Python: Exclude "self-inheritance" results

It's not possible for a class to actually inherit from itself, so if
this happens, something has gone wrong with our analysis. We therefore
explicitly exclude these results so they don't result in false
positives.

MODULE.bazel

@@ -15,7 +15,7 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages
 
 bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_cc", version = "0.2.18")
+bazel_dep(name = "rules_cc", version = "0.2.17")
 bazel_dep(name = "rules_go", version = "0.60.0")
 bazel_dep(name = "rules_java", version = "9.6.1")
 bazel_dep(name = "rules_pkg", version = "1.2.0")
@@ -27,7 +27,7 @@ bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
-bazel_dep(name = "gazelle", version = "0.50.0")
+bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
 bazel_dep(name = "rules_rust", version = "0.69.0")

actions/ql/lib/CHANGELOG.md

@@ -1,13 +1,3 @@
-## 0.4.34
-
-### Minor Analysis Improvements
-
-* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
-
-## 0.4.33
-
-No user-facing changes.
-
 ## 0.4.32
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.33.md

@@ -1,3 +0,0 @@
-## 0.4.33
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.34.md

@@ -1,5 +0,0 @@
-## 0.4.34
-
-### Minor Analysis Improvements
-
-* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.34
+lastReleaseVersion: 0.4.32

actions/ql/lib/ext/manual/docker_build-push-action.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: actionsSinkModel
+    data:
+      - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]

actions/ql/lib/ext/manual/step-security_harden-runner.model.yml

@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/actions-all
+      extensible: actionsSinkModel
+    data:
+      - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.35-dev
+version: 0.4.33-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,17 +1,3 @@
-## 0.6.26
-
-### Major Analysis Improvements
-
-* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
-
-## 0.6.25
-
-No user-facing changes.
-
 ## 0.6.24
 
 No user-facing changes.
@@ -173,7 +159,7 @@ No user-facing changes.
   * `actions/if-expression-always-true/critical`
   * `actions/if-expression-always-true/high`
   * `actions/unnecessary-use-of-advanced-config`
-
+  
 * The following query has been moved from the `code-scanning` suite to the `security-extended`
   suite. Any existing alerts for this query will be closed automatically unless the analysis is
   configured to use the `security-extended` suite.

actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql

@@ -26,23 +26,10 @@ string permissionsForJob(Job job) {
     "{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
 }
 
-predicate jobHasPermissions(Job job) {
-  exists(job.getPermissions())
-  or
-  exists(job.getEnclosingWorkflow().getPermissions())
-  or
-  // The workflow is reusable and cannot be triggered in any other way; check callers
-  exists(ReusableWorkflow r | r = job.getEnclosingWorkflow() |
-    not exists(Event e | e = r.getOn().getAnEvent() | e.getName() != "workflow_call") and
-    forall(Job caller | caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller() |
-      jobHasPermissions(caller)
-    )
-  )
-}
-
 from Job job, string permissions
 where
-  not jobHasPermissions(job) and
+  not exists(job.getPermissions()) and
+  not exists(job.getEnclosingWorkflow().getPermissions()) and
   // exists a trigger event that is not a workflow_call
   exists(Event e |
     e = job.getATriggerEvent() and

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql

@@ -20,6 +20,6 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   event = getRelevantEventInPrivilegedContext(sink.getNode())
-select source.getNode(), source, sink,
-  "Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@).",
-  event, event.getName()
+select sink.getNode(), source, sink,
+  "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
+  sink.getNode().toString(), event, event.getName()

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql

@@ -20,5 +20,6 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   inNonPrivilegedContext(sink.getNode().asExpr())
-select source.getNode(), source, sink,
-  "Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user."
+select sink.getNode(), source, sink,
+  "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
+  sink.getNode().toString()

actions/ql/src/change-notes/released/0.6.25.md

@@ -1,3 +0,0 @@
-## 0.6.25
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.26.md

@@ -1,9 +0,0 @@
-## 0.6.26
-
-### Major Analysis Improvements
-
-* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.26
+lastReleaseVersion: 0.6.24

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.27-dev
+version: 0.6.25-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms11.yml

@@ -1,9 +0,0 @@
-on:
-  workflow_call:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/deploy-pages

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms12.yml

@@ -1,11 +0,0 @@
-on:
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  id-token: write
-  pages: write
-
-jobs:
-  call-workflow:
-    uses: ./.github/workflows/perms11.yml

actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected

@@ -55,21 +55,21 @@ nodes
 | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n |
 subpaths
 #select
-| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
-| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | npm install | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
+| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |

cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected

@@ -7,12 +7,10 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
 ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
 ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
-ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
 ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
 ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
-ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -30,7 +28,6 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
 ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
 ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
 ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
-ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
 ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
 ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
 ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -43,7 +40,6 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
-ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
 ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
 ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql

cpp/ql/lib/CHANGELOG.md

@@ -1,34 +1,3 @@
-## 10.0.0
-
-### Breaking Changes
-
-* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
-* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
-
-### New Features
-
-* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
-
-## 9.0.0
-
-### Breaking Changes
-
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
-
-### New Features
-
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
-
-### Minor Analysis Improvements
-
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).
-
 ## 8.0.3
 
 No user-facing changes.

cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.

cpp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).

cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.

cpp/ql/lib/change-notes/2026-03-24-field-init.md

@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.

cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).

cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.

cpp/ql/lib/change-notes/2026-03-31-meson.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.

cpp/ql/lib/change-notes/2026-04-07-autoconf.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.

cpp/ql/lib/change-notes/released/10.0.0.md

@@ -1,10 +0,0 @@
-## 10.0.0
-
-### Breaking Changes
-
-* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
-* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
-
-### New Features
-
-* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.

cpp/ql/lib/change-notes/released/9.0.0.md

@@ -1,19 +0,0 @@
-## 9.0.0
-
-### Breaking Changes
-
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
-
-### New Features
-
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
-
-### Minor Analysis Improvements
-
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.0.0
+lastReleaseVersion: 8.0.3

cpp/ql/lib/ext/allocation/Std.allocation.model.yml

@@ -12,7 +12,4 @@ extensions:
       - ["", "", False, "_malloca", "0", "", "", False]
       - ["", "", False, "calloc", "1", "0", "", True]
       - ["std", "", False, "calloc", "1", "0", "", True]
-      - ["bsl", "", False, "calloc", "1", "0", "", True]
-      - ["", "", False, "aligned_alloc", "1", "", "", True]
-      - ["std", "", False, "aligned_alloc", "1", "", "", True]
-      - ["bsl", "", False, "aligned_alloc", "1", "", "", True]
+      - ["bsl", "", False, "calloc", "1", "0", "", True]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.0.1-dev
+version: 8.0.4-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -459,13 +459,6 @@ class FormatLiteral extends Literal instanceof StringLiteral {
    */
   int getConvSpecOffset(int n) { result = this.getFormat().indexOf("%", n, 0) }
 
-  /**
-   * Gets the nth conversion specifier string.
-   */
-  private string getConvSpecString(int n) {
-    n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
-  }
-
   /*
    * Each of these predicates gets a regular expressions to match each individual
    * parts of a conversion specifier.
@@ -531,20 +524,22 @@ class FormatLiteral extends Literal instanceof StringLiteral {
     int n, string spec, string params, string flags, string width, string prec, string len,
     string conv
   ) {
-    exists(string convSpec, string regexp |
-      convSpec = this.getConvSpecString(n) and
+    exists(int offset, string fmt, string rst, string regexp |
+      offset = this.getConvSpecOffset(n) and
+      fmt = this.getFormat() and
+      rst = fmt.substring(offset, fmt.length()) and
       regexp = this.getConvSpecRegexp() and
       (
-        spec = convSpec.regexpCapture(regexp, 1) and
-        params = convSpec.regexpCapture(regexp, 2) and
-        flags = convSpec.regexpCapture(regexp, 3) and
-        width = convSpec.regexpCapture(regexp, 4) and
-        prec = convSpec.regexpCapture(regexp, 5) and
-        len = convSpec.regexpCapture(regexp, 6) and
-        conv = convSpec.regexpCapture(regexp, 7)
+        spec = rst.regexpCapture(regexp, 1) and
+        params = rst.regexpCapture(regexp, 2) and
+        flags = rst.regexpCapture(regexp, 3) and
+        width = rst.regexpCapture(regexp, 4) and
+        prec = rst.regexpCapture(regexp, 5) and
+        len = rst.regexpCapture(regexp, 6) and
+        conv = rst.regexpCapture(regexp, 7)
         or
-        spec = convSpec.regexpCapture(regexp, 1) and
-        not exists(convSpec.regexpCapture(regexp, 2)) and
+        spec = rst.regexpCapture(regexp, 1) and
+        not exists(rst.regexpCapture(regexp, 2)) and
         params = "" and
         flags = "" and
         width = "" and
@@ -559,10 +554,12 @@ class FormatLiteral extends Literal instanceof StringLiteral {
    * Gets the nth conversion specifier (including the initial `%`).
    */
   string getConvSpec(int n) {
-    exists(string convSpec, string regexp |
-      convSpec = this.getConvSpecString(n) and
+    exists(int offset, string fmt, string rst, string regexp |
+      offset = this.getConvSpecOffset(n) and
+      fmt = this.getFormat() and
+      rst = fmt.substring(offset, fmt.length()) and
       regexp = this.getConvSpecRegexp() and
-      result = convSpec.regexpCapture(regexp, 1)
+      result = rst.regexpCapture(regexp, 1)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -194,13 +194,6 @@ class ScanfFormatLiteral extends Expr {
     )
   }
 
-  /**
-   * Gets the nth conversion specifier string.
-   */
-  private string getConvSpecString(int n) {
-    n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
-  }
-
   /**
    * Gets the regular expression to match each individual part of a conversion specifier.
    */
@@ -234,14 +227,16 @@ class ScanfFormatLiteral extends Expr {
    * specifier.
    */
   predicate parseConvSpec(int n, string spec, string width, string len, string conv) {
-    exists(string convSpec, string regexp |
-      convSpec = this.getConvSpecString(n) and
+    exists(int offset, string fmt, string rst, string regexp |
+      offset = this.getConvSpecOffset(n) and
+      fmt = this.getFormat() and
+      rst = fmt.substring(offset, fmt.length()) and
       regexp = this.getConvSpecRegexp() and
       (
-        spec = convSpec.regexpCapture(regexp, 1) and
-        width = convSpec.regexpCapture(regexp, 2) and
-        len = convSpec.regexpCapture(regexp, 3) and
-        conv = convSpec.regexpCapture(regexp, 4)
+        spec = rst.regexpCapture(regexp, 1) and
+        width = rst.regexpCapture(regexp, 2) and
+        len = rst.regexpCapture(regexp, 3) and
+        conv = rst.regexpCapture(regexp, 4)
       )
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -6,15 +6,11 @@
  *
  * The extensible relations have the following columns:
  * - Sources:
- *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
+ *   `namespace; type; subtypes; name; signature; ext; output; kind`
  * - Sinks:
- *   `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
+ *   `namespace; type; subtypes; name; signature; ext; input; kind`
  * - Summaries:
- *   `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
- * - Barriers:
- *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
- * - BarrierGuards:
- *   `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
+ *   `namespace; type; subtypes; name; signature; ext; input; output; kind`
  *
  * The interpretation of a row is similar to API-graphs with a left-to-right
  * reading.
@@ -91,23 +87,11 @@
  *    value, and
  *    - flow from the _second_ indirection of the 0th argument to the first
  *    indirection of the return value, etc.
- * 8. The `acceptingValue` column of barrier guard models specifies the condition
- *    under which the guard blocks flow. It can be one of "true" or "false". In
- *    the future "no-exception", "not-zero", "null", "not-null" may be supported.
- * 9. The `kind` column is a tag that can be referenced from QL to determine to
+ * 8. The `kind` column is a tag that can be referenced from QL to determine to
  *    which classes the interpreted elements should be added. For example, for
  *    sources "remote" indicates a default remote flow source, and for summaries
  *    "taint" indicates a default additional taint step and "value" indicates a
  *    globally applicable value-preserving step.
- * 10. The `provenance` column is a tag to indicate the origin and verification of a model.
- *    The format is {origin}-{verification} or just "manual" where the origin describes
- *    the origin of the model and verification describes how the model has been verified.
- *    Some examples are:
- *    - "df-generated": The model has been generated by the model generator tool.
- *    - "df-manual": The model has been generated by the model generator and verified by a human.
- *    - "manual": The model has been written by hand.
- *    This information is used in a heuristic for dataflow analysis to determine, if a
- *    model or source code should be used for determining flow.
  */
 
 import cpp
@@ -947,13 +931,13 @@ private module Cached {
 
   private predicate barrierGuardChecks(IRGuardCondition g, Expr e, boolean gv, TKindModelPair kmp) {
     exists(
-      SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingValue,
+      SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingvalue,
       string kind, string model
     |
-      isBarrierGuardNode(n, acceptingValue, kind, model) and
+      isBarrierGuardNode(n, acceptingvalue, kind, model) and
       n.asNode().asExpr() = e and
       kmp = TMkPair(kind, model) and
-      gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
+      gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
       n.asNode().(Private::ArgumentNode).getCall().asCallInstruction() = g
     )
   }
@@ -970,14 +954,14 @@ private module Cached {
   ) {
     exists(
       SourceSinkInterpretationInput::InterpretNode interpretNode,
-      Public::AcceptingValue acceptingValue, string kind, string model, int indirectionIndex,
+      Public::AcceptingValue acceptingvalue, string kind, string model, int indirectionIndex,
       Private::ArgumentNode arg
     |
-      isBarrierGuardNode(interpretNode, acceptingValue, kind, model) and
+      isBarrierGuardNode(interpretNode, acceptingvalue, kind, model) and
       arg = interpretNode.asNode() and
       arg.asIndirectExpr(indirectionIndex) = e and
       kmp = MkKindModelPairIntPair(TMkPair(kind, model), indirectionIndex) and
-      gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
+      gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
       arg.getCall().asCallInstruction() = g
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll

@@ -33,7 +33,7 @@ extensible predicate barrierModel(
  */
 extensible predicate barrierGuardModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
+  string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
 );
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -162,13 +162,13 @@ module SourceSinkInterpretationInput implements
   }
 
   predicate barrierGuardElement(
-    Element e, string input, Public::AcceptingValue acceptingValue, string kind,
+    Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
     Public::Provenance provenance, string model
   ) {
     exists(
       string package, string type, boolean subtypes, string name, string signature, string ext
     |
-      barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingValue, kind,
+      barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingvalue, kind,
         provenance, model) and
       e = interpretElement(package, type, subtypes, name, signature, ext)
     )

cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll

@@ -11,3 +11,10 @@ import semmle.code.cpp.models.Models
  * The function may still raise a structured exception handling (SEH) exception.
  */
 abstract class NonCppThrowingFunction extends Function { }
+
+/**
+ * A function that is guaranteed to never throw.
+ *
+ * DEPRECATED: use `NonCppThrowingFunction` instead.
+ */
+deprecated class NonThrowingFunction = NonCppThrowingFunction;

cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll

@@ -10,6 +10,19 @@ import semmle.code.cpp.Function
 import semmle.code.cpp.models.Models
 import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
 
+/**
+ * A function that is known to raise an exception.
+ *
+ * DEPRECATED: use `AlwaysSehThrowingFunction` instead.
+ */
+abstract deprecated class ThrowingFunction extends Function {
+  /**
+   * Holds if this function may throw an exception during evaluation.
+   * If `unconditional` is `true` the function always throws an exception.
+   */
+  abstract predicate mayThrowException(boolean unconditional);
+}
+
 /**
  * A function that unconditionally raises a structured exception handling (SEH) exception.
  */

cpp/ql/src/CHANGELOG.md

@@ -1,28 +1,3 @@
-## 1.6.1
-
-### Minor Analysis Improvements
-
-* Added `AllocationFunction` models for `aligned_alloc`, `std::aligned_alloc`, and `bsl::aligned_alloc`.
-* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
-
-## 1.6.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Minor Analysis Improvements
-
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
-
 ## 1.5.15
 
 No user-facing changes.
@@ -366,7 +341,7 @@ No user-facing changes.
 ### Minor Analysis Improvements
 
 * The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
-* Added dataflow models for the `gettext` function variants.
+* Added dataflow models for the `gettext` function variants. 
 
 ## 0.9.4
 

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 8.1
- * @precision high
+ * @precision medium
  * @id cpp/integer-multiplication-cast-to-long
  * @tags reliability
  *       security

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @problem.severity error
  * @security-severity 7.5
- * @precision high
+ * @precision medium
  * @id cpp/wrong-type-format-argument
  * @tags reliability
  *       correctness

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp

@@ -14,9 +14,6 @@ function may behave unpredictably.</p>
 <p>This may indicate a misspelled function name, or that the required header containing
 the function declaration has not been included.</p>
 
-<p>Note: This query is not compatible with <code>build mode: none</code> databases, and produces
-no results on those databases.</p>
-
 </overview>
 <recommendation>
 <p>Provide an explicit declaration of the function before invoking it.</p>
@@ -29,4 +26,4 @@ no results on those databases.</p>
 <references>
 <li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL31-C.+Declare+identifiers+before+using+them">DCL31-C. Declare identifiers before using them</a></li>
 </references>
-</qhelp>
+</qhelp>

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql

@@ -5,7 +5,7 @@
  * may lead to unpredictable behavior.
  * @kind problem
  * @problem.severity warning
- * @precision high
+ * @precision medium
  * @id cpp/implicit-function-declaration
  * @tags correctness
  *       maintainability
@@ -17,11 +17,6 @@ import TooFewArguments
 import TooManyArguments
 import semmle.code.cpp.commons.Exclusions
 
-/*
- * This query is not compatible with build mode: none databases, and produces
- * no results on those databases.
- */
-
 predicate locInfo(Locatable e, File file, int line, int col) {
   e.getFile() = file and
   e.getLocation().getStartLine() = line and
@@ -44,7 +39,6 @@ predicate isCompiledAsC(File f) {
 from FunctionDeclarationEntry fdeIm, FunctionCall fc
 where
   isCompiledAsC(fdeIm.getFile()) and
-  not any(Compilation c).buildModeNone() and
   not isFromMacroDefinition(fc) and
   fdeIm.isImplicit() and
   sameLocation(fdeIm, fc) and

cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll

@@ -79,7 +79,9 @@ private predicate hasZeroParamDecl(Function f) {
 
 // True if this file (or header) was compiled as a C file
 private predicate isCompiledAsC(File f) {
-  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
+  f.compiledAsC()
+  or
+  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
 }
 
 predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {

cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.qll

@@ -28,7 +28,9 @@ private predicate hasZeroParamDecl(Function f) {
 
 /* Holds if this file (or header) was compiled as a C file. */
 private predicate isCompiledAsC(File f) {
-  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
+  f.compiledAsC()
+  or
+  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
 }
 
 /** Holds if `fc` is a call to `f` with too few arguments. */

cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.qll

@@ -19,7 +19,9 @@ private predicate hasZeroParamDecl(Function f) {
 
 // True if this file (or header) was compiled as a C file
 private predicate isCompiledAsC(File f) {
-  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
+  f.compiledAsC()
+  or
+  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
 }
 
 predicate tooManyArguments(FunctionCall fc, Function f) {

cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.8
- * @precision high
+ * @precision medium
  * @tags reliability
  *       security
  *       external/cwe/cwe-190

cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 8.8
- * @precision high
+ * @precision medium
  * @id cpp/suspicious-add-sizeof
  * @tags security
  *       external/cwe/cwe-468

cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).

cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.

cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.

cpp/ql/src/change-notes/released/1.6.0.md

@@ -1,13 +0,0 @@
-## 1.6.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Minor Analysis Improvements
-
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/released/1.6.1.md

@@ -1,10 +0,0 @@
-## 1.6.1
-
-### Minor Analysis Improvements
-
-* Added `AllocationFunction` models for `aligned_alloc`, `std::aligned_alloc`, and `bsl::aligned_alloc`.
-* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.1
+lastReleaseVersion: 1.5.15

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.2-dev
+version: 1.5.16-dev
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,11 +1,3 @@
-## 1.7.65
-
-No user-facing changes.
-
-## 1.7.64
-
-No user-facing changes.
-
 ## 1.7.63
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.64.md

@@ -1,3 +0,0 @@
-## 1.7.64
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.65.md

@@ -1,3 +0,0 @@
-## 1.7.65
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.65
+lastReleaseVersion: 1.7.63

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.66-dev
+version: 1.7.64-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,11 +1,3 @@
-## 1.7.65
-
-No user-facing changes.
-
-## 1.7.64
-
-No user-facing changes.
-
 ## 1.7.63
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/ModifiedFnvFunctionDetection.ql

@@ -13,13 +13,11 @@ import csharp
 import Solorigate
 import experimental.code.csharp.Cryptography.NonCryptographicHashes
 
-ControlFlowNode loopExitNode(LoopStmt loop) { result.isAfter(loop) }
-
 from Variable v, Literal l, LoopStmt loop, Expr additional_xor
 where
   maybeUsedInFnvFunction(v, _, _, loop) and
   exists(BitwiseXorOperation xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-    loopExitNode(loop).getASuccessor*() = xor2.getControlFlowNode() and
+    loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
     xor2.getAnOperand() = v.getAnAccess()
   )
 select l, "This literal is used in an $@ after an FNV-like hash calculation with variable $@.",

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.64.md

@@ -1,3 +0,0 @@
-## 1.7.64
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.65.md

@@ -1,3 +0,0 @@
-## 1.7.65
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.65
+lastReleaseVersion: 1.7.63

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.66-dev
+version: 1.7.64-dev
 groups:
   - csharp
   - solorigate

csharp/ql/consistency-queries/CfgConsistency.ql

@@ -1,2 +1,5 @@
 import csharp
-import ControlFlow::Consistency
+import semmle.code.csharp.controlflow.internal.Completion
+import ControlFlow
+import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl::Consistency
+import semmle.code.csharp.controlflow.internal.Splitting

csharp/ql/consistency-queries/DataFlowConsistency.ql

@@ -1,4 +1,5 @@
 import csharp
+private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl as ControlFlowGraphImpl
 private import semmle.code.csharp.dataflow.internal.DataFlowImplSpecific
 private import semmle.code.csharp.dataflow.internal.TaintTrackingImplSpecific
 private import codeql.dataflow.internal.DataFlowImplConsistency
@@ -6,6 +7,20 @@ private import codeql.dataflow.internal.DataFlowImplConsistency
 private module Input implements InputSig<Location, CsharpDataFlow> {
   private import CsharpDataFlow
 
+  private predicate isStaticAssignable(Assignable a) { a.(Modifiable).isStatic() }
+
+  predicate uniqueEnclosingCallableExclude(Node node) {
+    // TODO: Remove once static initializers are folded into the
+    // static constructors
+    isStaticAssignable(ControlFlowGraphImpl::getNodeCfgScope(node.getControlFlowNode()))
+  }
+
+  predicate uniqueCallEnclosingCallableExclude(DataFlowCall call) {
+    // TODO: Remove once static initializers are folded into the
+    // static constructors
+    isStaticAssignable(ControlFlowGraphImpl::getNodeCfgScope(call.getControlFlowNode()))
+  }
+
   predicate uniqueNodeLocationExclude(Node n) {
     // Methods with multiple implementations
     n instanceof ParameterNode
@@ -55,14 +70,17 @@ private module Input implements InputSig<Location, CsharpDataFlow> {
           init.getInitializer().getNumberOfChildren() > 1
         )
       or
-      call.(NonDelegateDataFlowCall).getDispatchCall().isReflection()
-      or
-      // Exclude calls that are both getter and setter calls, as they share the same argument nodes.
-      exists(AccessorCall ac |
-        call.(NonDelegateDataFlowCall).getDispatchCall().getCall() = ac and
-        ac instanceof AssignableRead and
-        ac instanceof AssignableWrite
+      exists(ControlFlow::Nodes::ElementNode cfn, ControlFlow::Nodes::Split split |
+        exists(arg.asExprAtNode(cfn))
+      |
+        split = cfn.getASplit() and
+        not split = call.getControlFlowNode().getASplit()
+        or
+        split = call.getControlFlowNode().getASplit() and
+        not split = cfn.getASplit()
       )
+      or
+      call.(NonDelegateDataFlowCall).getDispatchCall().isReflection()
     )
   }
 }

csharp/ql/consistency-queries/VariableCaptureConsistency.ql

@@ -1,6 +1,13 @@
 import csharp
 import semmle.code.csharp.dataflow.internal.DataFlowPrivate::VariableCapture::Flow::ConsistencyChecks
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate::VariableCapture::Flow::ConsistencyChecks as ConsistencyChecks
+private import semmle.code.csharp.controlflow.BasicBlocks
+private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl
+
+query predicate uniqueEnclosingCallable(BasicBlock bb, string msg) {
+  ConsistencyChecks::uniqueEnclosingCallable(bb, msg) and
+  getNodeCfgScope(bb.getFirstNode()) instanceof Callable
+}
 
 query predicate consistencyOverview(string msg, int n) { none() }
 

csharp/ql/examples/snippets/integer_literal.ql

@@ -9,5 +9,5 @@
 import csharp
 
 from IntegerLiteral literal
-where literal.getIntValue() = 0
+where literal.getValue().toInt() = 0
 select literal

csharp/ql/lib/CHANGELOG.md

@@ -1,19 +1,3 @@
-## 5.5.0
-
-### Deprecated APIs
-
-* The predicates `get[L|R]Value` in the class `Assignment` have been deprecated. Use `get[Left|Right]Operand` instead.
-
-## 5.4.12
-
-### Minor Analysis Improvements
-
-* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
-* The `cs/log-forging` query no longer treats arguments to extension methods with
-  source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
-  through extension method bodies, reducing false positives when extension methods
-  sanitize input internally.
-
 ## 5.4.11
 
 No user-facing changes.

csharp/ql/lib/Linq/Helpers.qll

@@ -121,17 +121,15 @@ predicate missedOfTypeOpportunity(ForeachStmtEnumerable fes, LocalVariableDeclSt
 /**
  * Holds if `foreach` statement `fes` can be converted to a `.Select()` call.
  * That is, the loop variable is accessed only in the first statement of the
- * block, the access is not a cast, the first statement is a
- * local variable declaration statement `s`, and the initializer does not
- * contain an `await` expression (since `Select` does not support async lambdas).
+ * block, the access is not a cast, and the first statement is a
+ * local variable declaration statement `s`.
  */
 predicate missedSelectOpportunity(ForeachStmtGenericEnumerable fes, LocalVariableDeclStmt s) {
   s = firstStmt(fes) and
   forex(VariableAccess va | va = fes.getVariable().getAnAccess() |
     va = s.getAVariableDeclExpr().getAChildExpr*()
   ) and
-  not s.getAVariableDeclExpr().getInitializer() instanceof Cast and
-  not s.getAVariableDeclExpr().getInitializer().getAChildExpr*() instanceof AwaitExpr
+  not s.getAVariableDeclExpr().getInitializer() instanceof Cast
 }
 
 /**

csharp/ql/lib/change-notes/2026-03-19-fix-log-forging-extension-methods.md

@@ -1,8 +1,6 @@
-## 5.4.12
-
-### Minor Analysis Improvements
-
-* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
+---
+category: minorAnalysis
+---
 * The `cs/log-forging` query no longer treats arguments to extension methods with
   source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
   through extension method bodies, reducing false positives when extension methods

csharp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).

csharp/ql/lib/change-notes/2026-03-26-expanded-assignments.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.

csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.

csharp/ql/lib/change-notes/2026-04-01-getlrvalue.md

@@ -1,5 +1,4 @@
-## 5.5.0
-
-### Deprecated APIs
-
+---
+category: deprecated
+---
 * The predicates `get[L|R]Value` in the class `Assignment` have been deprecated. Use `get[Left|Right]Operand` instead.

csharp/ql/lib/change-notes/2026-04-13-cfg.md

@@ -1,20 +0,0 @@
----
-category: breaking
----
-* The C# control flow graph (CFG) implementation has been completely
-  rewritten. The CFG now includes additional nodes to more accurately represent
-  certain constructs. This also means that any existing code that implicitly
-  relies on very specific details about the CFG may need to be updated.
-  The CFG no longer uses splitting, which means that AST nodes now have a unique
-  CFG node representation.
-  Additionally, the following breaking changes have been made:
-  - `ControlFlow::Node` has been renamed to `ControlFlowNode`.
-  - `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
-  - `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
-  - `BasicBlocks.qll` has been deleted.
-  - `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
-    mapping remains one-to-many, but now for a different reason. It used to be
-    because of splitting, but now it's because of additional "helper" CFG
-    nodes. To get the (now canonical) CFG node for a given AST node, use
-    `ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
-    `ControlFlowElement.getControlFlowNode()` instead.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.5.0
+lastReleaseVersion: 5.4.11

csharp/ql/lib/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll

@@ -30,7 +30,7 @@ predicate maybeUsedInFnvFunction(Variable v, Operation xor, Operation mul, LoopS
     e2.getAChild*() = v.getAnAccess() and
     e1 = xor.getAnOperand() and
     e2 = mul.getAnOperand() and
-    xor.getControlFlowNode().getASuccessor*() = mul.getControlFlowNode() and
+    xor.getAControlFlowNode().getASuccessor*() = mul.getAControlFlowNode() and
     (xor instanceof AssignXorExpr or xor instanceof BitwiseXorExpr) and
     (mul instanceof AssignMulExpr or mul instanceof MulExpr)
   ) and
@@ -55,11 +55,11 @@ private predicate maybeUsedInElfHashFunction(Variable v, Operation xor, Operatio
     v = addAssign.getTargetVariable() and
     addAssign.getAChild*() = add and
     (xor instanceof BitwiseXorExpr or xor instanceof AssignXorExpr) and
-    addAssign.getControlFlowNode().getASuccessor*() = xor.getControlFlowNode() and
+    addAssign.getAControlFlowNode().getASuccessor*() = xor.getAControlFlowNode() and
     xorAssign.getAChild*() = xor and
     v = xorAssign.getTargetVariable() and
     (notOp instanceof UnaryBitwiseOperation or notOp instanceof AssignBitwiseOperation) and
-    xor.getControlFlowNode().getASuccessor*() = notOp.getControlFlowNode() and
+    xor.getAControlFlowNode().getASuccessor*() = notOp.getAControlFlowNode() and
     notAssign.getAChild*() = notOp and
     v = notAssign.getTargetVariable() and
     loop.getAChild*() = add.getEnclosingStmt() and

csharp/ql/lib/printCfg.ql

@@ -7,7 +7,7 @@
  * @tags ide-contextual-queries/print-cfg
  */
 
-import csharp
+private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl
 
 external string selectedSourceFile();
 
@@ -21,7 +21,7 @@ external int selectedSourceColumn();
 
 private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
 
-module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<File> {
+module ViewCfgQueryInput implements ViewCfgQueryInputSig<File> {
   predicate selectedSourceFile = selectedSourceFileAlias/0;
 
   predicate selectedSourceLine = selectedSourceLineAlias/0;
@@ -29,7 +29,7 @@ module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<File> {
   predicate selectedSourceColumn = selectedSourceColumnAlias/0;
 
   predicate cfgScopeSpan(
-    Callable scope, File file, int startLine, int startColumn, int endLine, int endColumn
+    CfgScope scope, File file, int startLine, int startColumn, int endLine, int endColumn
   ) {
     file = scope.getFile() and
     scope.getLocation().getStartLine() = startLine and
@@ -40,20 +40,11 @@ module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<File> {
     |
       loc = scope.(Callable).getBody().getLocation()
       or
-      loc = any(AssignExpr init | scope.(ObjectInitMethod).initializes(init)).getLocation()
+      loc = scope.(Field).getInitializer().getLocation()
       or
-      exists(AssignableMember a, Constructor ctor |
-        scope = ctor and
-        ctor.isStatic() and
-        a.isStatic() and
-        a.getDeclaringType() = ctor.getDeclaringType()
-      |
-        loc = a.(Field).getInitializer().getLocation()
-        or
-        loc = a.(Property).getInitializer().getLocation()
-      )
+      loc = scope.(Property).getInitializer().getLocation()
     )
   }
 }
 
-import ControlFlow::ViewCfgQuery<File, ViewCfgQueryInput>
+import ViewCfgQuery<File, ViewCfgQueryInput>

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.5.1-dev
+version: 5.4.12-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/Assignable.qll

@@ -85,8 +85,8 @@ class AssignableRead extends AssignableAccess {
   }
 
   pragma[noinline]
-  private ControlFlowNode getAnAdjacentReadSameVar() {
-    SsaImpl::adjacentReadPairSameVar(_, this.getControlFlowNode(), result)
+  private ControlFlow::Node getAnAdjacentReadSameVar() {
+    SsaImpl::adjacentReadPairSameVar(_, this.getAControlFlowNode(), result)
   }
 
   /**
@@ -114,7 +114,11 @@ class AssignableRead extends AssignableAccess {
    * - The read of `this.Field` on line 11 is next to the read on line 10.
    */
   pragma[nomagic]
-  AssignableRead getANextRead() { result.getControlFlowNode() = this.getAnAdjacentReadSameVar() }
+  AssignableRead getANextRead() {
+    forex(ControlFlow::Node cfn | cfn = result.getAControlFlowNode() |
+      cfn = this.getAnAdjacentReadSameVar()
+    )
+  }
 }
 
 /**
@@ -406,7 +410,7 @@ private import AssignableInternal
  */
 class AssignableDefinition extends TAssignableDefinition {
   /**
-   * DEPRECATED: Use `this.getExpr().getControlFlowNode()` instead.
+   * DEPRECATED: Use `this.getExpr().getAControlFlowNode()` instead.
    *
    * Gets a control flow node that updates the targeted assignable when
    * reached.
@@ -415,7 +419,9 @@ class AssignableDefinition extends TAssignableDefinition {
    * the definitions of `x` and `y` in `M(out x, out y)` and `(x, y) = (0, 1)`
    * relate to the same call to `M` and assignment node, respectively.
    */
-  deprecated ControlFlowNode getAControlFlowNode() { result = this.getExpr().getControlFlowNode() }
+  deprecated ControlFlow::Node getAControlFlowNode() {
+    result = this.getExpr().getAControlFlowNode()
+  }
 
   /**
    * Gets the underlying expression that updates the targeted assignable when
@@ -488,7 +494,7 @@ class AssignableDefinition extends TAssignableDefinition {
    */
   pragma[nomagic]
   AssignableRead getAFirstRead() {
-    exists(ControlFlowNode cfn | cfn = result.getControlFlowNode() |
+    forex(ControlFlow::Node cfn | cfn = result.getAControlFlowNode() |
       exists(Ssa::ExplicitDefinition def | result = def.getAFirstReadAtNode(cfn) |
         this = def.getADefinition()
       )
@@ -566,9 +572,11 @@ module AssignableDefinitions {
   }
 
   /** Holds if a node in basic block `bb` assigns to `ref` parameter `p` via definition `def`. */
-  private predicate basicBlockRefParamDef(BasicBlock bb, Parameter p, AssignableDefinition def) {
+  private predicate basicBlockRefParamDef(
+    ControlFlow::BasicBlock bb, Parameter p, AssignableDefinition def
+  ) {
     def = any(RefArg arg).getAnAnalyzableRefDef(p) and
-    bb.getANode() = def.getExpr().getControlFlowNode()
+    bb.getANode() = def.getExpr().getAControlFlowNode()
   }
 
   /**
@@ -577,7 +585,7 @@ module AssignableDefinitions {
    * any assignments to `p`.
    */
   pragma[nomagic]
-  private predicate parameterReachesWithoutDef(Parameter p, BasicBlock bb) {
+  private predicate parameterReachesWithoutDef(Parameter p, ControlFlow::BasicBlock bb) {
     forall(AssignableDefinition def | basicBlockRefParamDef(bb, p, def) |
       isUncertainRefCall(def.getTargetAccess())
     ) and
@@ -585,7 +593,9 @@ module AssignableDefinitions {
       any(RefArg arg).isAnalyzable(p) and
       p.getCallable().getEntryPoint() = bb.getFirstNode()
       or
-      exists(BasicBlock mid | parameterReachesWithoutDef(p, mid) | bb = mid.getASuccessor())
+      exists(ControlFlow::BasicBlock mid | parameterReachesWithoutDef(p, mid) |
+        bb = mid.getASuccessor()
+      )
     )
   }
 
@@ -597,7 +607,7 @@ module AssignableDefinitions {
   cached
   predicate isUncertainRefCall(RefArg arg) {
     arg.isPotentialAssignment() and
-    exists(BasicBlock bb, Parameter p | arg.isAnalyzable(p) |
+    exists(ControlFlow::BasicBlock bb, Parameter p | arg.isAnalyzable(p) |
       parameterReachesWithoutDef(p, bb) and
       bb.getLastNode() = p.getCallable().getExitPoint()
     )
@@ -678,7 +688,7 @@ module AssignableDefinitions {
     /** Gets the underlying parameter. */
     Parameter getParameter() { result = p }
 
-    deprecated override ControlFlowNode getAControlFlowNode() {
+    deprecated override ControlFlow::Node getAControlFlowNode() {
       result = p.getCallable().getEntryPoint()
     }
 

csharp/ql/lib/semmle/code/csharp/Caching.qll

@@ -7,6 +7,23 @@ private import csharp
  * in the same stage across different files.
  */
 module Stages {
+  cached
+  module ControlFlowStage {
+    private import semmle.code.csharp.controlflow.internal.Splitting
+
+    cached
+    predicate forceCachingInSameStage() { any() }
+
+    cached
+    private predicate forceCachingInSameStageRev() {
+      exists(Split s)
+      or
+      exists(ControlFlow::Node n)
+      or
+      forceCachingInSameStageRev()
+    }
+  }
+
   cached
   module GuardsStage {
     private import semmle.code.csharp.controlflow.Guards

csharp/ql/lib/semmle/code/csharp/Callable.qll

@@ -22,7 +22,7 @@ private import TypeRef
  * an anonymous function (`AnonymousFunctionExpr`), or a local function
  * (`LocalFunction`).
  */
-class Callable extends Parameterizable, ControlFlowElementOrCallable, @callable {
+class Callable extends Parameterizable, ExprOrStmtParent, @callable {
   /** Gets the return type of this callable. */
   Type getReturnType() { none() }
 
@@ -157,10 +157,10 @@ class Callable extends Parameterizable, ControlFlowElementOrCallable, @callable
   final predicate hasExpressionBody() { exists(this.getExpressionBody()) }
 
   /** Gets the entry point in the control graph for this callable. */
-  ControlFlow::EntryNode getEntryPoint() { result.getEnclosingCallable() = this }
+  ControlFlow::Nodes::EntryNode getEntryPoint() { result.getCallable() = this }
 
   /** Gets the exit point in the control graph for this callable. */
-  ControlFlow::ExitNode getExitPoint() { result.getEnclosingCallable() = this }
+  ControlFlow::Nodes::ExitNode getExitPoint() { result.getCallable() = this }
 
   /**
    * Gets the enclosing callable of this callable, if any.

csharp/ql/lib/semmle/code/csharp/Conversion.qll

@@ -232,9 +232,14 @@ private module Identity {
    */
   pragma[nomagic]
   private predicate convTypeArguments(Type fromTypeArgument, Type toTypeArgument, int i) {
-    fromTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i)) and
-    toTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i)) and
-    convIdentity(fromTypeArgument, toTypeArgument)
+    exists(int j |
+      fromTypeArgument = getTypeArgumentRanked(_, _, i) and
+      toTypeArgument = getTypeArgumentRanked(_, _, j) and
+      i <= j and
+      j <= i
+    |
+      convIdentity(fromTypeArgument, toTypeArgument)
+    )
   }
 
   pragma[nomagic]
@@ -713,7 +718,7 @@ private class SignedIntegralConstantExpr extends Expr {
 }
 
 private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType toType) {
-  exists(int n | n = e.getIntValue() |
+  exists(int n | n = e.getValue().toInt() |
     toType = any(SByteType t | n in [t.minValue() .. t.maxValue()])
     or
     toType = any(ByteType t | n in [t.minValue() .. t.maxValue()])
@@ -730,7 +735,7 @@ private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType t
 
 private predicate convConstantLongExpr(SignedIntegralConstantExpr e) {
   e.getType() instanceof LongType and
-  e.getIntValue() >= 0
+  e.getValue().toInt() >= 0
 }
 
 /** 6.1.10: Implicit reference conversions involving type parameters. */
@@ -924,16 +929,19 @@ private module Variance {
   private predicate convTypeArguments(
     TypeArgument fromTypeArgument, TypeArgument toTypeArgument, int i, TVariance v
   ) {
-    fromTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i), _) and
-    toTypeArgument = getTypeArgumentRanked(_, _, pragma[only_bind_into](i), _) and
-    (
+    exists(int j |
+      fromTypeArgument = getTypeArgumentRanked(_, _, i, _) and
+      toTypeArgument = getTypeArgumentRanked(_, _, j, _) and
+      i <= j and
+      j <= i
+    |
       convIdentity(fromTypeArgument, toTypeArgument) and
       v = TNone()
       or
-      convRefTypeTypeArgumentOut(fromTypeArgument, toTypeArgument, i) and
+      convRefTypeTypeArgumentOut(fromTypeArgument, toTypeArgument, j) and
       v = TOut()
       or
-      convRefTypeTypeArgumentIn(toTypeArgument, fromTypeArgument, i) and
+      convRefTypeTypeArgumentIn(toTypeArgument, fromTypeArgument, j) and
       v = TIn()
     )
   }

csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll

@@ -129,6 +129,13 @@ private module Cached {
     result = parent.getAChildStmt()
   }
 
+  pragma[inline]
+  private ControlFlowElement enclosingStart(ControlFlowElement cfe) {
+    result = cfe
+    or
+    getAChild(result).(AnonymousFunctionExpr) = cfe
+  }
+
   private predicate parent(ControlFlowElement child, ExprOrStmtParent parent) {
     child = getAChild(parent) and
     not child = getBody(_)
@@ -138,7 +145,7 @@ private module Cached {
   cached
   predicate enclosingBody(ControlFlowElement cfe, ControlFlowElement body) {
     body = getBody(_) and
-    parent*(cfe, body)
+    parent*(enclosingStart(cfe), body)
   }
 
   /** Holds if the enclosing callable of `cfe` is `c`. */
@@ -146,7 +153,7 @@ private module Cached {
   predicate enclosingCallable(ControlFlowElement cfe, Callable c) {
     enclosingBody(cfe, getBody(c))
     or
-    parent*(cfe, c.(Constructor).getInitializer())
+    parent*(enclosingStart(cfe), c.(Constructor).getInitializer())
     or
     parent*(cfe, c.(Constructor).getObjectInitializerCall())
     or

csharp/ql/lib/semmle/code/csharp/commons/Collections.qll

@@ -54,44 +54,21 @@ private string genericCollectionTypeName() {
     ]
 }
 
-/** A collection type */
-abstract private class CollectionTypeImpl extends RefType {
-  /**
-   * Gets the element type of this collection, for example `int` in `List<int>`.
-   */
-  abstract Type getElementType();
-}
-
-private class GenericCollectionType extends CollectionTypeImpl {
-  private ConstructedType base;
-
-  GenericCollectionType() {
-    base = this.getABaseType*() and
-    base.getUnboundGeneric()
-        .hasFullyQualifiedName(genericCollectionNamespaceName(), genericCollectionTypeName())
-  }
-
-  override Type getElementType() {
-    result = base.getTypeArgument(0) and base.getNumberOfTypeArguments() = 1
-  }
-}
-
-private class NonGenericCollectionType extends CollectionTypeImpl {
-  NonGenericCollectionType() {
+/** A collection type. */
+class CollectionType extends RefType {
+  CollectionType() {
     exists(RefType base | base = this.getABaseType*() |
       base.hasFullyQualifiedName(collectionNamespaceName(), collectionTypeName())
+      or
+      base.(ConstructedType)
+          .getUnboundGeneric()
+          .hasFullyQualifiedName(genericCollectionNamespaceName(), genericCollectionTypeName())
     )
+    or
+    this instanceof ArrayType
   }
-
-  override Type getElementType() { none() }
 }
 
-private class ArrayCollectionType extends CollectionTypeImpl instanceof ArrayType {
-  override Type getElementType() { result = ArrayType.super.getElementType() }
-}
-
-final class CollectionType = CollectionTypeImpl;
-
 /**
  * A collection type that can be used as a `params` parameter type.
  */

csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll

@@ -161,7 +161,7 @@ private newtype TComparisonTest =
       compare.getComparisonKind().isCompare() and
       outerKind = outer.getComparisonKind() and
       outer.getAnArgument() = compare.getExpr() and
-      i = outer.getAnArgument().getIntValue()
+      i = outer.getAnArgument().getValue().toInt()
     |
       outerKind.isEquality() and
       (

csharp/ql/lib/semmle/code/csharp/commons/Constants.qll

@@ -32,13 +32,13 @@ private module ConstantComparisonOperation {
 
   private int maxValue(Expr expr) {
     if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
-    then result = expr.getIntValue()
+    then result = expr.getValue().toInt()
     else result = convertedType(expr).maxValue()
   }
 
   private int minValue(Expr expr) {
     if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
-    then result = expr.getIntValue()
+    then result = expr.getValue().toInt()
     else result = convertedType(expr).minValue()
   }
 

csharp/ql/lib/semmle/code/csharp/commons/Strings.qll

@@ -29,7 +29,7 @@ class ImplicitToStringExpr extends Expr {
       m = p.getCallable()
     |
       m = any(SystemTextStringBuilderClass c).getAMethod() and
-      m.getName() = "Append" and
+      m.getName().regexpMatch("Append(Line)?") and
       not p.getType() instanceof ArrayType
       or
       p instanceof StringFormatItemParameter and

csharp/ql/lib/semmle/code/csharp/controlflow/BasicBlocks.qll

@@ -0,0 +1,356 @@
+/**
+ * Provides classes representing basic blocks.
+ */
+
+import csharp
+private import ControlFlow
+private import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl as CfgImpl
+private import CfgImpl::BasicBlocks as BasicBlocksImpl
+private import codeql.controlflow.BasicBlock as BB
+
+/**
+ * A basic block, that is, a maximal straight-line sequence of control flow nodes
+ * without branches or joins.
+ */
+final class BasicBlock extends BasicBlocksImpl::BasicBlock {
+  /** Gets an immediate successor of this basic block of a given type, if any. */
+  BasicBlock getASuccessor(ControlFlow::SuccessorType t) { result = super.getASuccessor(t) }
+
+  /** DEPRECATED: Use `getASuccessor` instead. */
+  deprecated BasicBlock getASuccessorByType(ControlFlow::SuccessorType t) {
+    result = this.getASuccessor(t)
+  }
+
+  /** Gets an immediate predecessor of this basic block of a given type, if any. */
+  BasicBlock getAPredecessorByType(ControlFlow::SuccessorType t) {
+    result = this.getAPredecessor(t)
+  }
+
+  /**
+   * Gets an immediate `true` successor, if any.
+   *
+   * An immediate `true` successor is a successor that is reached when
+   * the condition that ends this basic block evaluates to `true`.
+   *
+   * Example:
+   *
+   * ```csharp
+   * if (x < 0)
+   *   x = -x;
+   * ```
+   *
+   * The basic block on line 2 is an immediate `true` successor of the
+   * basic block on line 1.
+   */
+  BasicBlock getATrueSuccessor() { result.getFirstNode() = this.getLastNode().getATrueSuccessor() }
+
+  /**
+   * Gets an immediate `false` successor, if any.
+   *
+   * An immediate `false` successor is a successor that is reached when
+   * the condition that ends this basic block evaluates to `false`.
+   *
+   * Example:
+   *
+   * ```csharp
+   * if (!(x >= 0))
+   *   x = -x;
+   * ```
+   *
+   * The basic block on line 2 is an immediate `false` successor of the
+   * basic block on line 1.
+   */
+  BasicBlock getAFalseSuccessor() {
+    result.getFirstNode() = this.getLastNode().getAFalseSuccessor()
+  }
+
+  BasicBlock getASuccessor() { result = super.getASuccessor() }
+
+  /** Gets the control flow node at a specific (zero-indexed) position in this basic block. */
+  ControlFlow::Node getNode(int pos) { result = super.getNode(pos) }
+
+  /** Gets a control flow node in this basic block. */
+  ControlFlow::Node getANode() { result = super.getANode() }
+
+  /** Gets the first control flow node in this basic block. */
+  ControlFlow::Node getFirstNode() { result = super.getFirstNode() }
+
+  /** Gets the last control flow node in this basic block. */
+  ControlFlow::Node getLastNode() { result = super.getLastNode() }
+
+  /** Gets the callable that this basic block belongs to. */
+  final Callable getCallable() { result = this.getFirstNode().getEnclosingCallable() }
+
+  /**
+   * Holds if this basic block immediately dominates basic block `bb`.
+   *
+   * That is, this basic block is the unique basic block satisfying:
+   * 1. This basic block strictly dominates `bb`
+   * 2. There exists no other basic block that is strictly dominated by this
+   *    basic block and which strictly dominates `bb`.
+   *
+   * All basic blocks, except entry basic blocks, have a unique immediate
+   * dominator.
+   *
+   * Example:
+   *
+   * ```csharp
+   * int M(string s) {
+   *   if (s == null)
+   *     throw new ArgumentNullException(nameof(s));
+   *   return s.Length;
+   * }
+   * ```
+   *
+   * The basic block starting on line 2 strictly dominates the
+   * basic block on line 4 (all paths from the entry point of `M`
+   * to `return s.Length;` must go through the null check).
+   */
+  predicate immediatelyDominates(BasicBlock bb) { super.immediatelyDominates(bb) }
+
+  /**
+   * Holds if this basic block strictly dominates basic block `bb`.
+   *
+   * That is, all paths reaching basic block `bb` from some entry point
+   * basic block must go through this basic block (which must be different
+   * from `bb`).
+   *
+   * Example:
+   *
+   * ```csharp
+   * int M(string s) {
+   *   if (s == null)
+   *     throw new ArgumentNullException(nameof(s));
+   *   return s.Length;
+   * }
+   * ```
+   *
+   * The basic block starting on line 2 strictly dominates the
+   * basic block on line 4 (all paths from the entry point of `M`
+   * to `return s.Length;` must go through the null check).
+   */
+  predicate strictlyDominates(BasicBlock bb) { super.strictlyDominates(bb) }
+
+  /**
+   * Holds if this basic block dominates basic block `bb`.
+   *
+   * That is, all paths reaching basic block `bb` from some entry point
+   * basic block must go through this basic block.
+   *
+   * Example:
+   *
+   * ```csharp
+   * int M(string s) {
+   *   if (s == null)
+   *     throw new ArgumentNullException(nameof(s));
+   *   return s.Length;
+   * }
+   * ```
+   *
+   * The basic block starting on line 2 dominates the basic
+   * block on line 4 (all paths from the entry point of `M` to
+   * `return s.Length;` must go through the null check).
+   *
+   * This predicate is *reflexive*, so for example `if (s == null)` dominates
+   * itself.
+   */
+  predicate dominates(BasicBlock bb) {
+    bb = this or
+    this.strictlyDominates(bb)
+  }
+
+  /**
+   * Holds if `df` is in the dominance frontier of this basic block.
+   * That is, this basic block dominates a predecessor of `df`, but
+   * does not dominate `df` itself.
+   *
+   * Example:
+   *
+   * ```csharp
+   * if (x < 0) {
+   *   x = -x;
+   *   if (x > 10)
+   *     x--;
+   * }
+   * Console.Write(x);
+   * ```
+   *
+   * The basic block on line 6 is in the dominance frontier
+   * of the basic block starting on line 2 because that block
+   * dominates the basic block on line 4, which is a predecessor of
+   * `Console.Write(x);`. Also, the basic block starting on line 2
+   * does not dominate the basic block on line 6.
+   */
+  predicate inDominanceFrontier(BasicBlock df) { super.inDominanceFrontier(df) }
+
+  /**
+   * Gets the basic block that immediately dominates this basic block, if any.
+   *
+   * That is, the result is the unique basic block satisfying:
+   * 1. The result strictly dominates this basic block.
+   * 2. There exists no other basic block that is strictly dominated by the
+   *    result and which strictly dominates this basic block.
+   *
+   * All basic blocks, except entry basic blocks, have a unique immediate
+   * dominator.
+   *
+   * Example:
+   *
+   * ```csharp
+   * int M(string s) {
+   *   if (s == null)
+   *     throw new ArgumentNullException(nameof(s));
+   *   return s.Length;
+   * }
+   * ```
+   *
+   * The basic block starting on line 2 is an immediate dominator of
+   * the basic block online 4 (all paths from the entry point of `M`
+   * to `return s.Length;` must go through the null check.
+   */
+  BasicBlock getImmediateDominator() { result = super.getImmediateDominator() }
+
+  /**
+   * Holds if the edge with successor type `s` out of this basic block is a
+   * dominating edge for `dominated`.
+   *
+   * That is, all paths reaching `dominated` from the entry point basic
+   * block must go through the `s` edge out of this basic block.
+   *
+   * Edge dominance is similar to node dominance except it concerns edges
+   * instead of nodes: A basic block is dominated by a _basic block_ `bb` if it
+   * can only be reached through `bb` and dominated by an _edge_ `e` if it can
+   * only be reached through `e`.
+   *
+   * Note that where all basic blocks (except the entry basic block) are
+   * strictly dominated by at least one basic block, a basic block may not be
+   * dominated by any edge. If an edge dominates a basic block `bb`, then
+   * both endpoints of the edge dominates `bb`. The converse is not the case,
+   * as there may be multiple paths between the endpoints with none of them
+   * dominating.
+   */
+  predicate edgeDominates(BasicBlock dominated, ControlFlow::SuccessorType s) {
+    super.edgeDominates(dominated, s)
+  }
+
+  /**
+   * Holds if this basic block strictly post-dominates basic block `bb`.
+   *
+   * That is, all paths reaching a normal exit point basic block from basic
+   * block `bb` must go through this basic block (which must be different
+   * from `bb`).
+   *
+   * Example:
+   *
+   * ```csharp
+   * int M(string s) {
+   *   try {
+   *     return s.Length;
+   *   }
+   *   finally {
+   *     Console.WriteLine("M");
+   *   }
+   * }
+   * ```
+   *
+   * The basic block on line 6 strictly post-dominates the basic block on
+   * line 3 (all paths to the exit point of `M` from `return s.Length;`
+   * must go through the `WriteLine` call).
+   */
+  predicate strictlyPostDominates(BasicBlock bb) { super.strictlyPostDominates(bb) }
+
+  /**
+   * Holds if this basic block post-dominates basic block `bb`.
+   *
+   * That is, all paths reaching a normal exit point basic block from basic
+   * block `bb` must go through this basic block.
+   *
+   * Example:
+   *
+   * ```csharp
+   * int M(string s) {
+   *   try {
+   *     return s.Length;
+   *   }
+   *   finally {
+   *     Console.WriteLine("M");
+   *   }
+   * }
+   * ```
+   *
+   * The basic block on line 6 post-dominates the basic block on line 3
+   * (all paths to the exit point of `M` from `return s.Length;` must go
+   * through the `WriteLine` call).
+   *
+   * This predicate is *reflexive*, so for example `Console.WriteLine("M");`
+   * post-dominates itself.
+   */
+  predicate postDominates(BasicBlock bb) { super.postDominates(bb) }
+
+  /**
+   * Holds if this basic block is in a loop in the control flow graph. This
+   * includes loops created by `goto` statements. This predicate may not hold
+   * even if this basic block is syntactically inside a `while` loop if the
+   * necessary back edges are unreachable.
+   */
+  predicate inLoop() { this.getASuccessor+() = this }
+}
+
+/**
+ * An entry basic block, that is, a basic block whose first node is
+ * an entry node.
+ */
+final class EntryBasicBlock extends BasicBlock, BasicBlocksImpl::EntryBasicBlock { }
+
+/**
+ * An annotated exit basic block, that is, a basic block that contains an
+ * annotated exit node.
+ */
+final class AnnotatedExitBasicBlock extends BasicBlock, BasicBlocksImpl::AnnotatedExitBasicBlock { }
+
+/**
+ * An exit basic block, that is, a basic block whose last node is
+ * an exit node.
+ */
+final class ExitBasicBlock extends BasicBlock, BasicBlocksImpl::ExitBasicBlock { }
+
+/** A basic block with more than one predecessor. */
+final class JoinBlock extends BasicBlock, BasicBlocksImpl::JoinBasicBlock {
+  JoinBlockPredecessor getJoinBlockPredecessor(int i) { result = super.getJoinBlockPredecessor(i) }
+}
+
+/** A basic block that is an immediate predecessor of a join block. */
+final class JoinBlockPredecessor extends BasicBlock, BasicBlocksImpl::JoinPredecessorBasicBlock { }
+
+/**
+ * A basic block that terminates in a condition, splitting the subsequent
+ * control flow.
+ */
+final class ConditionBlock extends BasicBlock, BasicBlocksImpl::ConditionBasicBlock {
+  /** DEPRECATED: Use `edgeDominates` instead. */
+  deprecated predicate immediatelyControls(BasicBlock succ, ConditionalSuccessor s) {
+    this.getASuccessor(s) = succ and
+    BasicBlocksImpl::dominatingEdge(this, succ)
+  }
+
+  /** DEPRECATED: Use `edgeDominates` instead. */
+  deprecated predicate controls(BasicBlock controlled, ConditionalSuccessor s) {
+    super.edgeDominates(controlled, s)
+  }
+}
+
+private class BasicBlockAlias = BasicBlock;
+
+private class EntryBasicBlockAlias = EntryBasicBlock;
+
+module Cfg implements BB::CfgSig<Location> {
+  class ControlFlowNode = ControlFlow::Node;
+
+  class BasicBlock = BasicBlockAlias;
+
+  class EntryBasicBlock = EntryBasicBlockAlias;
+
+  predicate dominatingEdge(BasicBlock bb1, BasicBlock bb2) {
+    BasicBlocksImpl::dominatingEdge(bb1, bb2)
+  }
+}

csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowElement.qll

@@ -4,21 +4,20 @@ import csharp
 private import semmle.code.csharp.ExprOrStmtParent
 private import semmle.code.csharp.commons.Compilation
 private import ControlFlow
+private import ControlFlow::BasicBlocks
 private import semmle.code.csharp.Caching
-
-private class TControlFlowElementOrCallable = @callable or @control_flow_element;
-
-/** A `ControlFlowElement` or a `Callable`. */
-class ControlFlowElementOrCallable extends ExprOrStmtParent, TControlFlowElementOrCallable { }
+private import internal.ControlFlowGraphImpl as Impl
 
 /**
  * A program element that can possess control flow. That is, either a statement or
  * an expression.
  *
- * A control flow element can be mapped to a control flow node (`ControlFlowNode`)
- * via `getControlFlowNode()`.
+ * A control flow element can be mapped to a control flow node (`ControlFlow::Node`)
+ * via `getAControlFlowNode()`. There is a one-to-many relationship between
+ * control flow elements and control flow nodes. This allows control flow
+ * splitting, for example modeling the control flow through `finally` blocks.
  */
-class ControlFlowElement extends ControlFlowElementOrCallable, @control_flow_element {
+class ControlFlowElement extends ExprOrStmtParent, @control_flow_element {
   /** Gets the enclosing callable of this element, if any. */
   Callable getEnclosingCallable() { none() }
 
@@ -31,26 +30,41 @@ class ControlFlowElement extends ControlFlowElementOrCallable, @control_flow_ele
   }
 
   /**
-   * DEPRECATED: Use `getControlFlowNode()` instead.
-   *
    * Gets a control flow node for this element. That is, a node in the
    * control flow graph that corresponds to this element.
+   *
+   * Typically, there is exactly one `ControlFlow::Node` associated with a
+   * `ControlFlowElement`, but a `ControlFlowElement` may be split into
+   * several `ControlFlow::Node`s, for example to represent the continuation
+   * flow in a `try/catch/finally` construction.
    */
-  deprecated ControlFlowNodes::ElementNode getAControlFlowNode() {
-    result = this.getControlFlowNode()
-  }
+  Nodes::ElementNode getAControlFlowNode() { result.getAstNode() = this }
 
-  /** Gets the control flow node for this element, if any. */
-  ControlFlowNode getControlFlowNode() { result.injects(this) }
+  /** Gets the control flow node for this element. */
+  ControlFlow::Node getControlFlowNode() { result.getAstNode() = this }
 
   /** Gets the basic block in which this element occurs. */
-  BasicBlock getBasicBlock() { result = this.getControlFlowNode().getBasicBlock() }
+  BasicBlock getBasicBlock() { result = this.getAControlFlowNode().getBasicBlock() }
+
+  /**
+   * Gets a first control flow node executed within this element.
+   */
+  Nodes::ElementNode getAControlFlowEntryNode() {
+    result = Impl::getAControlFlowEntryNode(this).(ControlFlowElement).getAControlFlowNode()
+  }
+
+  /**
+   * Gets a potential last control flow node executed within this element.
+   */
+  Nodes::ElementNode getAControlFlowExitNode() {
+    result = Impl::getAControlFlowExitNode(this).(ControlFlowElement).getAControlFlowNode()
+  }
 
   /**
    * Holds if this element is live, that is this element can be reached
    * from the entry point of its enclosing callable.
    */
-  predicate isLive() { exists(this.getControlFlowNode()) }
+  predicate isLive() { exists(this.getAControlFlowNode()) }
 
   /** Holds if the current element is reachable from `src`. */
   // potentially very large predicate, so must be inlined
@@ -63,13 +77,31 @@ class ControlFlowElement extends ControlFlowElementOrCallable, @control_flow_ele
   ControlFlowElement getAReachableElement() {
     // Reachable in same basic block
     exists(BasicBlock bb, int i, int j |
-      bb.getNode(i) = this.getControlFlowNode() and
-      bb.getNode(j) = result.getControlFlowNode() and
+      bb.getNode(i) = this.getAControlFlowNode() and
+      bb.getNode(j) = result.getAControlFlowNode() and
       i < j
     )
     or
     // Reachable in different basic blocks
-    this.getControlFlowNode().getBasicBlock().getASuccessor+().getANode() =
-      result.getControlFlowNode()
+    this.getAControlFlowNode().getBasicBlock().getASuccessor+().getANode() =
+      result.getAControlFlowNode()
+  }
+
+  /**
+   * DEPRECATED: Use `Guard` class instead.
+   *
+   * Holds if basic block `controlled` is controlled by this control flow element
+   * with conditional value `s`. That is, `controlled` can only be reached from
+   * the callable entry point by going via the `s` edge out of *some* basic block
+   * ending with this element.
+   *
+   * `cb` records all of the possible condition blocks for this control flow element
+   * that a path from the callable entry point to `controlled` may go through.
+   */
+  deprecated predicate controlsBlock(
+    BasicBlock controlled, ConditionalSuccessor s, ConditionBlock cb
+  ) {
+    cb.getLastNode() = this.getAControlFlowNode() and
+    cb.edgeDominates(controlled, s)
   }
 }