

3 Commits

Alex Denisov
3444d9d993 docs: update supported Swift version 2023-12-06 13:19:06 +01:00
Chuan-kai Lin
44d61f2ed4 Merge pull request #15013 from github/release-prep/2.15.4
Release preparation for version 2.15.4
2023-12-05 09:50:46 -08:00
github-actions[bot]
1c4dd78c5f Release preparation for version 2.15.4 2023-12-05 17:04:52 +00:00
407 changed files with 4130 additions and 12884 deletions


@@ -28,7 +28,7 @@ jobs:
steps:
- name: Setup dotnet
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@v3
with:
dotnet-version: 7.0.102


@@ -72,7 +72,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- name: Setup dotnet
uses: actions/setup-dotnet@v4
uses: actions/setup-dotnet@v3
with:
dotnet-version: 7.0.102
- name: Extractor unit tests


@@ -9,6 +9,6 @@ jobs:
pull-requests: write
runs-on: ubuntu-latest
steps:
- uses: actions/labeler@v5
- uses: actions/labeler@v4
with:
repo-token: "${{ secrets.GITHUB_TOKEN }}"


@@ -462,6 +462,10 @@
"ruby/ql/lib/codeql/ruby/security/internal/SensitiveDataHeuristics.qll",
"swift/ql/lib/codeql/swift/security/internal/SensitiveDataHeuristics.qll"
],
"TypeTracker": [
"python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
"ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
],
"SummaryTypeTracker": [
"python/ql/lib/semmle/python/dataflow/new/internal/SummaryTypeTracker.qll",
"ruby/ql/lib/codeql/ruby/typetracking/internal/SummaryTypeTracker.qll"
@@ -530,4 +534,4 @@
"python/ql/test/experimental/dataflow/model-summaries/InlineTaintTest.ext.yml",
"python/ql/test/experimental/dataflow/model-summaries/NormalDataflowTest.ext.yml"
]
}
}


@@ -1,2 +0,0 @@
description: Revert removal of uniqueness constraint on link_targets/2
compatibility: backwards


@@ -1,3 +1,9 @@
## 0.12.1
### New Features
* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
## 0.12.0
### Breaking Changes


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added a new predicate `Node.asDefinition` on `DataFlow::Node`s for selecting the dataflow node corresponding to a particular definition.


@@ -1,4 +1,5 @@
---
category: feature
---
## 0.12.1
### New Features
* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.12.0
lastReleaseVersion: 0.12.1


@@ -1,5 +1,5 @@
name: codeql/cpp-all
version: 0.12.1-dev
version: 0.12.1
groups: cpp
dbscheme: semmlecode.cpp.dbscheme
extractor: cpp


@@ -5,8 +5,6 @@
import cpp
import semmle.code.cpp.ir.IR
private import semmle.code.cpp.ir.implementation.raw.internal.TranslatedExpr
private import semmle.code.cpp.ir.implementation.raw.internal.InstructionTag
/**
* Holds if `block` consists of an `UnreachedInstruction`.
@@ -203,25 +201,10 @@ private class GuardConditionFromIR extends GuardCondition {
* `&&` and `||`. See the detailed explanation on predicate `controls`.
*/
private predicate controlsBlock(BasicBlock controlled, boolean testIsTrue) {
exists(IRBlock irb, Instruction instr |
exists(IRBlock irb |
ir.controls(irb, testIsTrue) and
instr = irb.getAnInstruction() and
instr.getAst().(ControlFlowNode).getBasicBlock() = controlled and
not isUnreachedBlock(irb) and
not this.excludeAsControlledInstruction(instr)
)
}
private predicate excludeAsControlledInstruction(Instruction instr) {
// Exclude the temporaries generated by a ternary expression.
exists(TranslatedConditionalExpr tce |
instr = tce.getInstruction(ConditionValueFalseStoreTag())
or
instr = tce.getInstruction(ConditionValueTrueStoreTag())
or
instr = tce.getInstruction(ConditionValueTrueTempAddressTag())
or
instr = tce.getInstruction(ConditionValueFalseTempAddressTag())
irb.getAnInstruction().getAst().(ControlFlowNode).getBasicBlock() = controlled and
not isUnreachedBlock(irb)
)
}
}
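Review bot: The new `controlsBlock` treats every instruction of a controlled IR block as evidence that its AST basic block is controlled, with no carve-out for the temporaries the IR generates for a conditional expression; the old side of this compare excluded the `ConditionValue*` store and temp-address instructions of `TranslatedConditionalExpr`, and the test `ternary_test` removed elsewhere in the compare (`foo(path, mode) == 0 ? 1 : 0`) is the case it targeted. Without that exclusion a guard that is itself the condition of a ternary can appear to control the very block it sits in, which matters for barrier-guard sanitizers built on `GuardCondition.controls`. If the release branch is meant to stay without the exclusion, a comment such as `// Note: the temporaries the IR creates for a conditional expression are not excluded here` on `controlsBlock` would warn maintainers. The enclosing class `GuardConditionFromIR` starts and ends outside this hunk.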


@@ -260,71 +260,6 @@ class Node extends TIRDataFlowNode {
*/
Expr asDefiningArgument() { result = this.asDefiningArgument(_) }
/**
* Gets the definition associated with this node, if any.
*
* For example, consider the following example
* ```cpp
* int x = 42; // 1
* x = 34; // 2
* ++x; // 3
* x++; // 4
* x += 1; // 5
* int y = x += 2; // 6
* ```
* - For (1) the result is `42`.
* - For (2) the result is `x = 34`.
* - For (3) the result is `++x`.
* - For (4) the result is `x++`.
* - For (5) the result is `x += 1`.
* - For (6) there are two results:
* - For the definition generated by `x += 2` the result is `x += 2`
* - For the definition generated by `int y = ...` the result is
* also `x += 2`.
*
* For assignments, `node.asDefinition()` and `node.asExpr()` will both exist
* for the same dataflow node. However, for expression such as `x++` that
* both write to `x` and read the current value of `x`, `node.asDefinition()`
* will give the node corresponding to the value after the increment, and
* `node.asExpr()` will give the node corresponding to the value before the
* increment. For an example of this, consider the following:
*
* ```cpp
* sink(x++);
* ```
* in the above program, there will not be flow from a node `n` such that
* `n.asDefinition() instanceof IncrementOperation` to the argument of `sink`
* since the value passed to `sink` is the value before to the increment.
* However, there will be dataflow from a node `n` such that
* `n.asExpr() instanceof IncrementOperation` since the result of evaluating
* the expression `x++` is passed to `sink`.
*/
Expr asDefinition() {
exists(StoreInstruction store |
store = this.asInstruction() and
result = asDefinitionImpl(store)
)
}
/**
* Gets the indirect definition at a given indirection corresponding to this
* node, if any.
*
* See the comments on `Node.asDefinition` for examples.
*/
Expr asIndirectDefinition(int indirectionIndex) {
exists(StoreInstruction store |
this.(IndirectInstruction).hasInstructionAndIndirectionIndex(store, indirectionIndex) and
result = asDefinitionImpl(store)
)
}
/**
* Gets the indirect definition at some indirection corresponding to this
* node, if any.
*/
Expr asIndirectDefinition() { result = this.asIndirectDefinition(_) }
/**
* Gets the argument that defines this `DefinitionByReferenceNode`, if any.
*
@@ -1207,6 +1142,22 @@ private module GetConvertedResultExpression {
}
private Expr getConvertedResultExpressionImpl0(Instruction instr) {
// For an expression such as `i += 2` we pretend that the generated
// `StoreInstruction` contains the result of the expression even though
// this isn't totally aligned with the C/C++ standard.
exists(TranslatedAssignOperation tao |
result = tao.getExpr() and
instr = tao.getInstruction(any(AssignmentStoreTag tag))
)
or
// Similarly for `i++` and `++i` we pretend that the generated
// `StoreInstruction` is contains the result of the expression even though
// this isn't totally aligned with the C/C++ standard.
exists(TranslatedCrementOperation tco |
result = tco.getExpr() and
instr = tco.getInstruction(any(CrementStoreTag tag))
)
or
// IR construction inserts an additional cast to a `size_t` on the extent
// of a `new[]` expression. The resulting `ConvertInstruction` doesn't have
// a result for `getConvertedResultExpression`. We remap this here so that
@@ -1214,7 +1165,7 @@ private module GetConvertedResultExpression {
// represents the extent.
exists(TranslatedNonConstantAllocationSize tas |
result = tas.getExtent().getExpr() and
instr = tas.getInstruction(AllocationExtentConvertTag())
instr = tas.getInstruction(any(AllocationExtentConvertTag tag))
)
or
// There's no instruction that returns `ParenthesisExpr`, but some queries
@@ -1223,39 +1174,6 @@ private module GetConvertedResultExpression {
result = ttc.getExpr().(ParenthesisExpr) and
instr = ttc.getResult()
)
or
// Certain expressions generate `CopyValueInstruction`s only when they
// are needed. Examples of this include crement operations and compound
// assignment operations. For example:
// ```cpp
// int x = ...
// int y = x++;
// ```
// this generate IR like:
// ```
// r1(glval<int>) = VariableAddress[x] :
// r2(int) = Constant[0] :
// m3(int) = Store[x] : &:r1, r2
// r4(glval<int>) = VariableAddress[y] :
// r5(glval<int>) = VariableAddress[x] :
// r6(int) = Load[x] : &:r5, m3
// r7(int) = Constant[1] :
// r8(int) = Add : r6, r7
// m9(int) = Store[x] : &:r5, r8
// r11(int) = CopyValue : r6
// m12(int) = Store[y] : &:r4, r11
// ```
// When the `CopyValueInstruction` is not generated there is no instruction
// whose `getConvertedResultExpression` maps back to the expression. When
// such an instruction doesn't exist it means that the old value is not
// needed, and in that case the only value that will propagate forward in
// the program is the value that's been updated. So in those cases we just
// use the result of `node.asDefinition()` as the result of `node.asExpr()`.
exists(TranslatedCoreExpr tco |
tco.getInstruction(_) = instr and
tco.producesExprResult() and
result = asDefinitionImpl0(instr)
)
}
private Expr getConvertedResultExpressionImpl(Instruction instr) {
@@ -1264,75 +1182,6 @@ private module GetConvertedResultExpression {
not exists(getConvertedResultExpressionImpl0(instr)) and
result = instr.getConvertedResultExpression()
}
/**
* Gets the result for `node.asDefinition()` (when `node` is the instruction
* node that wraps `store`) in the cases where `store.getAst()` should not be
* used to define the result of `node.asDefinition()`.
*/
private Expr asDefinitionImpl0(StoreInstruction store) {
// For an expression such as `i += 2` we pretend that the generated
// `StoreInstruction` contains the result of the expression even though
// this isn't totally aligned with the C/C++ standard.
exists(TranslatedAssignOperation tao |
store = tao.getInstruction(AssignmentStoreTag()) and
result = tao.getExpr()
)
or
// Similarly for `i++` and `++i` we pretend that the generated
// `StoreInstruction` is contains the result of the expression even though
// this isn't totally aligned with the C/C++ standard.
exists(TranslatedCrementOperation tco |
store = tco.getInstruction(CrementStoreTag()) and
result = tco.getExpr()
)
}
/**
* Holds if the expression returned by `store.getAst()` should not be
* returned as the result of `node.asDefinition()` when `node` is the
* instruction node that wraps `store`.
*/
private predicate excludeAsDefinitionResult(StoreInstruction store) {
// Exclude the store to the temporary generated by a ternary expression.
exists(TranslatedConditionalExpr tce |
store = tce.getInstruction(ConditionValueFalseStoreTag())
or
store = tce.getInstruction(ConditionValueTrueStoreTag())
)
}
/**
* Gets the expression that represents the result of `StoreInstruction` for
* dataflow purposes.
*
* For example, consider the following example
* ```cpp
* int x = 42; // 1
* x = 34; // 2
* ++x; // 3
* x++; // 4
* x += 1; // 5
* int y = x += 2; // 6
* ```
* For (1) the result is `42`.
* For (2) the result is `x = 34`.
* For (3) the result is `++x`.
* For (4) the result is `x++`.
* For (5) the result is `x += 1`.
* For (6) there are two results:
* - For the `StoreInstruction` generated by `x += 2` the result
* is `x += 2`
* - For the `StoreInstruction` generated by `int y = ...` the result
* is also `x += 2`
*/
Expr asDefinitionImpl(StoreInstruction store) {
not exists(asDefinitionImpl0(store)) and
not excludeAsDefinitionResult(store) and
result = store.getAst().(Expr).getUnconverted()
or
result = asDefinitionImpl0(store)
}
}
private import GetConvertedResultExpression
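Review bot: The new cases at the top of `getConvertedResultExpressionImpl0` map the `AssignmentStoreTag` and `CrementStoreTag` store instructions to the whole `x += 2` / `x++` expression, so the store node and the load-derived value node can both answer `asExpr()` with the same expression; for a post-increment that labels a node carrying the post-increment value with an expression whose C++ value is the pre-increment one, and the format-string expected output elsewhere in this compare appears to show the effect, listing `... ++ indirection` at the same location twice. Either restrict the crement case to pre-increment or document the overlap in the comment, e.g. `// Note: for x++ the store node and the (pre-increment) value node share the same asExpr() result`. The module `GetConvertedResultExpression` starts outside this hunk.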


@@ -23,8 +23,9 @@ private module Internal {
newtype TOperand =
// RAW
TRegisterOperand(TRawInstruction useInstr, RegisterOperandTag tag, TRawInstruction defInstr) {
defInstr = unique( | | RawConstruction::getRegisterOperandDefinition(useInstr, tag)) and
not RawConstruction::isInCycle(useInstr)
defInstr = RawConstruction::getRegisterOperandDefinition(useInstr, tag) and
not RawConstruction::isInCycle(useInstr) and
strictcount(RawConstruction::getRegisterOperandDefinition(useInstr, tag)) = 1
} or
// Placeholder for Phi and Chi operands in stages that don't have the corresponding instructions
TNoOperand() { none() } or


@@ -2149,7 +2149,7 @@ includes(
);
link_targets(
int id: @link_target,
unique int id: @link_target,
int binary: @file ref
);


@@ -1,2 +0,0 @@
description: Remove uniqueness constraint on link_targets/2
compatibility: full


@@ -1,3 +1,13 @@
## 0.9.0
### Breaking Changes
* The `cpp/tainted-format-string-through-global` query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from `cpp/tainted-format-string`.
### New Queries
* Added a new query, `cpp/use-of-string-after-lifetime-ends`, to detect calls to `c_str` on strings that will be destroyed immediately.
## 0.8.3
### Minor Analysis Improvements


@@ -345,8 +345,6 @@ private module PossibleYearArithmeticOperationCheckConfig implements DataFlow::C
)
}
predicate isBarrierIn(DataFlow::Node node) { isSource(node) }
predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
// flow from anything on the RHS of an assignment to a time/date structure to that
// assignment.
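Review bot: `PossibleYearArithmeticOperationCheckConfig` on the new side has no `isBarrierIn`, so a node that is a source and is also reachable from an earlier source yields two paths to the same sink; the expected output for this query elsewhere in the compare looks like that duplication, with one alert per sink attributed to `... += ...` and a second to `... * ...`. Adding `predicate isBarrierIn(DataFlow::Node node) { isSource(node) }` beside `isAdditionalFlowStep` keeps one alert per sink. The rest of the module lies outside this hunk.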


@@ -35,10 +35,10 @@ predicate isSource(FS::FlowSource source, string sourceType) { sourceType = sour
predicate isSink(DataFlow::Node sink, string kind) {
exists(Expr use |
use = sink.asExpr() and
not use.getUnspecifiedType() instanceof PointerType and
outOfBoundsExpr(use, kind) and
not inSystemMacroExpansion(use) and
use = sink.asExpr()
not inSystemMacroExpansion(use)
)
}
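Review bot: `isSink` on the new side accepts a pointer-typed `use`, so an access such as `ptr[-1]` after `ptr += 1` is a candidate even though it reads `buffer[0]`; the `test26` function removed elsewhere in this compare marks that case GOOD, and the old side filtered it with `not use.getUnspecifiedType() instanceof PointerType and`. Unless `outOfBoundsExpr` (not visible here) tracks pointer offsets itself, keeping that filter avoids negative-index false positives on pointer arithmetic. The predicate is complete within the hunk.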


@@ -1,4 +0,0 @@
---
category: newQuery
---
* Added a new query, `cpp/use-of-string-after-lifetime-ends`, to detect calls to `c_str` on strings that will be destroyed immediately.


@@ -1,4 +1,9 @@
---
category: breaking
---
## 0.9.0
### Breaking Changes
* The `cpp/tainted-format-string-through-global` query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from `cpp/tainted-format-string`.
### New Queries
* Added a new query, `cpp/use-of-string-after-lifetime-ends`, to detect calls to `c_str` on strings that will be destroyed immediately.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.3
lastReleaseVersion: 0.9.0


@@ -12,6 +12,7 @@
*/
import cpp
import semmle.code.cpp.dataflow.DataFlow
import semmle.code.cpp.controlflow.Nullness
class StarOperator extends Operator {


@@ -9,6 +9,7 @@
*/
import cpp
import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow
import experimental.cryptography.Concepts
from HashAlgorithm alg, Expr confSink, string msg


@@ -1,5 +1,5 @@
name: codeql/cpp-queries
version: 0.8.4-dev
version: 0.9.0
groups:
- cpp
- queries


@@ -167,10 +167,3 @@ int ptr_test(int *x, int *y) {
return 0;
}
int foo(const char*, int);
int ternary_test(const char *path, int mode)
{
return (foo(path, mode) == 0 ? 1 : 0);
}


@@ -34,7 +34,6 @@ astGuards
| test.c:159:9:159:19 | ... == ... |
| test.c:162:9:162:18 | ... < ... |
| test.c:165:9:165:18 | ... < ... |
| test.c:175:13:175:32 | ... == ... |
| test.cpp:18:8:18:10 | call to get |
| test.cpp:31:7:31:13 | ... == ... |
| test.cpp:42:13:42:20 | call to getABool |
@@ -159,10 +158,6 @@ astGuardsCompare
| 165 | x >= y+-42 when ... < ... is false |
| 165 | y < x+43 when ... < ... is false |
| 165 | y >= x+43 when ... < ... is true |
| 175 | 0 != call to foo+0 when ... == ... is false |
| 175 | 0 == call to foo+0 when ... == ... is true |
| 175 | call to foo != 0+0 when ... == ... is false |
| 175 | call to foo == 0+0 when ... == ... is true |
astGuardsControl
| test.c:7:9:7:13 | ... > ... | false | 10 | 11 |
| test.c:7:9:7:13 | ... > ... | true | 7 | 9 |
@@ -253,8 +248,6 @@ astGuardsControl
| test.c:159:9:159:19 | ... == ... | true | 159 | 160 |
| test.c:162:9:162:18 | ... < ... | true | 162 | 163 |
| test.c:165:9:165:18 | ... < ... | true | 165 | 166 |
| test.c:175:13:175:32 | ... == ... | false | 175 | 175 |
| test.c:175:13:175:32 | ... == ... | true | 175 | 175 |
| test.cpp:18:8:18:10 | call to get | true | 19 | 19 |
| test.cpp:31:7:31:13 | ... == ... | false | 30 | 30 |
| test.cpp:31:7:31:13 | ... == ... | false | 34 | 34 |
@@ -427,10 +420,6 @@ astGuardsEnsure
| test.c:165:9:165:18 | ... < ... | test.c:165:9:165:9 | x | < | test.c:165:13:165:18 | ... - ... | 0 | 165 | 166 |
| test.c:165:9:165:18 | ... < ... | test.c:165:13:165:13 | y | >= | test.c:165:9:165:9 | x | 43 | 165 | 166 |
| test.c:165:9:165:18 | ... < ... | test.c:165:13:165:18 | ... - ... | >= | test.c:165:9:165:9 | x | 1 | 165 | 166 |
| test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | != | test.c:175:32:175:32 | 0 | 0 | 175 | 175 |
| test.c:175:13:175:32 | ... == ... | test.c:175:13:175:15 | call to foo | == | test.c:175:32:175:32 | 0 | 0 | 175 | 175 |
| test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | != | test.c:175:13:175:15 | call to foo | 0 | 175 | 175 |
| test.c:175:13:175:32 | ... == ... | test.c:175:32:175:32 | 0 | == | test.c:175:13:175:15 | call to foo | 0 | 175 | 175 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | != | test.cpp:31:12:31:13 | - ... | 0 | 34 | 34 |
| test.cpp:31:7:31:13 | ... == ... | test.cpp:31:7:31:7 | x | == | test.cpp:31:12:31:13 | - ... | 0 | 30 | 30 |
@@ -469,7 +458,6 @@ irGuards
| test.c:159:9:159:19 | CompareEQ: ... == ... |
| test.c:162:9:162:18 | CompareLT: ... < ... |
| test.c:165:9:165:18 | CompareLT: ... < ... |
| test.c:175:13:175:32 | CompareEQ: ... == ... |
| test.cpp:18:8:18:12 | CompareNE: (bool)... |
| test.cpp:31:7:31:13 | CompareEQ: ... == ... |
| test.cpp:42:13:42:20 | Call: call to getABool |
@@ -578,10 +566,6 @@ irGuardsCompare
| 165 | x >= y+-42 when CompareLT: ... < ... is false |
| 165 | y < x+43 when CompareLT: ... < ... is false |
| 165 | y >= x+43 when CompareLT: ... < ... is true |
| 175 | 0 != call to foo+0 when CompareEQ: ... == ... is false |
| 175 | 0 == call to foo+0 when CompareEQ: ... == ... is true |
| 175 | call to foo != 0+0 when CompareEQ: ... == ... is false |
| 175 | call to foo == 0+0 when CompareEQ: ... == ... is true |
irGuardsControl
| test.c:7:9:7:13 | CompareGT: ... > ... | false | 11 | 11 |
| test.c:7:9:7:13 | CompareGT: ... > ... | true | 8 | 8 |
@@ -665,8 +649,6 @@ irGuardsControl
| test.c:159:9:159:19 | CompareEQ: ... == ... | true | 159 | 160 |
| test.c:162:9:162:18 | CompareLT: ... < ... | true | 162 | 163 |
| test.c:165:9:165:18 | CompareLT: ... < ... | true | 165 | 166 |
| test.c:175:13:175:32 | CompareEQ: ... == ... | false | 175 | 175 |
| test.c:175:13:175:32 | CompareEQ: ... == ... | true | 175 | 175 |
| test.cpp:18:8:18:12 | CompareNE: (bool)... | true | 19 | 19 |
| test.cpp:31:7:31:13 | CompareEQ: ... == ... | false | 34 | 34 |
| test.cpp:31:7:31:13 | CompareEQ: ... == ... | true | 30 | 30 |
@@ -822,10 +804,6 @@ irGuardsEnsure
| test.c:165:9:165:18 | CompareLT: ... < ... | test.c:165:9:165:9 | Load: x | < | test.c:165:13:165:18 | PointerSub: ... - ... | 0 | 165 | 166 |
| test.c:165:9:165:18 | CompareLT: ... < ... | test.c:165:13:165:13 | Load: y | >= | test.c:165:9:165:9 | Load: x | 43 | 165 | 166 |
| test.c:165:9:165:18 | CompareLT: ... < ... | test.c:165:13:165:18 | PointerSub: ... - ... | >= | test.c:165:9:165:9 | Load: x | 1 | 165 | 166 |
| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:13:175:15 | Call: call to foo | != | test.c:175:32:175:32 | Constant: 0 | 0 | 175 | 175 |
| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:13:175:15 | Call: call to foo | == | test.c:175:32:175:32 | Constant: 0 | 0 | 175 | 175 |
| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:32:175:32 | Constant: 0 | != | test.c:175:13:175:15 | Call: call to foo | 0 | 175 | 175 |
| test.c:175:13:175:32 | CompareEQ: ... == ... | test.c:175:32:175:32 | Constant: 0 | == | test.c:175:13:175:15 | Call: call to foo | 0 | 175 | 175 |
| test.cpp:18:8:18:12 | CompareNE: (bool)... | test.cpp:18:8:18:10 | Call: call to get | != | test.cpp:18:8:18:12 | Constant: (bool)... | 0 | 19 | 19 |
| test.cpp:18:8:18:12 | CompareNE: (bool)... | test.cpp:18:8:18:12 | Constant: (bool)... | != | test.cpp:18:8:18:10 | Call: call to get | 0 | 19 | 19 |
| test.cpp:31:7:31:13 | CompareEQ: ... == ... | test.cpp:31:7:31:7 | Load: x | != | test.cpp:31:12:31:13 | Constant: - ... | 0 | 34 | 34 |


@@ -1,5 +1,9 @@
| test.cpp:173:29:173:51 | ... & ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:170:2:170:47 | ... += ... | ... += ... |
| test.cpp:173:29:173:51 | ... & ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:170:16:170:47 | ... * ... | ... * ... |
| test.cpp:174:30:174:45 | ... >> ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:170:2:170:47 | ... += ... | ... += ... |
| test.cpp:174:30:174:45 | ... >> ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:170:16:170:47 | ... * ... | ... * ... |
| test.cpp:193:15:193:24 | ... / ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:193:15:193:24 | ... / ... | ... / ... |
| test.cpp:217:29:217:51 | ... & ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:214:2:214:47 | ... += ... | ... += ... |
| test.cpp:217:29:217:51 | ... & ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:214:16:214:47 | ... * ... | ... * ... |
| test.cpp:218:30:218:45 | ... >> ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:214:2:214:47 | ... += ... | ... += ... |
| test.cpp:218:30:218:45 | ... >> ... | An arithmetic operation $@ that uses a constant value of 365 ends up modifying this date/time, without considering leap year scenarios. | test.cpp:214:16:214:47 | ... * ... | ... * ... |


@@ -47,8 +47,6 @@
| tests.cpp:546:6:546:10 | call to fread | This 'fread' operation may access 400 bytes but the $@ is only 100 bytes. | tests.cpp:532:7:532:16 | charBuffer | destination buffer |
| tests.cpp:569:6:569:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
| tests.cpp:577:7:577:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:565:7:565:12 | buffer | array |
| tests.cpp:637:6:637:15 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:633:7:633:12 | buffer | array |
| tests.cpp:645:7:645:13 | access to array | This array indexing operation accesses a negative index -1 on the $@. | tests.cpp:633:7:633:12 | buffer | array |
| tests_restrict.c:12:2:12:7 | call to memcpy | This 'memcpy' operation accesses 2 bytes but the $@ is only 1 byte. | tests_restrict.c:7:6:7:13 | smallbuf | source buffer |
| unions.cpp:26:2:26:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:21:10:21:11 | mu | destination buffer |
| unions.cpp:30:2:30:7 | call to memset | This 'memset' operation accesses 200 bytes but the $@ is only 100 bytes. | unions.cpp:15:7:15:11 | small | destination buffer |


@@ -1,6 +1,6 @@
edges
| main.cpp:6:27:6:30 | argv indirection | main.cpp:10:20:10:23 | argv indirection |
| main.cpp:10:20:10:23 | argv indirection | tests.cpp:657:32:657:35 | argv indirection |
| main.cpp:10:20:10:23 | argv indirection | tests.cpp:631:32:631:35 | argv indirection |
| tests.cpp:613:19:613:24 | source indirection | tests.cpp:615:17:615:22 | source indirection |
| tests.cpp:622:19:622:24 | source indirection | tests.cpp:625:2:625:16 | ... = ... indirection |
| tests.cpp:625:2:625:16 | ... = ... indirection | tests.cpp:625:4:625:7 | s indirection [post update] [home indirection] |
@@ -8,10 +8,10 @@ edges
| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:14:628:19 | home indirection |
| tests.cpp:628:14:628:14 | s indirection [home indirection] | tests.cpp:628:16:628:19 | home indirection |
| tests.cpp:628:16:628:19 | home indirection | tests.cpp:628:14:628:19 | home indirection |
| tests.cpp:657:32:657:35 | argv indirection | tests.cpp:682:9:682:15 | access to array indirection |
| tests.cpp:657:32:657:35 | argv indirection | tests.cpp:683:9:683:15 | access to array indirection |
| tests.cpp:682:9:682:15 | access to array indirection | tests.cpp:613:19:613:24 | source indirection |
| tests.cpp:683:9:683:15 | access to array indirection | tests.cpp:622:19:622:24 | source indirection |
| tests.cpp:631:32:631:35 | argv indirection | tests.cpp:656:9:656:15 | access to array indirection |
| tests.cpp:631:32:631:35 | argv indirection | tests.cpp:657:9:657:15 | access to array indirection |
| tests.cpp:656:9:656:15 | access to array indirection | tests.cpp:613:19:613:24 | source indirection |
| tests.cpp:657:9:657:15 | access to array indirection | tests.cpp:622:19:622:24 | source indirection |
nodes
| main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
| main.cpp:10:20:10:23 | argv indirection | semmle.label | argv indirection |
@@ -23,9 +23,9 @@ nodes
| tests.cpp:628:14:628:14 | s indirection [home indirection] | semmle.label | s indirection [home indirection] |
| tests.cpp:628:14:628:19 | home indirection | semmle.label | home indirection |
| tests.cpp:628:16:628:19 | home indirection | semmle.label | home indirection |
| tests.cpp:657:32:657:35 | argv indirection | semmle.label | argv indirection |
| tests.cpp:682:9:682:15 | access to array indirection | semmle.label | access to array indirection |
| tests.cpp:683:9:683:15 | access to array indirection | semmle.label | access to array indirection |
| tests.cpp:631:32:631:35 | argv indirection | semmle.label | argv indirection |
| tests.cpp:656:9:656:15 | access to array indirection | semmle.label | access to array indirection |
| tests.cpp:657:9:657:15 | access to array indirection | semmle.label | access to array indirection |
subpaths
#select
| tests.cpp:615:2:615:7 | call to strcpy | main.cpp:6:27:6:30 | argv indirection | tests.cpp:615:17:615:22 | source indirection | This 'call to strcpy' with input from $@ may overflow the destination. | main.cpp:6:27:6:30 | argv indirection | a command-line argument |


@@ -628,32 +628,6 @@ void test25(char* source) {
strcpy(buf, s.home); // BAD
}
void test26(bool cond)
{
char buffer[100];
char *ptr;
int i;
if (buffer[-1] == 0) { return; } // BAD: accesses buffer[-1]
ptr = buffer;
if (cond)
{
ptr += 1;
if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[0]
} else {
if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1]
}
if (ptr[-1] == 0) { return; } // BAD: accesses buffer[-1] or buffer[0] [NOT DETECTED]
ptr = buffer;
for (i = 0; i < 2; i++)
{
ptr += 1;
}
if (ptr[-1] == 0) { return; } // GOOD: accesses buffer[1]
}
int tests_main(int argc, char *argv[])
{
long long arr17[19];


@@ -16,6 +16,7 @@ edges
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:131:9:131:14 | ... + ... indirection |
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:132:15:132:20 | ... + ... indirection |
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:135:9:135:12 | ... ++ indirection |
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:135:9:135:12 | ... ++ indirection |
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:136:15:136:18 | -- ... indirection |
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:139:9:139:26 | ... ? ... : ... indirection |
| argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:140:15:140:32 | ... ? ... : ... indirection |
@@ -42,6 +43,7 @@ nodes
| argvLocal.c:131:9:131:14 | ... + ... indirection | semmle.label | ... + ... indirection |
| argvLocal.c:132:15:132:20 | ... + ... indirection | semmle.label | ... + ... indirection |
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
| argvLocal.c:135:9:135:12 | ... ++ indirection | semmle.label | ... ++ indirection |
| argvLocal.c:136:15:136:18 | -- ... indirection | semmle.label | -- ... indirection |
| argvLocal.c:139:9:139:26 | ... ? ... : ... indirection | semmle.label | ... ? ... : ... indirection |
| argvLocal.c:140:15:140:32 | ... ? ... : ... indirection | semmle.label | ... ? ... : ... indirection |
@@ -68,6 +70,7 @@ subpaths
| argvLocal.c:131:9:131:14 | ... + ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:131:9:131:14 | ... + ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
| argvLocal.c:132:15:132:20 | ... + ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:132:15:132:20 | ... + ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
| argvLocal.c:135:9:135:12 | ... ++ indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:135:9:135:12 | ... ++ indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
| argvLocal.c:135:9:135:12 | ... ++ indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:135:9:135:12 | ... ++ indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
| argvLocal.c:136:15:136:18 | -- ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:136:15:136:18 | -- ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
| argvLocal.c:139:9:139:26 | ... ? ... : ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:139:9:139:26 | ... ? ... : ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |
| argvLocal.c:140:15:140:32 | ... ? ... : ... indirection | argvLocal.c:13:27:13:30 | argv indirection | argvLocal.c:140:15:140:32 | ... ? ... : ... indirection | The value of this argument may come from $@ and is being used as a formatting argument to printWrapper(correct), which calls printf(format). | argvLocal.c:13:27:13:30 | argv indirection | a command-line argument |


@@ -19,7 +19,7 @@ bool stat(const char *path, stat_data *buf);
bool fstat(int file, stat_data *buf);
bool lstat(const char *path, stat_data *buf);
bool fstatat(int dir, const char *path, stat_data *buf);
int chmod(const char *path, int setting);
void chmod(const char *path, int setting);
int rename(const char *from, const char *to);
bool remove(const char *path);
@@ -408,8 +408,3 @@ void test7_1(const char *path1, const char *path2)
chmod(path2, 1234); // BAD
}
}
int test8(const char *path, int mode)
{
return (chmod(path, mode) == 0 ? 1 : 0); // GOOD
}
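Review bot: The stub now declares `void chmod(const char *path, int setting);`, but the C library's chmod returns an `int` status, so any test that inspects the return value (as the removed `test8` did) no longer compiles against this header. Keeping it as `int chmod(const char *path, int setting);` keeps the stub faithful to the real API and lets the query be exercised on code that checks chmod's result. The function enclosing the second hunk starts outside the hunk.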


@@ -1,4 +1,5 @@
using System.Collections.Generic;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
@@ -19,7 +20,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
/// assembly cache.
/// </param>
/// <param name="progressMonitor">Callback for progress.</param>
public AssemblyCache(IEnumerable<string> paths, IEnumerable<string> frameworkPaths, ProgressMonitor progressMonitor)
public AssemblyCache(IEnumerable<string> paths, ProgressMonitor progressMonitor)
{
foreach (var path in paths)
{
@@ -39,7 +40,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
progressMonitor.LogInfo("AssemblyCache: Path not found: " + path);
}
}
IndexReferences(frameworkPaths);
IndexReferences();
}
/// <summary>
@@ -56,11 +57,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
}
}
private static readonly Version emptyVersion = new Version(0, 0, 0, 0);
/// <summary>
/// Indexes all DLLs we have located.
/// Because this is a potentially time-consuming operation, it is put into a separate stage.
/// </summary>
private void IndexReferences(IEnumerable<string> frameworkPaths)
private void IndexReferences()
{
// Read all of the files
foreach (var filename in pendingDllsToIndex)
@@ -68,9 +71,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
IndexReference(filename);
}
// Index "assemblyInfo" by version string
// The OrderBy is used to ensure that we by default select the highest version number.
foreach (var info in assemblyInfoByFileName.Values
.OrderBy(info => info.Name)
.OrderAssemblyInfosByPreference(frameworkPaths))
.ThenBy(info => info.NetCoreVersion ?? emptyVersion)
.ThenBy(info => info.Version ?? emptyVersion)
.ThenBy(info => info.Filename))
{
foreach (var index in info.IndexStrings)
{
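Review bot: The ordering in `IndexReferences` (`OrderBy(info => info.Name)`, then `NetCoreVersion`, `Version`, `Filename`) has no tie-break on where an assembly was found, so among same-named assemblies the highest version wins regardless of whether it came from the framework reference directory or from a package in the NuGet cache. A package-supplied DLL with a higher version number therefore shadows the framework's reference assembly of the same name during indexing, which changes what the extractor resolves against; either document this as intended or add a preference for framework locations ahead of the version keys. The fallback `emptyVersion` here is `new Version(0, 0, 0, 0)` while `ResolveConflicts` in the dependency manager uses `new Version(0, 0)`; since `Version(0,0)` sorts below `Version(0,0,0,0)`, an assembly with no version can rank differently relative to a `0.0.0.0` assembly in the two places, so one shared constant would be safer. `IndexReferences` continues past the end of the section.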


@@ -1,29 +0,0 @@
using System;
using System.Collections.Generic;
using System.Linq;
namespace Semmle.Extraction.CSharp.DependencyFetching
{
internal static class AssemblyCacheExtensions
{
private static readonly Version emptyVersion = new Version(0, 0, 0, 0);
/// <summary>
/// This method orders AssemblyInfos. The method is used to define the assembly preference order in case of conflicts.
/// </summary>
public static IOrderedEnumerable<AssemblyInfo> OrderAssemblyInfosByPreference(this IEnumerable<AssemblyInfo> assemblies, IEnumerable<string> frameworkPaths)
{
// prefer framework assemblies over others
int initialOrdering(AssemblyInfo info) => frameworkPaths.Any(framework => info.Filename.StartsWith(framework, StringComparison.OrdinalIgnoreCase)) ? 1 : 0;
var ordered = assemblies is IOrderedEnumerable<AssemblyInfo> o
? o.ThenBy(initialOrdering)
: assemblies.OrderBy(initialOrdering);
return ordered
.ThenBy(info => info.Version ?? emptyVersion)
.ThenBy(info => info.NetCoreVersion ?? emptyVersion)
.ThenBy(info => info.Filename);
}
}
}


@@ -128,18 +128,16 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
DownloadMissingPackages(allNonBinaryFiles, dllPaths);
}
var frameworkLocations = new HashSet<string>();
// Find DLLs in the .Net / Asp.Net Framework
// This block needs to come after the nuget restore, because the nuget restore might fetch the .NET Core/Framework reference assemblies.
if (options.ScanNetFrameworkDlls)
{
AddNetFrameworkDlls(dllPaths, frameworkLocations);
AddAspNetCoreFrameworkDlls(dllPaths, frameworkLocations);
AddMicrosoftWindowsDesktopDlls(dllPaths, frameworkLocations);
AddNetFrameworkDlls(dllPaths);
AddAspNetCoreFrameworkDlls(dllPaths);
AddMicrosoftWindowsDesktopDlls(dllPaths);
}
assemblyCache = new AssemblyCache(dllPaths, frameworkLocations, progressMonitor);
assemblyCache = new AssemblyCache(dllPaths, progressMonitor);
AnalyseSolutions(solutions);
foreach (var filename in assemblyCache.AllAssemblies.Select(a => a.Filename))
@@ -148,7 +146,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
}
RemoveNugetAnalyzerReferences();
ResolveConflicts(frameworkLocations);
ResolveConflicts();
// Output the findings
foreach (var r in usedReferences.Keys.OrderBy(r => r))
@@ -230,7 +228,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
}
}
private void AddNetFrameworkDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
private void AddNetFrameworkDlls(ISet<string> dllPaths)
{
// Multiple dotnet framework packages could be present.
// The order of the packages is important, we're adding the first one that is present in the nuget cache.
@@ -243,7 +241,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
if (frameworkPath.Path is not null)
{
dllPaths.Add(frameworkPath.Path);
frameworkLocations.Add(frameworkPath.Path);
progressMonitor.LogInfo($"Found .NET Core/Framework DLLs in NuGet packages at {frameworkPath.Path}. Not adding installation directory.");
for (var i = frameworkPath.Index + 1; i < packagesInPrioOrder.Length; i++)
@@ -273,7 +270,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
progressMonitor.LogInfo($".NET runtime location selected: {runtimeLocation}");
dllPaths.Add(runtimeLocation);
frameworkLocations.Add(runtimeLocation);
}
private void RemoveNugetPackageReference(string packagePrefix, ISet<string> dllPaths)
@@ -298,7 +294,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
}
}
private void AddAspNetCoreFrameworkDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
private void AddAspNetCoreFrameworkDlls(ISet<string> dllPaths)
{
if (!fileContent.IsNewProjectStructureUsed || !fileContent.UseAspNetCoreDlls)
{
@@ -310,25 +306,20 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
{
progressMonitor.LogInfo($"Found ASP.NET Core in NuGet packages. Not adding installation directory.");
dllPaths.Add(aspNetCorePackage);
frameworkLocations.Add(aspNetCorePackage);
return;
}
if (Runtime.AspNetCoreRuntime is string aspNetCoreRuntime)
else if (Runtime.AspNetCoreRuntime is string aspNetCoreRuntime)
{
progressMonitor.LogInfo($"ASP.NET runtime location selected: {aspNetCoreRuntime}");
dllPaths.Add(aspNetCoreRuntime);
frameworkLocations.Add(aspNetCoreRuntime);
}
}
private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths)
{
if (GetPackageDirectory(FrameworkPackageNames.WindowsDesktopFramework) is string windowsDesktopApp)
{
progressMonitor.LogInfo($"Found Windows Desktop App in NuGet packages.");
dllPaths.Add(windowsDesktopApp);
frameworkLocations.Add(windowsDesktopApp);
}
}
@@ -354,13 +345,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
return new DirectoryInfo(packageDirectory.DirInfo.FullName)
.EnumerateDirectories("*", new EnumerationOptions { MatchCasing = MatchCasing.CaseInsensitive, RecurseSubdirectories = false })
.Select(d => d.Name);
.Select(d => d.FullName);
}
private void LogAllUnusedPackages(DependencyContainer dependencies) =>
GetAllPackageDirectories()
.Where(package => !dependencies.Packages.Contains(package))
.Order()
.ForEach(package => progressMonitor.LogInfo($"Unused package: {package}"));
private void GenerateSourceFileFromImplicitUsings()
@@ -482,7 +472,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
/// If the same assembly name is duplicated with different versions,
/// resolve to the higher version number.
/// </summary>
private void ResolveConflicts(IEnumerable<string> frameworkPaths)
private void ResolveConflicts()
{
var sortedReferences = new List<AssemblyInfo>();
foreach (var usedReference in usedReferences)
@@ -498,8 +488,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
}
}
var emptyVersion = new Version(0, 0);
sortedReferences = sortedReferences
.OrderAssemblyInfosByPreference(frameworkPaths)
.OrderBy(r => r.NetCoreVersion ?? emptyVersion)
.ThenBy(r => r.Version ?? emptyVersion)
.ThenBy(r => r.Filename)
.ToList();
var finalAssemblyList = new Dictionary<string, AssemblyInfo>();
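Review bot: `GetAllPackageDirectories` now yields `d.FullName`, and `LogAllUnusedPackages` filters those values with `!dependencies.Packages.Contains(package)`; if `Packages` holds package names rather than absolute paths (the `Unused package: {package}` message reads like a name), the filter never matches and every package in the cache is logged as unused. Selecting `d.Name` for this comparison, or comparing on the directory name inside the filter, would restore the intended check. The `.Order()` step also appears to be absent from that pipeline on the new side, so log order follows directory enumeration rather than being deterministic. `ResolveConflicts` and its local `emptyVersion = new Version(0, 0)` continue past the end of the section.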


@@ -1,3 +1,7 @@
## 1.7.4
No user-facing changes.
## 1.7.3
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.4
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.3
lastReleaseVersion: 1.7.4


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-all
version: 1.7.4-dev
version: 1.7.4
groups:
- csharp
- solorigate


@@ -1,3 +1,7 @@
## 1.7.4
No user-facing changes.
## 1.7.3
No user-facing changes.


@@ -0,0 +1,3 @@
## 1.7.4
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 1.7.3
lastReleaseVersion: 1.7.4


@@ -1,5 +1,5 @@
name: codeql/csharp-solorigate-queries
version: 1.7.4-dev
version: 1.7.4
groups:
- csharp
- solorigate


@@ -1,6 +1,5 @@
| /avalara.avatax/21.10.0/lib/netstandard20/Avalara.AvaTax.netstandard20.dll |
| /microsoft.bcl.asyncinterfaces/6.0.0/lib/netstandard2.1/Microsoft.Bcl.AsyncInterfaces.dll |
| /microsoft.netcore.app.ref/3.1.0/ref/netcoreapp3.1/System.Data.DataSetExtensions.dll |
| /microsoft.netcore.app.ref/3.1.0/ref/netcoreapp3.1/System.Runtime.InteropServices.WindowsRuntime.dll |
| /microsoft.netcore.app.ref/6.0.13/ref/net6.0/System.Data.dll |
| /microsoft.netcore.app.ref/6.0.13/ref/net6.0/System.Xml.dll |
@@ -27,6 +26,7 @@
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Console.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Core.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Data.Common.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Data.DataSetExtensions.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Diagnostics.Contracts.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Diagnostics.Debug.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Diagnostics.DiagnosticSource.dll |


@@ -1,6 +1,5 @@
| /avalara.avatax/21.10.0/lib/netstandard20/Avalara.AvaTax.netstandard20.dll |
| /microsoft.bcl.asyncinterfaces/6.0.0/lib/netstandard2.1/Microsoft.Bcl.AsyncInterfaces.dll |
| /microsoft.netcore.app.ref/3.1.0/ref/netcoreapp3.1/System.Data.DataSetExtensions.dll |
| /microsoft.netcore.app.ref/3.1.0/ref/netcoreapp3.1/System.Runtime.InteropServices.WindowsRuntime.dll |
| /microsoft.netcore.app.ref/6.0.13/ref/net6.0/System.Data.dll |
| /microsoft.netcore.app.ref/6.0.13/ref/net6.0/System.Xml.dll |
@@ -26,6 +25,7 @@
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Console.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Core.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Data.Common.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Data.DataSetExtensions.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Diagnostics.Contracts.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Diagnostics.Debug.dll |
| /microsoft.netcore.app.ref/7.0.2/ref/net7.0/System.Diagnostics.DiagnosticSource.dll |


@@ -1,3 +1,7 @@
## 0.8.4
No user-facing changes.
## 0.8.3
### Minor Analysis Improvements


@@ -0,0 +1,3 @@
## 0.8.4
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.3
lastReleaseVersion: 0.8.4


@@ -1,5 +1,5 @@
name: codeql/csharp-all
version: 0.8.4-dev
version: 0.8.4
groups: csharp
dbscheme: semmlecode.csharp.dbscheme
extractor: csharp


@@ -105,10 +105,7 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
* then both `{ return 0; }` and `{ return 1; }` are statement bodies of
* `N.C.M()`.
*/
final BlockStmt getStatementBody() {
result = getStatementBody(this) and
not this.getFile().isStub()
}
final BlockStmt getStatementBody() { result = this.getAChildStmt() }
/**
* DEPRECATED: Use `getStatementBody` instead.
@@ -146,8 +143,8 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
* then both `0` and `1` are expression bodies of `N.C.M()`.
*/
final Expr getExpressionBody() {
result = getExpressionBody(this) and
not this.getFile().isStub()
result = this.getAChildExpr() and
not result = this.(Constructor).getInitializer()
}
/** Holds if this callable has an expression body. */


@@ -53,20 +53,6 @@ class TopLevelExprParent extends Element, @top_level_expr_parent {
private predicate hasNoSourceLocation(Element e) { not e.getALocation() instanceof SourceLocation }
/** INTERNAL: Do not use. */
Expr getExpressionBody(Callable c) {
result = c.getAChildExpr() and
not result = c.(Constructor).getInitializer()
}
/** INTERNAL: Do not use. */
BlockStmt getStatementBody(Callable c) { result = c.getAChildStmt() }
private ControlFlowElement getBody(Callable c) {
result = getExpressionBody(c) or
result = getStatementBody(c)
}
cached
private module Cached {
cached
@@ -175,20 +161,20 @@ private module Cached {
private predicate parent(ControlFlowElement child, ExprOrStmtParent parent) {
child = getAChild(parent) and
not child = getBody(_)
not child = any(Callable c).getBody()
}
/** Holds if the enclosing body of `cfe` is `body`. */
cached
predicate enclosingBody(ControlFlowElement cfe, ControlFlowElement body) {
body = getBody(_) and
body = any(Callable c).getBody() and
parent*(enclosingStart(cfe), body)
}
/** Holds if the enclosing callable of `cfe` is `c`. */
cached
predicate enclosingCallable(ControlFlowElement cfe, Callable c) {
enclosingBody(cfe, getBody(c))
enclosingBody(cfe, c.getBody())
or
parent*(enclosingStart(cfe), c.(Constructor).getInitializer())
}


@@ -54,14 +54,14 @@ class File extends Container, Impl::File {
/** Holds if this file is a QL test stub file. */
pragma[noinline]
predicate isStub() {
private predicate isStub() {
this.extractedQlTest() and
this.getAbsolutePath().matches("%resources/stubs/%")
}
/** Holds if this file contains source code. */
final predicate fromSource() {
this.getExtension() = ["cs", "cshtml"] and
this.getExtension() = "cs" and
not this.isStub()
}
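Review bot: The QLDoc on `fromSource()` still reads `Holds if this file contains source code.` while the predicate now holds only for `.cs` files that are not stubs, so Razor `.cshtml` files are excluded without the doc saying so; suggest `/** Holds if this file is a C# (`.cs`) source file that is not a QL test stub. */`. `isStub()` also becomes private here, so anything outside this class that relied on it would have to go through `fromSource()` instead.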


@@ -13,14 +13,11 @@ private import semmle.code.csharp.commons.Compilation
/** An element that defines a new CFG scope. */
class CfgScope extends Element, @top_level_exprorstmt_parent {
CfgScope() {
this.getFile().fromSource() and
(
this instanceof Callable
or
// For now, static initializer values have their own scope. Eventually, they
// should be treated like instance initializers.
this.(Assignable).(Modifiable).isStatic()
)
this instanceof Callable
or
// For now, static initializer values have their own scope. Eventually, they
// should be treated like instance initializers.
this.(Assignable).(Modifiable).isStatic()
}
}


@@ -168,8 +168,7 @@ private SummaryComponent delegateSelf() {
private predicate mayInvokeCallback(Callable c, int n) {
c.getParameter(n).getType() instanceof SystemLinqExpressions::DelegateExtType and
not c.hasBody() and
(if c instanceof Accessor then not c.fromSource() else any())
not c.fromSource()
}
private class SummarizedCallableWithCallback extends SummarizedCallable {


@@ -81,9 +81,9 @@ newtype TReturnKind =
*/
class DataFlowSummarizedCallable instanceof FlowSummary::SummarizedCallable {
DataFlowSummarizedCallable() {
not this.hasBody()
not this.fromSource()
or
this.hasBody() and not this.applyGeneratedModel()
this.fromSource() and not this.applyGeneratedModel()
}
string toString() { result = super.toString() }


@@ -310,12 +310,7 @@ private module CallGraph {
c = any(DelegateCall dc | e = dc.getExpr()) and
libraryDelegateCall = false
or
exists(Callable target |
target = c.getTarget() and
not target.hasBody()
|
if target instanceof Accessor then not target.fromSource() else any()
) and
c.getTarget().fromLibrary() and
e = c.getAnArgument() and
e.getType() instanceof SystemLinqExpressions::DelegateExtType and
libraryDelegateCall = true


@@ -115,24 +115,14 @@ class HttpServerTransferSink extends Sink {
}
}
private predicate isLocalUrlSanitizerMethodCall(MethodCall guard, Expr e, AbstractValue v) {
exists(Method m | m = guard.getTarget() |
m.hasName("IsLocalUrl") and
e = guard.getArgument(0)
or
m.hasName("IsUrlLocalToHost") and
e = guard.getArgument(1)
) and
private predicate isLocalUrlSanitizer(Guard g, Expr e, AbstractValue v) {
g.(MethodCall).getTarget().hasName("IsLocalUrl") and
e = g.(MethodCall).getArgument(0) and
v.(AbstractValues::BooleanValue).getValue() = true
}
private predicate isLocalUrlSanitizer(Guard g, Expr e, AbstractValue v) {
isLocalUrlSanitizerMethodCall(g, e, v)
}
/**
* A URL argument to a call to `UrlHelper.IsLocalUrl()` or `HttpRequestBase.IsUrlLocalToHost()` that
* is a sanitizer for URL redirects.
* A URL argument to a call to `UrlHelper.isLocalUrl()` that is a sanitizer for URL redirects.
*/
class LocalUrlSanitizer extends Sanitizer {
LocalUrlSanitizer() { this = DataFlow::BarrierGuard<isLocalUrlSanitizer/3>::getABarrierNode() }
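Review bot: `isLocalUrlSanitizer` matches the guard by method name only (`g.(MethodCall).getTarget().hasName("IsLocalUrl")`) with no constraint on the declaring type, so any method called `IsLocalUrl`, including a project-defined one with a weaker check, is accepted as a redirect barrier and silences the alert. Constraining the target's declaring type to the framework helper the QLDoc names (`UrlHelper`) keeps the sanitizer tied to the framework implementation. The QLDoc also spells the method `UrlHelper.isLocalUrl()`; the C# method is `IsLocalUrl`, so `UrlHelper.IsLocalUrl()` would match the code.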


@@ -1,3 +1,9 @@
## 0.8.4
### Minor Analysis Improvements
* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.
## 0.8.3
### Minor Analysis Improvements


@@ -8,7 +8,7 @@
* @precision medium
* @id cs/web/insecure-direct-object-reference
* @tags security
* external/cwe/cwe-639
* external/cwe-639
*/
import csharp
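Review bot: The tag on the new side reads `external/cwe-639`, which does not follow the `external/cwe/cwe-NNN` form used for CWE tags (the old line shows it), so tooling that groups results by the `external/cwe/` prefix will not associate this query with CWE-639. Suggest `*       external/cwe/cwe-639`. The `cs/hash-without-salt` header further down in this compare has the same issue with `external/cwe-759`.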


@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Fixed a URL redirection from remote source false positive when guarding a redirect with `HttpRequestBase.IsUrlLocalToHost()`


@@ -1,4 +1,5 @@
---
category: minorAnalysis
---
* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.
## 0.8.4
### Minor Analysis Improvements
* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.8.3
lastReleaseVersion: 0.8.4


@@ -6,7 +6,7 @@
* @id cs/hash-without-salt
* @tags security
* experimental
* external/cwe/cwe-759
* external/cwe-759
*/
import csharp


@@ -1,5 +1,5 @@
name: codeql/csharp-queries
version: 0.8.4-dev
version: 0.8.4
groups:
- csharp
- queries


@@ -185,16 +185,16 @@ namespace My.Qltest
void M1()
{
var o = new object();
Sink(GeneratedFlow(o)); // no flow because the modelled method exists in source code
Sink(GeneratedFlow(o));
}
void M2()
{
var o1 = new object();
Sink(GeneratedFlowArgs(o1, null)); // no flow because the modelled method exists in source code
Sink(GeneratedFlowArgs(o1, null));
var o2 = new object();
Sink(GeneratedFlowArgs(null, o2)); // no flow because the modelled method exists in source code
Sink(GeneratedFlowArgs(null, o2));
}
void M3()


@@ -61,6 +61,12 @@ edges
| ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object |
| ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object |
| ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | ExternalFlow.cs:120:18:120:21 | access to array element |
| ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | ExternalFlow.cs:188:32:188:32 | access to local variable o : Object |
| ExternalFlow.cs:188:32:188:32 | access to local variable o : Object | ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow |
| ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object |
| ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object | ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs |
| ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object |
| ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object | ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs |
| ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object |
| ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs |
| ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | ExternalFlow.cs:232:21:232:21 | access to local variable h : HC |
@@ -145,6 +151,15 @@ nodes
| ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | semmle.label | access to local variable a : null [element] : Object |
| ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | semmle.label | access to local variable b : null [element] : Object |
| ExternalFlow.cs:120:18:120:21 | access to array element | semmle.label | access to array element |
| ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | semmle.label | call to method GeneratedFlow |
| ExternalFlow.cs:188:32:188:32 | access to local variable o : Object | semmle.label | access to local variable o : Object |
| ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
| ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
| ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
| ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
| ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
| ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | semmle.label | call to method MixedFlowArgs |
| ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
@@ -174,5 +189,8 @@ subpaths
| ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:120:18:120:21 | access to array element | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:120:18:120:21 | access to array element | $@ | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | $@ | ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | $@ | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | object creation of type Object : Object |
| ExternalFlow.cs:233:18:233:18 | access to local variable o | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | ExternalFlow.cs:233:18:233:18 | access to local variable o | $@ | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | object creation of type HC : HC |


@@ -1,5 +1,4 @@
import semmle.code.csharp.security.dataflow.flowsources.Remote
from RemoteFlowSource source
where source.getLocation().getFile().fromSource()
select source, source.getSourceType()


@@ -431,29 +431,6 @@ public class E
i = null;
return @is.Any();
}
static void Ex45(string s)
{
if (s is null)
{
s.ToString(); // BAD (always)
}
if (s is not not null)
{
s.ToString(); // BAD (always) (FALSE NEGATIVE)
}
if (s is not null)
{
s.ToString(); // GOOD
}
if (s is object)
{
s.ToString(); // GOOD
}
}
}
public static class Extensions


@@ -244,8 +244,6 @@
| E.cs:423:33:423:44 | ... == ... | true | E.cs:423:38:423:44 | access to property Value | E.cs:423:33:423:33 | access to parameter j |
| E.cs:430:34:430:45 | ... == ... | true | E.cs:430:34:430:34 | access to parameter j | E.cs:430:39:430:45 | access to property Value |
| E.cs:430:34:430:45 | ... == ... | true | E.cs:430:39:430:45 | access to property Value | E.cs:430:34:430:34 | access to parameter j |
| E.cs:437:13:437:21 | ... is ... | true | E.cs:437:13:437:13 | access to parameter s | E.cs:437:18:437:21 | null |
| E.cs:437:13:437:21 | ... is ... | true | E.cs:437:18:437:21 | null | E.cs:437:13:437:13 | access to parameter s |
| Forwarding.cs:59:13:59:21 | ... == ... | true | Forwarding.cs:59:13:59:13 | access to parameter o | Forwarding.cs:59:18:59:21 | null |
| Forwarding.cs:59:13:59:21 | ... == ... | true | Forwarding.cs:59:18:59:21 | null | Forwarding.cs:59:13:59:13 | access to parameter o |
| Forwarding.cs:78:16:78:39 | call to method ReferenceEquals | true | Forwarding.cs:78:32:78:32 | access to parameter o | Forwarding.cs:78:35:78:38 | null |


@@ -1300,11 +1300,6 @@
| E.cs:429:13:429:22 | access to property HasValue | true | E.cs:429:13:429:13 | access to parameter i | non-null |
| E.cs:432:16:432:24 | call to method Any<Int32> | false | E.cs:432:16:432:18 | access to parameter is | empty |
| E.cs:432:16:432:24 | call to method Any<Int32> | true | E.cs:432:16:432:18 | access to parameter is | non-empty |
| E.cs:437:13:437:21 | ... is ... | false | E.cs:437:13:437:13 | access to parameter s | non-null |
| E.cs:437:13:437:21 | ... is ... | true | E.cs:437:13:437:13 | access to parameter s | null |
| E.cs:442:13:442:29 | ... is ... | true | E.cs:442:13:442:13 | access to parameter s | non-null |
| E.cs:447:13:447:25 | ... is ... | true | E.cs:447:13:447:13 | access to parameter s | non-null |
| E.cs:452:13:452:23 | ... is ... | true | E.cs:452:13:452:13 | access to parameter s | non-null |
| Forwarding.cs:9:13:9:30 | !... | false | Forwarding.cs:9:14:9:30 | call to method IsNullOrEmpty | true |
| Forwarding.cs:9:13:9:30 | !... | true | Forwarding.cs:9:14:9:30 | call to method IsNullOrEmpty | false |
| Forwarding.cs:9:14:9:14 | access to local variable s | empty | Forwarding.cs:7:20:7:23 | null | empty |


@@ -37,7 +37,6 @@
| E.cs:324:13:324:14 | access to parameter s2 | Variable $@ is always null at this dereference. | E.cs:319:40:319:41 | s2 | s2 |
| E.cs:331:9:331:9 | access to local variable x | Variable $@ is always null at this dereference. | E.cs:330:13:330:13 | x | x |
| E.cs:405:16:405:16 | access to local variable i | Variable $@ is always null at this dereference. | E.cs:403:14:403:14 | i | i |
| E.cs:439:13:439:13 | access to parameter s | Variable $@ is always null at this dereference. | E.cs:435:29:435:29 | s | s |
| Forwarding.cs:36:31:36:31 | access to local variable s | Variable $@ is always null at this dereference. | Forwarding.cs:7:16:7:16 | s | s |
| Forwarding.cs:40:27:40:27 | access to local variable s | Variable $@ is always null at this dereference. | Forwarding.cs:7:16:7:16 | s | s |
| NullAlwaysBad.cs:9:30:9:30 | access to parameter s | Variable $@ is always null at this dereference. | NullAlwaysBad.cs:7:29:7:29 | s | s |


@@ -298,11 +298,6 @@
| E.cs:422:13:422:22 | access to property HasValue | E.cs:422:13:422:13 | access to parameter i | true | false |
| E.cs:429:13:429:22 | access to property HasValue | E.cs:429:13:429:13 | access to parameter i | false | true |
| E.cs:429:13:429:22 | access to property HasValue | E.cs:429:13:429:13 | access to parameter i | true | false |
| E.cs:437:13:437:21 | ... is ... | E.cs:437:13:437:13 | access to parameter s | false | false |
| E.cs:437:13:437:21 | ... is ... | E.cs:437:13:437:13 | access to parameter s | true | true |
| E.cs:442:13:442:29 | ... is ... | E.cs:442:13:442:13 | access to parameter s | true | false |
| E.cs:447:13:447:25 | ... is ... | E.cs:447:13:447:13 | access to parameter s | true | false |
| E.cs:452:13:452:23 | ... is ... | E.cs:452:13:452:13 | access to parameter s | true | false |
| Forwarding.cs:9:14:9:30 | call to method IsNullOrEmpty | Forwarding.cs:9:14:9:14 | access to local variable s | false | false |
| Forwarding.cs:14:13:14:32 | call to method IsNotNullOrEmpty | Forwarding.cs:14:13:14:13 | access to local variable s | true | false |
| Forwarding.cs:19:14:19:23 | call to method IsNull | Forwarding.cs:19:14:19:14 | access to local variable s | false | false |


@@ -408,9 +408,6 @@ nodes
| E.cs:405:16:405:16 | access to local variable i |
| E.cs:417:24:417:40 | SSA capture def(i) |
| E.cs:417:34:417:34 | access to parameter i |
| E.cs:435:29:435:29 | SSA param(s) |
| E.cs:437:13:437:21 | [true] ... is ... |
| E.cs:439:13:439:13 | access to parameter s |
| Forwarding.cs:7:16:7:23 | SSA def(s) |
| Forwarding.cs:9:13:9:30 | [false] !... |
| Forwarding.cs:14:9:17:9 | if (...) ... |
@@ -801,8 +798,6 @@ edges
| E.cs:404:9:404:18 | SSA def(i) | E.cs:405:16:405:16 | access to local variable i |
| E.cs:404:9:404:18 | SSA def(i) | E.cs:405:16:405:16 | access to local variable i |
| E.cs:417:24:417:40 | SSA capture def(i) | E.cs:417:34:417:34 | access to parameter i |
| E.cs:435:29:435:29 | SSA param(s) | E.cs:437:13:437:21 | [true] ... is ... |
| E.cs:437:13:437:21 | [true] ... is ... | E.cs:439:13:439:13 | access to parameter s |
| Forwarding.cs:7:16:7:23 | SSA def(s) | Forwarding.cs:9:13:9:30 | [false] !... |
| Forwarding.cs:9:13:9:30 | [false] !... | Forwarding.cs:14:9:17:9 | if (...) ... |
| Forwarding.cs:14:9:17:9 | if (...) ... | Forwarding.cs:19:9:22:9 | if (...) ... |


@@ -1,7 +1,6 @@
using System;
using System.Web;
using System.Web.Mvc;
using System.Web.WebPages;
public class UrlRedirectHandler : IHttpHandler
{
@@ -49,13 +48,6 @@ public class UrlRedirectHandler : IHttpHandler
// GOOD: request parameter is URL encoded
ctx.Response.Redirect(HttpUtility.UrlEncode(ctx.Request.QueryString["page"]));
// GOOD: whitelisted redirect
var url3 = ctx.Request.QueryString["page"];
if (new HttpRequestWrapper(ctx.Request).IsUrlLocalToHost(url3))
{
ctx.Response.Redirect(url3);
}
}
// Implementation as recommended by Microsoft.


@@ -1,10 +1,10 @@
edges
| UrlRedirect.cs:13:31:13:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:13:31:13:61 | access to indexer |
| UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:23:22:23:52 | access to indexer : String |
| UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:48:29:48:31 | access to local variable url |
| UrlRedirect.cs:23:22:23:52 | access to indexer : String | UrlRedirect.cs:48:29:48:31 | access to local variable url |
| UrlRedirect.cs:38:44:38:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:44:38:74 | access to indexer |
| UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:39:47:39:77 | access to indexer |
| UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:12:31:12:61 | access to indexer |
| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:22:22:22:52 | access to indexer : String |
| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:47:29:47:31 | access to local variable url |
| UrlRedirect.cs:22:22:22:52 | access to indexer : String | UrlRedirect.cs:47:29:47:31 | access to local variable url |
| UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:37:44:37:74 | access to indexer |
| UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:47:38:77 | access to indexer |
| UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:16:22:16:26 | access to parameter value |
| UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion |
| UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:25:46:25:50 | call to operator implicit conversion |
@@ -17,15 +17,15 @@ edges
| UrlRedirectCore.cs:45:51:45:55 | value : String | UrlRedirectCore.cs:56:31:56:35 | access to parameter value |
| UrlRedirectCore.cs:53:40:53:44 | access to parameter value : String | UrlRedirectCore.cs:53:32:53:45 | object creation of type Uri |
nodes
| UrlRedirect.cs:13:31:13:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| UrlRedirect.cs:13:31:13:61 | access to indexer | semmle.label | access to indexer |
| UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| UrlRedirect.cs:23:22:23:52 | access to indexer : String | semmle.label | access to indexer : String |
| UrlRedirect.cs:38:44:38:66 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| UrlRedirect.cs:38:44:38:74 | access to indexer | semmle.label | access to indexer |
| UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| UrlRedirect.cs:39:47:39:77 | access to indexer | semmle.label | access to indexer |
| UrlRedirect.cs:48:29:48:31 | access to local variable url | semmle.label | access to local variable url |
| UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| UrlRedirect.cs:12:31:12:61 | access to indexer | semmle.label | access to indexer |
| UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| UrlRedirect.cs:22:22:22:52 | access to indexer : String | semmle.label | access to indexer : String |
| UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| UrlRedirect.cs:37:44:37:74 | access to indexer | semmle.label | access to indexer |
| UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | semmle.label | access to property QueryString : NameValueCollection |
| UrlRedirect.cs:38:47:38:77 | access to indexer | semmle.label | access to indexer |
| UrlRedirect.cs:47:29:47:31 | access to local variable url | semmle.label | access to local variable url |
| UrlRedirectCore.cs:13:44:13:48 | value : String | semmle.label | value : String |
| UrlRedirectCore.cs:16:22:16:26 | access to parameter value | semmle.label | access to parameter value |
| UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion | semmle.label | call to operator implicit conversion |
@@ -41,10 +41,10 @@ nodes
| UrlRedirectCore.cs:56:31:56:35 | access to parameter value | semmle.label | access to parameter value |
subpaths
#select
| UrlRedirect.cs:13:31:13:61 | access to indexer | UrlRedirect.cs:13:31:13:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:13:31:13:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:13:31:13:53 | access to property QueryString | user-provided value |
| UrlRedirect.cs:38:44:38:74 | access to indexer | UrlRedirect.cs:38:44:38:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:44:38:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:38:44:38:66 | access to property QueryString | user-provided value |
| UrlRedirect.cs:39:47:39:77 | access to indexer | UrlRedirect.cs:39:47:39:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:39:47:39:77 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:39:47:39:69 | access to property QueryString | user-provided value |
| UrlRedirect.cs:48:29:48:31 | access to local variable url | UrlRedirect.cs:23:22:23:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:48:29:48:31 | access to local variable url | Untrusted URL redirection due to $@. | UrlRedirect.cs:23:22:23:44 | access to property QueryString | user-provided value |
| UrlRedirect.cs:12:31:12:61 | access to indexer | UrlRedirect.cs:12:31:12:53 | access to property QueryString : NameValueCollection | UrlRedirect.cs:12:31:12:61 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:12:31:12:53 | access to property QueryString | user-provided value |
| UrlRedirect.cs:37:44:37:74 | access to indexer | UrlRedirect.cs:37:44:37:66 | access to property QueryString : NameValueCollection | UrlRedirect.cs:37:44:37:74 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:37:44:37:66 | access to property QueryString | user-provided value |
| UrlRedirect.cs:38:47:38:77 | access to indexer | UrlRedirect.cs:38:47:38:69 | access to property QueryString : NameValueCollection | UrlRedirect.cs:38:47:38:77 | access to indexer | Untrusted URL redirection due to $@. | UrlRedirect.cs:38:47:38:69 | access to property QueryString | user-provided value |
| UrlRedirect.cs:47:29:47:31 | access to local variable url | UrlRedirect.cs:22:22:22:44 | access to property QueryString : NameValueCollection | UrlRedirect.cs:47:29:47:31 | access to local variable url | Untrusted URL redirection due to $@. | UrlRedirect.cs:22:22:22:44 | access to property QueryString | user-provided value |
| UrlRedirectCore.cs:16:22:16:26 | access to parameter value | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:16:22:16:26 | access to parameter value | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:13:44:13:48 | value | user-provided value |
| UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:19:44:19:48 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:13:44:13:48 | value | user-provided value |
| UrlRedirectCore.cs:25:46:25:50 | call to operator implicit conversion | UrlRedirectCore.cs:13:44:13:48 | value : String | UrlRedirectCore.cs:25:46:25:50 | call to operator implicit conversion | Untrusted URL redirection due to $@. | UrlRedirectCore.cs:13:44:13:48 | value | user-provided value |


@@ -81,7 +81,7 @@ namespace System.Web.UI
public class Page
{
public System.Security.Principal.IPrincipal User { get; }
public System.Security.Principal.IPrincipal User { get; }
public System.Web.HttpRequest Request { get; }
}
@@ -157,11 +157,6 @@ namespace System.Web
public HttpCookieCollection Cookies => null;
}
public class HttpRequestWrapper : System.Web.HttpRequestBase
{
public HttpRequestWrapper(HttpRequest r) { }
}
public class HttpResponse
{
public void Write(object o) { }
@@ -311,16 +306,15 @@ namespace System.Web.Routing
{
}
public class Route
public class Route
{
}
public class RouteTable
{
public class RouteTable {
public RouteCollection Routes { get; }
}
public class RouteCollection
public class RouteCollection
{
public Route MapPageRoute(string routeName, string routeUrl, string physicalFile, bool checkPhysicalUrlAccess) { return null; }
}
@@ -375,15 +369,6 @@ namespace System.Web.Helpers
}
}
namespace System.Web.WebPages
{
public static class RequestExtensions
{
public static bool IsUrlLocalToHost(this System.Web.HttpRequestBase request, string url) => throw null;
}
}
namespace System.Web.Script.Serialization
{
// Generated from `System.Web.Script.Serialization.JavaScriptSerializer` in `System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35`


@@ -18,7 +18,7 @@ When you open the model editor, it analyzes the currently selected CodeQL databa
The model editor has two different modes:
- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for a specific codebase.
- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for the specific codebase.
- Dependency mode: The editor identifies all of the publicly accessible APIs in the selected CodeQL database. This view guides you through modeling each public API that the codebase makes available. When you have finished modeling the entire API, you can save the model and use it to improve the CodeQL analysis for all codebases that use the dependency.
@@ -28,45 +28,30 @@ Displaying the CodeQL model editor
#. Open your CodeQL workspace in VS Code, for example, the ``vscode-codeql-starter`` workspace.
If you haven't updated the ``ql`` submodule for a while, update it from ``main`` to ensure that you have the queries used to gather data for the model editor.
#. Open the CodeQL extension and select the CodeQL database that you want to model from the "Databases" section of the left side pane.
#. In the left side panel, expand the "CodeQL method modeling" section and click **Start modeling** to display the model editor. Alternatively, use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
#. The CodeQL model editor runs a series of telemetry queries to identify APIs in the code and the editor is displayed in a new tab.
#. When the telemetry queries are complete, the APIs that have been identified are shown in the editor.
.. tip::
The "CodeQL method modeling" section is a view that you can move from the primary sidebar to the secondary sidebar, when you want more space while you are modeling calls or methods. If you close the view, you can reopen it from the "Open Views" option in the **View** menu.
#. Use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
#. The CodeQL model editor will open in a new tab and run a series of telemetry queries to identify APIs in the code.
#. When the queries are complete, the APIs that have been identified are shown in the editor.
Modeling the calls your codebase makes to external APIs
-------------------------------------------------------
You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is useful when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is usually when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
#. Select the CodeQL database that you want to improve CodeQL coverage for.
#. Display the CodeQL model editor. By default the editor runs in application mode, so the list of external APIs used by the selected codebase is shown.
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode.png
:width: 800
:alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing two of the external Java frameworks used by the "sofa-jraft" codebase.
:alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing three of the external frameworks used by the "sofa-jraft" codebase.
#. Click to expand an external API and view the list of calls from the codebase to the external dependency.
#. Click **View** associated with an API call or method to show where it is used in your codebase.
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode-expanded.png
:width: 800
:alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing the calls to the "rocksdbjni" framework ready for modeling. The "View" option for the first call is highlighted with a dark orange outline.
#. Click **View** associated with an API call or method to show where it is used in your codebase.
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode-view-code.png
:width: 800
:alt: Screenshot of a file showing a place where your codebase calls the API is highlighted with a dark orange outline.
#. The file containing the first call from your codebase to the API is opened and a "CodeQL methods usage" view is displayed in the VS Code Panel (where the "Problems" and "Terminal" views are usually displayed). The "CodeQL methods usage" view lists of all the calls from your code to the API, grouped by method. You can click through each use to decide how to model your use of the method.
.. image:: ../images/codeql-for-visual-studio-code/model-application-mode-view-list.png
:width: 800
:alt: Screenshot of the "CodeQL methods usage" view. The currently displayed call to an external method is highlighted blue.
#. When you have determined how to model your use of the method, you can define the **Model type** in the "CodeQL method modeling" tab of the CodeQL extension. This change is automatically reflected in the main model editor.
#. When you have determined how to model the call or method, define the **Model type**.
#. The remaining fields are updated with available options:
- **Source**: choose the **Output** element to model.
@@ -74,9 +59,9 @@ You typically use this approach when you are looking at a specific codebase wher
- **Flow summary**: choose the **Input** and **Output** elements to model.
#. Define the **Kind** of dataflow for the model.
#. When you have finished modeling, display the main model editor and click **Save all** or **Save** (shown at the bottom right of each expanded list of methods). The percentage of methods modeled in the editor is updated.
#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. For more information, see "`Using CodeQL model packs with code scanning <#using-codeql-model-packs-with-code-scanning>`__".
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
The models are stored in a series of YAML data extension files, one for each external API. For example:
@@ -116,7 +101,7 @@ You typically use this method when you want to model a framework or library that
#. Define the **Kind** of dataflow for the model.
#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. For more information, see "`Using CodeQL model packs with code scanning <#using-codeql-model-packs-with-code-scanning>`__".
The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
The models are stored in a series of YAML data extension files, one for each public method. For example:
@@ -129,19 +114,10 @@ The models are stored in a series of YAML data extension files, one for each pub
The editor will create a separate model file for each package that you model.
Modeling methods with multiple potential flows
----------------------------------------------
Testing CodeQL model packs
--------------------------
Some methods support more than one data flow. It is important to model all the data flows for a method, otherwise you cannot detect all the potential problems associated with using the method. First you model one data flow for the method, and then use the **+** button in the method row to specify a second data flow model.
.. image:: ../images/codeql-for-visual-studio-code/model-dependency-mode-plus.png
:width: 800
:alt: Screenshot of the "Dependency mode" view of the CodeQL model pack editor in Visual Studio Code showing one model for the ``com.alipay.sofa.jraft.option.BallotBoxOptions.getClosureQueue()`` method. The "+" button is outlined in dark orange. Click this button to create a second model for the method.
Testing CodeQL model packs in VS Code
-------------------------------------
You can test any CodeQL model packs you create in VS Code by turning the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
You can test any CodeQL model packs you create in VS Code by toggling the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
- To run queries on a CodeQL database with any model packs that are stored within the ``.github/codeql/extensions`` directory of the workspace, update your ``settings.json`` file with: ``"codeQL.runningQueries.useExtensionPacks": "all",``
- To run queries on a CodeQL database without using model packs, update your ``settings.json`` file with: ``"codeQL.runningQueries.useExtensionPacks": "none",``
@@ -160,4 +136,4 @@ For more information, see the following articles on the GitHub Docs site:
- Default setup of code scanning: `Extending CodeQL coverage with CodeQL model packs in default setup <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup>`__
- Advanced setup of code scanning: `Extending CodeQL coverage with CodeQL model packs <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs>`__
- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#using-model-packs-to-analyze-calls-to-custom-dependencies>`__
- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#using-model-packs-to-analyze-calls-to-custom-dependencies>`__


@@ -54,14 +54,14 @@ Data extensions use union semantics, which means that the tuples of all extensio
Publish data extension files in a CodeQL model pack to share
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
You can group one or more data extension files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see `Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
You can group one or more data extention files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see "`Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack/>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
Extensible predicates used to create custom models in Java and Kotlin
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The CodeQL library for Java and Kotlin analysis exposes the following extensible predicates:
- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data. The ``kind`` of the sources defined using this predicate determine which threat model they are associated with. Different threat models can be used to customize the sources used in an analysis. For more information, see ":ref:`Threat models <threat-models>`."
- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data.
- ``sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)``. This is used to model sinks where tainted data maybe used in a way that makes the code vulnerable.
- ``summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)``. This is used to model flow through elements.
- ``neutralModel(package, type, name, signature, kind, provenance)``. This is similar to a summary model but used to model the flow of values that have only a minor impact on the dataflow analysis.
@@ -151,7 +151,7 @@ The sixth value should be left empty and is out of scope for this documentation.
The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the source.
- The seventh value ``ReturnValue`` is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
- The eighth value ``remote`` is the kind of the source. The source kind is used to define the threat model where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources. For more information, see ":ref:`Threat models <threat-models>`."
- The eighth value ``remote`` is the kind of the source. The source kind is used to define the queries where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources.
- The ninth value ``manual`` is the provenance of the source, which is used to identify the origin of the source.
Example: Add flow through the ``concat`` method
@@ -291,19 +291,3 @@ The first four values identify the callable (in this case a method) to be modele
- The fourth value ``()`` is the method input type signature.
- The fifth value ``summary`` is the kind of the neutral.
- The sixth value ``manual`` is the provenance of the neutral.
.. _threat-models:
Threat models
-------------
.. include:: ../reusables/beta-note-threat-models-java.rst
A threat model is a named class of dataflow sources that can be enabled or disabled independently. Threat models allow you to control the set of dataflow sources that you want to consider unsafe. For example, one codebase may only consider remote HTTP requests to be tainted, whereas another may also consider data from local files to be unsafe. You can use threat models to ensure that the relevant taint sources are used in a CodeQL analysis.
The ``kind`` property of the ``sourceModel`` determines which threat model a source is associated with. There are two main categories:
- ``remote`` which represents requests and responses from the network.
- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), and environment variables(``environment``).
When running a CodeQL analysis, the ``remote`` threat model is included by default. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries <https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>`__ and `Customizing your advanced setup for code scanning <https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.



@@ -1,5 +0,0 @@
.. pull-quote::
Note
Threat models are currently in beta and subject to change. During the beta, threat models are supported only by Java analysis.


@@ -4,40 +4,39 @@
:stub-columns: 1
Language,Variants,Compilers,Extensions
C/C++,"C89, C99, C11, C17, C++98, C++03, C++11, C++14, C++17, C++20 [1]_ [2]_","Clang (including clang-cl [3]_ and armclang) extensions (up to Clang 12.0),
C/C++,"C89, C99, C11, C17, C++98, C++03, C++11, C++14, C++17, C++20 [1]_","Clang (including clang-cl [2]_ and armclang) extensions (up to Clang 12.0),
GNU extensions (up to GCC 11.1),
Microsoft extensions (up to VS 2019),
Arm Compiler 5 [4]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
Arm Compiler 5 [3]_","``.cpp``, ``.c++``, ``.cxx``, ``.hpp``, ``.hh``, ``.h++``, ``.hxx``, ``.c``, ``.cc``, ``.h``"
C#,C# up to 11,"Microsoft Visual Studio up to 2019 with .NET up to 4.8,
.NET Core up to 3.1
.NET 5, .NET 6, .NET 7","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
Go (aka Golang), "Go up to 1.21", "Go 1.11 or more recent", ``.go``
Java,"Java 7 to 20 [5]_","javac (OpenJDK and Oracle JDK),
Java,"Java 7 to 20 [4]_","javac (OpenJDK and Oracle JDK),
Eclipse compiler for Java (ECJ) [6]_",``.java``
Kotlin [7]_,"Kotlin 1.5.0 to 1.9.20","kotlinc",``.kt``
JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [8]_"
Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12",Not applicable,``.py``
Ruby [10]_,"up to 3.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
Swift [11]_,"Swift 5.4-5.8.1","Swift compiler","``.swift``"
TypeScript [12]_,"2.6-5.3",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
Eclipse compiler for Java (ECJ) [5]_",``.java``
Kotlin [6]_,"Kotlin 1.5.0 to 1.9.20","kotlinc",``.kt``
JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [7]_"
Python [8]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12",Not applicable,``.py``
Ruby [9]_,"up to 3.2",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"
Swift [10]_,"Swift 5.4-5.9.1","Swift compiler","``.swift``"
TypeScript [11]_,"2.6-5.3",Standard TypeScript compiler,"``.ts``, ``.tsx``, ``.mts``, ``.cts``"
.. container:: footnote-group
.. [1] C++20 support is currently in beta. Supported for GCC on Linux only. Modules are *not* supported.
.. [2] Objective-C, Objective-C++, C++/CLI, and C++/CX are not supported.
.. [3] Support for the clang-cl compiler is preliminary.
.. [4] Support for the Arm Compiler (armcc) is preliminary.
.. [5] Builds that execute on Java 7 to 20 can be analyzed. The analysis understands Java 20 standard language features.
.. [6] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
.. [7] Kotlin support is currently in beta.
.. [8] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
.. [9] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
.. [10] Requires glibc 2.17.
.. [11] Swift support is currently in beta. Support for the analysis of Swift 5.4-5.8.1 requires macOS or Linux.
.. [12] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
.. [2] Support for the clang-cl compiler is preliminary.
.. [3] Support for the Arm Compiler (armcc) is preliminary.
.. [4] Builds that execute on Java 7 to 20 can be analyzed. The analysis understands Java 20 standard language features.
.. [5] ECJ is supported when the build invokes it via the Maven Compiler plugin or the Takari Lifecycle plugin.
.. [6] Kotlin support is currently in beta.
.. [7] JSX and Flow code, YAML, JSON, HTML, and XML files may also be analyzed with JavaScript files.
.. [8] The extractor requires Python 3 to run. To analyze Python 2.7 you should install both versions of Python.
.. [9] Requires glibc 2.17.
.. [10] Swift support is currently in beta. Support for the analysis of Swift 5.4-5.8.1 requires macOS or Linux.
.. [11] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.


@@ -1,3 +1,7 @@
## 0.0.3
No user-facing changes.
## 0.0.2
No user-facing changes.


@@ -0,0 +1,3 @@
## 0.0.3
No user-facing changes.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.0.2
lastReleaseVersion: 0.0.3


@@ -1,5 +1,5 @@
name: codeql-go-consistency-queries
version: 0.0.3-dev
version: 0.0.3
groups:
- go
- queries


@@ -1,8 +1,14 @@
## 0.7.4
### Bug Fixes
* A bug has been fixed that meant that value flow through a slice expression was not tracked correctly. Taint flow was tracked correctly.
## 0.7.3
### Minor Analysis Improvements
* Added the [gin cors](https://github.com/gin-contrib/cors) library to the CorsMisconfiguration.ql query
* Added the [gin-contrib/cors](https://github.com/gin-contrib/cors) library to the experimental query "CORS misconfiguration" (`go/cors-misconfiguration`).
### Bug Fixes


@@ -1,4 +1,5 @@
---
category: fix
---
## 0.7.4
### Bug Fixes
* A bug has been fixed that meant that value flow through a slice expression was not tracked correctly. Taint flow was tracked correctly.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.7.3
lastReleaseVersion: 0.7.4


@@ -1,5 +1,5 @@
name: codeql/go-all
version: 0.7.4-dev
version: 0.7.4
groups: go
dbscheme: go.dbscheme
extractor: go
