) indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | (reference dereference) indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:64:10:64:16 | dataref indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:64:10:64:16 | dataref indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:65:10:65:14 | data2 indirection | test.cpp:56:12:56:17 | fgets output argument | test.cpp:65:10:65:14 | data2 indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:56:12:56:17 | fgets output argument | string read by fgets |
+| test.cpp:78:10:78:15 | buffer indirection | test.cpp:76:12:76:17 | fgets output argument | test.cpp:78:10:78:15 | buffer indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:76:12:76:17 | fgets output argument | string read by fgets |
+| test.cpp:99:15:99:20 | buffer indirection | test.cpp:98:17:98:22 | recv output argument | test.cpp:99:15:99:20 | buffer indirection | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:98:17:98:22 | recv output argument | buffer read by recv |
+| test.cpp:107:15:107:20 | buffer indirection | test.cpp:106:17:106:22 | recv output argument | test.cpp:107:15:107:20 | buffer indirection | The value of this argument may come from $@ and is being passed to LoadLibrary. | test.cpp:106:17:106:22 | recv output argument | buffer read by recv |
+| test.cpp:114:9:114:11 | ptr indirection | test.cpp:113:8:113:12 | call to fgets indirection | test.cpp:114:9:114:11 | ptr indirection | The value of this argument may come from $@ and is being passed to system. | test.cpp:113:8:113:12 | call to fgets indirection | string read by fgets |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/UnboundedWrite.expected
@@ -1,4 +1,32 @@
 edges
-subpaths
+| main.cpp:6:27:6:30 | argv indirection | main.cpp:10:20:10:23 | argv indirection |
+| main.cpp:10:20:10:23 | argv indirection | tests.cpp:631:32:631:35 | argv indirection |
+| tests.cpp:613:19:613:24 | source indirection | tests.cpp:615:17:615:22 | source indirection |
+| tests.cpp:622:19:622:24 | source indirection | tests.cpp:625:2:625:16 | ... = ... indirection |
+| tests.cpp:625:2:625:16 | ... = ... indirection | tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] |
+| tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] | tests.cpp:628:14:628:14 | s indirection [home indirection] |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:14:628:19 | home indirection |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:16:628:19 | home indirection |
+| tests.cpp:628:16:628:19 | home indirection | tests.cpp:628:14:628:19 | home indirection |
+| tests.cpp:631:32:631:35 | argv indirection | tests.cpp:656:9:656:15 | access to array indirection |
+| tests.cpp:631:32:631:35 | argv indirection | tests.cpp:657:9:657:15 | access to array indirection |
+| tests.cpp:656:9:656:15 | access to array indirection | tests.cpp:613:19:613:24 | source indirection |
+| tests.cpp:657:9:657:15 | access to array indirection | tests.cpp:622:19:622:24 | source indirection |
 nodes
+| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
+| main.cpp:10:20:10:23 | argv indirection | semmle.label | argv indirection |
+| tests.cpp:613:19:613:24 | source indirection | semmle.label | source indirection |
+| tests.cpp:615:17:615:22 | source indirection | semmle.label | source indirection |
+| tests.cpp:622:19:622:24 | source indirection | semmle.label | source indirection |
+| tests.cpp:625:2:625:16 | ... = ... indirection | semmle.label | ... = ... indirection |
+| tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] | semmle.label | s indirection [post update] [home indirection] |
+| tests.cpp:628:14:628:14 | s indirection [home indirection] | semmle.label | s indirection [home indirection] |
+| tests.cpp:628:14:628:19 | home indirection | semmle.label | home indirection |
+| tests.cpp:628:16:628:19 | home indirection | semmle.label | home indirection |
+| tests.cpp:631:32:631:35 | argv indirection | semmle.label | argv indirection |
+| tests.cpp:656:9:656:15 | access to array indirection | semmle.label | access to array indirection |
+| tests.cpp:657:9:657:15 | access to array indirection | semmle.label | access to array indirection |
+subpaths
 #select
+| tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:615:17:615:22 | source indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |
+| tests.cpp:628:2:628:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:628:14:628:19 | home indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/tests.cpp
@@ -407,7 +407,7 @@ void test15()
 		{
 			if (ptr[5] == ' ') // GOOD
 			{
-				// ...
+				break;
 			}
 		}
 	}
@@ -608,6 +608,26 @@ int test23() {
 	return sizeof(buffer) / sizeof(buffer[101]); // GOOD
 }

+char* strcpy(char *, const char *);
+
+void test24(char* source) {
+	char buffer[100];
+	strcpy(buffer, source); // BAD
+}
+
+struct my_struct {
+	char* home;
+};
+
+void test25(char* source) {
+	my_struct s;
+
+	s.home = source;
+
+	char buf[100];
+	strcpy(buf, s.home); // BAD
+}
+
 int tests_main(int argc, char *argv[])
 {
 	long long arr17[19];
@@ -633,6 +653,8 @@ int tests_main(int argc, char *argv[])
 	test21(argc == 0);
 	test22(argc == 0, argv[0]);
 	test23();
+	test24(argv[0]);
+	test25(argv[0]);

 	return 0;
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.expected
@@ -1,69 +0,0 @@
-edges
-| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
-| globalVars.c:8:7:8:10 | copy | globalVars.c:27:9:27:12 | copy |
-| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
-| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
-| globalVars.c:8:7:8:10 | copy | globalVars.c:30:15:30:18 | copy |
-| globalVars.c:8:7:8:10 | copy | globalVars.c:33:15:33:18 | copy |
-| globalVars.c:8:7:8:10 | copy | globalVars.c:35:11:35:14 | copy |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:38:9:38:13 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:41:15:41:19 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:44:15:44:19 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:9:7:9:11 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:11:22:11:25 | argv | globalVars.c:8:7:8:10 | copy |
-| globalVars.c:11:22:11:25 | argv | globalVars.c:12:2:12:15 | ... = ... |
-| globalVars.c:12:2:12:15 | ... = ... | globalVars.c:8:7:8:10 | copy |
-| globalVars.c:15:21:15:23 | val | globalVars.c:9:7:9:11 | copy2 |
-| globalVars.c:15:21:15:23 | val | globalVars.c:16:2:16:12 | ... = ... |
-| globalVars.c:16:2:16:12 | ... = ... | globalVars.c:9:7:9:11 | copy2 |
-| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
-| globalVars.c:24:11:24:14 | argv | globalVars.c:11:22:11:25 | argv |
-| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
-| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
-| globalVars.c:30:15:30:18 | copy | globalVars.c:30:15:30:18 | copy |
-| globalVars.c:30:15:30:18 | copy | globalVars.c:35:11:35:14 | copy |
-| globalVars.c:33:15:33:18 | copy | globalVars.c:35:11:35:14 | copy |
-| globalVars.c:35:11:35:14 | copy | globalVars.c:15:21:15:23 | val |
-| globalVars.c:35:11:35:14 | copy | globalVars.c:35:11:35:14 | copy |
-| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
-| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
-| globalVars.c:41:15:41:19 | copy2 | globalVars.c:41:15:41:19 | copy2 |
-| globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:41:15:41:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-| globalVars.c:44:15:44:19 | copy2 | globalVars.c:50:9:50:13 | copy2 |
-subpaths
-nodes
-| globalVars.c:8:7:8:10 | copy | semmle.label | copy |
-| globalVars.c:9:7:9:11 | copy2 | semmle.label | copy2 |
-| globalVars.c:11:22:11:25 | argv | semmle.label | argv |
-| globalVars.c:12:2:12:15 | ... = ... | semmle.label | ... = ... |
-| globalVars.c:15:21:15:23 | val | semmle.label | val |
-| globalVars.c:16:2:16:12 | ... = ... | semmle.label | ... = ... |
-| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
-| globalVars.c:24:11:24:14 | argv | semmle.label | argv |
-| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
-| globalVars.c:27:9:27:12 | copy | semmle.label | copy |
-| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
-| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
-| globalVars.c:30:15:30:18 | copy | semmle.label | copy |
-| globalVars.c:33:15:33:18 | copy | semmle.label | copy |
-| globalVars.c:35:11:35:14 | copy | semmle.label | copy |
-| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
-| globalVars.c:38:9:38:13 | copy2 | semmle.label | copy2 |
-| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
-| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
-| globalVars.c:41:15:41:19 | copy2 | semmle.label | copy2 |
-| globalVars.c:44:15:44:19 | copy2 | semmle.label | copy2 |
-| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
-| globalVars.c:50:9:50:13 | copy2 | semmle.label | copy2 |
-#select
-| globalVars.c:27:9:27:12 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:27:9:27:12 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:30:15:30:18 | copy | globalVars.c:24:11:24:14 | argv | globalVars.c:30:15:30:18 | copy | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:38:9:38:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:38:9:38:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:41:15:41:19 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:41:15:41:19 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(str), which calls printf(format). | globalVars.c:24:11:24:14 | argv | argv |
-| globalVars.c:50:9:50:13 | copy2 | globalVars.c:24:11:24:14 | argv | globalVars.c:50:9:50:13 | copy2 | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | globalVars.c:24:11:24:14 | argv | argv |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.qlref
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-134/semmle/globalVars/UncontrolledFormatStringThroughGlobalVar.qlref
@@ -1 +0,0 @@
-Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/SAMATE/ArithmeticTainted.expected
@@ -1,13 +1,8 @@
 edges
-| examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data |
-| examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data |
 | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data |
-| examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data |
-subpaths
 nodes
-| examples.cpp:63:26:63:30 | & ... | semmle.label | & ... |
 | examples.cpp:63:26:63:30 | fscanf output argument | semmle.label | fscanf output argument |
 | examples.cpp:66:11:66:14 | data | semmle.label | data |
-| examples.cpp:66:11:66:14 | data | semmle.label | data |
+subpaths
 #select
-| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | & ... | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | & ... | User-provided value |
+| examples.cpp:66:11:66:14 | data | examples.cpp:63:26:63:30 | fscanf output argument | examples.cpp:66:11:66:14 | data | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | examples.cpp:63:26:63:30 | fscanf output argument | value read by fscanf |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/ArithmeticTainted.expected
@@ -1,86 +1,59 @@
 edges
 | test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
-| test2.cpp:12:21:12:21 | v | test2.cpp:14:11:14:11 | v |
-| test2.cpp:25:22:25:23 | & ... | test2.cpp:27:13:27:13 | v |
 | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:27:13:27:13 | v |
 | test2.cpp:27:13:27:13 | v | test2.cpp:12:21:12:21 | v |
-| test2.cpp:36:9:36:14 | buffer | test2.cpp:39:9:39:11 | num |
-| test2.cpp:36:9:36:14 | buffer | test2.cpp:39:9:39:11 | num |
-| test2.cpp:36:9:36:14 | buffer | test2.cpp:39:9:39:11 | num |
-| test2.cpp:36:9:36:14 | buffer | test2.cpp:39:9:39:11 | num |
-| test2.cpp:36:9:36:14 | buffer | test2.cpp:40:3:40:5 | num |
-| test2.cpp:36:9:36:14 | buffer | test2.cpp:40:3:40:5 | num |
-| test2.cpp:36:9:36:14 | buffer | test2.cpp:40:3:40:5 | num |
-| test2.cpp:36:9:36:14 | buffer | test2.cpp:40:3:40:5 | num |
-| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num |
 | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num |
 | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num |
-| test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num |
-| test5.cpp:5:5:5:17 | getTaintedInt indirection | test5.cpp:17:6:17:18 | call to getTaintedInt |
+| test3.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections |
+| test3.c:10:27:10:30 | argv indirection | test.c:44:7:44:10 | len2 |
+| test3.c:10:27:10:30 | argv indirection | test.c:54:7:54:10 | len3 |
 | test5.cpp:5:5:5:17 | getTaintedInt indirection | test5.cpp:17:6:17:18 | call to getTaintedInt |
 | test5.cpp:5:5:5:17 | getTaintedInt indirection | test5.cpp:18:6:18:18 | call to getTaintedInt |
-| test5.cpp:9:7:9:9 | buf | test5.cpp:5:5:5:17 | getTaintedInt indirection |
-| test5.cpp:9:7:9:9 | buf | test5.cpp:5:5:5:17 | getTaintedInt indirection |
 | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:5:5:5:17 | getTaintedInt indirection |
 | test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
-| test5.cpp:18:6:18:18 | call to getTaintedInt | test5.cpp:19:6:19:6 | y |
-| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
-| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
-| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
-| test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections |
-| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
-| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
-| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
-| test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 |
-| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
-| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
-| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
-| test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 |
-subpaths
+| test.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections |
+| test.c:10:27:10:30 | argv indirection | test.c:44:7:44:10 | len2 |
+| test.c:10:27:10:30 | argv indirection | test.c:54:7:54:10 | len3 |
 nodes
 | test2.cpp:12:21:12:21 | v | semmle.label | v |
 | test2.cpp:14:11:14:11 | v | semmle.label | v |
-| test2.cpp:14:11:14:11 | v | semmle.label | v |
-| test2.cpp:25:22:25:23 | & ... | semmle.label | & ... |
 | test2.cpp:25:22:25:23 | fscanf output argument | semmle.label | fscanf output argument |
 | test2.cpp:27:13:27:13 | v | semmle.label | v |
-| test2.cpp:36:9:36:14 | buffer | semmle.label | buffer |
-| test2.cpp:36:9:36:14 | buffer | semmle.label | buffer |
 | test2.cpp:36:9:36:14 | fgets output argument | semmle.label | fgets output argument |
 | test2.cpp:39:9:39:11 | num | semmle.label | num |
-| test2.cpp:39:9:39:11 | num | semmle.label | num |
-| test2.cpp:40:3:40:5 | num | semmle.label | num |
 | test2.cpp:40:3:40:5 | num | semmle.label | num |
+| test3.c:10:27:10:30 | argv indirection | semmle.label | argv indirection |
 | test5.cpp:5:5:5:17 | getTaintedInt indirection | semmle.label | getTaintedInt indirection |
-| test5.cpp:9:7:9:9 | buf | semmle.label | buf |
-| test5.cpp:9:7:9:9 | buf | semmle.label | buf |
 | test5.cpp:9:7:9:9 | gets output argument | semmle.label | gets output argument |
 | test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
-| test5.cpp:17:6:17:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
 | test5.cpp:18:6:18:18 | call to getTaintedInt | semmle.label | call to getTaintedInt |
 | test5.cpp:19:6:19:6 | y | semmle.label | y |
-| test5.cpp:19:6:19:6 | y | semmle.label | y |
-| test.c:11:29:11:32 | argv | semmle.label | argv |
-| test.c:11:29:11:32 | argv | semmle.label | argv |
+| test.c:10:27:10:30 | argv indirection | semmle.label | argv indirection |
 | test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
-| test.c:14:15:14:28 | maxConnections | semmle.label | maxConnections |
-| test.c:41:17:41:20 | argv | semmle.label | argv |
-| test.c:41:17:41:20 | argv | semmle.label | argv |
 | test.c:44:7:44:10 | len2 | semmle.label | len2 |
-| test.c:44:7:44:10 | len2 | semmle.label | len2 |
-| test.c:51:17:51:20 | argv | semmle.label | argv |
-| test.c:51:17:51:20 | argv | semmle.label | argv |
-| test.c:54:7:54:10 | len3 | semmle.label | len3 |
 | test.c:54:7:54:10 | len3 | semmle.label | len3 |
+subpaths
 #select
-| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
-| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | & ... | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | & ... | User-provided value |
-| test2.cpp:39:9:39:11 | num | test2.cpp:36:9:36:14 | buffer | test2.cpp:39:9:39:11 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | buffer | User-provided value |
-| test2.cpp:40:3:40:5 | num | test2.cpp:36:9:36:14 | buffer | test2.cpp:40:3:40:5 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | buffer | User-provided value |
-| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | buf | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | buf | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test5.cpp:9:7:9:9 | buf | User-provided value |
-| test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test.c:11:29:11:32 | argv | User-provided value |
-| test.c:14:15:14:28 | maxConnections | test.c:11:29:11:32 | argv | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:11:29:11:32 | argv | User-provided value |
-| test.c:44:7:44:10 | len2 | test.c:41:17:41:20 | argv | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:41:17:41:20 | argv | User-provided value |
-| test.c:54:7:54:10 | len3 | test.c:51:17:51:20 | argv | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:51:17:51:20 | argv | User-provided value |
+| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf |
+| test2.cpp:14:11:14:11 | v | test2.cpp:25:22:25:23 | fscanf output argument | test2.cpp:14:11:14:11 | v | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test2.cpp:25:22:25:23 | fscanf output argument | value read by fscanf |
+| test2.cpp:39:9:39:11 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:39:9:39:11 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets |
+| test2.cpp:40:3:40:5 | num | test2.cpp:36:9:36:14 | fgets output argument | test2.cpp:40:3:40:5 | num | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test2.cpp:36:9:36:14 | fgets output argument | string read by fgets |
+| test5.cpp:17:6:17:18 | call to getTaintedInt | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:17:6:17:18 | call to getTaintedInt | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets |
+| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets |
+| test5.cpp:19:6:19:6 | y | test5.cpp:9:7:9:9 | gets output argument | test5.cpp:19:6:19:6 | y | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test5.cpp:9:7:9:9 | gets output argument | string read by gets |
+| test.c:14:15:14:28 | maxConnections | test3.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:14:15:14:28 | maxConnections | test3.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:14:15:14:28 | maxConnections | test3.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:14:15:14:28 | maxConnections | test3.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:14:15:14:28 | maxConnections | test.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:14:15:14:28 | maxConnections | test.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an overflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:14:15:14:28 | maxConnections | test.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:14:15:14:28 | maxConnections | test.c:10:27:10:30 | argv indirection | test.c:14:15:14:28 | maxConnections | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:44:7:44:10 | len2 | test3.c:10:27:10:30 | argv indirection | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:44:7:44:10 | len2 | test3.c:10:27:10:30 | argv indirection | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:44:7:44:10 | len2 | test.c:10:27:10:30 | argv indirection | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:44:7:44:10 | len2 | test.c:10:27:10:30 | argv indirection | test.c:44:7:44:10 | len2 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:54:7:54:10 | len3 | test3.c:10:27:10:30 | argv indirection | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:54:7:54:10 | len3 | test3.c:10:27:10:30 | argv indirection | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:54:7:54:10 | len3 | test.c:10:27:10:30 | argv indirection | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test3.c:10:27:10:30 | argv indirection | a command-line argument |
+| test.c:54:7:54:10 | len3 | test.c:10:27:10:30 | argv indirection | test.c:54:7:54:10 | len3 | $@ flows to an operand of an arithmetic expression, potentially causing an underflow. | test.c:10:27:10:30 | argv indirection | a command-line argument |
--- a/csharp/autobuilder/Semmle.Autobuild.Shared/BuildActions.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.Shared/BuildActions.cs
@@ -252,7 +252,7 @@ namespace Semmle.Autobuild.Shared

            try
            {
-                var res = thisBuildActions.RunProcess("sysctl", "machdep.cpu.brand_string", workingDirectory: null, env: null, out var stdOut);
+                thisBuildActions.RunProcess("sysctl", "machdep.cpu.brand_string", workingDirectory: null, env: null, out var stdOut);
                return stdOut?.Any(s => s?.ToLowerInvariant().Contains("apple") == true) ?? false;
            }
            catch (Exception)
--- a/csharp/autobuilder/Semmle.Autobuild.Shared/MsBuildRule.cs
+++ b/csharp/autobuilder/Semmle.Autobuild.Shared/MsBuildRule.cs
@@ -15,14 +15,12 @@ namespace Semmle.Autobuild.Shared
        /// <returns></returns>
        public static CommandBuilder MsBuildCommand(this CommandBuilder cmdBuilder, IAutobuilder<AutobuildOptionsShared> builder)
        {
-            var IsRunningOnAppleSiliconMac = builder.Actions.IsMacOs() && builder.Actions.IsRunningOnAppleSilicon();
-
            // mono doesn't ship with `msbuild` on Arm-based Macs, but we can fall back to
            // msbuild that ships with `dotnet` which can be invoked with `dotnet msbuild`
            // perhaps we should do this on all platforms?
-            return IsRunningOnAppleSiliconMac ?
-                cmdBuilder.RunCommand("dotnet").Argument("msbuild") :
-                cmdBuilder.RunCommand("msbuild");
+            return builder.Actions.IsRunningOnAppleSilicon()
+                ? cmdBuilder.RunCommand("dotnet").Argument("msbuild")
+                : cmdBuilder.RunCommand("msbuild");
        }
    }

@@ -84,7 +82,12 @@ namespace Semmle.Autobuild.Shared
                        Argument("/t:restore").
                        QuoteArgument(projectOrSolution.FullPath);

-                    if (nugetDownloaded)
+                    if (builder.Actions.IsRunningOnAppleSilicon())
+                    {
+                        // On Apple Silicon, only try package restore with `dotnet msbuild /t:restore`
+                        ret &= BuildScript.Try(msbuildRestoreCommand.Script);
+                    }
+                    else if (nugetDownloaded)
                    {
                        ret &= BuildScript.Try(nugetRestore | msbuildRestoreCommand.Script);
                    }
--- a/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Populators/TypeContainerVisitor.cs
@@ -89,8 +89,10 @@ namespace Semmle.Extraction.CSharp.Populators
                SyntaxKind.ModuleKeyword => Entities.AttributeKind.Module,
                _ => throw new InternalError(node, "Unhandled global target")
            };
-            foreach (var attribute in node.Attributes)
+            var attributes = node.Attributes;
+            for (var i = 0; i < attributes.Count; i++)
            {
+                var attribute = attributes[i];
                if (attributeLookup.Value(attribute) is AttributeData attributeData)
                {
                    var ae = Entities.Attribute.Create(Cx, attributeData, outputAssembly, kind);
--- a/csharp/ql/integration-tests/all-platforms/msbuild/test.py
+++ b/csharp/ql/integration-tests/all-platforms/msbuild/test.py
@@ -1,24 +1,6 @@
-import os
-
 from create_database_utils import *
 from diagnostics_test_utils import *

-def is_running_on_apple_silicon():
-   arch = subprocess.Popen(['sysctl', 'machdep.cpu.brand_string'], stdout=subprocess.PIPE)
-   output, errors = arch.communicate()
-   if b'apple' in output.lower():
-       return True
-   return False
-
-# if on ARM runners, remove Mono from the path, so we're using
-# dotnet restore instead of nuget.exe restore - on ARM machines
-# we run dotner msbuild (instead of the mono-provided msbuild.exe)
-# so we need to match the restore command, too.
-
-platform_name = sys.platform.lower()
-if platform_name.startswith("darwin") and is_running_on_apple_silicon():
-    os.environ["PATH"] = os.environ["PATH"].replace("/Library/Frameworks/Mono.framework/Versions/Current/Commands:", "")
-
 # force CodeQL to use MSBuild by setting `LGTM_INDEX_MSBUILD_TARGET`
 run_codeql_database_create([], db=None, lang="csharp", extra_env={ 'LGTM_INDEX_MSBUILD_TARGET': 'Build' })
 check_diagnostics()
--- a/csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget/skip-on-platform-osx-arm
+++ b/csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget/skip-on-platform-osx-arm
@@ -0,0 +1 @@
+Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
--- a/csharp/ql/test/library-tests/standalone/assemblyattribute/attr.expected
+++ b/csharp/ql/test/library-tests/standalone/assemblyattribute/attr.expected
@@ -0,0 +1,2 @@
+| standalone.cs:3:12:3:29 | [assembly: Attribute1(...)] |
+| standalone.cs:9:2:9:11 | [Attribute1(...)] |
--- a/csharp/ql/test/library-tests/standalone/assemblyattribute/attr.ql
+++ b/csharp/ql/test/library-tests/standalone/assemblyattribute/attr.ql
@@ -0,0 +1,5 @@
+import csharp
+
+from Attribute a
+where a.getType().getName() = "Attribute1Attribute"
+select a
--- a/csharp/ql/test/library-tests/standalone/assemblyattribute/options
+++ b/csharp/ql/test/library-tests/standalone/assemblyattribute/options
@@ -0,0 +1 @@
+semmle-extractor-options: --standalone
--- a/csharp/ql/test/library-tests/standalone/assemblyattribute/standalone.cs
+++ b/csharp/ql/test/library-tests/standalone/assemblyattribute/standalone.cs
@@ -0,0 +1,12 @@
+using System;
+
+[assembly: global::Attribute1]
+
+class Attribute1Attribute : Attribute
+{
+}
+
+[Attribute1]
+class A
+{
+}
--- a/docs/codeql/codeql-for-visual-studio-code/analyzing-your-projects.rst
+++ b/docs/codeql/codeql-for-visual-studio-code/analyzing-your-projects.rst
@@ -42,14 +42,47 @@ Downloading a database from GitHub

 .. include:: ../reusables/download-github-database.rst

+.. _filtering-databases-and-queries-by-language:
+
+Filtering databases and queries by language
+-------------------------------------------
+
+Optionally, to see databases containing a specific language and queries written for that language, you can apply a language filter using the language selector.
+
+#. To see available language filters, in the sidebar, click the **Language** title bar.
+#. Hover over the language filter you would like to apply, then click **Select**.
+
+   .. image:: ../images/codeql-for-visual-studio-code/choose-language-filter.png
+      :width: 350
+      :alt: Screenshot of the language selector. The "Select" button for a language filter is outlined in dark orange.
+
+Creating a custom query
+------------------------
+
+You can generate a query template for a specific language from the queries panel, then write your own code to quickly create a custom query.
+
+#. Optionally, to create a custom query in an existing directory, in the sidebar, click the **Queries** title bar to expand the queries panel, then select the desired directory.
+#. In the sidebar, hover over the **Queries** title bar, then click the **Create query** icon.
+
+   .. image:: ../images/codeql-for-visual-studio-code/create-query-icon.png
+      :width: 350
+      :alt: Screenshot of the queries panel. The "Create query" icon is outlined in dark orange.
+
+#. In the Command Palette, select the target language for your query. If you've chosen not to create your custom query in an existing directory, selecting a language will autogenerate a directory labeled ``codeql-custom-queries-<language>``, where ``<language>`` is the name of the selected language. A query template labeled ``example.ql`` will then be added to the existing or autogenerated directory.
+#. In the template, write your custom query, then save the file. Once your query is finished, you can run it from the queries panel.
+
 Running a query
 ------------------------

 The `CodeQL repository <https://github.com/github/codeql>`__ on GitHub contains lots of example queries.
-If you have that folder (or a different CodeQL pack) available in your workspace, you can access existing queries under ``<language>/ql/src/<category>``, for example ``java/ql/src/Likely Bugs``.
+You can access any existing queries in your workspace through the queries panel.

-#. Open a query (``.ql``) file. It is displayed in the editor, with IntelliSense features such as syntax highlighting and autocomplete suggestions.
-#. Right-click in the query window and select **CodeQL: Run Query on Selected Database**. (Alternatively, run the command from the Command Palette.)
+#. In the sidebar, to expand the queries panel, click the **Queries** title bar.
+#. To run a query against the selected database, hover over the desired query, then click the **Run local query** icon.
+
+   .. image:: ../images/codeql-for-visual-studio-code/run-local-query-icon.png
+      :width: 350
+      :alt: Screenshot of the mouse pointer hovering over a query in the queries panel. The "Run local query" icon is outlined in dark orange.

 The CodeQL extension runs the query on the current database and reports progress in the bottom right corner of the application.
 When the results are ready, they're displayed in the Results view.
@@ -61,6 +94,23 @@ For more information, see ":doc:`Troubleshooting CodeQL for Visual Studio Code <
 Running multiple queries
 --------------------------

+You can quickly run multiple queries against the database you've selected using the queries panel or a single command.
+
+Running all queries in a directory
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+You can easily run every query in a directory using the queries panel.
+
+#. In the sidebar, to expand the queries panel, click the **Queries** title bar.
+#. Hover over the desired directory of queries, then click the **Run local queries** icon.
+
+   .. image:: ../images/codeql-for-visual-studio-code/run-local-queries-icon.png
+      :width: 350
+      :alt: Screenshot of the mouse pointer hovering over a directory of queries in the queries panel. The "Run local queries" icon is outlined in dark orange.
+
+Running a selection of queries
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
 You can run multiple queries with a single command.

 #. Go to the File Explorer.
@@ -122,6 +172,7 @@ To see the queries that you have run in the current session, open the Query Hist

 The Query History contains information including the date and time when the query was run, the name of the query, the database on which it was run, and how long it took to run the query.
 To customize the information that is displayed, right-click an entry and select **Rename**.
+You can also filter the Query History view by language using the language selector. For more information, see ":ref:`Filtering databases and queries by language <filtering-databases-and-queries-by-language>`."

 Click an entry to display the corresponding results in the Query Results view, and double-click
 to display the query itself in the editor (or right-click and select **View Query**).
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.0.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.0.rst
@@ -0,0 +1,178 @@
+.. _codeql-cli-2.10.0:
+
+==========================
+CodeQL 2.10.0 (2022-06-27)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.0 runs a total of 339 security queries when configured with the Default suite (covering 142 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 4 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The :code:`--format=stats` option of :code:`codeql generate log-summary` has been renamed to :code:`--format=overall`. It now produces a richer JSON object that, in addition to the previous statistics about the run (which can be found in the :code:`stats` property) also records the most expensive predicates in the evaluation run.
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The :code:`codeql resolve ml-model` command now requires one or more query specifications as command line arguments in order to determine the set of starting packs from which to initiate the resolution process. The command will locate all ML models in any qlpack that is a transitive dependency of any of the starting packs. Also, the output of the command has been expanded to include for each model the containing package's name, version, and path.
+    
+*   The :code:`buildMetadata` inside of compiled CodeQL packs no longer contains a :code:`creationTime` property. This was removed in order to ensure that the content of a CodeQL pack is identical when it is re-compiled.
+    
+*   The :code:`codeql pack download` command, when used with the :code:`--dir` option,
+    now downloads requested packs in directories corresponding to their version numbers. Previously,
+    :code:`codeql pack download --dir ./somewhere codeql/java-queries@0.1.2` would download the pack into the :code:`./somewhere/codeql/java-queries` directory. Now, it will download the pack into the
+    :code:`./somewhere/codeql/java-queries/0.1.2` directory. This allows you to download multiple versions of the same pack using a single command.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug where :code:`codeql pack download`, when used with the :code:`--dir` option, would not download a pack that is in the global package cache.
+    
+*   Fixed a bug where some versions of a CodeQL package could not be downloaded if there are more than 100 versions of this package in the package registry.
+    
+*   Fixed a bug where the :code:`--also-match` option for :code:`codeql resolve files` and :code:`codeql database index-files` does not work with relative paths.
+    
+*   Fixed a bug that caused :code:`codeql query decompile` to ignore the
+    :code:`--output` option when producing bytecode output (:code:`--kind=bytecode`),
+    writing only to :code:`stdout`.
+
+New Features
+~~~~~~~~~~~~
+
+*   You can now include diagnostic messages in the summary produced by the :code:`--print-diagnostics-summary` option of the
+    :code:`codeql database interpret-results` and :code:`codeql database analyze` commands by running these commands at high verbosity levels.
+
+Query Packs
+-----------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   Improved library modeling for the query "Request without certificate validation" (:code:`py/request-without-cert-validation`), so it now also covers :code:`httpx`, :code:`aiohttp.client`, and :code:`urllib3`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called :code:`provenance` has been introduced, where the allowed values are :code:`manual` and :code:`generated`. The value used to indicate whether a model as been written by hand (:code:`manual`) or create by the CSV model generator (:code:`generated`).
+*   All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
+
+Java
+""""
+
+*   The query :code:`java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`js/resource-exhaustion` query no longer treats the 3-argument version of :code:`Buffer.from` as a sink,
+    since it does not allocate a new buffer.
+
+Python
+""""""
+
+*   The query "Use of a broken or weak cryptographic algorithm" (:code:`py/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
+
+Ruby
+""""
+
+*   The query "Use of a broken or weak cryptographic algorithm" (:code:`rb/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
+
+New Queries
+~~~~~~~~~~~
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/improper-memoization`. The query finds cases where the parameter of a memoization method is not used in the memoization key.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The :code:`kind` query metadata was changed to :code:`diagnostic` on :code:`cs/compilation-error`, :code:`cs/compilation-message`, :code:`cs/extraction-error`, and :code:`cs/extraction-message`.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a :code:`class`, :code:`struct`, or :code:`union`.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 4.7.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a flow step for :code:`String.valueOf` calls on tainted :code:`android.text.Editable` objects.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   All new ECMAScript 2022 features are now supported.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+C#
+""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Golang
+""""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Java
+""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Python
+""""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Ruby
+""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.1.rst
@@ -0,0 +1,132 @@
+.. _codeql-cli-2.10.1:
+
+==========================
+CodeQL 2.10.1 (2022-07-19)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.1 runs a total of 340 security queries when configured with the Default suite (covering 143 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   Improved error message from :code:`codeql database analyze` when a query is missing :code:`@id` or :code:`@kind` query metadata.
+
+Query Packs
+-----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/cpp-all` package.
+
+C#
+""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/csharp-all` package.
+
+Java
+""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/java-all` package.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/javascript-all` package.
+
+Python
+""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/python-all` package.
+
+Ruby
+""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/ruby-all` package.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   A new query "Improper verification of intent by broadcast receiver" (:code:`java/improper-intent-verification`) has been added.
+    This query finds instances of Android :code:`BroadcastReceiver`\ s that don't verify the action string of received intents when registered to receive system intents.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`AnalysedExpr::isNullCheck` and :code:`AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
+
+Java
+""""
+
+*   Added data-flow models for :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
+*   Added :code:`Modifier.isInline()`.
+*   Removed Kotlin-specific database and QL structures for loops and :code:`break`\ /\ :code:`continue` statements. The Kotlin extractor was changed to reuse the Java structures for these constructs.
+*   Added additional flow sources for uses of external storage on Android.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`chownr` library is now modeled as a sink for the :code:`js/path-injection` query.
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+*   The :code:`gray-matter` library is now modeled as a sink for the :code:`js/code-injection` query.
+
+Python
+""""""
+
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+
+Ruby
+""""
+
+*   Fixed a bug causing every expression in the database to be considered a system-command execution sink when calls to any of the following methods exist:
+
+    *   The :code:`spawn`, :code:`fspawn`, :code:`popen4`, :code:`pspawn`, :code:`system`, :code:`_pspawn` methods and the backtick operator from the :code:`POSIX::spawn` gem.
+    *   The :code:`execute_command`, :code:`rake`, :code:`rails_command`, and :code:`git` methods in :code:`Rails::Generation::Actions`.
+    
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   The documentation of API graphs (the :code:`API` module) has been expanded, and some of the members predicates of :code:`API::Node` have been renamed as follows:
+
+    *   :code:`getAnImmediateUse` -> :code:`asSource`
+    *   :code:`getARhs` -> :code:`asSink`
+    *   :code:`getAUse` -> :code:`getAValueReachableFromSource`
+    *   :code:`getAValueReachingRhs` -> :code:`getAValueReachingSink`
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added an :code:`ErrorType` class. An instance of this class will be used if an extractor is unable to extract a type, or if an up/downgrade script is unable to provide a type.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.2.rst
@@ -0,0 +1,105 @@
+.. _codeql-cli-2.10.2:
+
+==========================
+CodeQL 2.10.2 (2022-08-02)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.2 runs a total of 341 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The option :code:`--compiler-spec` to :code:`codeql database create` (and
+    :code:`codeql database trace-command`) no longer works. It is replaced by
+    :code:`--extra-tracing-config`, which accepts a tracer configuration file in the new, Lua-based tracer configuration format instead. See
+    :code:`tools/tracer/base.lua` for the precise API available. If you need help help porting your existing compiler specification files, please file a public issue in https://github.com/github/codeql-cli-binaries,
+    or open a private ticket with GitHub support and request an escalation to engineering.
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   Versions of the CodeQL extension for Visual Studio Code released before February 2021 may not work correctly with this CLI, in particular if database upgrades are necessary. We recommend keeping your VS Code extension up-to-date.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The experimental :code:`codeql resolve ml-models` command has been deprecated. Advanced users calling this command should use the new
+    :code:`codeql resolve extensions` command instead.
+
+New Features
+~~~~~~~~~~~~
+
+*   The :code:`codeql github upload-results` command now supports a :code:`--merge` option. If this option is provided, the command will accept the paths to multiple SARIF files, and will merge those files before uploading them as a single analysis. This option is recommended *only* for backwards compatibility with old analyses produced by the CodeQL Runner, which combined the results for multiple languages into a single analysis.
+
+Query Packs
+-----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/python-all` package.
+
+New Queries
+~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   A new query "Case-sensitive middleware path" (:code:`js/case-sensitive-middleware-path`) has been added.
+    It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path.
+
+Ruby
+""""
+
+*   Added a new experimental query, :code:`rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.
+*   Added a new experimental query, :code:`rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   Under certain circumstances a variable declaration that is not also a definition could be associated with a :code:`Variable` that did not have the definition as a :code:`VariableDeclarationEntry`. This is now fixed, and a unique :code:`Variable` will exist that has both the declaration and the definition as a :code:`VariableDeclarationEntry`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The JUnit5 version of :code:`AssertNotNull` is now recognized, which removes related false positives in the nullness queries.
+*   Added data flow models for :code:`java.util.Scanner`.
+
+Ruby
+""""
+
+*   Calls to :code:`Arel.sql` are now recognised as propagating taint from their argument.
+*   Calls to :code:`ActiveRecord::Relation#annotate` are now recognized as :code:`SqlExecution`\ s so that it will be considered as a sink for queries like rb/sql-injection.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   The QL predicate :code:`Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.3.rst
@@ -0,0 +1,111 @@
+.. _codeql-cli-2.10.3:
+
+==========================
+CodeQL 2.10.3 (2022-08-15)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.3 runs a total of 342 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   When called with :code:`--start-tracing`, the :code:`codeql database init` command now accepts extractor options for the indirect tracing environment via
+    :code:`--extractor-option`. Users should continue to specify extractor options for direct tracing environments by passing them to
+    :code:`codeql database trace-command` invocations.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.
+
+Query Packs
+-----------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The query :code:`java/sensitive-log` has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The query :code:`cpp/bad-strncpy-size` now covers more :code:`strncpy`\ -like functions than before, including :code:`strxfrm`(:code:`_l`), :code:`wcsxfrm`(:code:`_l`), and :code:`stpncpy`. Users of this query may see an increase in results.
+
+Golang
+""""""
+
+*   The query :code:`go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
+
+Java
+""""
+
+*   The query :code:`java/path-injection` now recognises vulnerable APIs defined using the :code:`SinkModelCsv` class with the :code:`create-file` type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   A new query "Android :code:`WebView` that accepts all certificates" (:code:`java/improper-webview-certificate-validation`) has been added. This query finds implementations of :code:`WebViewClient`\ s that accept all certificates in the case of an SSL error.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Improved analysis of the Android class :code:`AsyncTask` so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
+*   Added a data-flow model for the :code:`setProperty` method of :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
+
+Python
+""""""
+
+*   Change :code:`.getASubclass()` on :code:`API::Node` so it allows to follow subclasses even if the class has a class decorator.
+
+Ruby
+""""
+
+*   Calls to methods generated by ActiveRecord associations are now recognised as instantiations of ActiveRecord objects. This increases the sensitivity of queries such as :code:`rb/sql-injection` and :code:`rb/stored-xss`.
+*   Calls to :code:`ActiveRecord::Base.create` and :code:`ActiveRecord::Base.update` are now recognised as write accesses.
+*   Arguments to :code:`Mime::Type#match?` and :code:`Mime::Type#=~` are now recognised as regular expression sources.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a predicate :code:`getValueConstant` to :code:`AttributeArgument` that yields the argument value as an :code:`Expr` when the value is a constant expression.
+*   A new class predicate :code:`MustFlowConfiguration::allowInterproceduralFlow` has been added to the :code:`semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.
+*   Added subclasses of :code:`BuiltInOperations` for :code:`__builtin_bit_cast`, :code:`__builtin_shuffle`, :code:`__has_unique_object_representations`, :code:`__is_aggregate`, and :code:`__is_assignable`.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.4.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.4.rst
@@ -0,0 +1,216 @@
+.. _codeql-cli-2.10.4:
+
+==========================
+CodeQL 2.10.4 (2022-08-31)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.4 runs a total of 352 security queries when configured with the Default suite (covering 146 CWE). The Extended suite enables an additional 106 queries (covering 30 more CWE). 12 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The "Cleartext storage of sensitive information in buffer" (:code:`cpp/cleartext-storage-buffer`) query has been improved to produce fewer false positives.
+
+C#
+""
+
+*   Parameters of delegates passed to routing endpoint calls like :code:`MapGet` in ASP.NET Core are now considered remote flow sources.
+*   The query :code:`cs/unsafe-deserialization-untrusted-input` is not reporting on all calls of :code:`JsonConvert.DeserializeObject` any longer, it only covers cases that explicitly use unsafe serialization settings.
+*   Added better support for the SQLite framework in the SQL injection query.
+*   File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
+
+Java
+""""
+
+*   The query :code:`java/static-initialization-vector` no longer requires a :code:`Cipher` object to be initialized with :code:`ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.
+*   Improved sanitizers for :code:`java/sensitive-log`, which removes some false positives and improves performance a bit.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new query, :code:`java/android/implicitly-exported-component`, to detect if components are implicitly exported in the Android manifest.
+*   A new query "Use of RSA algorithm without OAEP" (:code:`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.
+*   Added a new query, :code:`java/android/debuggable-attribute-enabled`, to detect if the :code:`android:debuggable` attribute is enabled in the Android manifest.
+*   The query "Using a static initialization vector for encryption" (:code:`java/static-initialization-vector`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @artem-smotrakov <https://github.com/github/codeql/pull/6357>`__.
+*   A new query :code:`java/partial-path-traversal` finds partial path traversal vulnerabilities resulting from incorrectly using
+    :code:`String#startsWith` to compare canonical paths.
+*   Added a new query, :code:`java/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
+    too many characters.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added a new query, :code:`py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
+    too many characters.
+
+Python
+""""""
+
+*   Added a new query, :code:`py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
+    too many characters.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/log-injection`, to detect cases where a malicious user may be able to forge log entries.
+*   Added a new query, :code:`rb/incomplete-multi-character-sanitization`. The query finds string transformations that do not replace all occurrences of a multi-character substring.
+*   Added a new query, :code:`rb/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
+    too many characters.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The queries :code:`java/redos` and :code:`java/polynomial-redos` now have a tag for CWE-1333.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed that top-level :code:`for await` statements would produce a syntax error. These statements are now parsed correctly.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
+C#
+""
+
+*   All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
+Golang
+""""""
+
+*   Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release.
+*   Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+*   Fixed data-flow to captured variable references.
+*   We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow.
+
+Java
+""""
+
+*   Added new flow steps for the classes :code:`java.nio.file.Path` and :code:`java.nio.file.Paths`.
+*   The class :code:`AndroidFragment` now also models the Android Jetpack version of the :code:`Fragment` class (:code:`androidx.fragment.app.Fragment`).
+*   Java 19 builds can now be extracted. There are no non-preview new language features in this release, so the only user-visible change is that the CodeQL extractor will now correctly trace compilations using the JDK 19 release of :code:`javac`.
+*   Classes and methods that are seen with several different paths during the extraction process (for example, packaged into different JAR files) now report an arbitrarily selected location via their :code:`getLocation` and :code:`hasLocationInfo` predicates, rather than reporting all of them. This may lead to reduced alert duplication.
+*   The query :code:`java/hardcoded-credential-api-call` now recognises methods that consume usernames, passwords and keys from the JSch, Ganymed, Apache SSHD, sshj, Trilead SSH-2, Apache FTPClient and MongoDB projects.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
+Python
+""""""
+
+*   Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
+Ruby
+""""
+
+*   Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+*   Calls to :code:`render` in Rails controllers and views are now recognized as HTTP response bodies.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+C#
+""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Java
+""""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+*   The utility files previously in the :code:`semmle.code.java.security.performance` package have been moved to the :code:`semmle.code.java.security.regexp` package.
+    
+    The previous files still exist as deprecated aliases.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+*   The utility files previously in the :code:`semmle.javascript.security.performance` package have been moved to the :code:`semmle.javascript.security.regexp` package.
+    
+    The previous files still exist as deprecated aliases.
+
+Python
+""""""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+*   The utility files previously in the :code:`semmle.python.security.performance` package have been moved to the :code:`semmle.python.security.regexp` package.
+    
+    The previous files still exist as deprecated aliases.
+
+Ruby
+""""
+
+*   The utility files previously in the :code:`codeql.ruby.security.performance` package have been moved to the :code:`codeql.ruby.security.regexp` package.
+    
+    The previous files still exist as deprecated aliases.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added support for getting the link targets of global and namespace variables.
+*   Added a :code:`BlockAssignExpr` class, which models a :code:`memcpy`\ -like operation used in compiler generated copy/move constructors and assignment operations.
+
+Java
+""""
+
+*   Added a new predicate, :code:`requiresPermissions`, in the :code:`AndroidComponentXmlElement` and :code:`AndroidApplicationXmlElement` classes to detect if the element has explicitly set a value for its :code:`android:permission` attribute.
+*   Added a new predicate, :code:`hasAnIntentFilterElement`, in the :code:`AndroidComponentXmlElement` class to detect if a component contains an intent filter element.
+*   Added a new predicate, :code:`hasExportedAttribute`, in the :code:`AndroidComponentXmlElement` class to detect if a component has an :code:`android:exported` attribute.
+*   Added a new class, :code:`AndroidCategoryXmlElement`, to represent a category element in an Android manifest file.
+*   Added a new predicate, :code:`getACategoryElement`, in the :code:`AndroidIntentFilterXmlElement` class to get a category element of an intent filter.
+*   Added a new predicate, :code:`isInBuildDirectory`, in the :code:`AndroidManifestXmlFile` class. This predicate detects if the manifest file is located in a build directory.
+*   Added a new predicate, :code:`isDebuggable`, in the :code:`AndroidApplicationXmlElement` class. This predicate detects if the application element has its :code:`android:debuggable` attribute enabled.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.5.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.5.rst
@@ -0,0 +1,20 @@
+.. _codeql-cli-2.10.5:
+
+==========================
+CodeQL 2.10.5 (2022-09-13)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   You can now define which registries should be used for downloading and publishing CodeQL packs on a per-workspace basis by creating a :code:`codeql-workspace.yml` file and adding a :code:`registries` block. For more infomation, see `About CodeQL Workspaces <https://codeql.github.com/docs/codeql-cli/about-codeql-workspaces/>`__.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.0.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.0.rst
@@ -0,0 +1,365 @@
+.. _codeql-cli-2.11.0:
+
+==========================
+CodeQL 2.11.0 (2022-09-28)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.11.0 runs a total of 353 security queries when configured with the Default suite (covering 148 CWE). The Extended suite enables an additional 109 queries (covering 30 more CWE). 4 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The CodeQL CLI now uses Python 3 to extract both Python 2 and Python 3 databases. Correspondingly, support for using Python 2 to extract Python databases is now deprecated. Starting with version 2.11.3, you will need to install Python 3 to extract Python databases.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed a bug in the :code:`js/type-confusion-through-parameter-tampering` query that would cause it to ignore sanitizers in branching conditions. The query should now report fewer false positives.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Modernizations from "Cleartext storage of sensitive information in buffer" (:code:`cpp/cleartext-storage-buffer`) have been ported to the "Cleartext storage of sensitive information in file" (:code:`cpp/cleartext-storage-file`), "Cleartext transmission of sensitive information" (:code:`cpp/cleartext-transmission`) and "Cleartext storage of sensitive information in an SQLite database" (:code:`cpp/cleartext-storage-database`) queries. These changes may result in more correct results and fewer false positive results from these queries.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+C#
+""
+
+*   A new extractor option has been introduced for disabling CIL extraction. Either pass :code:`-Ocil=false` to the :code:`codeql` CLI or set the environment variable :code:`CODEQL_EXTRACTOR_CSHARP_OPTION_CIL=false`.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+Golang
+""""""
+
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+Java
+""""
+
+*   The Java extractor now populates the :code:`Method` relating to a :code:`MethodAccess` consistently for calls using an explicit and implicit :code:`this` qualifier. Previously if the method :code:`foo` was inherited from a specialised generic type :code:`ParentType<String>`, then an explicit call :code:`this.foo()` would yield a :code:`MethodAccess` whose :code:`getMethod()` accessor returned the bound method :code:`ParentType<String>.foo`, whereas an implicitly-qualified :code:`foo()` :code:`MethodAccess`\ 's :code:`getMethod()` would return the unbound method :code:`ParentType.foo`. Now both scenarios produce a bound method. This means that all data-flow queries may return more results where a relevant path transits a call to such an implicitly-qualified call to a member method with a bound generic type, while queries that inspect the result of :code:`MethodAccess.getMethod()` may need to tolerate bound generic methods in more circumstances. The queries :code:`java/iterator-remove-failure`, :code:`java/non-static-nested-class`, :code:`java/internal-representation-exposure`, :code:`java/subtle-inherited-call` and :code:`java/deprecated-call` have been amended to properly handle calls to bound generic methods, and in some instances may now produce more results in the explicit-\ :code:`this` case as well.
+*   Added taint model for arguments of :code:`java.net.URI` constructors to the queries :code:`java/path-injection` and :code:`java/path-injection-local`.
+*   Added new sinks related to Android's :code:`AlarmManager` to the query :code:`java/android/implicit-pendingintents`.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Improved how the JavaScript parser handles ambiguities between plain JavaScript and dialects such as Flow and E4X that use the same file extension. The parser now prefers plain JavaScript if possible, falling back to dialects only if the source code can not be parsed as plain JavaScript. Previously, there were rare cases where parsing would fail because the parser would erroneously attempt to parse dialect-specific syntax in a regular JavaScript file.- The :code:`js/regexp/always-matches` query will no longer report an empty regular expression as always matching, as this is often the intended behavior.
+    
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+Python
+""""""
+
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+Ruby
+""""
+
+*   The :code:`rb/unsafe-deserialization` query now includes alerts for user-controlled data passed to :code:`Hash.from_trusted_xml`, since that method can deserialize YAML embedded in the XML, which in turn can result in deserialization of arbitrary objects.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a new medium-precision query, :code:`cpp/missing-check-scanf`, which detects :code:`scanf` output variables that are used without a proper return-value check to see that they were actually written. A variation of this query was originally contributed as an `experimental query by @ihsinme <https://github.com/github/codeql/pull/8246>`__.
+
+Java
+""""
+
+*   The query "Server-side template injection" (:code:`java/server-side-template-injection`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/5935>`__.
+*   Added a new query, :code:`java/android/backup-enabled`, to detect if Android applications allow backups.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/hardcoded-data-interpreted-as-code`, to detect cases where hardcoded data is executed as code, a technique associated with backdoors.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   Added the :code:`security-severity` tag and CWE tag to the :code:`go/insecure-hostkeycallback` query.
+
+Java
+""""
+
+*   Removed the :code:`@security-severity` tag from several queries not in the :code:`Security/` folder that also had missing :code:`security` tags.
+
+Python
+""""""
+
+*   Added the :code:`security-severity` tag the :code:`py/redos`, :code:`py/polynomial-redos`, and :code:`py/regex-injection` queries.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+C#
+""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Java
+""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Python
+""""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Ruby
+""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The :code:`Member.getQualifiedName()` predicate result now includes the qualified name of the declaring type.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Many library models have been rewritten to use dataflow nodes instead of the AST.
+    The types of some classes have been changed, and these changes may break existing code.
+    Other classes and predicates have been renamed, in these cases the old name is still available as a deprecated feature.
+*   The basetype of the following list of classes has changed from an expression to a dataflow node, and thus code using these classes might break.
+    The fix to these breakages is usually to use :code:`asExpr()` to get an expression from a dataflow node, or to use :code:`.flow()` to get a dataflow node from an expression.
+
+    *   DOM.qll#WebStorageWrite
+    *   CryptoLibraries.qll#CryptographicOperation
+    *   Express.qll#Express::RequestBodyAccess
+    *   HTTP.qll#HTTP::ResponseBody
+    *   HTTP.qll#HTTP::CookieDefinition
+    *   HTTP.qll#HTTP::ServerDefinition
+    *   HTTP.qll#HTTP::RouteSetup
+    *   NoSQL.qll#NoSql::Query
+    *   SQL.qll#SQL::SqlString
+    *   SQL.qll#SQL::SqlSanitizer
+    *   HTTP.qll#ResponseBody
+    *   HTTP.qll#CookieDefinition
+    *   HTTP.qll#ServerDefinition
+    *   HTTP.qll#RouteSetup
+    *   HTTP.qll#HTTP::RedirectInvocation
+    *   HTTP.qll#RedirectInvocation
+    *   Express.qll#Express::RouterDefinition
+    *   AngularJSCore.qll#LinkFunction
+    *   Connect.qll#Connect::StandardRouteHandler
+    *   CryptoLibraries.qll#CryptographicKeyCredentialsExpr
+    *   AWS.qll#AWS::Credentials
+    *   Azure.qll#Azure::Credentials
+    *   Connect.qll#Connect::Credentials
+    *   DigitalOcean.qll#DigitalOcean::Credentials
+    *   Express.qll#Express::Credentials
+    *   NodeJSLib.qll#NodeJSLib::Credentials
+    *   PkgCloud.qll#PkgCloud::Credentials
+    *   Request.qll#Request::Credentials
+    *   ServiceDefinitions.qll#InjectableFunctionServiceRequest
+    *   SensitiveActions.qll#SensitiveVariableAccess
+    *   SensitiveActions.qll#CleartextPasswordExpr
+    *   Connect.qll#Connect::ServerDefinition
+    *   Restify.qll#Restify::ServerDefinition
+    *   Connect.qll#Connect::RouteSetup
+    *   Express.qll#Express::RouteSetup
+    *   Fastify.qll#Fastify::RouteSetup
+    *   Hapi.qll#Hapi::RouteSetup
+    *   Koa.qll#Koa::RouteSetup
+    *   Restify.qll#Restify::RouteSetup
+    *   NodeJSLib.qll#NodeJSLib::RouteSetup
+    *   Express.qll#Express::StandardRouteHandler
+    *   Express.qll#Express::SetCookie
+    *   Hapi.qll#Hapi::RouteHandler
+    *   HTTP.qll#HTTP::Servers::StandardHeaderDefinition
+    *   HTTP.qll#Servers::StandardHeaderDefinition
+    *   Hapi.qll#Hapi::ServerDefinition
+    *   Koa.qll#Koa::AppDefinition
+    *   SensitiveActions.qll#SensitiveCall
+
+Ruby
+""""
+
+*   :code:`import ruby` no longer brings the standard Ruby AST library into scope; it instead brings a module :code:`Ast` into scope, which must be imported. Alternatively, it is also possible to import :code:`codeql.ruby.AST`.
+*   Changed the :code:`HTTP::Client::Request` concept from using :code:`MethodCall` as base class, to using :code:`DataFlow::Node` as base class. Any class that extends :code:`HTTP::Client::Request::Range` must be changed, but if you only use the member predicates of :code:`HTTP::Client::Request`, no changes are required.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The virtual dispatch relation used in data flow now favors summary models over source code for dispatch to interface methods from :code:`java.util` unless there is evidence that a specific source implementation is reachable. This should provide increased precision for any projects that include, for example, custom :code:`List` or :code:`Map` implementations.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 4.8.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added new sinks to the query :code:`java/android/implicit-pendingintents` to take into account the classes :code:`androidx.core.app.NotificationManagerCompat` and :code:`androidx.core.app.AlarmManagerCompat`.
+*   Added new flow steps for :code:`androidx.core.app.NotificationCompat` and its inner classes.
+*   Added flow sinks, sources and summaries for the Kotlin standard library.
+*   Added flow summary for :code:`org.springframework.data.repository.CrudRepository.save()`.
+*   Added new flow steps for the following Android classes:
+
+    *   :code:`android.content.ContentResolver`
+    *   :code:`android.content.ContentProviderClient`
+    *   :code:`android.content.ContentProviderOperation`
+    *   :code:`android.content.ContentProviderOperation$Builder`
+    *   :code:`android.content.ContentProviderResult`
+    *   :code:`android.database.Cursor`
+    
+*   Added taint flow models for the :code:`java.lang.String.(charAt|getBytes)` methods.
+*   Improved taint flow models for the :code:`java.lang.String.(replace|replaceFirst|replaceAll)` methods. Additional results may be found where users do not properly sanitize their inputs.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   A model for the :code:`mermaid` library has been added. XSS queries can now detect flow through the :code:`render` method of the :code:`mermaid` library.
+
+Python
+""""""
+
+*   Changed :code:`CallNode.getArgByName` such that it has results for keyword arguments given after a dictionary unpacking argument, as the :code:`bar=2` argument in :code:`func(foo=1, **kwargs, bar=2)`.
+*   :code:`getStarArg` member-predicate on :code:`Call` and :code:`CallNode` has been changed for calls that have multiple :code:`*args` arguments (for example :code:`func(42, *my_args, *other_args)`): Instead of producing no results, it will always have a result for the *first* such :code:`*args` argument.
+*   Reads of global/non-local variables (without annotations) inside functions defined on classes now works properly in the case where the class had an attribute defined with the same name as the non-local variable.
+
+Ruby
+""""
+
+*   Uses of :code:`ActionView::FileSystemResolver` are now recognized as filesystem accesses.
+*   Accesses of ActiveResource models are now recognized as HTTP requests.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+C#
+""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Golang
+""""""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Java
+""""
+
+*   The predicate :code:`Annotation.getAValue()` has been deprecated because it might lead to obtaining the value of the wrong annotation element by accident. :code:`getValue(string)` (or one of the value type specific predicates) should be used to explicitly specify the name of the annotation element.
+*   The predicate :code:`Annotation.getAValue(string)` has been renamed to :code:`getAnArrayValue(string)`.
+*   The predicate :code:`SuppressWarningsAnnotation.getASuppressedWarningLiteral()` has been deprecated because it unnecessarily restricts the result type; :code:`getASuppressedWarning()` should be used instead.
+*   The predicates :code:`TargetAnnotation.getATargetExpression()` and :code:`RetentionAnnotation.getRetentionPolicyExpression()` have been deprecated because getting the enum constant read expression is rarely useful, instead the corresponding predicates for getting the name of the referenced enum constants should be used.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Python
+""""""
+
+*   Some unused predicates in :code:`SsaDefinitions.qll`, :code:`TObject.qll`, :code:`protocols.qll`, and the :code:`pointsto/` folder have been deprecated.
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Ruby
+""""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added subclasses of :code:`BuiltInOperations` for :code:`__is_same`, :code:`__is_function`, :code:`__is_layout_compatible`, :code:`__is_pointer_interconvertible_base_of`, :code:`__is_array`, :code:`__array_rank`, :code:`__array_extent`, :code:`__is_arithmetic`, :code:`__is_complete_type`, :code:`__is_compound`, :code:`__is_const`, :code:`__is_floating_point`, :code:`__is_fundamental`, :code:`__is_integral`, :code:`__is_lvalue_reference`, :code:`__is_member_function_pointer`, :code:`__is_member_object_pointer`, :code:`__is_member_pointer`, :code:`__is_object`, :code:`__is_pointer`, :code:`__is_reference`, :code:`__is_rvalue_reference`, :code:`__is_scalar`, :code:`__is_signed`, :code:`__is_unsigned`, :code:`__is_void`, and :code:`__is_volatile`.
+
+Java
+""""
+
+*   Added a new predicate, :code:`allowsBackup`, in the :code:`AndroidApplicationXmlElement` class. This predicate detects if the application element does not disable the :code:`android:allowBackup` attribute.
+*   The predicates of the CodeQL class :code:`Annotation` have been improved:
+
+    *   Convenience value type specific predicates have been added, such as :code:`getEnumConstantValue(string)` or :code:`getStringValue(string)`.
+    *   Convenience predicates for elements with array values have been added, such as :code:`getAnEnumConstantArrayValue(string)`. While the behavior of the existing predicates has not changed, usage of them should be reviewed (or replaced with the newly added predicate) to make sure they work correctly for elements with array values.
+    *   Some internal CodeQL usage of the :code:`Annotation` predicates has been adjusted and corrected; this might affect the results of some queries.
+    
+*   New predicates have been added to the CodeQL class :code:`Annotatable` to support getting declared and associated annotations. As part of that, :code:`hasAnnotation()` has been changed to also consider inherited annotations, to be consistent with :code:`hasAnnotation(string, string)` and :code:`getAnAnnotation()`. The newly added predicate :code:`hasDeclaredAnnotation()` can be used as replacement for the old functionality.
+*   New predicates have been added to the CodeQL class :code:`AnnotationType` to simplify getting information about usage of JDK meta-annotations, such as :code:`@Retention`.
+
+Shared Libraries
+----------------
+
+Initial Release
+~~~~~~~~~~~~~~~
+
+Static Single Assignment (SSA)
+""""""""""""""""""""""""""""""
+
+*   Initial release. Extracted common SSA code into a library pack to share code between languages.
+
+Database of Common Typographical Errors
+"""""""""""""""""""""""""""""""""""""""
+
+*   Initial release. Share the database of common typographical errors between languages.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.1.rst
@@ -0,0 +1,145 @@
+.. _codeql-cli-2.11.1:
+
+==========================
+CodeQL 2.11.1 (2022-10-11)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.11.1 runs a total of 354 security queries when configured with the Default suite (covering 148 CWE). The Extended suite enables an additional 109 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   Pack installation using the CodeQL Packaging beta will now fail if a compatible version cannot be found. This replaces the previous behavior where :code:`codeql pack download` and related commands would instead install the latest version of the pack in this situation.
+
+Bug Fixes
+~~~~~~~~~
+
+*   It is no longer an error to call :code:`codeql pack create <path>` with a :code:`<path>` option pointing to a file name. The CLI will walk up the directory tree and run the command in the first directory containing the :code:`qlpack.yml` or :code:`codeql-pack.yml` file.
+*   Fixed a concurrency error observed when using :code:`codeql database import` or
+    :code:`codeql database finalize` with multiple threads and multiple additional databases on a C++ codebase.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The :code:`--[no-]count-lines` option to :code:`codeql database create` and related commands is now deprecated and will be removed in a future release of the CodeQL CLI (earliest 2.12.0). It is replaced by
+    :code:`--[no-]calculate-baseline` to reflect the additional baseline information that is now captured as of this release.
+
+New Features
+~~~~~~~~~~~~
+
+*   Subcommands that compile QL accept a new :code:`--no-release-compatibility` option. It does nothing for now, but in the future it will be used to control a trade-off between query performance and compatibility with older/newer releases of the QL evaluator.
+*   :code:`codeql database analyze` and related commands now support absolute paths containing the :code:`@` or :code:`:` characters when specifying which queries to run. To reference a query file, directory, or suite whose path contains a literal :code:`@` or :code:`:`, prefix the query specifier with :code:`path:`, for example:
+
+    ..  code-block:: shell
+    
+            codeql database analyze --format=sarif-latest --output=results <db> path:C:/Users/ci/workspace@2/security/query.ql
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
+C#
+""
+
+*   The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
+Java
+""""
+
+*   The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+*   :code:`PathSanitizer.qll` has been promoted from experimental to the main query pack. This sanitizer was originally `submitted as part of an experimental query by @luchua-bc <https://github.com/github/codeql/pull/7286>`__.
+*   The queries :code:`java/path-injection`, :code:`java/path-injection-local` and :code:`java/zipslip` now use the sanitizers provided by :code:`PathSanitizer.qll`.
+
+Ruby
+""""
+
+*   The :code:`rb/xxe` query has been updated to add the following sinks for XML external entity expansion:
+
+    #.  Calls to parse XML using :code:`LibXML` when its :code:`default_substitute_entities` option is enabled.
+    #.  Uses of the Rails methods :code:`ActiveSupport::XmlMini.parse`, :code:`Hash.from_xml`, and :code:`Hash.from_trusted_xml` when :code:`ActiveSupport::XmlMini` is configured to use :code:`LibXML` as its backend, and its :code:`default_substitute_entities` option is enabled.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new query, :code:`java/android/webview-debugging-enabled`, to detect instances of WebView debugging being enabled in production builds.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   :code:`DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
+*   ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
+
+Golang
+""""""
+
+*   Added support for :code:`BeegoInput.RequestBody` as a source of untrusted data.
+
+Java
+""""
+
+*   Added external flow sources for the intents received in exported Android services.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Several of the SQL and NoSQL library models have improved, leading to more results for the :code:`js/sql-injection` query,
+    and in some cases the :code:`js/missing-rate-limiting` query.
+
+Python
+""""""
+
+*   Added the ability to refer to subscript operations in the API graph. It is now possible to write :code:`response().getMember("cookies").getASubscript()` to find code like :code:`resp.cookies["key"]` (assuming :code:`response` returns an API node for response objects).
+*   Added modeling of creating Flask responses with :code:`flask.jsonify`.
+
+Ruby
+""""
+
+*   The following classes have been moved from :code:`codeql.ruby.frameworks.ActionController` to :code:`codeql.ruby.frameworks.Rails`\ :
+
+    *   :code:`ParamsCall`, now accessed as :code:`Rails::ParamsCall`.
+    *   :code:`CookieCall`, now accessed as :code:`Rails::CookieCall`.
+    
+*   The following classes have been moved from :code:`codeql.ruby.frameworks.ActionView` to :code:`codeql.ruby.frameworks.Rails`\ :
+
+    *   :code:`HtmlSafeCall`, now accessed as :code:`Rails::HtmlSafeCall`.
+    *   :code:`HtmlEscapeCall`, now accessed as :code:`Rails::HtmlEscapeCall`.
+    *   :code:`RenderCall`, now accessed as :code:`Rails::RenderCall`.
+    *   :code:`RenderToCall`, now accessed as :code:`Rails::RenderToCall`.
+    
+*   Subclasses of :code:`ActionController::Metal` are now recognised as controllers.
+*   :code:`ActionController::DataStreaming::send_file` is now recognized as a
+    :code:`FileSystemAccess`.
+*   Various XSS sinks in the ActionView library are now recognized.
+*   Calls to :code:`ActiveRecord::Base.create` are now recognized as model instantiations.
+*   Various code executions, command executions and HTTP requests in the ActiveStorage library are now recognized.
+*   :code:`MethodBase` now has two new predicates related to visibility: :code:`isPublic` and
+    :code:`isProtected`. These hold, respectively, if the method is public or protected.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.2.rst
@@ -0,0 +1,175 @@
+.. _codeql-cli-2.11.2:
+
+==========================
+CodeQL 2.11.2 (2022-10-25)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.11.2 runs a total of 357 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 111 queries (covering 31 more CWE). 5 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   Bundling and publishing a CodeQL pack will no longer include nested CodeQL packs. If you want to include a nested pack in your published pack,
+    then you must explicitly include it using the :code:`include` property in the top-level :code:`qlpack.yml` file.
+    
+    For example, if your package structure looks like this:
+
+    ..  code-block:: text
+    
+        qlpack.yml
+        nested-pack
+           ∟ qlpack.yml
+             query.ql
+        
+    then the contents of :code:`nested-pack` will not be included by default within the published package. To include :code:`nested-pack`, add an entry like this to the top level :code:`qlpack.yml` file:
+
+    ..  code-block:: yaml
+    
+        include:
+          - nested-pack/**
+
+Bug Fixes
+~~~~~~~~~
+
+*   Using the :code:`--codescanning-config=<file>` option in
+    :code:`codeql database init` will now correctly process the :code:`paths` and
+    :code:`pathsIgnore` properties of the configuration file in a way that is identical to the behavior of the :code:`codeql-action`. Previously, :code:`paths` or :code:`pathsIgnore` entries that end in :code:`/**` or start with :code:`/`  were incorrectly rejected by the CLI.
+    
+*   Fixed a bug where the :code:`--compilation-cache` option to
+    :code:`codeql pack publish` and :code:`codeql pack create` was being ignored when creating a query pack.  Now, the indicated cache is used when pre-compiling the queries in it.
+    
+*   Fixed a bug that would make the "Show DIL" command in the VSCode extension display nothing.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   Emit a detailed warning if package resolution fails, the legacy
+    :code:`--search-path` option is provided, *and* there is at least one referenced pack that does not use legacy package resolution.
+    In this case, :code:`--additional-packs` should be used to extend the search to additional directories, instead of :code:`--search-path`.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+Python
+""""""
+
+*   Fixed how :code:`flask.request` is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as :code:`from flask import request`, will now be shown as the first step in a path explanation.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The "Unterminated variadic call" (:code:`cpp/unterminated-variadic-call`) query has been tuned to produce fewer false positive results.
+*   Fixed false positives from the "Unused static function" (:code:`cpp/unused-static-function`) query in files that had errors during compilation.
+
+Golang
+""""""
+
+*   The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Removed some false positives from the :code:`js/file-system-race` query by requiring that the file-check dominates the file-access.
+*   Improved taint tracking through :code:`JSON.stringify` in cases where a tainted value is stored somewhere in the input object.
+
+Python
+""""""
+
+*   Added model of :code:`cx_Oracle`, :code:`oracledb`, :code:`phonenixdb` and :code:`pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for :code:`py/sql-injection`.
+*   Added model of :code:`executemany` calls on PEP-249 compliant database APIs, resulting in additional sinks for :code:`py/sql-injection`.
+*   Added model of :code:`pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for :code:`py/sql-injection`.
+*   The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
+
+Ruby
+""""
+
+*   HTTP response header and body writes via :code:`ActionDispatch::Response` are now recognized.
+*   The :code:`rb/path-injection` query now treats the :code:`file:` argument of the Rails :code:`render` method as a sink.
+*   The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a new medium-precision query, :code:`cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues.
+
+Java
+""""
+
+*   Added a new query, :code:`java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions.
+*   A new query "Uncontrolled data used in content resolution" (:code:`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's :code:`ContentResolver` without previous validation or sanitization.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/non-constant-kernel-open`, to detect uses of Kernel.open and related methods with non-constant values.
+*   Added a new query, :code:`rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP :code:`GET` request.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added support for common patterns involving :code:`Stream.collect` and common collectors like :code:`Collectors.toList()`.
+*   The class :code:`TypeVariable` now also extends :code:`Modifiable`.
+*   Added data flow steps for tainted Android intents that are sent to services and receivers.
+*   Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered.
+
+Python
+""""""
+
+*   Fixed labels in the API graph pertaining to definitions of subscripts. Previously, these were found by :code:`getMember` rather than :code:`getASubscript`.
+*   Added edges for indices of subscripts to the API graph. Now a subscripted API node will have an edge to the API node for the index expression. So if :code:`foo` is matched by API node :code:`A`, then :code:`"key"` in :code:`foo["key"]` will be matched by the API node :code:`A.getIndex()`. This can be used to track the origin of the index.
+*   Added member predicate :code:`getSubscriptAt(API::Node index)` to :code:`API::Node`. Like :code:`getASubscript()`, this will return an API node that matches a subscript of the node, but here it will be restricted to subscripts where the index matches the :code:`index` parameter.
+*   Added convenience predicate :code:`getSubscript("key")` to obtain a subscript at a specific index, when the index happens to be a statically known string.
+
+Ruby
+""""
+
+*   The hashing algorithms from :code:`Digest` and :code:`OpenSSL::Digest` are now recognized and can be flagged by the :code:`rb/weak-cryptographic-algorithm` query.
+*   More sources of remote input arising from methods on :code:`ActionDispatch::Request` are now recognized.
+*   The response value returned by the :code:`Faraday#run_request` method is now also considered a source of remote input.
+*   :code:`ActiveJob::Serializers.deserialize` is considered to be a code execution sink.
+*   Calls to :code:`params` in :code:`ActionMailer` classes are now treated as sources of remote user input.
+*   Taint flow through :code:`ActionController::Parameters` is tracked more accurately.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Deprecated :code:`ContextStartActivityMethod`. Use :code:`StartActivityMethod` instead.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new predicate, :code:`hasIncompletePermissions`, in the :code:`AndroidProviderXmlElement` class. This predicate detects if a provider element does not provide both read and write permissions.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.3.rst
@@ -0,0 +1,107 @@
+.. _codeql-cli-2.11.3:
+
+==========================
+CodeQL 2.11.3 (2022-11-11)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.11.3 runs a total of 358 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 111 queries (covering 31 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The :code:`codeql pack ls --format json` deep plumbing command now returns only the :code:`name` and :code:`version` properties for each found pack.
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   :code:`codeql pack download`, :code:`codeql pack install`, and :code:`codeql pack add` will ignore CodeQL packs with pre-release versions, unless the
+    :code:`--allow-prerelease` option is passed to the command. This brings these commands into alignment with :code:`codeql pack publish` that will avoid publishing CodeQL packs with pre-release versions unless the
+    :code:`--allow-prerelease` option is specified. Pre-release versions have the following format: :code:`X.Y.Z-qualifier` where :code:`X`, :code:`Y`, and :code:`Z` are respectively the major, minor, and patch number. :code:`qualifier` is the pre-release version. For more information about pre-releases, see the
+    \ `Semantic Versioning specification <https://semver.org/#spec-item-9>`__.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The :code:`--[no-]fast-compilation` option to :code:`codeql query compile` is now deprecated.
+
+New Features
+~~~~~~~~~~~~
+
+*   :code:`codeql resolve files` and :code:`codeql database index-files` have a new
+    :code:`--find-any` option, which finds at most one match.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Apache Commons Text that is bundled with the CodeQL CLI has been updated to version 1.10.0. While previous releases shipped with version 1.6 of the library, no part of the CodeQL CLI references the :code:`StringSubstitutor` class that the recently disclosed
+    \ `CVE-2022-42889 <https://github.com/advisories/GHSA-599f-7c49-w659>`__ vulnerability applies to. We therefore do not believe that running previous releases of CodeQL exposes users to this vulnerability.
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.5.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Fixed a bug in :code:`cpp/jsf/av-rule-76` that caused the query to miss results when an implicitly-defined copy constructor or copy assignment operator was generated.
+
+Golang
+""""""
+
+*   Query :code:`go/clear-text-logging` now excludes :code:`GetX` methods of protobuf :code:`Message` structs, except where taint is specifically known to belong to the right field. This is to avoid FPs where taint is written to one field and then spuriously read from another.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added sources for user defined path and query parameters in :code:`Next.js`.
+*   The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
+Ruby
+""""
+
+*   The :code:`rb/weak-cryptographic-algorithm` has been updated to no longer report uses of hash functions such as :code:`MD5` and :code:`SHA1` even if they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.
+
+New Queries
+~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added a new query, :code:`js/second-order-command-line-injection`, to detect shell commands that may execute arbitrary code when the user has control over
+    the arguments to a command-line program.
+    This currently flags up unsafe invocations of git and hg.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Fixed bugs in the :code:`FormatLiteral` class that were causing :code:`getMaxConvertedLength` and related predicates to return no results when the format literal was :code:`%e`, :code:`%f` or :code:`%g` and an explicit precision was specified.
+
+Ruby
+""""
+
+*   There was a bug in :code:`TaintTracking::localTaint` and :code:`TaintTracking::localTaintStep` such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps.
+*   Instantiations using :code:`Faraday::Connection.new` are now recognized as part of :code:`FaradayHttpRequest`\ s, meaning they will be considered as sinks for queries such as :code:`rb/request-forgery`.
+*   Taint flow is now tracked through extension methods on :code:`Hash`, :code:`String` and
+    :code:`Object` provided by :code:`ActiveSupport`.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.4.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.4.rst
@@ -0,0 +1,147 @@
+.. _codeql-cli-2.11.4:
+
+==========================
+CodeQL 2.11.4 (2022-11-24)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.11.4 runs a total of 361 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 112 queries (covering 32 more CWE). 4 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   CodeQL 2.11.1 to 2.11.3 contained a bug in `indirect build tracing <https://codeql.github.com/docs/codeql-cli/creating-codeql-databases/#using-indirect-build-tracing>`__ on Windows when using :code:`codeql database init` with the |link-code-trace-process-level-1|_ flag.
+    In these versions, when :code:`--trace-process-level` was set to a value greater than zero,
+    (or left at the default value of 1), CodeQL attempted to inject its build tracer at a higher level in the process tree than the requested process level.
+    This could lead to errors of the form "No source code found" or
+    "Process tree ended before reaching required level".
+    From 2.11.4 onwards, the CodeQL build tracer is injected at the requested process level.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The :code:`--[no-]fast-compilation` option to :code:`codeql test run` is now deprecated.
+
+New Features
+~~~~~~~~~~~~
+
+*   Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting :code:`CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to :code:`true` in the environment.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed a bug that would cause the extractor to crash when an :code:`import` type is used in the :code:`extends` clause of an :code:`interface`.
+*   Fixed an issue with multi-line strings in YAML files being associated with an invalid location,
+    causing alerts related to such strings to appear at the top of the YAML file.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for :code:`@hapi/glue` and Hapi plugins to the :code:`frameworks/Hapi.qll` library.
+
+Ruby
+""""
+
+*   The :code:`rb/sql-injection` query now considers consider SQL constructions, such as calls to :code:`Arel.sql`, as sinks.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   The query :code:`java/insufficient-key-size` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/4926>`__.
+*   Added a new query, :code:`java/android/sensitive-keyboard-cache`, to detect instances of sensitive information possibly being saved to the Android keyboard cache.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/shell-command-constructed-from-input`, to detect libraries that unsafely construct shell commands from their inputs.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 4.9.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The :code:`[Summary|Sink|Source]ModelCsv` classes have been deprecated and Models as Data models are defined as data extensions instead.
+
+Java
+""""
+
+*   The ReDoS libraries in :code:`semmle.code.java.security.regexp` has been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
+*   Added data flow summaries for tainted Android intents sent to activities via :code:`Activity.startActivities`.
+
+Python
+""""""
+
+*   The ReDoS libraries in :code:`semmle.code.python.security.regexp` have been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
+
+Ruby
+""""
+
+*   Data flow through the :code:`ActiveSupport` extension :code:`Enumerable#index_by` is now modeled.
+*   The :code:`codeql.ruby.Concepts` library now has a :code:`SqlConstruction` class, in addition to the existing :code:`SqlExecution` class.
+*   Calls to :code:`Arel.sql` are now modeled as instances of the new :code:`SqlConstruction` concept.
+*   Arguments to RPC endpoints (public methods) on subclasses of :code:`ActionCable::Channel::Base` are now recognized as sources of remote user input.
+*   Taint flow through the :code:`ActiveSupport` extensions :code:`Hash#reverse_merge` and :code:`Hash:reverse_merge!`, and their aliases, is now modeled more generally, where previously it was only modeled in the context of :code:`ActionController` parameters.
+*   Calls to :code:`logger` in :code:`ActiveSupport` actions are now recognised as logger instances.
+*   Calls to :code:`send_data` in :code:`ActiveSupport` actions are recognised as HTTP responses.
+*   Calls to :code:`body_stream` in :code:`ActiveSupport` actions are recognised as HTTP request accesses.
+*   The :code:`ActiveSupport` extensions :code:`Object#try` and :code:`Object#try!` are now recognised as code executions.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Kotlin support is now in beta. This means that Java analyses will also include Kotlin code by default. Kotlin support can be disabled by setting :code:`CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to :code:`true` in the environment.
+*   The new :code:`string Compilation.getInfo(string)` predicate provides access to some information about compilations.
+
+Shared Libraries
+----------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Regular Expression Analysis
+"""""""""""""""""""""""""""
+
+*   Initial release. Extracted common regex related code, including the ReDoS analysis, into a library pack to share code between languages.
+
+.. |link-code-trace-process-level-1| replace:: :code:`--trace-process-level`\ 
+.. _link-code-trace-process-level-1: https://codeql.github.com/docs/codeql-cli/manual/database-init/#cmdoption-codeql-database-init-trace-process-level
+
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.5.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.5.rst
@@ -0,0 +1,20 @@
+.. _codeql-cli-2.11.5:
+
+==========================
+CodeQL 2.11.5 (2022-12-07)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug that could cause log summary generation to fail in vscode.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.6.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.6.rst
@@ -0,0 +1,39 @@
+.. _codeql-cli-2.11.6:
+
+==========================
+CodeQL 2.11.6 (2022-12-13)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   Java and Kotlin analyses in this release of the CLI and all earlier releases are incompatible with Kotlin 1.7.30 and later. To prevent code scanning alerts being spuriously dismissed, Java and Kotlin analyses will now fail when using Kotlin 1.7.30 or later.
+    
+    If you are unable to use Kotlin 1.7.29 or earlier, you can disable Kotlin support by setting
+    :code:`CODEQL_EXTRACTOR_JAVA_AGENT_DISABLE_KOTLIN` to :code:`true` in the environment.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug where it was not possible to run queries in CodeQL query packs for C# that use the legacy :code:`libraryPathDependencies` property in their :code:`qlpack.yml` file. The associated error message complained about undefined extensional predicates.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Kotlin extraction will now fail if the Kotlin version in use is at least 1.7.30. This is to ensure using an as-yet-unsupported version is noticable, rather than silently failing to extract Kotlin code and therefore producing false-negative results.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.0.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.0.rst
@@ -0,0 +1,325 @@
+.. _codeql-cli-2.12.0:
+
+==========================
+CodeQL 2.12.0 (2023-01-10)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.12.0 runs a total of 365 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 116 queries (covering 32 more CWE). 8 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The :code:`--[no-]count-lines` option to :code:`codeql database create` and related commands that was deprecated in 2.11.1 has been removed. Users of this option should instead pass
+    :code:`--[no-]calculate-baseline`.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug where the :code:`codeql pack install` command would fail if a `CodeQL configuration file <https://codeql.github.com/docs/codeql-cli/specifying-command-options-in-a-codeql-configuration-file/#using-a-codeql-configuration-file>`__ is used and the :code:`--additional-packs` option is specified.
+
+New Features
+~~~~~~~~~~~~
+
+*   Query packs created by :code:`codeql pack create`, :code:`codeql pack bundle`, and :code:`codeql pack release` now contain precompiled queries in a new format that aims to be compatible with future (and, to a certain extent, past) releases of the CodeQL CLI. Previously the precompiled queries were in a format specific to each CLI release, and all other releases would need to re-compile queries.
+    
+    Published packs contain precompiled queries in files with a :code:`.qlx` extension located next to each query's :code:`.ql` source file.  In case of differences between the :code:`.ql` and :code:`.qlx` files, the :code:`.qlx` file takes priority when evaluating queries from the command line, so if you need to modify a published pack, be sure to delete the :code:`.qlx` files first.
+    
+    A new :code:`--precompile` flag to :code:`codeql query compile` can be used to construct :code:`*.qlx` file explicitly, but in all usual cases it should be enough to rely on :code:`codeql pack create` doing the right thing.
+    
+*   The :code:`codeql database init` command now accepts a PAT that allows you to download queries from external, private repositories when using the :code:`--codescanning-config <config-file>` option. For example, you can specify the following queries block in the config file, which will checkout the main branch of the :code:`codeql-test/my-private-repository` repository and evaluate any queries found in that repository:
+
+    ..  code-block:: yaml
+    
+        queries:
+          - codeql-test/my-private-repository@main
+        
+    If the repository is private, you can add a :code:`--external-repository-token-stdin` option and supply a PAT with appropriate permissions via standard input. For more information on queries and external repositories in Code Scanning, see `Using queries in QL packs <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs>`__.
+    
+*   The baseline information produced by :code:`codeql database init` and
+    :code:`codeql database create` now accounts for
+    |link-code-paths-and-code-paths-ignore-configuration-1|_.
+    
+*   In the VS Code extension, recursive calls will be marked with inlay hints. These can be disabled with the global inlay hints setting
+    (:code:`editor.inlayHints.enabled`). If you just want to disable them for
+    codeql the settings can be scoped to just codeql files (language id is :code:`ql`).
+    See `Language Specific Editor Settings <https://code.visualstudio.com/docs/getstarted/settings#_language-specific-editor-settings>`__ in the VS Code documentation for more information.
+    
+*   The CLI now gives a more helpful error message when asked to run queries on a database that has not been finalized.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+C#
+""
+
+*   Fixes a bug where the Owin.qll framework library will look for "URI" instead of "Uri" in the OwinRequest class.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
+*   The :code:`cpp/missing-check-scanf` query no longer reports the free'ing of :code:`scanf` output variables as potential reads.
+
+C#
+""
+
+*   The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
+*   The extensible predicates for Models as Data have been renamed (the :code:`ext` prefix has been removed). As an example, :code:`extSummaryModel` has been renamed to :code:`summaryModel`.
+
+Golang
+""""""
+
+*   The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
+
+Java
+""""
+
+*   The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
+*   The extensible predicates for Models as Data have been renamed (the :code:`ext` prefix has been removed). As an example, :code:`extSummaryModel` has been renamed to :code:`summaryModel`.
+*   The query :code:`java/misnamed-type` is now enabled for Kotlin.
+*   The query :code:`java/non-serializable-field` is now enabled for Kotlin.
+*   Fixed an issue in the query :code:`java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.
+*   The query :code:`java/maven/non-https-url` no longer alerts about disabled repositories.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`AlertSuppression.ql` query has been updated to support the new :code:`// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`// lgtm` and :code:`// lgtm[query-id]` comments can now also be placed on the line before an alert.
+
+Python
+""""""
+
+*   The :code:`analysis/AlertSuppression.ql` query has moved to the root folder. Users that refer to this query by path should update their configurations. The query has been updated to support the new :code:`# codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`# lgtm` and :code:`# lgtm[query-id]` comments can now also be placed on the line before an alert.
+*   Bumped the minimum keysize we consider secure for elliptic curve cryptography from 224 to 256 bits, following current best practices. This might effect results from the *Use of weak cryptographic key* (:code:`py/weak-crypto-key`) query.
+*   Added modeling of :code:`getpass.getpass` as a source of passwords, which will be an additional source for :code:`py/clear-text-logging-sensitive-data`, :code:`py/clear-text-storage-sensitive-data`, and :code:`py/weak-sensitive-data-hashing`.
+
+Ruby
+""""
+
+*   The :code:`AlertSuppression.ql` query has been updated to support the new :code:`# codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy :code:`# lgtm` and :code:`# lgtm[query-id]` comments can now also be placed on the line before an alert.
+*   Extended the :code:`rb/kernel-open` query with following sinks: :code:`IO.write`, :code:`IO.binread`, :code:`IO.binwrite`, :code:`IO.foreach`, :code:`IO.readlines`, and :code:`URI.open`.
+
+New Queries
+~~~~~~~~~~~
+
+C#
+""
+
+*   Added a new query, :code:`csharp/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
+
+Java
+""""
+
+*   Added a new query, :code:`java/summary/generated-vs-manual-coverage`, to expose metrics for the number of API endpoints covered by generated versus manual MaD models.
+*   Added a new query, :code:`java/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
+*   Added a new query, :code:`java/android/missing-certificate-pinning`, to find network calls where certificate pinning is not implemented.
+*   Added a new query, :code:`java/android-webview-addjavascriptinterface`, to detect the use of :code:`addJavascriptInterface`, which can lead to cross-site scripting.
+*   Added a new query, :code:`java/android-websettings-file-access`, to detect configurations that enable file system access in Android WebViews.
+*   Added a new query, :code:`java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.
+*   The query :code:`java/regex-injection` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally `submitted as an experimental query by @edvraa <https://github.com/github/codeql/pull/5704>`__.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/stack-trace-exposure`, to detect exposure of stack-traces to users via HTTP responses.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+Golang
+""""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Java
+""""
+
+*   We now correctly handle empty block comments, like :code:`/**/`. Previously these could be mistaken for Javadoc comments and led to attribution of Javadoc tags to the wrong declaration.
+
+Python
+""""""
+
+*   :code:`except*` is now supported.
+*   The result of :code:`Try.getAHandler` and :code:`Try.getHandler(<index>)` is no longer of type :code:`ExceptStmt`, as handlers may also be :code:`ExceptGroupStmt`\ s (After Python 3.11 introduced PEP 654). Instead, it is of the new type :code:`ExceptionHandler` of which :code:`ExceptStmt` and :code:`ExceptGroupStmt` are subtypes. To support selecting only one type of handler, :code:`Try.getANormalHandler` and :code:`Try.getAGroupHandler` have been added. Existing uses of :code:`Try.getAHandler` for which it is important to select only normal handlers, will need to be updated to :code:`Try.getANormalHandler`.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The predicates in the :code:`MustFlow::Configuration` class used by the :code:`MustFlow` library (:code:`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
+
+Golang
+""""""
+
+*   The signature of :code:`allowImplicitRead` on :code:`DataFlow::Configuration` and :code:`TaintTracking::Configuration` has changed from :code:`allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to :code:`allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   The *PAM authorization bypass due to incorrect usage* (:code:`py/pam-auth-bypass`) query has been converted to a taint-tracking query, resulting in significantly fewer false positives.
+
+Ruby
+""""
+
+*   Flow through :code:`initialize` constructors is now taken into account. For example, in
+
+    ..  code-block:: rb
+    
+        class C
+          def initialize(x)
+            @field = x
+          end
+        end
+        
+        C.new(y)
+        
+    there will be flow from :code:`y` to the field :code:`@field` on the constructed :code:`C` object.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`ArgvSource` flow source now uses the second parameter of :code:`main` as its source instead of the uses of this parameter.
+*   The :code:`ArgvSource` flow source has been generalized to handle cases where the argument vector of :code:`main` is not named :code:`argv`.
+*   The :code:`getaddrinfo` function is now recognized as a flow source.
+*   The :code:`secure_getenv` and :code:`_wgetenv` functions are now recognized as local flow sources.
+*   The :code:`scanf` and :code:`fscanf` functions and their variants are now recognized as flow sources.
+*   Deleted the deprecated :code:`getName` and :code:`getShortName` predicates from the :code:`Folder` class.
+
+C#
+""
+
+*   C# 11: Added support for list- and slice patterns in the extractor.
+*   Deleted the deprecated :code:`getNameWithoutBrackets` predicate from the :code:`ValueOrRefType` class in :code:`Type.qll`.
+*   :code:`Element::hasQualifiedName/1` has been deprecated. Use :code:`hasQualifiedName/2` or :code:`hasQualifiedName/3` instead.
+*   Added TCP/UDP sockets as taint sources.
+
+Golang
+""""""
+
+*   The predicate :code:`getNumParameter` on :code:`FuncTypeExpr` has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. :code:`getNumParameterDecl` has been introduced to preserve this functionality.
+*   The definition of :code:`mayHaveSideEffects` for :code:`ReturnStmt` was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstances :code:`globalValueNumber` may have incorrectly treated two values as the same when they were in fact distinct.
+*   Queries that care about SQL, such as :code:`go/sql-injection`, now recognise SQL-consuming functions belonging to the :code:`gorqlite` and :code:`GoFrame` packages.
+*   :code:`rsync` has been added to the list of commands which may evaluate its parameters as a shell command.
+
+Java
+""""
+
+*   Added more dataflow models for frequently-used JDK APIs.
+*   The extraction of Kotlin extension methods has been improved when default parameter values are present. The dispatch and extension receiver parameters are extracted in the correct order. The :code:`ExtensionMethod::getExtensionReceiverParameterIndex` predicate has been introduced to facilitate getting the correct extension parameter index.
+*   The query :code:`java/insecure-cookie` now uses global dataflow to track secure cookies being set to the HTTP response object.
+*   The library :code:`PathSanitizer.qll` has been improved to detect more path validation patterns in Kotlin.
+*   Models as Data models for Java are defined as data extensions instead of being inlined in the code. New models should be added in the :code:`lib/ext` folder.
+*   Added a taint model for the method :code:`java.nio.file.Path.getParent`.
+*   Fixed a problem in the taint model for the method :code:`java.nio.file.Paths.get`.
+*   Deleted the deprecated :code:`LocalClassDeclStmtNode` and :code:`LocalClassDeclStmt` classes from :code:`PrintAst.qll` and :code:`Statement.qll` respectively.
+*   Deleted the deprecated :code:`getLocalClass` predicate from :code:`LocalTypeDeclStmt`, and the deprecated :code:`getLocalClassDeclStmt` predicate from :code:`LocalClassOrInterface`.
+*   Added support for Android Manifest :code:`<activity-aliases>` elements in data flow sources.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Deleted the deprecated :code:`Instance` class from the :code:`Vue` module.
+*   Deleted the deprecated :code:`VHtmlSourceWrite` class from :code:`DomBasedXssQuery.qll`.
+*   Deleted all the deprecated :code:`[QueryName].qll` files from the :code:`javascript/ql/lib/semmle/javascript/security/dataflow` folder, use the corresponding :code:`[QueryName]Query.qll` files instead.
+*   The ReDoS libraries in :code:`semmle.code.javascript.security.regexp` has been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
+
+Python
+""""""
+
+*   Added :code:`subprocess.getoutput` and :code:`subprocess.getoutputstatus` as new command injection sinks for the StdLib.
+*   The data-flow library has been rewritten to no longer rely on the points-to analysis in order to resolve references to modules. Improvements in the module resolution can lead to more results.
+*   Deleted the deprecated :code:`importNode` predicate from the :code:`DataFlowUtil.qll` file.
+*   Deleted the deprecated features from :code:`PEP249.qll` that were not inside the :code:`PEP249` module.
+*   Deleted the deprecated :code:`werkzeug` from the :code:`Werkzeug` module in :code:`Werkzeug.qll`.
+*   Deleted the deprecated :code:`methodResult` predicate from :code:`PEP249::Cursor`.
+
+Ruby
+""""
+
+*   Calls to :code:`Kernel.load`, :code:`Kernel.require`, :code:`Kernel.autoload` are now modeled as sinks for path injection.
+*   Calls to :code:`mail` and :code:`inbound_mail` in :code:`ActionMailbox` controllers are now considered sources of remote input.
+*   Calls to :code:`GlobalID::Locator.locate` and its variants are now recognized as instances of :code:`OrmInstantiation`.
+*   Data flow through the :code:`ActiveSupport` extensions :code:`Enumerable#index_with`, :code:`Enumerable#pick`, :code:`Enumerable#pluck` and :code:`Enumerable#sole`  are now modeled.
+*   When resolving a method call, the analysis now also searches in sub-classes of the receiver's type.
+*   Taint flow is now tracked through many common JSON parsing and generation methods.
+*   The ReDoS libraries in :code:`codeql.ruby.security.regexp` has been moved to a shared pack inside the :code:`shared/` folder, and the previous location has been deprecated.
+*   String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Deprecated :code:`semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use :code:`semmle.code.cpp.ir.dataflow.TaintTracking`.
+*   Deprecated :code:`semmle.code.cpp.security.TaintTrackingImpl`. Use :code:`semmle.code.cpp.ir.dataflow.TaintTracking`.
+*   Deprecated :code:`semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use :code:`semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
+
+Golang
+""""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+New Features
+~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Improved support for `Restify <http://restify.com/>`__ framework, leading to more results when scanning applications developed with this framework.
+*   Added support for the `Spife <https://github.com/npm/spife>`__ framework.
+
+Shared Libraries
+----------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Type Trackers
+"""""""""""""
+
+*   Initial release. Includes a parameterized module implementing type-trackers.
+
+QL Detective Tutorial
+"""""""""""""""""""""
+
+*   Initial release. Contains the library for the CodeQL detective tutorials, helping new users learn to write CodeQL queries.
+
+Utility Classes
+"""""""""""""""
+
+*   Initial release. Includes common utility classes and modules: Unit, Boolean, and Option.
+
+.. |link-code-paths-and-code-paths-ignore-configuration-1| replace:: :code:`paths` and :code:`paths-ignore` configuration
+.. _link-code-paths-and-code-paths-ignore-configuration-1: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#specifying-directories-to-scan
+
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.1.rst
@@ -0,0 +1,99 @@
+.. _codeql-cli-2.12.1:
+
+==========================
+CodeQL 2.12.1 (2023-01-23)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.12.1 runs a total of 384 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 120 queries (covering 31 more CWE). 23 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   Added a new command-line flag :code:`--expect-discarded-cache`, which gives a hint to the evaluator that the evaluation cache will be discarded after analysis completes. This allows it to avoid some unnecessary writes to the cache, for predicates that aren't needed by the query/suite being evaluated.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`cpp/no-space-for-terminator` and :code:`cpp/uncontrolled-allocation-size` queries have been enhanced with heuristic detection of allocations. These queries now find more results.
+
+Golang
+""""""
+
+*   Replacing "\r" or "\n" using the functions :code:`strings.ReplaceAll`, :code:`strings.Replace`, :code:`strings.Replacer.Replace` and :code:`strings.Replacer.WriteString` has been added as a sanitizer for the queries "Log entries created from user input".
+*   The functions :code:`strings.Replacer.Replace` and :code:`strings.Replacer.WriteString` have been added as sanitizers for the query "Potentially unsafe quoting".
+
+Java
+""""
+
+*   The name, description and alert message for the query :code:`java/concatenated-sql-query` have been altered to emphasize that the query flags the use of string concatenation to construct SQL queries, not the lack of appropriate escaping. The query's files have been renamed from :code:`SqlUnescaped.ql` and :code:`SqlUnescapedLib.qll` to :code:`SqlConcatenated.ql` and :code:`SqlConcatenatedLib.qll` respectively; in the unlikely event your custom configuration or queries refer to either of these files by name, those references will need to be adjusted. The query id remains :code:`java/concatenated-sql-query`, so alerts should not be re-raised as a result of this change.
+
+Ruby
+""""
+
+*   The :code:`rb/unsafe-deserialization` query now recognizes input from STDIN as a source.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new query :code:`java/android/websettings-allow-content-access` to detect Android WebViews which do not disable access to :code:`content://` urls.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/unsafe-code-construction`, to detect libraries that unsafely construct code from their inputs.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   Added library support for generic attributes (also for CIL extracted attributes).
+*   :code:`cil.ConstructedType::getName` was changed to include printing of the type arguments.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   Attributes on methods in CIL are now extracted (Bugfix).
+*   Support for :code:`static virtual` and :code:`static abstract` interface members.
+*   Support for *operators* in interface definitions.
+*   C# 11: Added support for the unsigned right shift :code:`>>>` and unsigned right shift assignment :code:`>>>=` operators.
+*   Query id's have been aligned such that they are prefixed with :code:`cs` instead of :code:`csharp`.
+
+Java
+""""
+
+*   Added sink models for the constructors of :code:`org.springframework.jdbc.object.MappingSqlQuery` and :code:`org.springframework.jdbc.object.MappingSqlQueryWithParameters`.
+*   Added more dataflow models for frequently-used JDK APIs.
+*   Removed summary model for :code:`java.lang.String#endsWith(String)` and added neutral model for this API.
+*   Added additional taint step for :code:`java.lang.String#endsWith(String)` to :code:`ConditionalBypassFlowConfig`.
+*   Added :code:`AllowContentAccessMethod` to represent the :code:`setAllowContentAccess` method of the :code:`android.webkit.WebSettings` class.
+*   Added an external flow source for the parameters of methods annotated with :code:`android.webkit.JavascriptInterface`.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.2.rst
@@ -0,0 +1,92 @@
+.. _codeql-cli-2.12.2:
+
+==========================
+CodeQL 2.12.2 (2023-02-07)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.12.2 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 121 queries (covering 31 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a QL evaluator bug introduced in release 2.12.1 which could in certain rare cases lead to wrong analysis results.
+    
+*   Fixed handling of :code:`-Xclang <arg>` arguments passed to the :code:`clang` compiler which could cause missing extractions for C++ code bases.
+    
+*   Fixed a bug where the :code:`--overwrite` option was failing for database clusters.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.6.
+
+Query Packs
+-----------
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new query, :code:`java/android/sensitive-result-receiver`, to find instances of sensitive data being leaked to an untrusted :code:`ResultReceiver`.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/html-constructed-from-input`, to detect libraries that unsafely construct HTML from their inputs.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   Add extractor and library support for UTF-8 encoded strings.
+*   The :code:`StringLiteral` class includes UTF-8 encoded strings.
+*   In the DB Scheme :code:`@string_literal_expr` is renamed to :code:`@utf16_string_literal_expr`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   C# 11: Added extractor support for :code:`ref` fields in :code:`ref struct` declarations.
+
+Java
+""""
+
+*   Added sink models for the :code:`createQuery`, :code:`createNativeQuery`, and :code:`createSQLQuery` methods of the :code:`org.hibernate.query.QueryProducer` interface.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added sinks from the |link-code-node-pty-1|_ library to the :code:`js/code-injection` query.
+
+Ruby
+""""
+
+*   Data flowing from the :code:`locals` argument of a Rails :code:`render` call is now tracked to uses of that data in an associated view.
+*   Access to headers stored in the :code:`env` of Rack requests is now recognized as a source of remote input.
+*   Ruby 3.2: anonymous rest and keyword rest arguments can now be passed as arguments, instead of just used in method parameters.
+
+.. |link-code-node-pty-1| replace:: :code:`node-pty`\ 
+.. _link-code-node-pty-1: https://www.npmjs.com/package/node-pty
+
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.3.rst
@@ -0,0 +1,132 @@
+.. _codeql-cli-2.12.3:
+
+==========================
+CodeQL 2.12.3 (2023-02-23)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.12.3 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 122 queries (covering 31 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug where the CLI would refuse to complete database creation if the OS reports less than about 1.5 GB of physical memory. Now an attempt will be made even on low-memory systems (but it might still run out of memory unless there's swap space available).
+
+New Features
+~~~~~~~~~~~~
+
+*   The CodeQL compiler now produces better error messages when it is unable to find a QL library that the query being evaluated depends on.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The :code:`java/index-out-of-bounds` query has improved its handling of arrays of constant length, and may report additional results in those cases.
+
+Ruby
+""""
+
+*   The :code:`rb/polynomial-redos` query now considers the entrypoints of the API of a gem as sources.
+
+New Queries
+~~~~~~~~~~~
+
+Golang
+""""""
+
+*   Added a new query, :code:`go/unhandled-writable-file-close`, to detect instances where writable file handles are closed without appropriate checks for errors.
+
+Java
+""""
+
+*   Added a new query, :code:`java/xxe-local`, which is a version of the XXE query that uses local sources (for example, reads from a local file).
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/regex/badly-anchored-regexp`, to detect regular expression validators that use :code:`^` and :code:`$` as anchors and therefore might match only a single line of a multi-line string.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   The precision of the :code:`go/log-injection` query was decreased from :code:`high` to :code:`medium`, since it may not be able to identify every way in which log data may be sanitized. This also aligns it with the precision of comparable queries for other languages.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   Python 2 is no longer supported for extracting databases using the CodeQL CLI. As a consequence,
+    the previously deprecated support for :code:`pyxl` and :code:`spitfire` templates has also been removed. When extracting Python 2 code, having Python 2 installed is still recommended, as this ensures the correct version of the Python standard library is extracted.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   C# 11: Added extractor support for the :code:`scoped` modifier annotation on parameters and local variables.
+
+Golang
+""""""
+
+*   Support for the Twirp framework has been added.
+
+Java
+""""
+
+*   Removed the first argument of :code:`java.nio.file.Files#createTempDirectory(String,FileAttribute[])` as a "create-file" sink.
+*   Added the first argument of :code:`java.nio.file.Files#copy` as a "read-file" sink for the :code:`java/path-injection` query.
+*   The data flow library now disregards flow through code that is dead based on some basic constant propagation, for example, guards like :code:`if (1+1>3)`.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added dataflow sources for the `express-ws <https://www.npmjs.com/package/express-ws>`__ library.
+
+Python
+""""""
+
+*   Fixed module resolution so we properly recognize that in :code:`from <pkg> import *`, where :code:`<pkg>` is a package, the actual imports are made from the :code:`<pkg>/__init__.py` file.
+
+Ruby
+""""
+
+*   Ruby 3.1: one-line pattern matches are now supported. The AST nodes are named :code:`TestPattern` (:code:`expr in pattern`) and :code:`MatchPattern` (:code:`expr => pattern`).
+
+New Features
+~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   Go 1.20 is now supported. The extractor now functions as expected when Go 1.20 is installed; the definition of :code:`implementsComparable` has been updated according to Go 1.20's new, more-liberal rules; and taint flow models have been added for relevant, new standard-library functions.
+
+Java
+""""
+
+*   Kotlin versions up to 1.8.20 are now supported.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.4.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.4.rst
@@ -0,0 +1,115 @@
+.. _codeql-cli-2.12.4:
+
+==========================
+CodeQL 2.12.4 (2023-03-09)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The default value of the :code:`--mode` switch to :code:`codeql pack install` has changed. The default is now :code:`--mode minimal-update`.
+    Previously, it was :code:`use-lock`.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The :code:`--freeze` switch for :code:`codeql pack create`, :code:`codeql pack bundle`, and :code:`codeql pack publish` is now deprecated and ignored, as there is no longer a cache within a pack.
+*   The :code:`--mode update` switch to :code:`codeql pack resolve-dependencies` is now deprecated. Instead, use the new :code:`--mode upgrade` switch, which has identical behavior.
+*   The :code:`--mode` switch to :code:`codeql pack install` is now deprecated.
+
+    *   Instead of :code:`--mode update`, use :code:`codeql pack upgrade`.
+    *   Instead of :code:`--mode verify`, use :code:`codeql pack ci`.
+
+New Features
+~~~~~~~~~~~~
+
+*   The per-pack compilation cache has been replaced with a global compilation cache found within :code:`~/.codeql`.
+*   :code:`codeql pack install` now uses a new algorithm to determine which versions of the pack's dependencies to use, based on the `PubGrub <https://nex3.medium.com/pubgrub-2fb6470504f>`__ algorithm. The new algorithm is able to find a solution for many cases that the previous algorithm would fail to solve. When the new algorithm is unable to find a valid solution, it generates a detailed error message explaining why there is no valid solution.
+*   Added a new command, :code:`codeql pack upgrade`. This command is similar to :code:`codeql pack install`,
+    except that it ignores any existing lock file, installs the latest compatible version of each dependency, and writes a new lock file. This is equivalent to :code:`codeql pack install --mode update`.
+    Note that the :code:`--mode` switch to :code:`codeql pack install` is now deprecated.
+*   Added a new command, :code:`codeql pack ci`. This command is similar to :code:`codeql pack install`,
+    except if the existing lock file is missing, or if it conflicts with the version constraints in the :code:`qlpack.yml` file, the command generates an error. This is equivalent to
+    :code:`codeql pack install --mode verify`. Note that the :code:`--mode` switch to :code:`codeql pack install` is now deprecated.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   The query :code:`go/incorrect-integer-conversion` now correctly recognizes guards of the form :code:`if val <= x` to protect a conversion :code:`uintX(val)` when :code:`x` is in the range :code:`(math.MaxIntX, math.MaxUintX]`.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`js/regex-injection` query now recognizes environment variables and command-line arguments as sources.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`CryptographicOperation` concept has been changed to use a range pattern. This is a breaking change and existing implementations of :code:`CryptographicOperation` will need to be updated in order to compile. These implementations can be updated by:
+
+    #.  Extending :code:`CryptographicOperation::Range` rather than :code:`CryptographicOperation`
+    #.  Renaming the :code:`getInput()` member predicate as :code:`getAnInput()`
+    #.  Implementing the :code:`BlockMode getBlockMode()` member predicate. The implementation for this can be :code:`none()` if the operation is a hashing operation or an encryption operation using a stream cipher.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   We use a new analysis for the call-graph (determining which function is called). This can lead to changed results. In most cases this is much more accurate than the old call-graph that was based on points-to, but we do lose a few valid edges in the call-graph, especially around methods that are not defined inside its class.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The query :code:`cs/static-field-written-by-instance` is updated to handle properties.
+*   C# 11: Support for explicit interface member implementation of operators.
+*   The extraction of member modifiers has been generalized, which could lead to the extraction of more modifiers.
+*   C# 11: Added extractor and library support for :code:`file` scoped types.
+*   C# 11: Added extractor support for :code:`required` fields and properties.
+*   C# 11: Added library support for :code:`checked` operators.
+
+Java
+""""
+
+*   Added new sinks for :code:`java/hardcoded-credential-api-call` to identify the use of hardcoded secrets in the creation and verification of JWT tokens using :code:`com.auth0.jwt`. These sinks are from `an experimental query submitted by @luchua <https://github.com/github/codeql/pull/9036>`__.
+*   The Java extractor now supports builds against JDK 20.
+*   The query :code:`java/hardcoded-credential-api-call` now recognizes methods that accept user and password from the SQLServerDataSource class of the Microsoft JDBC Driver for SQL Server.
+
+Python
+""""""
+
+*   Fixed module resolution so we properly recognize definitions made within if-then-else statements.
+*   Added modeling of cryptographic operations in the :code:`hmac` library.
+
+Ruby
+""""
+
+*   Flow is now tracked between ActionController :code:`before_filter` and :code:`after_filter` callbacks and their associated action methods.
+*   Calls to :code:`ApplicationController#render` and :code:`ApplicationController::Renderer#render` are recognized as Rails rendering calls.
+*   Support for `Twirp framework <https://twitchtv.github.io/twirp/docs/intro.html>`__.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.5.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.5.rst
@@ -0,0 +1,238 @@
+.. _codeql-cli-2.12.5:
+
+==========================
+CodeQL 2.12.5 (2023-03-21)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.12.5 runs a total of 385 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 124 queries (covering 31 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fix a bug in :code:`codeql query run` where queries whose path contain colons cannot be run.
+
+New Features
+~~~~~~~~~~~~
+
+*   The :code:`codeql pack install` command now accepts a :code:`--additional-packs` option. This option takes a list of directories to search for locally available packs when resolving which packs to install. Any pack that is found locally through :code:`--additional-packs` will override any other version of a pack found in the package registry.
+    Locally resolved packs are not added to the lock file.
+    
+    Because the use of :code:`--additional-packs` when running
+    :code:`codeql pack install` makes running queries dependent on the local state of the machine initially invoking :code:`codeql pack install`, a warning is emitted if any pack is found outside of the package registry. This warning can be suppressed by using the
+    :code:`--no-strict-mode` option.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The following queries now recognize HTML sanitizers as propagating taint: :code:`js/sql-injection`,
+    :code:`js/path-injection`, :code:`js/server-side-unvalidated-url-redirection`, :code:`js/client-side-unvalidated-url-redirection`,
+    and :code:`js/request-forgery`.
+
+Deprecated Queries
+~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`NetworkToBufferSizeConfiguration` and :code:`UntrustedDataToExternalApiConfig` dataflow configurations have been deprecated. Please use :code:`NetworkToBufferSizeFlow` and :code:`UntrustedDataToExternalApiFlow`.
+*   The :code:`LeapYearCheckConfiguration`, :code:`FiletimeYearArithmeticOperationCheckConfiguration`, and :code:`PossibleYearArithmeticOperationCheckConfiguration` dataflow configurations have been deprecated. Please use :code:`LeapYearCheckFlow`, :code:`FiletimeYearArithmeticOperationCheckFlow` and :code:`PossibleYearArithmeticOperationCheckFlow`.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new query, :code:`java/android/arbitrary-apk-installation`, to detect installation of APKs from untrusted sources.
+
+Python
+""""""
+
+*   Added a new query, :code:`py/shell-command-constructed-from-input`, to detect libraries that unsafely construct shell commands from their inputs.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/zip-slip`, to detect arbitrary file writes during extraction of zip/tar archives.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`semmle.code.cpp.commons.Buffer` and :code:`semmle.code.cpp.commons.NullTermination` libraries no longer expose :code:`semmle.code.cpp.dataflow.DataFlow`. Please import :code:`semmle.code.cpp.dataflow.DataFlow` directly.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   A new C/C++ dataflow library (:code:`semmle.code.cpp.dataflow.new.DataFlow`) has been added.
+    The new library behaves much more like the dataflow library of other CodeQL supported languages by following use-use dataflow paths instead of def-use dataflow paths.
+    The new library also better supports dataflow through indirections, and new predicates such as :code:`Node::asIndirectExpr` have been added to facilitate working with indirections.
+    
+    The :code:`semmle.code.cpp.ir.dataflow.DataFlow` library is now identical to the new
+    :code:`semmle.code.cpp.dataflow.new.DataFlow` library.
+    
+*   The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
+
+C#
+""
+
+*   The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
+
+Golang
+""""""
+
+*   The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
+
+Java
+""""
+
+*   Removed low-confidence call edges to known neutral call targets from the call graph used in data flow analysis. This includes, for example, custom :code:`List.contains` implementations when the best inferrable type at the call site is simply :code:`List`.
+*   Added more sink and summary dataflow models for the following packages:
+
+    *   :code:`java.io`
+    *   :code:`java.lang`
+    *   :code:`java.sql`
+    *   :code:`javafx.scene.web`
+    *   :code:`org.apache.commons.compress.archivers.tar`
+    *   :code:`org.apache.http.client.utils`
+    *   :code:`org.codehaus.cargo.container.installer`
+    
+*   The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
+
+Python
+""""""
+
+*   The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
+
+Ruby
+""""
+
+*   The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Deleted the deprecated :code:`hasGeneratedCopyConstructor` and :code:`hasGeneratedCopyAssignmentOperator` predicates from the :code:`Folder` class.
+*   Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
+*   Deleted the deprecated :code:`getMustlockFunction`, :code:`getTrylockFunction`, :code:`getLockFunction`, and :code:`getUnlockFunction` predicates from the :code:`MutexType` class.
+*   Deleted the deprecated :code:`getPosInBasicBlock` predicate from the :code:`SubBasicBlock` class.
+*   Deleted the deprecated :code:`getExpr` predicate from the :code:`PointerDereferenceExpr` class.
+*   Deleted the deprecated :code:`getUseInstruction` and :code:`getDefinitionInstruction` predicates from the :code:`Operand` class.
+*   Deleted the deprecated :code:`isInParameter`, :code:`isInParameterPointer`, and :code:`isInQualifier` predicates from the :code:`FunctionInput` class.
+*   Deleted the deprecated :code:`isOutParameterPointer`, :code:`isOutQualifier`, :code:`isOutReturnValue`, and :code:`isOutReturnPointer` predicate from the :code:`FunctionOutput` class.
+*   Deleted the deprecated 3-argument :code:`isGuardPhi` predicate from the :code:`RangeSsaDefinition` class.
+
+C#
+""
+
+*   Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
+*   Deleted the deprecated :code:`getAssertionIndex`, and :code:`getAssertedParameter` predicates from the :code:`AssertMethod` class.
+*   Deleted the deprecated :code:`OverridableMethod` and :code:`OverridableAccessor` classes.
+*   The :code:`unsafe` predicate for :code:`Modifiable` has been extended to cover delegate return types and identify pointer-like types at any nest level. This is relevant for :code:`unsafe` declarations extracted from assemblies.
+
+Java
+""""
+
+*   Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
+*   Deleted the deprecated :code:`getRepresentedString` predicate from the :code:`StringLiteral` class.
+*   Deleted the deprecated :code:`ServletWriterSource` class.
+*   Deleted the deprecated :code:`getGroupID`, :code:`getArtefactID`, and :code:`artefactMatches` predicates from the :code:`MavenRepoJar` class.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
+*   Deleted the deprecated :code:`getId` from the :code:`Function`, :code:`NamespaceDefinition`, and :code:`ImportEqualsDeclaration` classes.
+*   Deleted the deprecated :code:`flowsTo` predicate from the :code:`HTTP::Servers::RequestSource` and :code:`HTTP::Servers::ResponseSource` class.
+*   Deleted the deprecated :code:`getEventName` predicate from the :code:`SocketIO::ReceiveNode`, :code:`SocketIO::SendNode`, :code:`SocketIOClient::SendNode` classes.
+*   Deleted the deprecated :code:`RateLimitedRouteHandlerExpr` and :code:`RouteHandlerExpressionWithRateLimiter` classes.
+*   \ `Import assertions <https://github.com/tc39/proposal-import-assertions>`__ are now supported.
+    Previously this feature was only supported in TypeScript code, but is now supported for plain JavaScript as well and is also accessible in the AST.
+
+Python
+""""""
+
+*   Deleted the deprecated :code:`getPath` and :code:`getFolder` predicates from the :code:`XmlFile` class.
+
+Ruby
+""""
+
+*   Data flow through :code:`initialize` methods is now taken into account also when the receiver of a :code:`new` call is an (implicit or explicit) :code:`self`.
+*   The Active Record query methods :code:`reorder` and :code:`count_by_sql` are now recognized as SQL executions.
+*   Calls to :code:`ActiveRecord::Connection#execute`, including those via subclasses, are now recognized as SQL executions.
+*   Data flow through :code:`ActionController::Parameters#require` is now tracked properly.
+*   The severity of parse errors was reduced to warning (previously error).
+*   Deleted the deprecated :code:`getQualifiedName` predicate from the :code:`ConstantWriteAccess` class.
+*   Deleted the deprecated :code:`getWhenBranch` and :code:`getAWhenBranch` predicates from the :code:`CaseExpr` class.
+*   Deleted the deprecated :code:`Self`, :code:`PatternParameter`, :code:`Pattern`, :code:`VariablePattern`, :code:`TuplePattern`, and :code:`TuplePatternParameter` classes.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`WriteConfig` taint tracking configuration has been deprecated. Please use :code:`WriteFlow`.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
+
+C#
+""
+
+*   Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
+
+Golang
+""""""
+
+*   Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
+
+Java
+""""
+
+*   Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
+
+Python
+""""""
+
+*   Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
+
+Ruby
+""""
+
+*   Added support for merging two :code:`PathGraph`\ s via disjoint union to allow results from multiple data flow computations in a single :code:`path-problem` query.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.6.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.6.rst
@@ -0,0 +1,57 @@
+.. _codeql-cli-2.12.6:
+
+==========================
+CodeQL 2.12.6 (2023-04-04)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.12.6 runs a total of 386 security queries when configured with the Default suite (covering 154 CWE). The Extended suite enables an additional 124 queries (covering 31 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug in :code:`codeql database analyze` and related commands where the :code:`--max-paths` option was not respected correctly when multiple alerts with the same primary code location were grouped together.
+    (This grouping is the default behavior unless the :code:`--no-group-alerts` option is passed.)
+    This bug caused some SARIF files produced by CodeQL to exceed the limits on the number of paths (:code:`threadFlows`) accepted by code scanning,
+    leading to errors when uploading results.
+
+New Features
+~~~~~~~~~~~~
+
+*   Several experimental subcommands have been added in support of the new `code scanning tool status page <https://github.blog/changelog/2023-03-28-code-scanning-shows-the-health-of-tools-enabled-on-a-repository/>`__.
+    These include :code:`codeql database add-diagnostic`,
+    :code:`codeql database export-diagnostics`, and the
+    :code:`codeql diagnostic add` and :code:`codeql diagnostic export` plumbing subcommands.
+
+Known Issues
+~~~~~~~~~~~~
+
+*   We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with :code:`codeql  github upload-results`. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1.
+    
+    This issue occurs when uploading certain kinds of diagnostic information and causes the subcommand to fail with "A fatal error occurred: Invalid SARIF.", reporting an :code:`InvalidDefinitionException`.
+    
+    Customers who wish to use CodeQL 2.12.6 or 2.13.0 can
+    work around the problem by passing :code:`--no-sarif-include-diagnostics` to any invocations of :code:`codeql database analyze` or :code:`codeql database interpret-results`.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Ruby
+""""
+
+*   :code:`rb/sensitive-get-query` no longer reports flow paths from input parameters to sensitive use nodes. This avoids cases where many flow paths could be generated for a single parameter, which caused excessive paths to be generated.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.7.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.12.7.rst
@@ -0,0 +1,20 @@
+.. _codeql-cli-2.12.7:
+
+==========================
+CodeQL 2.12.7 (2023-04-18)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug in :code:`codeql database upload-results` where the subcommand would fail with "A fatal error occurred: Invalid SARIF.", reporting an :code:`InvalidDefinitionException`. This issue occurred when the SARIF file contained certain kinds of diagnostic information.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.0.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.0.rst
@@ -0,0 +1,322 @@
+.. _codeql-cli-2.13.0:
+
+==========================
+CodeQL 2.13.0 (2023-04-20)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.13.0 runs a total of 388 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 124 queries (covering 30 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   In :code:`codeql pack add`, the dependency that is added to the :code:`qlpack.yml` file will now allow any version of the pack that is compatible with the specified version (:code:`^version`) in the following cases:
+
+    *   When no version is specified (:code:`codeql pack add codeql/cpp-all`).
+    *   When the version is specified as :code:`latest` (:code:`codeql pack add codeql/cpp-all@latest`).
+    *   When a single version is specified (:code:`codeql pack add codeql/cpp-all@1.0.0`).
+    
+    The :code:`^version` dependency allows any version of that pack with no breaking changes since :code:`version`.
+    For example, :code:`^1.2.3` would allow versions :code:`1.2.3`, :code:`1.2.5`, and :code:`1.4.0`, but not :code:`2.0.0`, because changing the major version number to :code:`2` indicates a breaking change.
+    
+    Using :code:`^version` ensures that the added pack is not needlessly constrained to an exact version by default.
+    
+*   Upper-case variable names are no longer accepted by the QL compiler.
+    
+    Such variable names have produced a deprecation warning since release 2.9.2 (released 2022-05-16), so QL code that compiles without warnings with a recent release of the CLI should still work.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The possibility to omit :code:`override` annotations on class member predicates that override a base class predicate has been deprecated.
+    This is to avoid confusion with shadowing behaviour in the presence of final member predicates.
+
+    ..  code-block:: ql
+    
+        class Foo extends Base {
+          final predicate foo() { ... }
+        
+          predicate bar() { ... }
+        
+          predicate baz() { ... }
+        }
+        
+        class Bar extends Foo {
+          // This method shadows Foo::foo.
+          predicate foo() { ... }
+        
+          // This used to override Foo::bar with a warning, is now deprecated.
+          predicate bar() { ... }
+        
+          // This correctly overrides Foo::baz
+          override predicate baz() { ... }
+        }
+
+New Features
+~~~~~~~~~~~~
+
+*   :code:`codeql database analyze` and related commands now export file coverage information by default. GHAS customers using CodeQL in third-party CI systems will now see file coverage information on the
+    \ `tool status page <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/about-the-tool-status-page>`__ without needing to modify their CI workflows.
+
+Known Issues
+~~~~~~~~~~~~
+
+*   We recommend that customers using the CodeQL CLI in a third party CI system do not upgrade to this release, due to an issue with :code:`codeql  github upload-results`. Instead, please use CodeQL 2.12.5, or, when available, CodeQL 2.12.7 or 2.13.1. For more information, see the
+    "Known issues" section for CodeQL 2.12.6.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed a bug where a destructuring pattern could not be parsed if it had a property named :code:`get` or :code:`set` with a default value.
+
+Python
+""""""
+
+*   Nonlocal variables are excluded from alerts.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The query :code:`cpp/tainted-arithmetic` now also flags possible overflows in arithmetic assignment operations.
+
+C#
+""
+
+*   The query :code:`cs/web/debug-binary` now disregards the :code:`debug` attribute in case there is a transformation that removes it.
+
+Golang
+""""""
+
+*   The receiver arguments of :code:`net/http.Header.Set` and :code:`.Del` are no longer flagged by query :code:`go/untrusted-data-to-external-api`.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`DisablingCertificateValidation.ql` query has been updated to check :code:`createServer` from :code:`https` for disabled certificate validation.
+*   Improved the model of jQuery to account for XSS sinks where the HTML string is provided via a callback. This may lead to more results for the :code:`js/xss` query.
+*   The :code:`js/weak-cryptographic-algorithm` query now flags cryptograhic operations using a weak block mode,
+    such as AES-ECB.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The query :code:`cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
+
+Java
+""""
+
+*   The query :code:`java/insecure-ldap-auth` has been promoted from experimental to the main query pack. This query detects transmission of cleartext credentials in LDAP authentication. Insecure LDAP authentication causes sensitive information to be vulnerable to remote attackers. This query was originally `submitted as an experimental query by @luchua-bc <https://github.com/github/codeql/pull/4854>`__
+
+Ruby
+""""
+
+*   Added a new experimental query, :code:`rb/server-side-template-injection`, to detect cases where user input may be embedded into a template's code in an unsafe manner.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+
+C#
+""
+
+*   Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+
+Golang
+""""""
+
+*   Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+
+Java
+""""
+
+*   Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+
+Python
+""""""
+
+*   Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular, :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+
+Ruby
+""""
+
+*   Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular :code:`DataFlow::hasFlowPath`, :code:`DataFlow::hasFlow`, :code:`DataFlow::hasFlowTo`, and :code:`DataFlow::hasFlowToExpr` were accidentally exposed in a single version.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The internal :code:`SsaConsistency` module has been moved from :code:`SSAConstruction` to :code:`SSAConsitency`, and the deprecated :code:`SSAConsistency` module has been removed.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 5.0.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`BufferAccess` library (:code:`semmle.code.cpp.security.BufferAccess`) no longer matches buffer accesses inside unevaluated contexts (such as inside :code:`sizeof` or :code:`decltype` expressions). As a result, queries using this library may see fewer false positives.
+
+Java
+""""
+
+*   Fixed a bug in the regular expression used to identify sensitive information in :code:`SensitiveActions::getCommonSensitiveInfoRegex`. This may affect the results of the queries :code:`java/android/sensitive-communication`, :code:`java/android/sensitive-keyboard-cache`, and :code:`java/sensitive-log`.
+*   Added a summary model for the :code:`java.lang.UnsupportedOperationException(String)` constructor.
+*   The filenames embedded in :code:`Compilation.toString()` now use :code:`/` as the path separator on all platforms.
+*   Added models for the following packages:
+
+    *   :code:`java.lang`
+    *   :code:`java.net`
+    *   :code:`java.nio.file`
+    *   :code:`java.io`
+    *   :code:`java.lang.module`
+    *   :code:`org.apache.commons.httpclient.util`
+    *   :code:`org.apache.commons.io`
+    *   :code:`org.apache.http.client`
+    *   :code:`org.eclipse.jetty.client`
+    *   :code:`com.google.common.io`
+    *   :code:`kotlin.io`
+    
+*   Added the :code:`TaintedPathQuery.qll` library to provide the :code:`TaintedPathFlow` and :code:`TaintedPathLocalFlow` taint-tracking modules to reason about tainted path vulnerabilities.
+*   Added the :code:`ZipSlipQuery.qll` library to provide the :code:`ZipSlipFlow` taint-tracking module to reason about zip-slip vulnerabilities.
+*   Added the :code:`InsecureBeanValidationQuery.qll` library to provide the :code:`BeanValidationFlow` taint-tracking module to reason about bean validation vulnerabilities.
+*   Added the :code:`XssQuery.qll` library to provide the :code:`XssFlow` taint-tracking module to reason about cross site scripting vulnerabilities.
+*   Added the :code:`LdapInjectionQuery.qll` library to provide the :code:`LdapInjectionFlow` taint-tracking module to reason about LDAP injection vulnerabilities.
+*   Added the :code:`ResponseSplittingQuery.qll` library to provide the :code:`ResponseSplittingFlow` taint-tracking module to reason about response splitting vulnerabilities.
+*   Added the :code:`ExternallyControlledFormatStringQuery.qll` library to provide the :code:`ExternallyControlledFormatStringFlow` taint-tracking module to reason about externally controlled format string vulnerabilities.
+*   Improved the handling of addition in the range analysis. This can cause in minor changes to the results produced by :code:`java/index-out-of-bounds` and :code:`java/constant-comparison`.
+*   A new models as data sink kind :code:`command-injection` has been added.
+*   The queries :code:`java/command-line-injection` and :code:`java/concatenated-command-line` now can be extended using the :code:`command-injection` models as data sink kind.
+*   Added more sink and summary dataflow models for the following packages:
+
+    *   :code:`java.net`
+    *   :code:`java.nio.file`
+    *   :code:`javax.imageio.stream`
+    *   :code:`javax.naming`
+    *   :code:`javax.servlet`
+    *   :code:`org.geogebra.web.full.main`
+    *   :code:`hudson`
+    *   :code:`hudson.cli`
+    *   :code:`hudson.lifecycle`
+    *   :code:`hudson.model`
+    *   :code:`hudson.scm`
+    *   :code:`hudson.util`
+    *   :code:`hudson.util.io`
+    
+*   Added the extensible abstract class :code:`JndiInjectionSanitizer`. Now this class can be extended to add more sanitizers to the :code:`java/jndi-injection` query.
+*   Added a summary model for the :code:`nativeSQL` method of the :code:`java.sql.Connection` interface.
+*   Added sink and summary dataflow models for the Jenkins and Netty frameworks.
+*   The Models as Data syntax for selecting the qualifier has been changed from :code:`-1` to :code:`this` (e.g. :code:`Argument[-1]` is now written as :code:`Argument[this]`).
+*   Added sources and flow step models for the Netty framework up to version 4.1.
+*   Added more dataflow models for frequently-used JDK APIs.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   :code:`router.push` and :code:`router.replace` in :code:`Next.js` are now considered as XSS sink.
+*   The crypto-js module in :code:`CryptoLibraries.qll` now supports progressive hashing with algo.update().
+
+Python
+""""""
+
+*   Added modeling of SQL execution in the packages :code:`sqlite3.dbapi2`, :code:`cassandra-driver`, :code:`aiosqlite`, and the functions :code:`sqlite3.Connection.executescript`\ /\ :code:`sqlite3.Cursor.executescript` and :code:`asyncpg.connection.connect()`.
+*   Fixed module resolution so we allow imports of definitions that have had an attribute assigned to it, such as :code:`class Foo; Foo.bar = 42`.
+
+Ruby
+""""
+
+*   Control flow graph: the evaluation order of scope expressions and receivers in multiple assignments has been adjusted to match the changes made in Ruby
+    3.1 and 3.2.
+*   The clear-text storage (:code:`rb/clear-text-storage-sensitive-data`) and logging (:code:`rb/clear-text-logging-sensitive-data`) queries now use built-in flow through hashes, for improved precision. This may result in both new true positives and less false positives.
+*   Accesses of :code:`params` in Sinatra applications are now recognized as HTTP input accesses.
+*   Data flow is tracked from Sinatra route handlers to ERB files.
+*   Data flow is tracked between basic Sinatra filters (those without URL patterns) and their corresponding route handlers.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The single-parameter predicates :code:`ArrayOrVectorAggregateLiteral.getElementExpr` and :code:`ClassAggregateLiteral.getFieldExpr` have been deprecated in favor of :code:`ArrayOrVectorAggregateLiteral.getAnElementExpr` and :code:`ClassAggregateLiteral.getAFieldExpr`.
+*   The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
+*   The :code:`SslContextCallAbstractConfig`, :code:`SslContextCallConfig`, :code:`SslContextCallBannedProtocolConfig`, :code:`SslContextCallTls12ProtocolConfig`, :code:`SslContextCallTls13ProtocolConfig`, :code:`SslContextCallTlsProtocolConfig`, :code:`SslContextFlowsToSetOptionConfig`, :code:`SslOptionConfig` dataflow configurations from :code:`BoostorgAsio` have been deprecated. Please use :code:`SslContextCallConfigSig`, :code:`SslContextCallGlobal`, :code:`SslContextCallFlow`, :code:`SslContextCallBannedProtocolFlow`, :code:`SslContextCallTls12ProtocolFlow`, :code:`SslContextCallTls13ProtocolFlow`, :code:`SslContextCallTlsProtocolFlow`, :code:`SslContextFlowsToSetOptionFlow`.
+
+C#
+""
+
+*   The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
+
+Golang
+""""""
+
+*   The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
+
+Java
+""""
+
+*   The :code:`execTainted` predicate in :code:`CommandLineQuery.qll` has been deprecated and replaced with the predicate :code:`execIsTainted`.
+*   The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
+*   The :code:`WebViewDubuggingQuery` library has been renamed to :code:`WebViewDebuggingQuery` to fix the typo in the file name. :code:`WebViewDubuggingQuery` is now deprecated.
+
+Python
+""""""
+
+*   The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
+
+Ruby
+""""
+
+*   The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added overridable predicates :code:`getSizeExpr` and :code:`getSizeMult` to the :code:`BufferAccess` class (:code:`semmle.code.cpp.security.BufferAccess.qll`). This makes it possible to model a larger class of buffer reads and writes using the library.
+
+Java
+""""
+
+*   Predicates :code:`Compilation.getExpandedArgument` and :code:`Compilation.getAnExpandedArgument` has been added.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.1.rst
@@ -0,0 +1,118 @@
+.. _codeql-cli-2.13.1:
+
+==========================
+CodeQL 2.13.1 (2023-05-03)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.13.1 runs a total of 389 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 125 queries (covering 32 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug in :code:`codeql database upload-results` where the subcommand would fail with "A fatal error occurred: Invalid SARIF.", reporting an :code:`InvalidDefinitionException`. This issue occurred when the SARIF file contained certain kinds of diagnostic information.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.7.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixes an issue that would cause TypeScript extraction to hang in rare cases when extracting code containing recursive generic type aliases.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   Additional sinks modelling writes to unencrypted local files have been added to :code:`ExternalLocationSink`, used by the :code:`cs/cleartext-storage` and :code:`cs/exposure-of-sensitive-information` queries.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Improved the call graph to better handle the case where a function is stored on a plain object and subsequently copied to a new host object via an :code:`extend` call.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   A new query :code:`cpp/double-free` has been added. The query finds possible cases of deallocating the same pointer twice. The precision of the query has been set to "medium".
+*   The query :code:`cpp/use-after-free` has been modernized and assigned the precision "medium". The query finds cases of where a pointer is dereferenced after its memory has been deallocated.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The Yaml.qll library was moved into a shared library pack named :code:`codeql/yaml` to make it possible for other languages to re-use it. This change should be backwards compatible for existing JavaScript queries.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   Taking a slice is now considered a sanitizer for :code:`SafeUrlFlow`.
+
+Java
+""""
+
+*   Changed some models of Spring's :code:`FileCopyUtils.copy` to be path injection sinks instead of summaries.
+*   Added models for the following packages:
+
+    *   java.nio.file
+    
+*   Added models for `Apache HttpComponents <https://hc.apache.org/>`__ versions 4 and 5.
+*   Added sanitizers that recognize line breaks to the query :code:`java/log-injection`.
+*   Added new flow steps for :code:`java.util.StringJoiner`.
+
+Python
+""""""
+
+*   Added support for querying the contents of YAML files.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The :code:`sensitiveResultReceiver` predicate in :code:`SensitiveResultReceiverQuery.qll` has been deprecated and replaced with :code:`isSensitiveResultReceiver` in order to use the new dataflow API.
+
+Shared Libraries
+----------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+YAML Data Analysis
+""""""""""""""""""
+
+*   Initial release. Extracted YAML related code into a library pack to share code between languages.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.3.rst
@@ -0,0 +1,202 @@
+.. _codeql-cli-2.13.3:
+
+==========================
+CodeQL 2.13.3 (2023-05-31)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug that could cause the compiler to infer incorrect binding sets for non-direct calls to overriding member predicates that have stronger binding sets than their root definitions.
+    
+*   Fixed a bug that could have caused the compiler to incorrectly infer that a class matched a type signature. The bug only affected classes with overriding member predicates that had stronger binding sets than their root definitions.
+    
+*   Fixed a bug where a query could not be run from VS Code when there were packs nested within sibling directories
+    of the query.
+
+New Features
+~~~~~~~~~~~~
+
+*   This release enhances our preliminary Swift support, setting the stage for the upcoming public beta.
+    
+*   The :code:`codeql database bundle` command now supports the :code:`--[no]-include-temp` option. When enabled, this option will include the :code:`temp` folder of the database directory in the zip file of the bundled database. This folder includes generated packages and queries, and query suites.
+    
+*   The structured log produced by :code:`codeql generate log-summary` now includes a Boolean :code:`isCached` field for predicate events, where a :code:`true` value indicates the predicate is a wrapper implementing the :code:`cached` annotation on another predicate. The wrapper depends on the underlying predicate that the annotation was found on, and will usually have the same name, but it has a separate :code:`raHash`.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed a spurious diagnostic warning about comments in JSON files being illegal.
+    Comments in JSON files are in fact fully supported, and the diagnostic message was misleading.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added taint sources from the :code:`@actions/core` and :code:`@actions/github` packages.
+*   Added command-injection sinks from the :code:`@actions/exec` package.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The query :code:`java/groovy-injection` now recognizes :code:`groovy.text.TemplateEngine.createTemplate` as a sink.
+*   The queries :code:`java/xxe` and :code:`java/xxe-local` now recognize the second argument of calls to :code:`XPath.evaluate` as a sink.
+*   Experimental sinks for the query "Resolving XML external entity in user-controlled data" (:code:`java/xxe`) have been promoted to the main query pack. These sinks were originally `submitted as part of an experimental query by @haby0 <https://github.com/github/codeql/pull/6564>`__.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`js/indirect-command-line-injection` query no longer flags command arguments that cannot be interpreted as a shell string.
+*   The :code:`js/unsafe-deserialization` query no longer flags deserialization through the :code:`js-yaml` library, except when it is used with an unsafe schema.
+*   The Forge module in :code:`CryptoLibraries.qll` now correctly classifies SHA-512/224,
+    SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   In the intermediate representation, handling of control flow after non-returning calls has been improved. This should remove false positives in queries that use the intermedite representation or libraries based on it, including the new data flow library.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`StdNamespace` class now also includes all inline namespaces that are children of :code:`std` namespace.
+*   The new dataflow (:code:`semmle.code.cpp.dataflow.new.DataFlow`) and taint-tracking libraries (:code:`semmle.code.cpp.dataflow.new.TaintTracking`) now support tracking flow through static local variables.
+
+C#
+""
+
+*   The :code:`cs/log-forging`, :code:`cs/cleartext-storage`, and :code:`cs/exposure-of-sensitive-information` queries now correctly handle unsanitized arguments to :code:`ILogger` extension methods.
+*   Updated the :code:`neutralModel` extensible predicate to include a :code:`kind` column.
+
+Golang
+""""""
+
+*   Fixed data flow through variadic function parameters. The arguments corresponding to a variadic parameter are no longer returned by :code:`CallNode.getArgument(int i)` and :code:`CallNode.getAnArgument()`, and hence aren't :code:`ArgumentNode`\ s. They now have one result, which is an :code:`ImplicitVarargsSlice` node. For example, a call :code:`f(a, b, c)` to a function :code:`f(T...)` is treated like :code:`f([]T{a, b, c})`. The old behaviour is preserved by :code:`CallNode.getSyntacticArgument(int i)` and :code:`CallNode.getASyntacticArgument()`. :code:`CallExpr.getArgument(int i)` and :code:`CallExpr.getAnArgument()` are unchanged, and will still have three results in the example given.
+
+Java
+""""
+
+*   Added SQL injection sinks for Spring JDBC's :code:`NamedParameterJdbcOperations`.
+    
+*   Added models for the following packages:
+
+    *   org.apache.hadoop.fs
+    
+*   Added the :code:`ArithmeticCommon.qll` library to provide predicates for reasoning about arithmetic operations.
+    
+*   Added the :code:`ArithmeticTaintedLocalQuery.qll` library to provide the :code:`ArithmeticTaintedLocalOverflowFlow` and :code:`ArithmeticTaintedLocalUnderflowFlow` taint-tracking modules to reason about arithmetic with unvalidated user input.
+    
+*   Added the :code:`ArithmeticTaintedQuery.qll` library to provide the :code:`RemoteUserInputOverflow` and :code:`RemoteUserInputUnderflow` taint-tracking modules to reason about arithmetic with unvalidated user input.
+    
+*   Added the :code:`ArithmeticUncontrolledQuery.qll` library to provide the :code:`ArithmeticUncontrolledOverflowFlow`  and :code:`ArithmeticUncontrolledUnderflowFlow` taint-tracking modules to reason about arithmetic with uncontrolled user input.
+    
+*   Added the :code:`ArithmeticWithExtremeValuesQuery.qll` library to provide the :code:`MaxValueFlow` and :code:`MinValueFlow` dataflow modules to reason about arithmetic with extreme values.
+    
+*   Added the :code:`BrokenCryptoAlgorithmQuery.qll` library to provide the :code:`InsecureCryptoFlow` taint-tracking module to reason about broken cryptographic algorithm vulnerabilities.
+    
+*   Added the :code:`ExecTaintedLocalQuery.qll` library to provide the :code:`LocalUserInputToArgumentToExecFlow` taint-tracking module to reason about command injection vulnerabilities caused by local data flow.
+    
+*   Added the :code:`ExternallyControlledFormatStringLocalQuery.qll` library to provide the :code:`ExternallyControlledFormatStringLocalFlow` taint-tracking module to reason about format string vulnerabilities caused by local data flow.
+    
+*   Added the :code:`ImproperValidationOfArrayConstructionCodeSpecifiedQuery.qll` library to provide the :code:`BoundedFlowSourceFlow` dataflow module to reason about improper validation of code-specified sizes used for array construction.
+    
+*   Added the :code:`ImproperValidationOfArrayConstructionLocalQuery.qll` library to provide the :code:`ImproperValidationOfArrayConstructionLocalFlow` taint-tracking module to reason about improper validation of local user-provided sizes used for array construction caused by local data flow.
+    
+*   Added the :code:`ImproperValidationOfArrayConstructionQuery.qll` library to provide the :code:`ImproperValidationOfArrayConstructionFlow` taint-tracking module to reason about improper validation of user-provided size used for array construction.
+    
+*   Added the :code:`ImproperValidationOfArrayIndexCodeSpecifiedQuery.qll` library to provide the :code:`BoundedFlowSourceFlow` data flow module to reason about about improper validation of code-specified array index.
+    
+*   Added the :code:`ImproperValidationOfArrayIndexLocalQuery.qll` library to provide the :code:`ImproperValidationOfArrayIndexLocalFlow` taint-tracking module to reason about improper validation of a local user-provided array index.
+    
+*   Added the :code:`ImproperValidationOfArrayIndexQuery.qll` library to provide the :code:`ImproperValidationOfArrayIndexFlow` taint-tracking module to reason about improper validation of user-provided array index.
+    
+*   Added the :code:`InsecureCookieQuery.qll` library to provide the :code:`SecureCookieFlow` taint-tracking module to reason about insecure cookie vulnerabilities.
+    
+*   Added the :code:`MaybeBrokenCryptoAlgorithmQuery.qll` library to provide the :code:`InsecureCryptoFlow` taint-tracking module to reason about broken cryptographic algorithm vulnerabilities.
+    
+*   Added the :code:`NumericCastTaintedQuery.qll` library to provide the :code:`NumericCastTaintedFlow` taint-tracking module to reason about numeric cast vulnerabilities.
+    
+*   Added the :code:`ResponseSplittingLocalQuery.qll` library to provide the :code:`ResponseSplittingLocalFlow` taint-tracking module to reason about response splitting vulnerabilities caused by local data flow.
+    
+*   Added the :code:`SqlConcatenatedQuery.qll` library to provide the :code:`UncontrolledStringBuilderSourceFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by concatenating untrusted strings.
+    
+*   Added the :code:`SqlTaintedLocalQuery.qll` library to provide the :code:`LocalUserInputToArgumentToSqlFlow` taint-tracking module to reason about SQL injection vulnerabilities caused by local data flow.
+    
+*   Added the :code:`StackTraceExposureQuery.qll` library to provide the :code:`printsStackExternally`, :code:`stringifiedStackFlowsExternally`, and :code:`getMessageFlowsExternally` predicates to reason about stack trace exposure vulnerabilities.
+    
+*   Added the :code:`TaintedPermissionQuery.qll` library to provide the :code:`TaintedPermissionFlow` taint-tracking module to reason about tainted permission vulnerabilities.
+    
+*   Added the :code:`TempDirLocalInformationDisclosureQuery.qll` library to provide the :code:`TempDirSystemGetPropertyToCreate` taint-tracking module to reason about local information disclosure vulnerabilities caused by local data flow.
+    
+*   Added the :code:`UnsafeHostnameVerificationQuery.qll` library to provide the :code:`TrustAllHostnameVerifierFlow` taint-tracking module to reason about insecure hostname verification vulnerabilities.
+    
+*   Added the :code:`UrlRedirectLocalQuery.qll` library to provide the :code:`UrlRedirectLocalFlow` taint-tracking module to reason about URL redirection vulnerabilities caused by local data flow.
+    
+*   Added the :code:`UrlRedirectQuery.qll` library to provide the :code:`UrlRedirectFlow` taint-tracking module to reason about URL redirection vulnerabilities.
+    
+*   Added the :code:`XPathInjectionQuery.qll` library to provide the :code:`XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
+    
+*   Added the :code:`XssLocalQuery.qll` library to provide the :code:`XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
+    
+*   Moved the :code:`url-open-stream` sink models to experimental and removed :code:`url-open-stream` as a sink option from the `Customizing Library Models for Java <https://github.com/github/codeql/blob/733a00039efdb39c3dd76ddffad5e6d6c85e6774/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst#customizing-library-models-for-java>`__ documentation.
+    
+*   Added models for the Apache Commons Net library.
+    
+*   Updated the :code:`neutralModel` extensible predicate to include a :code:`kind` column.
+    
+*   Added models for the :code:`io.jsonwebtoken` library.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Improved the queries for injection vulnerabilities in GitHub Actions workflows (:code:`js/actions/command-injection` and :code:`js/actions/pull-request-target`) and the associated library :code:`semmle.javascript.Actions`. These now support steps defined in composite actions, in addition to steps defined in Actions workflow files. It supports more potentially untrusted input values. Additionally to the shell injections it now also detects injections in :code:`actions/github-script`. It also detects simple injections from user controlled :code:`${{ env.name }}`. Additionally to the :code:`yml` extension now it also supports workflows with the :code:`yaml` extension.
+
+Python
+""""""
+
+*   Type tracking is now aware of reads of captured variables (variables defined in an outer scope). This leads to a richer API graph, and may lead to more results in some queries.
+*   Added more content-flow/field-flow for dictionaries, by adding support for reads through :code:`mydict.get("key")` and :code:`mydict.setdefault("key", value)`, and store steps through :code:`dict["key"] = value` and :code:`mydict.setdefault("key", value)`.
+
+Ruby
+""""
+
+*   Support for the :code:`sqlite3` gem has been added. Method calls that execute queries against an SQLite3 database that may be vulnerable to injection attacks will now be recognized.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added an AST-based interface (:code:`semmle.code.cpp.rangeanalysis.new.RangeAnalysis`) for the relative range analysis library.
+*   A new predicate :code:`BarrierGuard::getAnIndirectBarrierNode` has been added to the new dataflow library (:code:`semmle.code.cpp.dataflow.new.DataFlow`) to mark indirect expressions as barrier nodes using the :code:`BarrierGuard` API.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.4.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.4.rst
@@ -0,0 +1,245 @@
+.. _codeql-cli-2.13.4:
+
+==========================
+CodeQL 2.13.4 (2023-06-19)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.13.4 runs a total of 390 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 125 queries (covering 32 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed an issue where indirect build tracing did not work in Azure DevOps pipeline jobs in Windows containers. To use indirect build tracing in such environments, ensure both the :code:`--begin-tracing` and
+    :code:`--trace-process-name=CExecSvc.exe` arguments are passed to
+    :code:`codeql database init`.
+*   Improved the error message for the :code:`codeql pack create` command when the pack being published has a dependency with no scope in its name.
+
+New Features
+~~~~~~~~~~~~
+
+*   Temporary files and folders created by the CodeQL CLI will now be cleaned up when each CLI command (and its internal JVM) shuts down normally.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+Python
+""""""
+
+*   The display name (:code:`@name`) of the :code:`py/unsafe-deserialization` query has been updated in favor of consistency with other languages.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The :code:`java/summary/lines-of-code` query now only counts lines of Java code. The new :code:`java/summary/lines-of-code-kotlin` counts lines of Kotlin code.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed an issue where calls to a method named :code:`search` would lead to false positive alerts related to regular expressions.
+    This happened when the call was incorrectly seen as a call to :code:`String.prototype.search`, since this function converts its first argument to a regular expression. The analysis is now more restrictive about when to treat :code:`search` calls as regular expression sinks.
+
+Ruby
+""""
+
+*   Fixed a bug that would occur when an :code:`initialize` method returns :code:`self` or one of its parameters.
+    In such cases, the corresponding calls to :code:`new` would be associated with an incorrect return type.
+    This could result in inaccurate call target resolution and cause false positive alerts.
+*   Fixed an issue where calls to :code:`delete` or :code:`assoc` with a constant-valued argument would be analyzed imprecisely,
+    as if the argument value was not a known constant.
+
+Swift
+"""""
+
+*   Fixed some false positive results from the :code:`swift/string-length-conflation` query, caused by imprecise sinks.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a new query, :code:`cpp/overrun-write`, to detect buffer overflows in C-style functions that manipulate buffers.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+Swift
+"""""
+
+*   Fixed a number of inconsistencies in the abstract syntax tree (AST) and in the control-flow graph (CFG). This may lead to more results in queries that use these libraries, or libraries that depend on them (such as dataflow).
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The extractor has been changed to run after the traced compiler call. This allows inspecting compiler generated files, such as the output of source generators. With this change, :code:`.cshtml` files and their generated :code:`.cshtml.g.cs` counterparts are extracted on dotnet 6 and above.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 5.1.
+
+Swift
+"""""
+
+*   Incorporated the cross-language :code:`SensitiveDataHeuristics.qll` heuristics library into the Swift :code:`SensitiveExprs.qll` library. This adds a number of new heuristics enhancing detection from the library.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Deleted the deprecated :code:`hasCopyConstructor` predicate from the :code:`Class` class in :code:`Class.qll`.
+*   Deleted many deprecated predicates and classes with uppercase :code:`AST`, :code:`SSA`, :code:`CFG`, :code:`API`, etc. in their names. Use the PascalCased versions instead.
+*   Deleted the deprecated :code:`CodeDuplication.qll` file.
+
+C#
+""
+
+*   C#: Analysis of the :code:`dotnet test` command supplied with a :code:`dll` or :code:`exe` file as argument no longer fails due to the addition of an erroneous :code:`-p:SharedCompilation=false` argument.
+*   Deleted the deprecated :code:`WebConfigXML`, :code:`ConfigurationXMLElement`, :code:`LocationXMLElement`, :code:`SystemWebXMLElement`, :code:`SystemWebServerXMLElement`, :code:`CustomErrorsXMLElement`, and :code:`HttpRuntimeXMLElement` classes from :code:`WebConfig.qll`. The non-deprecated names with PascalCased Xml suffixes should be used instead.
+*   Deleted the deprecated :code:`Record` class from both :code:`Types.qll` and :code:`Type.qll`.
+*   Deleted the deprecated :code:`StructuralComparisonConfiguration` class from :code:`StructuralComparison.qll`, use :code:`sameGvn` instead.
+*   Deleted the deprecated :code:`isParameterOf` predicate from the :code:`ParameterNode` class.
+*   Deleted the deprecated :code:`SafeExternalAPICallable`, :code:`ExternalAPIDataNode`, :code:`UntrustedDataToExternalAPIConfig`, :code:`UntrustedExternalAPIDataNode`, and :code:`ExternalAPIUsedWithUntrustedData` classes from :code:`ExternalAPIsQuery.qll`. The non-deprecated names with PascalCased Api suffixes should be used instead.
+*   Updated the following C# sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
+
+    *   :code:`code` to :code:`code-injection`
+    *   :code:`sql` to :code:`sql-injection`
+    *   :code:`html` to :code:`html-injection`
+    *   :code:`xss` to :code:`js-injection`
+    *   :code:`remote` to :code:`file-content-store`
+
+Java
+""""
+
+*   Added flow through the block arguments of :code:`kotlin.io.use` and :code:`kotlin.with`.
+    
+*   Added models for the following packages:
+
+    *   com.alibaba.druid.sql
+    *   com.fasterxml.jackson.databind
+    *   com.jcraft.jsch
+    *   io.netty.handler.ssl
+    *   okhttp3
+    *   org.antlr.runtime
+    *   org.fusesource.leveldbjni
+    *   org.influxdb
+    *   org.springframework.core.io
+    *   org.yaml.snakeyaml
+    
+*   Deleted the deprecated :code:`getRHS` predicate from the :code:`LValue` class, use :code:`getRhs` instead.
+    
+*   Deleted the deprecated :code:`getCFGNode` predicate from the :code:`SsaVariable` class, use :code:`getCfgNode` instead.
+    
+*   Deleted many deprecated predicates and classes with uppercase :code:`XML`, :code:`JSON`, :code:`URL`, :code:`API`, etc. in their names. Use the PascalCased versions instead.
+    
+*   Added models for the following packages:
+
+    *   java.lang
+    *   java.nio.file
+    
+*   Added dataflow models for the Gson deserialization library.
+    
+*   Added models for the following packages:
+
+    *   okhttp3
+    
+*   Added more dataflow models for the Play Framework.
+    
+*   Modified the models related to :code:`java.nio.file.Files.copy` so that generic :code:`[Input|Output]Stream` arguments are not considered file-related sinks.
+    
+*   Dataflow analysis has a new flow step through constructors of transitive subtypes of :code:`java.io.InputStream` that wrap an underlying data source. Previously, the step only existed for direct subtypes of :code:`java.io.InputStream`.
+    
+*   Path creation sinks modeled in :code:`PathCreation.qll` have been added to the models-as-data sink kind :code:`path-injection`.
+    
+*   Updated the regular expression in the :code:`HostnameSanitizer` sanitizer in the :code:`semmle.code.java.security.RequestForgery` library to better detect strings prefixed with a hostname.
+    
+*   Changed the :code:`android-widget` Java source kind to :code:`remote`. Any custom data extensions that use the :code:`android-widget` source kind will need to be updated accordingly in order to continue working.
+    
+*   Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
+
+    *   :code:`sql` to :code:`sql-injection`
+    *   :code:`url-redirect` to :code:`url-redirection`
+    *   :code:`xpath` to :code:`xpath-injection`
+    *   :code:`ssti` to :code:`template-injection`
+    *   :code:`logging` to :code:`log-injection`
+    *   :code:`groovy` to :code:`groovy-injection`
+    *   :code:`jexl` to :code:`jexl-injection`
+    *   :code:`mvel` to :code:`mvel-injection`
+    *   :code:`xslt` to :code:`xslt-injection`
+    *   :code:`ldap` to :code:`ldap-injection`
+    *   :code:`pending-intent-sent` to :code:`pending-intents`
+    *   :code:`intent-start` to :code:`intent-redirection`
+    *   :code:`set-hostname-verifier` to :code:`hostname-verification`
+    *   :code:`header-splitting` to :code:`response-splitting`
+    *   :code:`xss` to :code:`html-injection` and :code:`js-injection`
+    *   :code:`write-file` to :code:`file-system-store`
+    *   :code:`create-file` and :code:`read-file` to :code:`path-injection`
+    *   :code:`open-url` and :code:`jdbc-url` to :code:`request-forgery`
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Deleted many deprecated predicates and classes with uppercase :code:`XML`, :code:`JSON`, :code:`URL`, :code:`API`, etc. in their names. Use the PascalCased versions instead.
+*   Deleted the deprecated :code:`localTaintStep` predicate from :code:`DataFlow.qll`.
+*   Deleted the deprecated :code:`stringStep`, and :code:`localTaintStep` predicates from :code:`TaintTracking.qll`.
+*   Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
+*   Deleted the deprecated :code:`HtmlInjectionConfiguration` and :code:`JQueryHtmlOrSelectorInjectionConfiguration` classes from :code:`DomBasedXssQuery.qll`, use :code:`Configuration` instead.
+*   Deleted the deprecated :code:`DefiningIdentifier` class and the :code:`Definitions.qll` file it was in. Use :code:`SsaDefinition` instead.
+*   Deleted the deprecated :code:`definitionReaches`, :code:`localDefinitionReaches`, :code:`getAPseudoDefinitionInput`, :code:`nextDefAfter`, and :code:`localDefinitionOverwrites` predicates from :code:`DefUse.qll`.
+*   Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
+
+    *   :code:`command-line-injection` to :code:`command-injection`
+    *   :code:`credentials[kind]` to :code:`credentials-kind`
+    
+*   Added a support of sub modules in :code:`node_modules`.
+
+Ruby
+""""
+
+*   Deleted many deprecated predicates and classes with uppercase :code:`URL`, :code:`XSS`, etc. in their names. Use the PascalCased versions instead.
+*   Deleted the deprecated :code:`getValueText` predicate from the :code:`Expr`, :code:`StringComponent`, and :code:`ExprCfgNode` classes. Use :code:`getConstantValue` instead.
+*   Deleted the deprecated :code:`VariableReferencePattern` class, use :code:`ReferencePattern` instead.
+*   Deleted all deprecated aliases in :code:`StandardLibrary.qll`, use :code:`codeql.ruby.frameworks.Core` and :code:`codeql.ruby.frameworks.Stdlib` instead.
+*   Support for the :code:`sequel` gem has been added. Method calls that execute queries against a database that may be vulnerable to injection attacks will now be recognized.
+*   Support for the :code:`mysql2` gem has been added. Method calls that execute queries against an MySQL database that may be vulnerable to injection attacks will now be recognized.
+*   Support for the :code:`pg` gem has been added. Method calls that execute queries against a PostgreSQL database that may be vulnerable to injection attacks will now be recognized.
+
+Swift
+"""""
+
+*   Some models for the :code:`Data` class have been generalized to :code:`DataProtocol` so that they apply more widely.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Kotlin versions up to 1.9.0 are now supported.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.5.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.13.5.rst
@@ -0,0 +1,20 @@
+.. _codeql-cli-2.13.5:
+
+==========================
+CodeQL 2.13.5 (2023-07-05)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   The Swift extractor now supports Swift 5.8.1.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.0.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.0.rst
@@ -0,0 +1,269 @@
+.. _codeql-cli-2.14.0:
+
+==========================
+CodeQL 2.14.0 (2023-07-13)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.14.0 runs a total of 390 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The legacy option :code:`--search-path` will now be used, if provided, when searching for the dependencies of packages that have no lock file.
+*   CodeQL query packs that specify their dependencies using the legacy
+    :code:`libraryPathDependencies` property in :code:`qlpack.yml`\ /\ :code:`codeql-pack.yml` files are no longer permitted to contain a :code:`codeql-pack.lock.yml` lock file.
+    This will lead to a compilation error. This change is intended to prevent confusing behavior arising from a mix of legacy (unversioned) and modern
+    (versioned) package dependencies. To fix this error, either delete the lock file, or convert :code:`libraryPathDependencies` to :code:`dependencies`.
+*   CodeQL CLI commands that create packages or update package lock files, such as :code:`codeql pack publish` and :code:`codeql pack create`, will no longer work on query packs that specify their dependencies using the legacy
+    :code:`libraryPathDependencies` property. To fix this error, convert
+    :code:`libraryPathDependencies` to :code:`dependencies`.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed super calls on final base classes (or final aliases) so that they are now dispatched the same way as super calls on instanceof supertypes.
+*   Fixed a bug where running :code:`codeql database finalize` with a large number of threads would fail due to running out of file descriptors.
+*   Fixed a bug where :code:`codeql database create --overwrite` would not work with database clusters.
+*   Fixed a bug where the CodeQL documentation coverage statistics were incorrect.
+*   Fixed a bug where the generated CodeQL libarary documentation could generate invalid uris on windows.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   Missing override annotations on class member predicates now raise errors rather than warnings. This is to avoid confusion with the shadowing behaviour in the presence of final member predicates.
+
+    ..  code-block:: ql
+    
+        class Foo extends Base {
+          final predicate foo() { ... }
+        
+          predicate bar() { ... }
+        }
+        
+        class Bar extends Foo {
+          // This method shadows Foo::foo.
+          predicate foo() { ... }
+        
+          // This used to override Foo::bar with a warning, now raises error.
+          predicate bar() { ... }
+        }
+
+Improvements
+~~~~~~~~~~~~
+
+*   Unqualified imports can now be marked as deprecated to indicate that the import may be removed in the future. Usage of names only reachable through deprecated imports will generate deprecation warnings.
+*   Classes declared inside a parameterized modules can final extend parameters of the module as well as types that are declared outside the parameterized module.
+*   Fields are fully functional when extending types from within a module instantiation.
+*   Files with a :code:`.yaml` extension will now be included in compiled CodeQL packs. Previously, files with this extension were excluded even though :code:`.yml` files were included.
+*   When interpreting results (e.g., using :code:`bqrs interpret` or
+    :code:`database interpret-results`), extra placeholders in alert messages are treated as normal text. Previously, results with more placeholders than placeholder values were skipped.
+*   Windows users of the CodeQL extension for VS Code will see faster start times.
+*   In VS Code, errors in the current file are rechecked when dependencies change.
+*   In VS Code, autocomplete in large QL files is now faster.
+*   Member predicates can shadow final member predicates of the same arity even when the signatures are not fully matching.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+C#
+""
+
+*   The query "Arbitrary file write during zip extraction ("Zip Slip")" (:code:`cs/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
+
+Golang
+""""""
+
+*   The query "Arbitrary file write during zip extraction ("zip slip")" (:code:`go/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
+
+Java
+""""
+
+*   The query "Arbitrary file write during archive extraction ("Zip Slip")" (:code:`java/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The query "Arbitrary file write during zip extraction ("Zip Slip")" (:code:`js/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
+
+Python
+""""""
+
+*   The query "Arbitrary file write during archive extraction ("Zip Slip")" (:code:`py/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
+
+Ruby
+""""
+
+*   The experimental query "Arbitrary file write during zipfile/tarfile extraction" (:code:`ruby/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
+
+Swift
+"""""
+
+*   Functions and methods modeled as flow summaries are no longer shown in the path of :code:`path-problem` queries. This results in more succinct paths for most security queries.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`cpp/comparison-with-wider-type` query now correctly handles relational operations on signed operators. As a result the query may find more results.
+
+Java
+""""
+
+*   New models have been added for :code:`org.apache.commons.lang`.
+*   The query :code:`java/unsafe-deserialization` has been updated to take into account :code:`SerialKiller`, a library used to prevent deserialization of arbitrary classes.
+
+Ruby
+""""
+
+*   Fixed a bug in how :code:`map_filter` calls are analyzed. Previously, such calls would appear to the return the receiver of the call, but now the return value of the callback is properly taken into account.
+
+New Queries
+~~~~~~~~~~~
+
+C#
+""
+
+*   Added a new query, :code:`cs/web/missing-function-level-access-control`, to find instances of missing authorization checks.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Swift
+"""""
+
+*   The :code:`BraceStmt` AST node's :code:`AstNode getElement(index)` member predicate no longer returns :code:`VarDecl`\ s after the :code:`PatternBindingDecl` that declares them. Instead, a new :code:`VarDecl getVariable(index)` predicate has been introduced for accessing the variables declared in a :code:`BraceStmt`.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
+
+Java
+""""
+
+*   The data flow library now performs type strengthening. This increases precision for all data flow queries by excluding paths that can be inferred to be impossible due to incompatible types.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Deleted the deprecated :code:`getURL` predicate from the :code:`Container`, :code:`Folder`, and :code:`File` classes. Use the :code:`getLocation` predicate instead.
+
+C#
+""
+
+*   Additional support for :code:`command-injection`, :code:`ldap-injection`, :code:`log-injection`, and :code:`url-redirection` sink kinds for Models as Data.
+
+Golang
+""""""
+
+*   When a result of path query flows through a function modeled using :code:`DataFlow::FunctionModel` or :code:`TaintTracking::FunctionModel`, the path now includes nodes corresponding to the input and output to the function. This brings it in line with functions modeled using Models-as-Data.
+
+Java
+""""
+
+*   Added automatically-generated dataflow models for :code:`javax.portlet`.
+*   Added a missing summary model for the method :code:`java.net.URL.toString`.
+*   Added automatically-generated dataflow models for the following frameworks and libraries:
+
+    *   :code:`hudson`
+    *   :code:`jenkins`
+    *   :code:`net.sf.json`
+    *   :code:`stapler`
+    
+*   Added more models for the Hudson framework.
+*   Added more models for the Stapler framework.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added models for the Webix Framework.
+
+Python
+""""""
+
+*   Deleted many models that used the old dataflow library, the new models can be found in the :code:`python/ql/lib/semmle/python/frameworks` folder.
+*   More precise modeling of several container functions (such as :code:`sorted`, :code:`reversed`) and methods (such as :code:`set.add`, :code:`list.append`).
+*   Added modeling of taint flow through the template argument of :code:`flask.render_template_string` and :code:`flask.stream_template_string`.
+*   Deleted many deprecated predicates and classes with uppercase :code:`API`, :code:`HTTP`, :code:`XSS`, :code:`SQL`, etc. in their names. Use the PascalCased versions instead.
+*   Deleted the deprecated :code:`getName()` predicate from the :code:`Container` class, use :code:`getAbsolutePath()` instead.
+*   Deleted many deprecated module names that started with a lowercase letter, use the versions that start with an uppercase letter instead.
+*   Deleted many deprecated predicates in :code:`PointsTo.qll`.
+*   Deleted many deprecated files from the :code:`semmle.python.security` package.
+*   Deleted the deprecated :code:`BottleRoutePointToExtension` class from :code:`Extensions.qll`.
+*   Type tracking is now aware of flow summaries. This leads to a richer API graph, and may lead to more results in some queries.
+
+Ruby
+""""
+
+*   More kinds of rack applications are now recognized.
+*   Rack::Response instances are now recognized as potential responses from rack applications.
+*   HTTP redirect responses from Rack applications are now recognized as a potential sink for open redirect alerts.
+*   Additional sinks for :code:`rb/unsafe-deserialization` have been added. This includes various methods from the :code:`yaml` and :code:`plist` gems, which deserialize YAML and Property List data, respectively.
+
+Swift
+"""""
+
+*   Added a data flow model for :code:`swap(_:_:)`.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   The :code:`LogInjection::Configuration` taint flow configuration class has been deprecated. Use the :code:`LogInjection::Flow` module instead.
+
+Java
+""""
+
+*   The :code:`ExecCallable` class in :code:`ExternalProcess.qll` has been deprecated.
+
+Ruby
+""""
+
+*   The :code:`Configuration` taint flow configuration class from :code:`codeql.ruby.security.InsecureDownloadQuery` has been deprecated. Use the :code:`Flow` module instead.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`ProductFlow::StateConfigSig` signature now includes default predicates for :code:`isBarrier1`, :code:`isBarrier2`, :code:`isAdditionalFlowStep1`, and :code:`isAdditionalFlowStep1`. Hence, it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
+
+Python
+""""""
+
+*   It is now possible to specify flow summaries in the format "MyPkg;Member[list_map];Argument[1].ListElement;Argument[0].Parameter[0];value"
+
+Swift
+"""""
+
+*   Added new libraries :code:`Regex.qll` and :code:`RegexTreeView.qll` for reasoning about regular expressions in Swift code and places where they are evaluated.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.1.rst
@@ -0,0 +1,215 @@
+.. _codeql-cli-2.14.1:
+
+==========================
+CodeQL 2.14.1 (2023-07-27)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.14.1 runs a total of 392 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`cpp/uninitialized-local` query now excludes uninitialized uses that are explicitly cast to void and are expression statements. As a result, the query will report less false positives.
+
+Java
+""""
+
+*   The query "Unsafe resource fetching in Android WebView" (:code:`java/android/unsafe-android-webview-fetch`) now recognizes WebViews where :code:`setJavascriptEnabled`, :code:`setAllowFileAccess`, :code:`setAllowUniversalAccessFromFileURLs`, and/or :code:`setAllowFileAccessFromFileURLs` are set inside the function block of the Kotlin :code:`apply` function.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`fs/promises` package is now recognised as an alias for :code:`require('fs').promises`.
+*   The :code:`js/path-injection` query can now track taint through calls to :code:`path.join()` with a spread argument, such as :code:`path.join(baseDir, ...args)`.
+
+Python
+""""""
+
+*   Fixed modeling of :code:`aiohttp.ClientSession` so we properly handle :code:`async with` uses. This can impact results of server-side request forgery queries (:code:`py/full-ssrf`, :code:`py/partial-ssrf`).
+
+Ruby
+""""
+
+*   Improved resolution of calls performed on an object created with :code:`Proc.new`.
+
+New Queries
+~~~~~~~~~~~
+
+Ruby
+""""
+
+*   Added a new experimental query, :code:`rb/xpath-injection`, to detect cases where XPath statements are constructed from user input in an unsafe manner.
+
+Swift
+"""""
+
+*   Added new query "Regular expression injection" (:code:`swift/regex-injection`). The query finds places where user input is used to construct a regular expression without proper escaping.
+*   Added new query "Inefficient regular expression" (:code:`swift/redos`). This query finds regular expressions that require exponential time to match certain inputs and may make an application vulnerable to denial-of-service attacks.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Ruby
+""""
+
+*   The API graph library (:code:`codeql.ruby.ApiGraphs`) has been significantly improved, with better support for inheritance,
+    and data-flow nodes can now be converted to API nodes by calling :code:`.track()` or :code:`.backtrack()` on the node.
+    API graphs allow for efficient modelling of how a given value is used by the code base, or how values produced by the code base are consumed by a library. See the documentation for :code:`API::Node` for details and examples.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
+*   The :code:`IRGuards` library has improved handling of pointer addition and subtraction operations.
+
+C#
+""
+
+*   Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
+
+Golang
+""""""
+
+*   Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
+*   Parameter nodes now exist for unused parameters as well as used parameters.
+*   Add support for v4 of the `Go Micro framework <https://github.com/go-micro/go-micro>`__.
+*   Support for the `Bun framework <https://bun.uptrace.dev/>`__ has been added.
+*   Support for `gqlgen <https://github.com/99designs/gqlgen>`__ has been added.
+*   Support for the `go-pg framework <https://github.com/go-pg/pg>`__ has been improved.
+
+Java
+""""
+
+*   Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
+    
+*   Added models for Apache Commons Lang3 :code:`ToStringBuilder.reflectionToString` method.
+    
+*   Added support for the Kotlin method :code:`apply`.
+    
+*   Added models for the following packages:
+
+    *   java.io
+    *   java.lang
+    *   java.net
+    *   java.nio.channels
+    *   java.nio.file
+    *   java.util.zip
+    *   okhttp3
+    *   org.gradle.api.file
+    *   retrofit2
+
+Python
+""""""
+
+*   Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
+*   Add support for Models as Data for Reflected XSS query
+*   Parameters with a default value are now considered a :code:`DefinitionNode`. This improvement was motivated by allowing type-tracking and API graphs to follow flow from such a default value to a use by a captured variable.
+
+Ruby
+""""
+
+*   Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
+*   The :code:`'QUERY_STRING'` field of a Rack :code:`env` parameter is now recognized as a source of remote user input.
+*   Query parameters and cookies from :code:`Rack::Response` objects are recognized as potential sources of remote flow input.
+*   Calls to :code:`Rack::Utils.parse_query` now propagate taint.
+
+Swift
+"""""
+
+*   Data flow configurations can now include a predicate :code:`neverSkip(Node node)` in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations.
+*   The regular expression library now understands mode flags specified by :code:`Regex` methods and the :code:`NSRegularExpression` initializer.
+*   The regular expression library now understands mode flags specified at the beginning of a regular expression (for example :code:`(?is)`).
+*   Added detail to the taint model for :code:`URL`.
+*   Added new heuristics to :code:`SensitiveExprs.qll`, enhancing detection from the library.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The library :code:`semmle.code.cpp.dataflow.DataFlow` has been deprecated. Please use :code:`semmle.code.cpp.dataflow.new.DataFlow` instead.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
+    Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
+
+C#
+""
+
+*   The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
+    Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
+
+Golang
+""""""
+
+*   The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
+    Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
+
+Java
+""""
+
+*   The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
+    Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
+*   A :code:`Class.isFileClass()` predicate, to identify Kotlin file classes, has been added.
+
+Python
+""""""
+
+*   The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
+    Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
+
+Ruby
+""""
+
+*   The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
+    Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
+
+Swift
+"""""
+
+*   The :code:`DataFlow::StateConfigSig` signature module has gained default implementations for :code:`isBarrier/2` and :code:`isAdditionalFlowStep/4`.
+    Hence it is no longer needed to provide :code:`none()` implementations of these predicates if they are not needed.
+
+Shared Libraries
+----------------
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Utility Classes
+"""""""""""""""
+
+*   The :code:`InlineExpectationsTest` class has been deprecated. Use :code:`TestSig` and :code:`MakeTest` instead.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.2.rst
@@ -0,0 +1,159 @@
+.. _codeql-cli-2.14.2:
+
+==========================
+CodeQL 2.14.2 (2023-08-11)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.14.2 runs a total of 393 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 127 queries (covering 33 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The functionality provided by the :code:`codeql execute query-server` subcommand has been removed. The subcommand now responds to all JSON RPC requests with an error response. Correspondingly, this release is no longer compatible with versions of the CodeQL extension for Visual Studio Code prior to 1.7.6.
+    
+    This change also breaks third-party CodeQL IDE integrations that still rely on the :code:`codeql execute query-server` subcommand. Maintainers of such CodeQL IDE integrations should migrate to the :code:`codeql execute query-server2` subcommand at the earliest opportunity.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed bug that made the :code:`--warnings=hide` option do nothing in
+    :code:`codeql database analyze` and other commands that *evaluate* queries.
+
+Improvements
+~~~~~~~~~~~~
+
+*   Switched from prefix filtering of autocomplete suggestions in the language server to client-side filtering. This improves autocomplete suggestions in contexts with an autocompletion prefix.
+    
+*   The CodeQL language server now checks query metadata for errors. This allows Visual Studio Code users to see errors in their query metadata without needing to compile the query.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The sanitizer in :code:`java/potentially-weak-cryptographic-algorithm` has been improved, so the query may yield additional results.
+
+New Queries
+~~~~~~~~~~~
+
+Ruby
+""""
+
+*   Added a new experimental query, :code:`rb/ldap-injection`, to detect cases where user input is incorporated into LDAP queries without proper validation or sanitization, potentially leading to LDAP injection vulnerabilities.
+
+Swift
+"""""
+
+*   Added new query "Command injection" (:code:`swift/command-line-injection`). The query finds places where user input is used to execute system commands without proper escaping.
+*   Added new query "Bad HTML filtering regexp" (:code:`swift/bad-tag-filter`). This query finds regular expressions that match HTML tags in a way that is not robust and can easily lead to security issues.
+
+Language Libraries
+------------------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`shouldPrintFunction` predicate from :code:`PrintAstConfiguration` has been replaced by :code:`shouldPrintDeclaration`. Users should now override :code:`shouldPrintDeclaration` if they want to limit the declarations that should be printed.
+*   The :code:`shouldPrintFunction` predicate from :code:`PrintIRConfiguration` has been replaced by :code:`shouldPrintDeclaration`. Users should now override :code:`shouldPrintDeclaration` if they want to limit the declarations that should be printed.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`PrintAST` library now also prints global and namespace variables and their initializers.
+
+Swift
+"""""
+
+*   Added :code:`DataFlow::ArrayContent`, which will provide more accurate flow through arrays.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`_Float128x` type is no longer exposed as a builtin type. As this type could not occur any code base, this should only affect queries that explicitly looked at the builtin types.
+
+Golang
+""""""
+
+*   Logrus' :code:`WithContext` methods are no longer treated as if they output the values stored in that context to a log message.
+
+Java
+""""
+
+*   Fixed a typo in the :code:`StdlibRandomSource` class in :code:`RandomDataSource.qll`, which caused the class to improperly model calls to the :code:`nextBytes` method. Queries relying on :code:`StdlibRandomSource` may see an increase in results.
+*   Improved the precision of virtual dispatch of :code:`java.io.InputStream` methods. Now, calls to these methods will not dispatch to arbitrary implementations of :code:`InputStream` if there is a high-confidence alternative (like a models-as-data summary).
+*   Added more dataflow steps for :code:`java.io.InputStream`\ s that wrap other :code:`java.io.InputStream`\ s.
+*   Added models for the Struts 2 framework.
+*   Improved the modeling of Struts 2 sources of untrusted data by tainting the whole object graph of the objects unmarshaled from an HTTP request.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added :code:`log-injection` as a customizable sink kind for log injection.
+
+Swift
+"""""
+
+*   Flow through forced optional unwrapping (:code:`!`) is modelled more accurately.
+*   Added flow models for :code:`Sequence.withContiguousStorageIfAvailable`.
+*   Added taint flow for :code:`NSUserActivity.referrerURL`.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   A :code:`Diagnostic.getCompilationInfo()` predicate has been added.
+
+Shared Libraries
+----------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Control Flow Analysis
+"""""""""""""""""""""
+
+*   Initial release. Adds a shared library for control flow analyses.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   Initial release. Moves the shared inter-procedural data-flow library into its own qlpack.
+
+New Features
+~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   The :code:`StateConfigSig` signature now supports a unary :code:`isSink` predicate that does not specify the :code:`FlowState` for which the given node is a sink. Instead, any :code:`FlowState` is considered a valid :code:`FlowState` for such a sink.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.3.rst
@@ -0,0 +1,114 @@
+.. _codeql-cli-2.14.3:
+
+==========================
+CodeQL 2.14.3 (2023-08-25)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The :code:`<run>.tool.extensions` property in the SARIF generated by :code:`codeql database analyze` now contains the following packs:
+
+    *   The containing query pack for each query that was evaluated.
+    *   Each model pack that was specified via the :code:`--model-packs` option, regardless of whether that model pack affected any of the evaluated queries.
+    
+    Library packs are no longer included in the list.
+    
+    Previously, this property contained every query and library pack that was available on the search path, regardless of whether that pack was used during the evaluation.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.8.
+    
+*   When :code:`codeql test` generates :code:`.actual` files, they will in some cases list the query predicates in a different order than past versions.
+    There is no need to update :code:`.expected` files, as :code:`codeql test` sorts their results accordingly before diffing.
+    However, when there are genuine changes in expected results, the generated :code:`.actual` file can show additional changes against the
+    :code:`.expected` due to the reordering.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+Python
+""""""
+
+*   Fixed the computation of locations for imports with aliases in jump-to-definition.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
+
+Swift
+"""""
+
+*   Added :code:`DataFlow::CollectionContent`, which will enable more accurate flow through collections.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The query library for :code:`cs/hardcoded-credentials` now excludes benign properties such as :code:`UserNameClaimType` and :code:`AllowedUserNameCharacters` from :code:`Microsoft.AspNetCore.Identity` options classes.
+
+Java
+""""
+
+*   Modified the :code:`getSecureAlgorithmName` predicate in :code:`Encryption.qll` to also include :code:`SHA-256` and :code:`SHA-512`. Previously only the versions of the names without dashes were considered secure.
+*   Add support for :code:`WithElement` and :code:`WithoutElement` for MaD access paths.
+
+Python
+""""""
+
+*   Support analyzing packages (folders with python code) that do not have :code:`__init__.py` files, although this is technically required, we see real world projects that don't have this.
+*   Added modeling of AWS Lambda handlers that can be identified with :code:`AWS::Serverless::Function` in YAML files, where the event parameter is modeled as a remote-flow-source.
+*   Improvements of the :code:`aiohttp` models including remote-flow-sources from type annotations, new path manipulation, and SSRF sinks.
+
+Ruby
+""""
+
+*   Flow between positional arguments and splat parameters (:code:`*args`) is now tracked more precisely.
+*   Flow between splat arguments (:code:`*args`) and positional parameters is now tracked more precisely.
+
+Swift
+"""""
+
+*   Added local flow sources for :code:`UITextInput` and related classes.
+*   Flow through forced optional unwrapping (:code:`!`) on the left side of assignment now works in most cases.
+*   :code:`Type.getName` now gets the name of the type alone without any enclosing types. Use :code:`Type.getFullName` for the old behaviour.
+
+Shared Libraries
+----------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   Initial release. Adds a library to implement flow through captured variables that properly adheres to inter-procedural control flow.
+
+New Features
+~~~~~~~~~~~~
+
+YAML Data Analysis
+""""""""""""""""""
+
+*   Added library for serverless functions. Currently used by JavaScript and Python.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.4.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.4.rst
@@ -0,0 +1,197 @@
+.. _codeql-cli-2.14.4:
+
+==========================
+CodeQL 2.14.4 (2023-09-12)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.14.4 runs a total of 394 security queries when configured with the Default suite (covering 155 CWE). The Extended suite enables an additional 129 queries (covering 35 more CWE). 3 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The CodeQL CLI no longer supports the :code:`SEMMLE_JAVA_ARGS` environment variable.
+    All previous versions of the CodeQL CLI perform command substitution on the
+    :code:`SEMMLE_JAVA_ARGS` value (for example, replacing :code:`'$(echo foo)'` with :code:`'foo'`)
+    when starting a new Java virtual machine, which, depending on the execution environment, may have security implications.  Users are advised to check their environments for possible :code:`SEMMLE_JAVA_ARGS` misuse.
+
+Bug Fixes
+~~~~~~~~~
+
+*   :code:`codeql database init` (and :code:`github/codeql-action/init@v2` on GitHub Actions)
+    should no longer hang or crash for traced languages on 64-bit Windows machines when certain antivirus software is installed.
+*   During :code:`codeql pack create` and :code:`codeql pack publish`, a source version of a pack coming from :code:`--additional-packs` can explicitly be used to override a requested pack version even if this source version is incompatible with the requested version in the pack file. Previously, this would fail with a confusing error message.
+*   Fixed a bug where :code:`codeql database interpret-results` hangs when a path query produces a result that has no paths from source to sink.
+
+New Features
+~~~~~~~~~~~~
+
+*   The Java extractor now supports files that use Lombok.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.8.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed an extractor crash that would occur in rare cases when a TypeScript file contains a self-referential namespace alias.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The "Comparison where assignment was intended" query (:code:`cpp/compare-where-assign-meant`) no longer reports comparisons that appear in macro expansions.
+*   Some queries that had repeated results corresponding to different levels of indirection for :code:`argv` now only have a single result.
+*   The :code:`cpp/non-constant-format` query no longer considers an assignment on the right-hand side of another assignment to be a source of non-constant format strings. As a result, the query may now produce fewer results.
+
+Java
+""""
+
+*   The queries "Resolving XML external entity in user-controlled data" (:code:`java/xxe`) and "Resolving XML external entity in user-controlled data from local source" (:code:`java/xxe-local`) now recognize sinks in the MDHT library.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Files larger than 10 MB are no longer be extracted or analyzed.
+*   Imports can now be resolved in more cases, where a non-constant string expression is passed to a :code:`require()` call.
+
+Python
+""""""
+
+*   Improved *Reflected server-side cross-site scripting* (:code:`py/reflective-xss`) query to not alert on data passed to :code:`flask.jsonify`. Since these HTTP responses are returned with mime-type :code:`application/json`, they do not pose a security risk for XSS.
+*   Updated path explanations for :code:`@kind path-problem` queries to always include left hand side of assignments, making paths easier to understand.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a new query, :code:`cpp/invalid-pointer-deref`, to detect out-of-bounds pointer reads and writes.
+
+Java
+""""
+
+*   Added the :code:`java/trust-boundary-violation` query to detect trust boundary violations between HTTP requests and the HTTP session. Also added the :code:`trust-boundary-violation` sink kind for sinks which may cross a trust boundary, such as calls to the :code:`HttpSession#setAttribute` method.
+
+Ruby
+""""
+
+*   Added a new experimental query, :code:`rb/improper-ldap-auth`, to detect cases where user input is used during LDAP authentication without proper validation or sanitization, potentially leading to authentication bypass.
+
+Swift
+"""""
+
+*   Added new query "Incomplete regular expression for hostnames" (:code:`swift/incomplete-hostname-regexp`). This query finds regular expressions matching a URL or hostname that may match more hostnames than expected.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 5.2.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`delete` and :code:`delete[]` are now modeled as calls to the relevant :code:`operator delete` in the IR. In the case of a dynamic delete call a new instruction :code:`VirtualDeleteFunctionAddress` is used to represent a function that dispatches to the correct delete implementation.
+*   Only the 2 level indirection of :code:`argv` (corresponding to :code:`**argv`) is consided for :code:`FlowSource`.
+
+C#
+""
+
+*   The :code:`--nostdlib` extractor option for the standalone extractor has been removed.
+
+Golang
+""""""
+
+*   Added `http.Error <https://pkg.go.dev/net/http#Error>`__ to XSS sanitzers.
+
+Java
+""""
+
+*   Fixed the MaD signature specifications to use proper nested type names.
+*   Added new sanitizer to Java command injection model
+*   Added more dataflow models for JAX-RS.
+*   The predicate :code:`JaxWsEndpoint::getARemoteMethod` no longer requires the result to be annotated with :code:`@WebMethod`. Instead, the requirements listed in the JAX-RPC Specification 1.1 for required parameter and return types are used. Applications using JAX-RS may see an increase in results.
+
+Python
+""""""
+
+*   Regular expressions containing multiple parse mode flags are now interpretted correctly. For example :code:`"(?is)abc.*"` with both the :code:`i` and :code:`s` flags.
+*   Added :code:`shlex.quote` as a sanitizer for the :code:`py/shell-command-constructed-from-input` query.
+
+Swift
+"""""
+
+*   Flow through optional chaining and forced unwrapping in keypaths is now supported by the data flow library.
+*   Added flow models of collection :code:`.withContiguous[Mutable]StorageIfAvailable`, :code:`.withUnsafe[Mutable]BufferPointer` and :code:`.withUnsafe[Mutable]Bytes` methods.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`getAllocatorCall` on :code:`DeleteExpr` and :code:`DeleteArrayExpr` has been deprecated. :code:`getDeallocatorCall` should be used instead.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added :code:`DeleteOrDeleteArrayExpr` as a super type of :code:`DeleteExpr` and :code:`DeleteArrayExpr`
+
+Java
+""""
+
+*   Kotlin versions up to 1.9.10 are now supported.
+
+Shared Libraries
+----------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   The shared taint-tracking library is now part of the dataflow qlpack.
+
+New Features
+~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   The various inline flow test libraries have been consolidated as a shared library part in the dataflow qlpack.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.5.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.5.rst
@@ -0,0 +1,20 @@
+.. _codeql-cli-2.14.5:
+
+==========================
+CodeQL 2.14.5 (2023-09-14)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a JavaScript extractor crash that was introduced in 2.14.4.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.6.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.14.6.rst
@@ -0,0 +1,31 @@
+.. _codeql-cli-2.14.6:
+
+==========================
+CodeQL 2.14.6 (2023-09-26)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   The tracking of RAM usage has been improved. This fixes some cases where CodeQL uses more RAM than requested.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed an extractor crash that could occur in projects containing TypeScript files larger than 10 MB.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.0.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.0.rst
@@ -0,0 +1,224 @@
+.. _codeql-cli-2.15.0:
+
+==========================
+CodeQL 2.15.0 (2023-10-11)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.15.0 runs a total of 397 security queries when configured with the Default suite (covering 157 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed an issue with analyzing Python projects using Python 3.12.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   :code:`pragma[assume_small_delta]` is now deprecated. The pragma has no effect and should be removed.
+    
+*   Missing override annotations on class fields now raise errors rather than warnings. This is to avoid confusion with the shadowing behavior in the presence of final fields.
+    
+*   The CodeQL CLI no longer supports ML-powered alerts. For more information,
+    including details of our work in the AI-powered security technology space,
+    see
+    "\ `CodeQL code scanning deprecates ML-powered alerts <https://github.blog/changelog/2023-09-29-codeql-code-scanning-deprecates-ml-powered-alerts/>`__."
+
+New Features
+~~~~~~~~~~~~
+
+*   The output of :code:`codeql version --format json` now includes a :code:`features` property. Each key in the map identifies a feature of the CodeQL CLI. The value for a key is always :code:`true`. Going forward, whenever a significant new feature is added to the CodeQL CLI, a corresponding entry will be added to the
+    :code:`features` map. This is intended to make it easier for tools that invoke the CodeQL CLI to know if the particular version of the CLI they are invoking supports a given feature, without having to know exactly what CLI version introduced that feature.
+
+Improvements
+~~~~~~~~~~~~
+
+*   You can now specify the CodeQL languages C/C++, Java/Kotlin, and JavaScript/TypeScript using :code:`--language c-cpp`, :code:`--language java-kotlin`, and
+    :code:`--language javascript-typescript` respectively. These new CodeQL language names convey more clearly what languages each CodeQL language will analyze.
+    
+    You can also reference these CodeQL languages via their secondary language names (C/C++ via :code:`--language c` or :code:`--language cpp`, Java/Kotlin via
+    :code:`--language java` or :code:`--language kotlin`, and JavaScript/TypeScript via
+    :code:`--language javascript` or :code:`--language typescript`), however we recommend you refer to them via the new primary CodeQL language names for improved clarity.
+    
+*   CodeQL now respects custom home directories set by the :code:`$HOME` environment variable on MacOS and Linux and :code:`%USERPROFILE%` on Windows. When set, CodeQL will use the variable's value to change the default location of downloaded packages and the global compilation cache.
+    
+*   This release improves the quality of
+    \ `file coverage information <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/about-the-tool-status-page#using-the-tool-status-page>`__ for repositories that vendor their dependencies. This is currently supported for Go and JavaScript projects.
+
+QL Language
+~~~~~~~~~~~
+
+*   The QL language now has two new methods :code:`codePointAt` and :code:`codePointCount` on the :code:`string` type. The methods both return integers and act the same as the similarly named Java methods on strings. For example, :code:`"abc".codePointAt(2)` is :code:`99` and :code:`("a" + 128512.toUnicode() + "c").codePointAt(1)` is a :code:`128512`.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The queries :code:`cpp/double-free` and :code:`cpp/use-after-free` find fewer false positives in cases where a non-returning function is called.
+*   The number of duplicated dataflow paths reported by queries has been significantly reduced.
+
+Python
+""""""
+
+*   Improved *URL redirection from remote source* (:code:`py/url-redirection`) query to not alert when URL has been checked with :code:`django.utils.http. url_has_allowed_host_and_scheme`.
+*   Extended the :code:`py/command-line-injection` query with sinks from Python's :code:`asyncio` module.
+
+Ruby
+""""
+
+*   Built-in Ruby queries now use the new DataFlow API.
+
+Swift
+"""""
+
+*   Adder barriers for numeric type values to the injection-like queries, to reduce false positive results where the user input that can be injected is constrainted to a numerical value. The queries updated by this change are: "Predicate built from user-controlled sources" (:code:`swift/predicate-injection`), "Database query built from user-controlled sources" (:code:`swift/sql-injection`), "Uncontrolled format string" (:code:`swift/uncontrolled-format-string`), "JavaScript Injection" (:code:`swift/unsafe-js-eval`) and "Regular expression injection" (:code:`swift/regex-injection`).
+*   Added additional taint steps to the :code:`swift/cleartext-transmission`, :code:`swift/cleartext-logging` and :code:`swift/cleartext-storage-preferences` queries to identify data within sensitive containers. This is similar to an existing additional taint step in the :code:`swift/cleartext-storage-database` query.
+*   Added new logging sinks to the :code:`swift/cleartext-logging` query.
+*   Added sqlite3 and SQLite.swift path injection sinks for the :code:`swift/path-injection` query.
+
+New Queries
+~~~~~~~~~~~
+
+C#
+""
+
+*   Added a new query, :code:`cs/web/insecure-direct-object-reference`, to find instances of missing authorization checks for resources selected by an ID parameter.
+
+Python
+""""""
+
+*   The query :code:`py/nosql-injection` for finding NoSQL injection vulnerabilities is now available in the default security suite.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`cpp/double-free` query has been further improved to reduce false positives and its precision has been increased from :code:`medium` to :code:`high`.
+*   The :code:`cpp/use-after-free` query has been further improved to reduce false positives and its precision has been increased from :code:`medium` to :code:`high`.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+Java
+""""
+
+*   The regular expressions library no longer incorrectly matches mode flag characters against the input.
+
+Python
+""""""
+
+*   Subterms of regular expressions encoded as single-line string literals now have better source-location information.
+
+Swift
+"""""
+
+*   The regular expressions library no longer incorrectly matches mode flag characters against the input.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Ruby
+""""
+
+*   Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
+
+Swift
+"""""
+
+*   The predicates :code:`getABaseType`, :code:`getABaseTypeDecl`, :code:`getADerivedType` and :code:`getADerivedTypeDecl` on :code:`Type` and :code:`TypeDecl` now behave more usefully and consistently. They now explore through type aliases used in base class declarations, and include protocols added in extensions.To examine base class declarations at a low level without these enhancements, use :code:`TypeDecl.getInheritedType`.
+*   Modelled varargs function in :code:`NSString` more accurately.
+*   Modelled :code:`CustomStringConvertible.description` and :code:`CustomDebugStringConvertible.debugDescription`, replacing ad-hoc models of these properties on derived classes.
+*   The regular expressions library now accepts a wider range of mode flags in a regular expression mode flag group (such as :code:`(?u)`). The :code:`(?w`) flag has been renamed from "UNICODE" to "UNICODEBOUNDARY", and the :code:`(?u)` flag is called "UNICODE" in the libraries.
+*   Renamed :code:`TypeDecl.getBaseType/1` to :code:`getInheritedType`.
+*   Flow through writes via keypaths is now supported by the data flow library.
+*   Added flow through variadic arguments, and the :code:`getVaList` function.
+*   Added flow steps through :code:`Dictionary` keys and values.
+*   Added taint models for :code:`Numeric` conversions.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Functions that do not return due to calling functions that don't return (e.g. :code:`exit`) are now detected as non-returning in the IR and dataflow.
+*   Treat functions that reach the end of the function as returning in the IR.
+    They used to be treated as unreachable but it is allowed in C.
+*   The :code:`DataFlow::asDefiningArgument` predicate now takes its argument from the range starting at :code:`1` instead of :code:`2`. Queries that depend on the single-parameter version of :code:`DataFlow::asDefiningArgument` should have their arguments updated accordingly.
+
+Golang
+""""""
+
+*   Added Numeric and Boolean types to SQL injection sanitzers.
+
+Java
+""""
+
+*   Fixed a control-flow bug where case rule statements would incorrectly include a fall-through edge.
+*   Added support for default cases as proper guards in switch expressions to match switch statements.
+*   Improved the class :code:`ArithExpr` of the :code:`Overflow.qll` module to also include compound operators. Because of this, new alerts may be raised in queries related to overflows/underflows.
+*   Added new dataflow models for the Apache CXF framework.
+*   Regular expressions containing multiple parse mode flags are now interpretted correctly. For example :code:`"(?is)abc.*"` with both the :code:`i` and :code:`s` flags.
+
+Python
+""""""
+
+*   Django Rest Framework better handles custom :code:`ModelViewSet` classes functions
+*   Regular expression fragments residing inside implicitly concatenated strings now have better location information.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Swift
+"""""
+
+*   The :code:`ArrayContent` type in the data flow library has been deprecated and made an alias for the :code:`CollectionContent` type, to better reflect the hierarchy of the Swift standard library. Uses of :code:`ArrayElement` in model files will be interpreted as referring to :code:`CollectionContent`.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Kotlin versions up to 1.9.20 are now supported.
+
+Shared Libraries
+----------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   Added support for type-based call edge pruning. This removes data flow call edges that are incompatible with the set of flow paths that reach it based on type information. This improves dispatch precision for constructs like lambdas, :code:`Object.toString()` calls, and the visitor pattern. For now this is only enabled for Java and C#.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   The :code:`isBarrierIn` and :code:`isBarrierOut` predicates in :code:`DataFlow::StateConfigSig` now have overloaded variants that block a specific :code:`FlowState`.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.1.rst
@@ -0,0 +1,214 @@
+.. _codeql-cli-2.15.1:
+
+==========================
+CodeQL 2.15.1 (2023-10-19)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.15.1 runs a total of 398 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The query server's :code:`evaluation/trimCache` command was previously equivalent to the :code:`codeql database cleanup --mode=gentle` CLI command, but is now equivalent to using :code:`--mode=normal`. The new meaning of the command is to clear the entire evaluation cache of a database except for predicates annotated with the :code:`cached` keyword.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug where the :code:`$CODEQL_JAVA_HOME` environment variable was erroneously ignored for certain subsidiary Java processes started by
+    :code:`codeql`.
+*   Fixed a bug in the CodeQL build tracer on Apple Silicon machines that prevented database creation if System Integrity Protection was disabled.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The accepted values of the :code:`codeql database cleanup --mode=` command line option have been renamed to bring them in line with what they are called in the VSCode extension and the query server:
+
+    *   :code:`--mode=brutal` is now :code:`--mode=clear`.
+    *   :code:`--mode=normal` is now :code:`--mode=trim`.
+    *   :code:`--mode=light` is now :code:`--mode=fit`.
+    *   The old names are deprecated, but will be accepted for backwards-compatibility reasons until further notice.
+
+Improvements
+~~~~~~~~~~~~
+
+*   The list of failed tests at the end of a :code:`codeql test run` is now sorted lexicographically.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The :code:`cs/web/insecure-direct-object-reference` and :code:`cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
+
+Golang
+""""""
+
+*   The query "Incorrect conversion between integer types" (:code:`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like :code:`uint32`) and converting it to the signed integer type of the same size (like :code:`int32`), which may lead to more results. It also treats :code:`int` and :code:`uint` more carefully, which may lead to more results or fewer incorrect results.
+
+Java
+""""
+
+*   Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added the :code:`AmdModuleDefinition::Range` class, making it possible to define custom aliases for the AMD :code:`define` function.
+
+Swift
+"""""
+
+*   Added more new logging sinks to the :code:`swift/cleartext-logging` query.
+*   Added sinks for the GRDB database library to the :code:`swift/hardcoded-key` query.
+*   Added sqlite3 and SQLite.swift sinks and flow summaries for the :code:`swift/hardcoded-key` query.
+*   Added sqlite3 and SQLite.swift sinks and flow summaries for the :code:`swift/cleartext-storage-database` query.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The query :code:`cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
+    
+    Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
+
+Ruby
+""""
+
+*   Added a new experimental query, :code:`rb/jwt-empty-secret-or-algorithm`, to detect when application uses an empty secret or weak algorithm.
+*   Added a new experimental query, :code:`rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Deleted the deprecated :code:`AnalysedString` class, use the new name :code:`AnalyzedString`.
+*   Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
+
+C#
+""
+
+*   Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
+
+Golang
+""""""
+
+*   Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
+*   Support has been added for file system access sinks in the following libraries: \ `net/http <https://pkg.go.dev/net/http>`__, `Afero <https://github.com/spf13/afero>`__, `beego <https://pkg.go.dev/github.com/astaxie/beego>`__, `Echo <https://pkg.go.dev/github.com/labstack/echo>`__, `Fiber <https://github.com/kataras/iris>`__, `Gin <https://pkg.go.dev/github.com/gin-gonic/gin>`__, `Iris <https://github.com/kataras/iris>`__.
+*   Added :code:`GoKit.qll` to :code:`go.qll` enabling the GoKit framework by default
+
+Java
+""""
+
+*   The :code:`isBarrier`, :code:`isBarrierIn`, :code:`isBarrierOut`, and :code:`isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the :code:`ArithmeticTaintedLocalQuery`, :code:`ExternallyControlledFormatStringLocalQuery`, :code:`ImproperValidationOfArrayIndexQuery`, :code:`NumericCastTaintedQuery`, :code:`ResponseSplittingLocalQuery`, :code:`SqlTaintedLocalQuery`, and :code:`XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
+*   Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
+*   Deleted the deprecated :code:`getAValue` predicate from the :code:`Annotation` class.
+*   Deleted the deprecated alias :code:`FloatingPointLiteral`, use :code:`FloatLiteral` instead.
+*   Deleted the deprecated :code:`getASuppressedWarningLiteral` predicate from the :code:`SuppressWarningsAnnotation` class.
+*   Deleted the deprecated :code:`getATargetExpression` predicate form the :code:`TargetAnnotation` class.
+*   Deleted the deprecated :code:`getRetentionPolicyExpression` predicate from the :code:`RetentionAnnotation` class.
+*   Deleted the deprecated :code:`conditionCheck` predicate from :code:`Preconditions.qll`.
+*   Deleted the deprecated :code:`semmle.code.java.security.performance` folder, use :code:`semmle.code.java.security.regexp` instead.
+*   Deleted the deprecated :code:`ExternalAPI` class from :code:`ExternalApi.qll`, use :code:`ExternalApi` instead.
+*   Modified the :code:`EnvInput` class in :code:`semmle.code.java.dataflow.FlowSources` to include :code:`environment` and :code:`file` source nodes.
+    There are no changes to results unless you add source models using the :code:`environment` or :code:`file` source kinds.
+*   Added :code:`environment` source models for the following methods:
+
+    *   :code:`java.lang.System#getenv`
+    *   :code:`java.lang.System#getProperties`
+    *   :code:`java.lang.System#getProperty`
+    *   :code:`java.util.Properties#get`
+    *   :code:`java.util.Properties#getProperty`
+    
+*   Added :code:`file` source models for the following methods:
+
+    *   the :code:`java.io.FileInputStream` constructor
+    *   :code:`hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
+    *   :code:`hudson.FilePath#openInputStream`
+    *   :code:`hudson.FilePath#read`
+    *   :code:`hudson.FilePath#readFromOffset`
+    *   :code:`hudson.FilePath#readToString`
+    
+*   Modified the :code:`DatabaseInput` class in :code:`semmle.code.java.dataflow.FlowSources` to include :code:`database` source nodes.
+    There are no changes to results unless you add source models using the :code:`database` source kind.
+*   Added :code:`database` source models for the following method:
+
+    *   :code:`java.sql.ResultSet#getString`
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The contents of :code:`.jsp` files are now extracted, and any :code:`<script>` tags inside these files will be parsed as JavaScript.
+*   \ `Import attributes <https://github.com/tc39/proposal-import-attributes>`__ are now supported in JavaScript code.
+    Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
+    The QL library includes new predicates named :code:`getImportAttributes()` that should be used in favor of the now deprecated :code:`getImportAssertion()`\ ;
+    in addition, the :code:`getImportAttributes()` method of the :code:`DynamicImportExpr` has been renamed to :code:`getImportOptions()`.
+*   Deleted the deprecated :code:`getAnImmediateUse`, :code:`getAUse`, :code:`getARhs`, and :code:`getAValueReachingRhs` predicates from the :code:`API::Node` class.
+*   Deleted the deprecated :code:`mayReferToParameter` predicate from :code:`DataFlow::Node`.
+*   Deleted the deprecated :code:`getStaticMethod` and :code:`getAStaticMethod` predicates from :code:`DataFlow::ClassNode`.
+*   Deleted the deprecated :code:`isLibaryFile` predicate from :code:`ClassifyFiles.qll`, use :code:`isLibraryFile` instead.
+*   Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
+*   Deleted the deprecated :code:`semmle.javascript.security.performance` folder, use :code:`semmle.javascript.security.regexp` instead.
+*   Tagged template literals have been added to :code:`DataFlow::CallNode`. This allows the analysis to find flow into functions called with a tagged template literal,
+    and the arguments to a tagged template literal are part of the API-graph in :code:`ApiGraphs.qll`.
+
+Python
+""""""
+
+*   Added better support for API graphs when encountering :code:`from ... import *`. For example in the code :code:`from foo import *; Bar()`, we will now find a result for :code:`API::moduleImport("foo").getMember("Bar").getACall()`
+*   Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
+*   Deleted the deprecated :code:`getAUse`, :code:`getAnImmediateUse`, :code:`getARhs`, and :code:`getAValueReachingRhs` predicates from the :code:`API::Node` class.
+*   Deleted the deprecated :code:`fullyQualifiedToAPIGraphPath` class from :code:`SubclassFinder.qll`, use :code:`fullyQualifiedToApiGraphPath` instead.
+*   Deleted the deprecated :code:`Paths.qll` file.
+*   Deleted the deprecated :code:`semmle.python.security.performance` folder, use :code:`semmle.python.security.regexp` instead.
+*   Deleted the deprecated :code:`semmle.python.security.strings` and :code:`semmle.python.web` folders.
+*   Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the *Deserializing untrusted input* query (:code:`py/unsafe-deserialization`). Added support for :code:`pandas.read_pickle`, :code:`numpy.load` and :code:`joblib.load`.
+
+Ruby
+""""
+
+*   Deleted the deprecated :code:`isBarrierGuard` predicate from the dataflow library and its uses, use :code:`isBarrier` and the :code:`BarrierGuard` module instead.
+*   Deleted the deprecated :code:`isWeak` predicate from the :code:`CryptographicOperation` class.
+*   Deleted the deprecated :code:`getStringOrSymbol` and :code:`isStringOrSymbol` predicates from the :code:`ConstantValue` class.
+*   Deleted the deprecated :code:`getAPI` from the :code:`IOOrFileMethodCall` class.
+*   Deleted the deprecated :code:`codeql.ruby.security.performance` folder, use :code:`codeql.ruby.security.regexp` instead.
+*   GraphQL enums are no longer considered remote flow sources.
+
+Swift
+"""""
+
+*   Improved taint models for :code:`Numeric` types and :code:`RangeReplaceableCollection`\ s.
+*   The nil-coalescing operator :code:`??` is now supported by the CFG construction and dataflow libraries.
+*   The data flow library now supports flow to the loop variable of for-in loops.
+*   The methods :code:`getIteratorVar` and :code:`getNextCall` have been added to the :code:`ForEachStmt` class.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added predicate :code:`MemberRefExpr::getReceiverExpr`\ 
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.15.2.rst
@@ -0,0 +1,167 @@
+.. _codeql-cli-2.15.2:
+
+==========================
+CodeQL 2.15.2 (2023-11-13)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.15.2 runs a total of 399 security queries when configured with the Default suite (covering 158 CWE). The Extended suite enables an additional 128 queries (covering 33 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   C++ extraction has been updated to output more accurate C++ value categories.
+    This may cause unexpected alerts on databases extracted with an up-to-date CodeQL when the queries are part of a query pack that was compiled with an earlier CodeQL.
+    To resolve this, please recompile the query pack with the latest CodeQL.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug where :code:`codeql github upload-results` would report a 403 error when attempting to upload to a GitHub Enterprise Server instance.
+*   Fixed a bug in Python extraction where UTF-8 characters would cause logging to fail on systems with non-UTF-8 default system encoding (for example, Windows systems).
+*   The :code:`resolve qlpacks --kind extension` command no longer resolves extensions packs from the search path. This matches the behavior of
+    :code:`resolve extensions-by-pack` and will ensure that extensions which are resolved by :code:`resolve qlpacks --kind extension` can also be resolved by
+    :code:`resolve extensions-by-pack`.
+
+New Features
+~~~~~~~~~~~~
+
+*   :code:`codeql database analyze` and :code:`codeql database interpret-results` can now output human-readable analysis summaries in a new format. This format provides file coverage information and improves the way that diagnostic messages are displayed. The new format also includes a link to the tool status page when the :code:`GITHUB_SERVER_URL` and :code:`GITHUB_REPOSITORY` environment variables are set. Note that that page only exists on GitHub.com, or in GitHub Enterprise Server version 3.9.0 or later. To enable this new format, pass the :code:`--analysis-summary-v2` flag.
+*   CodeQL now supports distinguishing file coverage information between related languages C and C++, Java and Kotlin,
+    and JavaScript and TypeScript. By default, file coverage information for each of these pairs of languages is grouped together. To enable specific file coverage information for these languages, pass the
+    :code:`--sublanguage-file-coverage` flag when initializing the database (with :code:`codeql database create` or :code:`codeql database init`) and when analyzing the database (with :code:`codeql database analyze` or :code:`codeql database interpret-results`). If you are uploading results to a GitHub instance, this flag requires GitHub.com or GitHub Enterprise Server version 3.12 or later.
+*   All CLI commands now support :code:`--common-caches`, which controls the location of the cached data that is persisted between several runs of the CLI, such as downloaded QL packs and compiled query plans.
+
+Improvements
+~~~~~~~~~~~~
+
+*   Model packs that are used in an analysis will now be included in an output SARIF results file. All model packs now include the :code:`isCodeQLModelPack: true` property in their tool component property bag.
+*   The default formatting of DIL now more closely resembles equivalent QL code.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   The query :code:`go/incorrect-integer-conversion` now correctly recognizes more guards of the form :code:`if val <= x` to protect a conversion :code:`uintX(val)`.
+
+Java
+""""
+
+*   java/summary/lines-of-code now gives the total number of lines of Java and Kotlin code, and is the only query tagged :code:`lines-of-code`. java/summary/lines-of-code-java and java/summary/lines-of-code-kotlin give the per-language counts.
+*   The query :code:`java/spring-disabled-csrf-protection` has been improved to detect more ways of disabling CSRF in Spring.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added modeling for importing :code:`express-rate-limit` using a named import.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+Golang
+""""""
+
+*   Fixed a bug where data flow nodes in files that are not in the project being analyzed (such as libraries) and are not contained within a function were not given an enclosing :code:`Callable`. Note that for nodes that are not contained within a function, the enclosing callable is considered to be the file itself. This may cause some minor changes to results.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`Container` and :code:`Folder` classes now derive from :code:`ElementBase` instead of :code:`Locatable`, and no longer expose the :code:`getLocation` predicate. Use :code:`getURL` instead.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   More field accesses are identified as :code:`ImplicitThisFieldAccess`.
+*   Added support for new floating-point types in C23 and C++23.
+
+Golang
+""""""
+
+*   Added `Request.Cookie <https://pkg.go.dev/net/http#Request.Cookie>`__ to reflected XSS sanitizers.
+
+Java
+""""
+
+*   Java classes :code:`MethodAccess`, :code:`LValue` and :code:`RValue` were renamed to :code:`MethodCall`, :code:`VarWrite` and :code:`VarRead` respectively, along with related predicates and class names. The old names remain usable for the time being but are deprecated and should be replaced.
+    
+*   New class :code:`NewClassExpr` was added to represent specifically an explicit :code:`new ClassName(...)` invocation, in contrast to :code:`ClassInstanceExpr` which also includes expressions that implicitly instantiate classes, such as defining a lambda or taking a method reference.
+    
+*   Added up to date models related to Spring Framework 6's :code:`org.springframework.http.ResponseEntity`.
+    
+*   Added models for the following packages:
+
+    *   com.alibaba.fastjson2
+    *   javax.management
+    *   org.apache.http.client.utils
+
+Python
+""""""
+
+*   Added support for functions decorated with :code:`contextlib.contextmanager`.
+*   Namespace packages in the form of regular packages with missing :code:`__init__.py`\ -files are now allowed. This enables the analysis to resolve modules and functions inside such packages.
+
+Swift
+"""""
+
+*   Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
+*   Added children of :code:`UnspecifiedElement`, which will be present only in certain downgraded databases.
+*   Collection content is now automatically read at taint flow sinks. This removes the need to define an :code:`allowImplicitRead` predicate on data flow configurations where the sink might be an array, set or similar type with tainted contents. Where that step had not been defined, taint may find additional results now.
+*   Added taint models for :code:`StringProtocol.appendingFormat` and :code:`String.decodeCString`.
+*   Added taint flow models for members of :code:`Substring`.
+*   Added taint flow models for :code:`RawRepresentable`.
+*   The contents of autoclosure function parameters are now included in the control flow graph and data flow libraries.
+*   Added models of :code:`StringProtocol` and :code:`NSString` methods that evaluate regular expressions.
+*   Flow through 'open existential expressions', implicit expressions created by the compiler when a method is called on a protocol. This may apply, for example, when the method is a modelled taint source.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a new class :code:`AdditionalCallTarget` for specifying additional call targets.
+
+Shared Libraries
+----------------
+
+Bug Fixes
+~~~~~~~~~
+
+Dataflow Analysis
+"""""""""""""""""
+
+*   The API for debugging flow using partial flow has changed slightly. Instead of using :code:`module Partial = FlowExploration<limit/0>` and choosing between :code:`Partial::partialFlow` and :code:`Partial::partialFlowRev`, you now choose between :code:`module Partial = FlowExplorationFwd<limit/0>` and :code:`module Partial = FlowExplorationRev<limit/0>`, and then always use :code:`Partial::partialFlow`.
+
+New Features
+~~~~~~~~~~~~
+
+Utility Classes
+"""""""""""""""
+
+*   Added :code:`FilePath` API for normalizing filepaths.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.1.rst
@@ -0,0 +1,37 @@
+.. _codeql-cli-2.4.1:
+
+=========================
+CodeQL 2.4.1 (2020-12-19)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.4.1 runs a total of 231 security queries when configured with the Default suite (covering 105 CWE). The Extended suite enables an additional 77 queries (covering 26 more CWE). 3 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   :code:`codeql query format` now checks all files rather than stopping after the first failure when the :code:`--check-only` option is given.
+    
+*   :code:`codeql resolve database` will produce a :code:`languages` key giving the language the database was created for. This can be useful in IDEs to help describe the database and suggest default actions or queries.
+    For databases created by earlier versions, the result will be a best-effort guess.
+    
+*   :code:`codeql database interpret-results` can now produce Graphviz :code:`.dot` files from queries with :code:`@kind graph`.
+
+Removed Features
+~~~~~~~~~~~~~~~~
+
+*   :code:`codeql test run` had some special compatibility support for running unit tests for the "code duplication" extractor features of certain discontinued Semmle products. Those tests have since been removed from the `public QL repository <https://github.com/github/codeql>`__,
+    so the compatibility support for them has been removed. This should not affect any external users (since the extractor feature in question was never supported by :code:`codeql database create` anyway),
+    but if you run :code:`codeql test run` against the unit tests belonging to an *old* checkout of the repository, you may now see some failures among :code:`Metrics` tests.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.2.rst
@@ -0,0 +1,22 @@
+.. _codeql-cli-2.4.2:
+
+=========================
+CodeQL 2.4.2 (2021-01-22)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.4.2 runs a total of 233 security queries when configured with the Default suite (covering 106 CWE). The Extended suite enables an additional 78 queries (covering 26 more CWE). 3 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.3.rst
@@ -0,0 +1,17 @@
+.. _codeql-cli-2.4.3:
+
+=========================
+CodeQL 2.4.3 (2021-01-29)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.4.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.4.rst
@@ -0,0 +1,44 @@
+.. _codeql-cli-2.4.4:
+
+=========================
+CodeQL 2.4.4 (2021-02-12)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.4.4 runs a total of 235 security queries when configured with the Default suite (covering 106 CWE). The Extended suite enables an additional 79 queries (covering 26 more CWE). 3 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The :code:`name` property in :code:`qlpack.yml` must now meet the following requirements:
+
+    *   Only lowercase ASCII letters, ASCII digits, and hyphens (:code:`-`) are allowed.
+    *   A hyphen is not allowed as the first or last character of the name.
+    *   The name must be at least one character long, and no longer than 128 characters.
+
+Bug Fixes
+~~~~~~~~~
+
+*   The default value of the :code:`--working-dir` options for the
+    :code:`index-files` and :code:`trace-command` subcommands of :code:`codeql database` has been fixed to match the documentation; previously, it would erroneously use the process' current working directory rather than the database source root.
+    
+*   :code:`codeql test run` will not crash if database extraction in a test directory fails. Instead only the tests in that directory will be marked as failing, and tests in other directories will continue executing.
+
+New Features
+~~~~~~~~~~~~
+
+*   Alert and path queries can now give a score to each alert they produce. You can incorporate alert scores in an alert or path query by first adding the :code:`@scored` property to the query metadata. You can then introduce a new numeric column at the end of the :code:`select` statement structure to represent the score of each alert.
+    Alert scores are exposed in the SARIF output of commands like
+    :code:`codeql database analyze` as the :code:`score` property in the property bags of result objects.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.5.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.5.rst
@@ -0,0 +1,22 @@
+.. _codeql-cli-2.4.5:
+
+=========================
+CodeQL 2.4.5 (2021-03-08)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.4.5 runs a total of 237 security queries when configured with the Default suite (covering 108 CWE). The Extended suite enables an additional 79 queries (covering 26 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.6.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.4.6.rst
@@ -0,0 +1,17 @@
+.. _codeql-cli-2.4.6:
+
+=========================
+CodeQL 2.4.6 (2021-03-19)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.0.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.0.rst
@@ -0,0 +1,39 @@
+.. _codeql-cli-2.5.0:
+
+=========================
+CodeQL 2.5.0 (2021-03-26)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.5.0 runs a total of 239 security queries when configured with the Default suite (covering 108 CWE). The Extended suite enables an additional 79 queries (covering 26 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   By default, :code:`codeql test` now performs additional compiler checks when extracting test code written in Java.
+    Existing Java tests that previously passed may therefore fail due to this change, if they do not compile using the :code:`javac` compiler.
+    To allow time to migrate existing tests, the new behavior can be disabled by setting the environment variable
+    :code:`CODEQL_EXTRACTOR_JAVA_FLOW_CHECKS=false`.
+
+New Features
+~~~~~~~~~~~~
+
+*   Log files that contain output from build processes will now prefix it with :code:`[build-stdout]` and :code:`[build-stderr]` instead of :code:`[build]` and :code:`[build-err]`.  In particular the latter sometimes caused confusion.
+
+QL Language
+~~~~~~~~~~~
+
+*   The QL language now recognizes new :code:`pragma[only_bind_into](...)` and
+    :code:`pragma[only_bind_out](...)` annotations on expressions. Advanced users may use these annotations to provide hints to the compiler to influence binding behavior and thus indirectly performance.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.1.rst
@@ -0,0 +1,47 @@
+.. _codeql-cli-2.5.1:
+
+=========================
+CodeQL 2.5.1 (2021-04-19)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The QL compiler will now reject queries where the query metadata (if present) at the top of the :code:`.ql` file is inconsistent with the output format of the query.  This check can be disabled by giving the :code:`--no-metadata-verification` flag.  (The flag already existed but has not had any effect until now.)
+
+Bug Fixes
+~~~~~~~~~
+
+*   Environment variables required for Java extraction are now propagated by the tracer. This may resolve issues with tracing and extraction in the context of certain build systems such as Bazel.
+    
+*   A number of :code:`--check-CONDITION` options to :code:`codeql database finalize` and :code:`codeql dataset import` designed to look for consistency errors in the intermediate "TRAP" output from extractors erroneously did nothing. They will now actually print warnings if errors are found.  The warnings become fatal errors if the new
+    :code:`--fail-on-trap-errors` option is also given.
+
+New Features
+~~~~~~~~~~~~
+
+*   :code:`codeql resolve qlref` is a new command that takes in a :code:`.qlref` file for a CodeQL test case and returns the path of the :code:`.ql` file it references.
+    
+*   :code:`codeql database analyze` and :code:`codeql database interpret-results` have a new :code:`--sarif-group-rules-by-pack` option which will place the SARIF rule object for each query underneath its corresponding query pack in :code:`runs[].tool.extensions`.
+    
+*   :code:`codeql database finalize` and :code:`codeql dataset import` have a new
+    :code:`--fail-on-trap-errors` option that will make database creation fail if extractors produce ill-formatted "TRAP" data for inclusion into a database. This is not enabled by default because some of the existing extractors have minor output bugs that cause the check to fail.
+    
+*   :code:`codeql database finalize` and :code:`codeql dataset import` have a new
+    :code:`--check-undefined-labels` option that enables stricter consistency checks on the "TRAP" output from extractors.
+
+QL Language
+~~~~~~~~~~~
+
+*   :code:`super` may now be used unqualified, e.g. :code:`super.predicateName()`,
+    when the declaring class has multiple super types, as long as the call itself is unambiguous.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.2.rst
@@ -0,0 +1,17 @@
+.. _codeql-cli-2.5.2:
+
+=========================
+CodeQL 2.5.2 (2021-04-21)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.3.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.3.rst
@@ -0,0 +1,44 @@
+.. _codeql-cli-2.5.3:
+
+=========================
+CodeQL 2.5.3 (2021-04-30)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   Ensure the correct URL is generated during :code:`codeql github upload-results` for GitHub Enterprise Server.
+
+New Features
+~~~~~~~~~~~~
+
+*   When tracing a C/C++ build, the C compiler entries in compiler-settings must now specify :code:`order compiler,extractor`. The default configuration already does this, so no change is necessary if using the default configuration.
+    
+*   :code:`codeql database analyze` and :code:`codeql database interpret-results` now report the results of summary metric queries in the
+    :code:`<run>.properties.metricResults` property of the SARIF output.
+    Summary metric queries describe metrics about the code analyzed by CodeQL. They are identified by the query metadata :code:`@kind metric` and
+    :code:`@tag summary`.
+    For example, see the `lines of code summary metric query for C++ <https://github.com/github/codeql/blob/main/cpp/ql/src/Summary/LinesOfCode.ql>`__.
+    
+*   :code:`codeql database analyze` and :code:`codeql database interpret-results` now calculate an
+    \ `automation ID <https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html#_Toc16012482>`__ and add it to the resulting SARIF. In SARIF v2.1.0, this field is
+    :code:`runs[].automationDetails.id`.  In SARIF v2, this field is
+    :code:`runs[].automationLogicalId`. In SARIF v1, this field is
+    :code:`runs[].automationId`. By default, this automation ID will be derived from the database language and the operating system of the machine that performed the run. It can be set explicitly using a new
+    :code:`--sarif-category` option.
+    
+*   In query metadata, :code:`@kind alert` and :code:`@kind path-alert` are now recognized as (more accurate) synonyms of :code:`@kind problem` and
+    :code:`@kind path-problem`, respectively.
+    
+*   Diagnostic queries are now permitted by the metadata verifier. They are identified by :code:`@kind diagnostic` metadata. Currently the result patterns of diagnostic queries are not verified. This will change in a future CLI release.
+    
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.4.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.4.rst
@@ -0,0 +1,17 @@
+.. _codeql-cli-2.5.4:
+
+=========================
+CodeQL 2.5.4 (2021-05-03)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.5.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.5.rst
@@ -0,0 +1,44 @@
+.. _codeql-cli-2.5.5:
+
+=========================
+CodeQL 2.5.5 (2021-05-17)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.5.5 runs a total of 248 security queries when configured with the Default suite (covering 112 CWE). The Extended suite enables an additional 72 queries (covering 26 more CWE). 2 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   When scanning the disk for QL packs and extractors, directories of the form :code:`.../SOMETHING/SOMETHING.testproj` (where the two
+    :code:`SOMETHING` are identical) will now be ignored.  Names of this form are used by :code:`codeql test run` for ephemeral test databases, which can sometimes contain files that confuse QL compilations.
+
+Bug Fixes
+~~~~~~~~~
+
+*   When using the :code:`--sarif-group-rules-by-pack` flag to place the SARIF rule object for each query underneath its corresponding query pack in :code:`runs[].tool.extensions`, the :code:`rule` property of result objects can now be used to look up the rule within the :code:`rules` property of the appropriate query pack in :code:`runs[].tool.extensions`. Previously,
+    rule lookup for result objects in the SARIF output was not well-defined when the :code:`--sarif-group-rules-by-pack` flag was passed.
+
+New Features
+~~~~~~~~~~~~
+
+*   Query writers can now optionally use :code:`@severity` in place of
+    :code:`@problem.severity` in the metadata for alert queries. SARIF consumers should continue to consume this severity information using the :code:`rule.defaultConfiguration.level` property for SARIF v2.1.0, and corresponding properties for other versions of SARIF. They should not depend on the value stored in the :code:`rule.properties` property bag, since this will contain either :code:`@problem.severity` or
+    :code:`@severity` based on exactly what was written in the query metadata.
+    
+*   When exporting analysis results to SARIF v2.1.0, results and metric results now contain a `reporting descriptor reference object <https://docs.oasis-open.org/sarif/sarif/v2.1.0/csprd01/sarif-v2.1.0-csprd01.html#_Toc10541300>`__ that specifies the rule that produced them. For metric results, this new property replaces the :code:`metric` property.
+    
+*   :code:`codeql database analyze` now outputs a table that summarizes the results of metric queries that were part of the analysis. This can be suppressed by passing the :code:`--no-print-metrics-summary` flag.
+    
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.6.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.6.rst
@@ -0,0 +1,56 @@
+.. _codeql-cli-2.5.6:
+
+=========================
+CodeQL 2.5.6 (2021-06-22)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.5.6 runs a total of 266 security queries when configured with the Default suite (covering 114 CWE). The Extended suite enables an additional 57 queries (covering 28 more CWE). 3 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   :code:`codeql database create` (and the plumbing commands it comprises)
+    now supports creating databases for a source tree with several languages while tracing a single build. This is enabled by a new
+    :code:`--db-cluster` option. Once created, the multiple databases must be
+    *analyzed* one by one.
+    
+*   :code:`codeql database create` and :code:`codeql database init` now accept an
+    :code:`--overwrite` argument which will lead existing CodeQL databases to be overwritten.
+    
+*   :code:`codeql database analyze` now supports "diagnostic" queries (tagged
+    :code:`@kind diagnostic`), which are intended to report information about the analysis process itself rather than problems with the analyzed code. The results of these queries will be summarized in a table printed to the terminal when :code:`codeql database analyze` finishes.
+    
+    They are also included in the analysis results in SARIF output formats as `notification objects <https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/sarif-v2.1.0-os.html#_Toc34317894>`__ so they can be displayed by subsequent tooling such as the Code Scanning user interface.
+
+    *   For SARIF v2.1.0, a reporting descriptor object for each diagnostic query is output to output to
+        :code:`runs[].tool.driver.notifications`, or
+        :code:`runs[].tool.extensions[].notifications` if running with
+        :code:`--sarif-group-rules-by-pack`. A rule object for each diagnostic query is output to :code:`runs[].resources[].rules` for SARIF v2, or to
+        :code:`runs[].rules` for SARIF v1.
+        
+    *   Results of diagnostic queries are exported to the
+        :code:`runs[].invocations[].toolExecutionNotifications` property in SARIF v2.1.0, the :code:`runs[].invocations[].toolNotifications` property in SARIF v2, and the :code:`runs[].toolNotifications` property in SARIF v1.
+
+    SARIF v2.1.0 output will now also contain version information for query packs in :code:`runs[].tool.extensions[].semanticVersion`, if the Git commit the queries come from is known.
+    
+*   :code:`codeql github upload-results` has a :code:`--checkout-path` option which will attempt to automatically configure upload target parameters.
+    When this is given, the :code:`--commit` option will be taken from the HEAD of the checkout Git repository, and if there is precisely one remote configured in the local repository, the :code:`--repository` and
+    :code:`--github-url` options will also be automatically configured.
+    
+*   The CodeQL C++ extractor includes beta support for C++20.
+    This is only available when building codebases with GCC on Linux.
+    C++20 modules are **not** supported.
+    
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.7.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.7.rst
@@ -0,0 +1,37 @@
+.. _codeql-cli-2.5.7:
+
+=========================
+CodeQL 2.5.7 (2021-07-02)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.5.7 runs a total of 268 security queries when configured with the Default suite (covering 114 CWE). The Extended suite enables an additional 56 queries (covering 28 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   :code:`codeql database create` and :code:`codeql database init` can now automatically recognise the languages present in checkouts of GitHub repositories by making an API call to the GitHub server. This requires a PAT token to either be set in the :code:`GITHUB_TOKEN` environment variable, or passed by stdin with the
+    :code:`--github-auth-stdin` argument.
+    
+*   Operations that make outgoing HTTP calls (that is, :code:`codeql github upload-results` and the language-detection feature described above)
+    now support the use of HTTP proxies. To use a proxy, specify an
+    :code:`$https_proxy` environment variable for HTTPS requests or a
+    :code:`$http_proxy` environment variable for HTTP requests. If the
+    :code:`$no_proxy` variable is also set, these variables will be ignored and requests will be made without a proxy.
+
+QL Language
+~~~~~~~~~~~
+
+*   The QL language now has a new method :code:`toUnicode` on the :code:`int` type. This method converts Unicode codepoint to a one-character string.  For example, :code:`65.toUnicode() = "A"`, :code:`128512.toUnicode()` results in a smiley, and :code:`any(int i | i.toUnicode() = "A") = 65`.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.8.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.8.rst
@@ -0,0 +1,37 @@
+.. _codeql-cli-2.5.8:
+
+=========================
+CodeQL 2.5.8 (2021-07-26)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.5.8 runs a total of 268 security queries when configured with the Default suite (covering 114 CWE). The Extended suite enables an additional 79 queries (covering 28 more CWE). 23 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The QL compiler now verifies that :code:`@security-severity` query metadata is numeric. You can disable this verification by passing the :code:`--no-metadata-verification` flag.
+
+New Features
+~~~~~~~~~~~~
+
+*   The :code:`database index-files` and :code:`database trace-command` CLI commands now support :code:`--threads` and :code:`--ram` options, which are passed to extractors as suggestions.
+    
+*   The :code:`database finalize` CLI command now supports the :code:`--ram` option,
+    which controls memory usage for finalization.
+    
+*   The :code:`database create` CLI command now supports the :code:`--ram` option,
+    which controls memory usage for database creation.  - The :code:`generate query-help` CLI command now support rendering query help in SARIF format.
+    
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.9.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.5.9.rst
@@ -0,0 +1,17 @@
+.. _codeql-cli-2.5.9:
+
+=========================
+CodeQL 2.5.9 (2021-08-09)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.0.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.0.rst
@@ -0,0 +1,64 @@
+.. _codeql-cli-2.6.0:
+
+=========================
+CodeQL 2.6.0 (2021-08-24)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.6.0 runs a total of 275 security queries when configured with the Default suite (covering 119 CWE). The Extended suite enables an additional 78 queries (covering 27 more CWE). 6 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   The :code:`physicalLocation.artifactLocation.uri` fields in SARIF output are now properly encoded as specified by RFC 3986.
+    
+*   The :code:`--include-extension` option to the :code:`codeql database index-files` command no longer includes directories that are named with the provided extension. For example, if the option
+    :code:`--include-extension=.rb` is provided, then a directory named
+    :code:`foo.rb/` will be excluded from the indexing.
+
+New Features
+~~~~~~~~~~~~
+
+*   A new :code:`codeql database unbundle` subcommand performs the reverse of
+    :code:`codeql database bundle` and extracts a CodeQL database from an archive.
+    
+*   The CLI now understands per-codebase configuration files in `the format already supported by the CodeQL Action <https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#example-configuration-files>`__.  The configuration file must be given in a :code:`--codescanning-config` option to :code:`codeql database create` or :code:`codeql database init`. For some languages, this configuration can contain pathname filters that control which parts of the codebase is analysed; the configuration file is the only way this functionality is exposed. The configuration file can also control which queries are run, including custom queries from repositories that must first be downloaded. To actually use those queries, run :code:`codeql database analyze` without any query-selection arguments.
+    
+*   The CLI now supports the "sandwiched tracing" feature that has previously only been offered through the separate CodeQL Runner.
+    This feature is intended for use with CI systems that cannot be configured to wrap build actions with :code:`codeql database trace-command`. Instead the CI system must be able to set custom environment variables for each build action; the required environment variables are output by :code:`codeql database init` when given a :code:`--begin-tracing` argument.
+    
+    On Windows, :code:`codeql database init --begin-tracing` will also inject build-tracing code into the calling process or an ancestor; there are additional options to control this.
+    
+*   This version contains *beta* support for a new packaging and publishing system for third-party QL queries and libraries. It comprises the following new commands:
+
+    *   :code:`codeql pack init`\ : Creates an empty CodeQL pack from a template.
+        
+    *   :code:`codeql pack add`\ : Adds a dependency to a CodeQL pack.
+        
+    *   :code:`codeql pack install`\ : Installs all pack dependencies specified in the :code:`qlpack.yml` file.
+        
+    *   :code:`codeql pack download`\ : Downloads one or more pack dependencies into the global package cache.
+        
+    *   :code:`codeql pack publish`\ : Publishes a package to the GitHub Container Registry.
+        
+    *   (Plumbing) :code:`codeql pack bundle`\ : Builds a :code:`.zip` file for a CodeQL query or library pack from sources. Used by :code:`codeql pack publish`.
+        
+    *   (Plumbing) :code:`codeql pack create`\ : Creates a compiled CodeQL query or library pack from sources. Used by :code:`codeql pack bundle`.
+        
+    *   (Plumbing) :code:`codeql pack packlist`\ : Lists all files in a local CodeQL pack that will be included in the pack's bundle. Used by
+        :code:`codeql pack create`.
+        
+    *   (Plumbing) :code:`codeql pack resolve-dependencies`\ : Resolves all transitive dependencies of a local CodeQL pack. Used by :code:`codeql pack install`.
+
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.1.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.1.rst
@@ -0,0 +1,96 @@
+.. _codeql-cli-2.6.1:
+
+=========================
+CodeQL 2.6.1 (2021-09-07)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.6.1 runs a total of 274 security queries when configured with the Default suite (covering 119 CWE). The Extended suite enables an additional 80 queries (covering 27 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The :code:`codeql resolve qlref` command will now throw an error when the target is ambiguous.
+    
+    The qlref resolution rules are now as follows:
+
+    #.  If the target of a qlref is in the same qlpack, then that target is always returned.
+        
+    #.  If multiple targets of the qlref are found in dependent packs, this is an error.
+
+    Previously, the command would have arbitrarily chosen one of the targets and ignored any ambiguities.
+    
+*   The :code:`qlpack` directive in query suites has its semantics changed.
+    Previously, this directive would return all queries in the qlpack. Now, the directive returns only those queries matched by the
+    :code:`defaultSuite` directive in the query pack. Here is an example:
+    
+    Consider a :code:`qlpack.yml` like the following:
+
+    ..  code-block:: yaml
+    
+        name: codeql/my-qlpack
+        version: 0.0.1
+        defaultSuite:
+          queries: standard
+        
+    And the directory structure is the following:
+
+    ..  code-block:: text
+    
+        qlpack.yml
+        standard/
+          a.ql
+        experimental/
+          b.ql
+        
+    A query suite :code:`suite.qls` like this:
+
+    ..  code-block:: yaml
+    
+        - qlpack: codeql/my-qlpack
+        
+    Previously, would return all the queries in all subdirectories (i.e,
+    :code:`standard/a.ql` and :code:`experimental/b.ql`). Now, it only returns
+    :code:`standard/a.ql`, since that is the only query matched by its default suite.
+    
+    If you want to have the same behavior as before, you must update your query suites to use the :code:`queries` directive with a :code:`from` attribute,
+    like this:
+
+    ..  code-block:: yaml
+    
+        - queries: .
+          from: codeql/my-qlpack
+
+New Features
+~~~~~~~~~~~~
+
+*   Commands that evaluate CodeQL queries now support an additional option :code:`--evaluator-log=path/to/log.json` that will result in the evaluator producing a structured log (in JSON format) of events that occurred during evaluation in order to aid debugging of query performance. The format of these logs will be subject to change with no notice as we make modifications to the evaluator.
+    
+    There is also a new CLI command :code:`codeql generate log-summary` that will produce a summary of the predicates that were evaluated from these event logs. We will aim to keep this summary format more stable, although it is also subject to change. Unless you have a good reason to use the event logs directly, it is strongly recommended you use this command to produce summary logs and use these instead.
+    
+    For further information on these new logs and additional options to configure their format and verbosity, please refer to the CLI documentation.
+
+QL Language
+~~~~~~~~~~~
+
+*   QL classes can now be non-extending subtypes via the :code:`instanceof` keyword, allowing for a form of private subtyping that is not visible externally. Methods of the supertype are accessible from within a non-extending subtype class through extended semantics of the :code:`super` keyword.
+
+    ..  code-block:: text
+    
+        class Foo instanceof int {
+          Foo() { this in [1 .. 10] }
+          string toString() { result = "foo" + super.toString() }
+        }
+        
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.2.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.6.2.rst
@@ -0,0 +1,52 @@
+.. _codeql-cli-2.6.2:
+
+=========================
+CodeQL 2.6.2 (2021-09-21)
+=========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.6.2 runs a total of 274 security queries when configured with the Default suite (covering 120 CWE). The Extended suite enables an additional 81 queries (covering 28 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Bug Fixes
+~~~~~~~~~
+
+*   A bug where :code:`codeql generate log-summary` would sometimes crash with a :code:`JsonMappingException` has been fixed.
+
+Documentation
+~~~~~~~~~~~~~
+
+*   Documentation has been added detailing how to use the "indirect build tracing" feature, which is enabled by using the
+    :code:`--begin-tracing` flag provided by :code:`codeql database init`. The new documentation can be found `here <https://aka.ms/codeql-docs/indirect-tracing>`__. This feature was temporarily described as "sandwiched tracing" in the 2.6.0 release notes.
+
+New Features
+~~~~~~~~~~~~
+
+*   The CodeQL CLI now counts the lines of code found under
+    :code:`--source-root` when :code:`codeql database init` or :code:`codeql database create` is called. This information can be viewed later by either the new :code:`codeql database print-baseline` command or the new
+    :code:`--print-baseline-loc` argument to :code:`codeql database interpret-results`.
+    
+*   :code:`qlpack.yml` files now support an additional field :code:`include` in which glob patterns of additional files that should be included (or excluded) when creating a given CodeQL pack can be specified.
+    
+*   QL packs created by the experimental :code:`codeql pack create` command will now include some information about the build in a new
+    :code:`buildMetadata` field of their :code:`qlpack.yml` file.
+    
+*   :code:`codeql database create` now supports the same flags as :code:`codeql database init` for automatically recognizing the languages present in checkouts of GitHub repositories:
+
+    *   :code:`--github-url` accepts the URL of a custom GitHub instance
+        (previously only :code:`github.com` was supported).
+        
+    *   :code:`--github-auth-stdin` allows a personal access token to be provided through standard input (previously only the
+        :code:`GITHUB_TOKEN` environment variable was supported).
+
--- a/Show More
+++ b/Show More
				`@@ -1 +0,0 @@`
				`Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql`
				`@@ -0,0 +1 @@`
				`Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.`