Merge pull request #19436 from adityasharad/actions/ga-change-note

Actions: Retroactively add GA changenote
2026-05-16 20:27:06 +02:00 · 2025-05-01 09:21:15 +01:00 · 2025-04-30 16:24:22 -07:00 · 2025-04-28 14:06:52 +01:00 · 2025-04-28 13:55:34 +01:00 · 2025-04-28 12:57:36 +01:00
976 changed files with 32115 additions and 7172 deletions
--- a/actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-quality.qls.expected
@@ -0,0 +1 @@
+
--- a/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-code-scanning.qls.expected
@@ -0,0 +1,17 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-and-quality.qls.expected
@@ -0,0 +1,27 @@
+ql/actions/ql/src/Debug/SyntaxError.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueCritical.ql
+ql/actions/ql/src/Security/CWE-571/ExpressionIsAlwaysTrueHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
+ql/actions/ql/src/Violations Of Best Practice/CodeQL/UnnecessaryUseOfAdvancedConfig.ql
--- a/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
+++ b/actions/ql/integration-tests/query-suite/actions-security-extended.qls.expected
@@ -0,0 +1,23 @@
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
+ql/actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql
+ql/actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql
+ql/actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql
+ql/actions/ql/src/Security/CWE-285/ImproperAccessControl.ql
+ql/actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql
+ql/actions/ql/src/Security/CWE-312/SecretsInArtifacts.ql
+ql/actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaDirectCache.ql
+ql/actions/ql/src/Security/CWE-349/CachePoisoningViaPoisonableStep.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUCritical.ql
+ql/actions/ql/src/Security/CWE-367/UntrustedCheckoutTOCTOUHigh.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql
+ql/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
+ql/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql
+ql/actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql
--- a/actions/ql/integration-tests/query-suite/not_included_in_qls.expected
+++ b/actions/ql/integration-tests/query-suite/not_included_in_qls.expected
@@ -0,0 +1,17 @@
+ql/actions/ql/src/Debug/partial.ql
+ql/actions/ql/src/Models/CompositeActionsSinks.ql
+ql/actions/ql/src/Models/CompositeActionsSources.ql
+ql/actions/ql/src/Models/CompositeActionsSummaries.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSources.ql
+ql/actions/ql/src/Models/ReusableWorkflowsSummaries.ql
+ql/actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql
+ql/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
+ql/actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql
+ql/actions/ql/src/experimental/Security/CWE-284/CodeExecutionOnSelfHostedRunner.ql
+ql/actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql
+ql/actions/ql/src/experimental/Security/CWE-829/UnversionedImmutableAction.ql
+ql/actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql
--- a/actions/ql/integration-tests/query-suite/test.py
+++ b/actions/ql/integration-tests/query-suite/test.py
@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, actions, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, actions, check_queries_not_included):
+    check_queries_not_included('actions', well_known_query_suites)
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,7 +1,13 @@
-## 0.4.7
+## 0.4.8

 No user-facing changes.

+## 0.4.7
+
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ## 0.4.6

 ### Bug Fixes
--- a/actions/ql/lib/change-notes/released/0.4.7.md
+++ b/actions/ql/lib/change-notes/released/0.4.7.md
@@ -1,3 +1,5 @@
 ## 0.4.7

-No user-facing changes.
+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
--- a/actions/ql/lib/change-notes/released/0.4.8.md
+++ b/actions/ql/lib/change-notes/released/0.4.8.md
@@ -0,0 +1,3 @@
+## 0.4.8
+
+No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.7
+lastReleaseVersion: 0.4.8
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.8-dev
+version: 0.4.8
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,5 +1,29 @@
+## 0.6.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `security-and-quality` suite.
+  They are not intended to produce user-facing
+  alerts describing vulnerabilities.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/composite-action-sinks`
+  * `actions/composite-action-sources`
+  * `actions/composite-action-summaries`
+  * `actions/reusable-workflow-sinks`
+    (renamed from `actions/reusable-wokflow-sinks`)
+  * `actions/reusable-workflow-sources`
+  * `actions/reusable-workflow-summaries`
+
+### Bug Fixes
+
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
+
 ## 0.5.4

+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ### Bug Fixes

 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
--- a/actions/ql/src/Models/ReusableWorkflowsSinks.ql
+++ b/actions/ql/src/Models/ReusableWorkflowsSinks.ql
@@ -5,7 +5,7 @@
 * @problem.severity warning
 * @security-severity 9.3
 * @precision high
- * @id actions/reusable-wokflow-sinks
+ * @id actions/reusable-workflow-sinks
 * @tags actions
 *       model-generator
 *       external/cwe/cwe-020
--- a/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md
+++ b/actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md
@@ -1,4 +0,0 @@
---
-category: fix
---
-* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
--- a/actions/ql/src/change-notes/released/0.5.4.md
+++ b/actions/ql/src/change-notes/released/0.5.4.md
@@ -1,5 +1,9 @@
 ## 0.5.4

+### New Features
+
+* CodeQL and Copilot Autofix support for GitHub Actions is now Generally Available.
+
 ### Bug Fixes

 * Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.
--- a/actions/ql/src/change-notes/released/0.6.0.md
+++ b/actions/ql/src/change-notes/released/0.6.0.md
@@ -0,0 +1,19 @@
+## 0.6.0
+
+### Breaking Changes
+
+* The following queries have been removed from the `security-and-quality` suite.
+  They are not intended to produce user-facing
+  alerts describing vulnerabilities.
+  Any existing alerts for these queries will be closed automatically.
+  * `actions/composite-action-sinks`
+  * `actions/composite-action-sources`
+  * `actions/composite-action-summaries`
+  * `actions/reusable-workflow-sinks`
+    (renamed from `actions/reusable-wokflow-sinks`)
+  * `actions/reusable-workflow-sources`
+  * `actions/reusable-workflow-summaries`
+
+### Bug Fixes
+
+* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.4
+lastReleaseVersion: 0.6.0
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.5-dev
+version: 0.6.0
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/annotateOverlayLocal.py
+++ b/annotateOverlayLocal.py
@@ -1,123 +0,0 @@
-#!/usr/bin/python
-
-import os
-
-
-def process_single_file(filename):
-    if not filename.endswith(".qll"):
-        return
-
-    with open(filename, 'r') as file_in:
-        lines = [line for line in file_in]
-
-    configuresDataflow = any(
-        "implements DataFlow::ConfigSig" in line for line in lines)
-
-    moduleAnnotations = ""
-    if any(line for line in lines if line.rstrip().endswith("module;")):
-        for line in lines:
-            moduleAnnotations += line
-            if line.rstrip().endswith("module;"):
-                break
-
-    moduleAnnotations = strip_comments(moduleAnnotations)
-
-    isFileLevelAnnotated = ("overlay[local]" in moduleAnnotations or
-                            "overlay[local?]" in moduleAnnotations)
-
-    if configuresDataflow or isFileLevelAnnotated or filename.endswith("Query.qll"):
-        if isFileLevelAnnotated and configuresDataflow:
-            print("WARNING: file \""+filename +
-                  "\" configures dataflow, but is annotated local")
-        elif configuresDataflow and not filename.endswith("Query.qll"):
-            print("WARNING: file \""+filename +
-                  "\" configures dataflow but is not a [...]Query.qll file")
-        elif filename.endswith("Query.qll") and not configuresDataflow:
-            print("WARNING: file \""+filename +
-                  "\" is a [...]Query.qll file that does not configure dataflow")
-        elif isFileLevelAnnotated and filename.endswith("Query.qll"):
-            print("WARNING: file \""+filename +
-                  "\" is a [...]Query.qll file, but is annotated local")
-    elif any(line for line in lines if line.rstrip().endswith("module;")):
-        print("file \""+filename +
-              " was annotated using an existing file-level module statment")
-        with open(filename, "w") as file_out:
-            for line in lines:
-                if line.rstrip().endswith("module;"):
-                    file_out.write("overlay[local?]\n")
-                file_out.write(line)
-    elif (lines[0].startswith("import ") or lines[0].startswith("private ") or
-          lines[0].startswith("newtype ") or lines[0].startswith("module ") or
-          lines[0].startswith("signature ")):
-        print("file \""+filename+" was annotated at the very start of the file")
-        with open(filename, "w") as file_out:
-            file_out.write("overlay[local?]\nmodule;\n\n")
-            for line in lines:
-                file_out.write(line)
-    elif (strip_comments("".join(lines)).lstrip().startswith("import") or
-          strip_comments("".join(lines)).lstrip().startswith("private import")):
-        print("file \""+filename+" was annotated at the first import statement")
-        with open(filename, "w") as file_out:
-            firstImport = True
-            addEmptyLine = ""
-            for line in lines:
-                if not line.strip():
-                    if addEmptyLine:
-                        file_out.write(addEmptyLine)
-                    addEmptyLine = line
-                else:
-                    if firstImport and (line.startswith("import") or line.startswith("private")):
-                        file_out.write("overlay[local?]\nmodule;\n")
-                        firstImport = False
-
-                    if addEmptyLine:
-                        file_out.write(addEmptyLine)
-                        addEmptyLine = ""
-                    file_out.write(line)
-    elif (len(lines) > 2 and lines[0].startswith("/** ") and lines[0].endswith(" */\n") and
-          not lines[1].strip() and lines[2].startswith("/**")):
-        print("file \""+filename+" was annotated after single-line file module qldoc")
-        with open(filename, "w") as file_out:
-            file_out.write(lines[0])
-            file_out.write("overlay[local?]\nmodule;\n")
-            for line in lines[1:]:
-                file_out.write(line)
-    else:
-        print("ERROR: failure to annotate file \""+filename+"\"")
-
-
-def strip_comments(str):
-    prev = ""
-    in_multiline = False
-    in_singleline = False
-
-    result = ""
-    for c in str:
-        if c == '*' and prev == '/':
-            in_multiline = True
-            prev = ""
-        elif c == '/' and prev == '/':
-            in_singleline = True
-            prev = ""
-        elif in_multiline and c == '/' and prev == '*':
-            in_multiline = False
-            prev = ""
-        elif in_singleline and c == '\n':
-            in_singleline = False
-            result += '\n'
-            prev = ""
-        else:
-            if not in_multiline and not in_singleline:
-                if prev == '/':
-                    result += '/'
-                if c != '/':
-                    result += c
-            prev = c
-    return result
-
-
-for roots in ["java/ql/lib/semmle/code", "shared"]:
-    for dirpath, dirnames, filenames in os.walk(roots):
-        for filename in filenames:
-            if filename.endswith(".qll"):
-                process_single_file(os.path.join(dirpath, filename))
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/decltypes.ql
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/decltypes.ql
@@ -0,0 +1,11 @@
+class Type extends @type {
+  string toString() { none() }
+}
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+from Type decltype, Expr expr, Type basetype, boolean parentheses
+where decltypes(decltype, expr, _, basetype, parentheses)
+select decltype, expr, basetype, parentheses
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/derivedtypes.ql
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/derivedtypes.ql
@@ -0,0 +1,19 @@
+class Type extends @type {
+  string toString() { none() }
+}
+
+predicate derivedType(Type type, string name, int kind, Type type_id) {
+  derivedtypes(type, name, kind, type_id)
+}
+
+predicate typeTransformation(Type type, string name, int kind, Type type_id) {
+  type_operators(type, _, _, type_id) and
+  name = "" and
+  kind = 3 // @type_with_specifiers
+}
+
+from Type type, string name, int kind, Type type_id
+where
+  derivedType(type, name, kind, type_id) or
+  typeTransformation(type, name, kind, type_id)
+select type, name, kind, type_id
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/old.dbscheme
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties
+++ b/cpp/downgrades/9a7c3c14c1076f64b871719117a558733d987b48/upgrade.properties
@@ -0,0 +1,5 @@
+description: Support C23 typeof and typeof_unqual
+compatibility: backwards
+decltypes.rel: run decltypes.qlo
+derivedtypes.rel: run derivedtypes.qlo
+type_operators.rel: delete
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,12 @@
+## 4.3.0
+
+### New Features
+
+* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
+* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
+* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
+* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
+
 ## 4.2.0

 ### New Features
--- a/cpp/ql/lib/change-notes/2025-04-14-variable-length-arrays.md
+++ b/cpp/ql/lib/change-notes/2025-04-14-variable-length-arrays.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
--- a/cpp/ql/lib/change-notes/2025-04-15-field-array-designator.md
+++ b/cpp/ql/lib/change-notes/2025-04-15-field-array-designator.md
@@ -1,4 +0,0 @@
---
-category: feature
---
-* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
--- a/cpp/ql/lib/change-notes/released/4.3.0.md
+++ b/cpp/ql/lib/change-notes/released/4.3.0.md
@@ -0,0 +1,8 @@
+## 4.3.0
+
+### New Features
+
+* New classes `TypeofType`, `TypeofExprType`, and `TypeofTypeType` were introduced, which represent the C23 `typeof` and `typeof_unqual` operators. The `TypeofExprType` class represents the variant taking an expression as its argument. The `TypeofTypeType` class represents the variant taking a type as its argument.
+* A new class `IntrinsicTransformedType` was introduced, which represents the type transforming intrinsics supported by clang, gcc, and MSVC.
+* Introduced `hasDesignator()` predicates to distinguish between designated and positional initializations for both struct/union fields and array elements.
+* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.2.0
+lastReleaseVersion: 4.3.0
--- a/cpp/ql/lib/ext/generated/empty.model.yml
+++ b/cpp/ql/lib/ext/generated/empty.model.yml
@@ -0,0 +1,5 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: []
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.2.1-dev
+version: 4.3.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -16,6 +16,7 @@ dependencies:
  codeql/xml: ${workspace}
 dataExtensions:
  - ext/*.model.yml
+  - ext/generated/*.model.yml
  - ext/deallocation/*.model.yml
  - ext/allocation/*.model.yml
 warnOnImplicitThis: true
--- a/cpp/ql/lib/semmle/code/cpp/Print.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Print.qll
@@ -176,6 +176,30 @@ private class DecltypeDumpType extends DumpType, Decltype {
  }
 }

+private class TypeofDumpType extends DumpType, TypeofType {
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
+
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
+
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
+}
+
+private class IntrinsicTransformedDumpType extends DumpType, IntrinsicTransformedType {
+  override string getTypeSpecifier() { result = this.getBaseType().(DumpType).getTypeSpecifier() }
+
+  override string getDeclaratorPrefix() {
+    result = this.getBaseType().(DumpType).getDeclaratorPrefix()
+  }
+
+  override string getDeclaratorSuffix() {
+    result = this.getBaseType().(DumpType).getDeclaratorSuffix()
+  }
+}
+
 private class PointerIshDumpType extends DerivedDumpType {
  PointerIshDumpType() {
    this instanceof PointerType or
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -92,8 +92,9 @@ class Type extends Locatable, @type {
  /**
   * Gets this type after typedefs have been resolved.
   *
-   * The result of this predicate will be the type itself, except in the case of a TypedefType or a Decltype,
-   * in which case the result will be type which results from (possibly recursively) resolving typedefs.
+   * The result of this predicate will be the type itself, except in the case of a TypedefType, a Decltype,
+   * or a TypeofType, in which case the result will be type which results from (possibly recursively)
+   * resolving typedefs.
   */
  pragma[nomagic]
  Type getUnderlyingType() { result = this }
@@ -1117,18 +1118,20 @@ class DerivedType extends Type, @derivedtype {
 * decltype(a) b;
 * ```
 */
-class Decltype extends Type, @decltype {
+class Decltype extends Type {
+  Decltype() { decltypes(underlyingElement(this), _, 0, _, _) }
+
  override string getAPrimaryQlClass() { result = "Decltype" }

  /**
-   * The expression whose type is being obtained by this decltype.
+   * Gets the expression whose type is being obtained by this decltype.
   */
-  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _) }
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }

  /**
-   * The type immediately yielded by this decltype.
+   * Gets the type immediately yielded by this decltype.
   */
-  Type getBaseType() { decltypes(underlyingElement(this), _, unresolveElement(result), _) }
+  Type getBaseType() { decltypes(underlyingElement(this), _, _, unresolveElement(result), _) }

  /**
   * Whether an extra pair of parentheses around the expression would change the semantics of this decltype.
@@ -1142,7 +1145,7 @@ class Decltype extends Type, @decltype {
   * ```
   * Please consult the C++11 standard for more details.
   */
-  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, true) }
+  predicate parenthesesWouldChangeMeaning() { decltypes(underlyingElement(this), _, _, _, true) }

  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }

@@ -1183,6 +1186,215 @@ class Decltype extends Type, @decltype {
  }
 }

+/**
+ * An instance of the C23 `typeof` or `typeof_unqual` operator. For example:
+ * ```
+ * int a;
+ * typeof(a) b;
+ * typeof_unqual(const int) b;
+ * ```
+ */
+class TypeofType extends Type {
+  TypeofType() {
+    decltypes(underlyingElement(this), _, 1, _, _) or
+    type_operators(underlyingElement(this), _, 0, _)
+  }
+
+  /**
+   * Gets the type immediately yielded by this typeof.
+   */
+  Type getBaseType() {
+    decltypes(underlyingElement(this), _, _, unresolveElement(result), _)
+    or
+    type_operators(underlyingElement(this), _, _, unresolveElement(result))
+  }
+
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
+
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
+
+  override Type stripType() { result = this.getBaseType().stripType() }
+
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
+
+  override string toString() { result = "typeof(...)" }
+
+  override string getName() { none() }
+
+  override int getSize() { result = this.getBaseType().getSize() }
+
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
+
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
+
+  override string explain() {
+    result = "typeof resulting in {" + this.getBaseType().explain() + "}"
+  }
+
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
+
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
+
+  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
+
+  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
+
+  override Specifier internal_getAnAdditionalSpecifier() {
+    result = this.getBaseType().getASpecifier()
+  }
+}
+
+/**
+ * An instance of the C23 `typeof` or `typeof_unqual` operator taking an expression
+ * as its argument. For example:
+ * ```
+ * int a;
+ * typeof(a) b;
+ * ```
+ */
+class TypeofExprType extends TypeofType {
+  TypeofExprType() { decltypes(underlyingElement(this), _, 1, _, _) }
+
+  override string getAPrimaryQlClass() { result = "TypeofExprType" }
+
+  /**
+   * Gets the expression whose type is being obtained by this typeof.
+   */
+  Expr getExpr() { decltypes(underlyingElement(this), unresolveElement(result), _, _, _) }
+
+  override Location getLocation() { result = this.getExpr().getLocation() }
+}
+
+/**
+ * A type obtained by C23 `typeof` or `typeof_unqual` operator taking a type as its
+ * argument. For example:
+ * ```
+ * typeof_unqual(const int) b;
+ * ```
+ */
+class TypeofTypeType extends TypeofType {
+  TypeofTypeType() { type_operators(underlyingElement(this), _, 0, _) }
+
+  /**
+   * Gets the expression whose type is being obtained by this typeof.
+   */
+  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
+
+  override string getAPrimaryQlClass() { result = "TypeofTypeType" }
+
+  override string toString() { result = "typeof(...)" }
+}
+
+/**
+ * A type obtained by applying a type transforming intrinsic. For example:
+ * ```
+ * __make_unsigned(int) x;
+ * ```
+ */
+class IntrinsicTransformedType extends Type {
+  int intrinsic;
+
+  IntrinsicTransformedType() {
+    type_operators(underlyingElement(this), _, intrinsic, _) and
+    intrinsic in [1 .. 19]
+  }
+
+  override string getAPrimaryQlClass() { result = "IntrinsicTransformedType" }
+
+  override string toString() { result = this.getIntrinsicName() + "(...)" }
+
+  /**
+   * Gets the type immediately yielded by this transformation.
+   */
+  Type getBaseType() { type_operators(underlyingElement(this), _, _, unresolveElement(result)) }
+
+  /**
+   * Gets the type that is transformed.
+   */
+  Type getType() { type_operators(underlyingElement(this), unresolveElement(result), _, _) }
+
+  /**
+   * Gets the name of the intrinsic used to transform the type.
+   */
+  string getIntrinsicName() {
+    intrinsic = 1 and result = "__underlying_type"
+    or
+    intrinsic = 2 and result = "__bases"
+    or
+    intrinsic = 3 and result = "__direct_bases"
+    or
+    intrinsic = 4 and result = "__add_lvalue_reference"
+    or
+    intrinsic = 5 and result = "__add_pointer"
+    or
+    intrinsic = 6 and result = "__add_rvalue_reference"
+    or
+    intrinsic = 7 and result = "__decay"
+    or
+    intrinsic = 8 and result = "__make_signed"
+    or
+    intrinsic = 9 and result = "__make_unsigned"
+    or
+    intrinsic = 10 and result = "__remove_all_extents"
+    or
+    intrinsic = 11 and result = "__remove_const"
+    or
+    intrinsic = 12 and result = "__remove_cv"
+    or
+    intrinsic = 13 and result = "__remove_cvref"
+    or
+    intrinsic = 14 and result = "__remove_extent"
+    or
+    intrinsic = 15 and result = "__remove_pointer"
+    or
+    intrinsic = 16 and result = "__remove_reference_t"
+    or
+    intrinsic = 17 and result = "__remove_restrict"
+    or
+    intrinsic = 18 and result = "__remove_volatile"
+    or
+    intrinsic = 19 and result = "__remove_reference"
+  }
+
+  override Type getUnderlyingType() { result = this.getBaseType().getUnderlyingType() }
+
+  override Type stripTopLevelSpecifiers() { result = this.getBaseType().stripTopLevelSpecifiers() }
+
+  override Type stripType() { result = this.getBaseType().stripType() }
+
+  override Type resolveTypedefs() { result = this.getBaseType().resolveTypedefs() }
+
+  override string getName() { none() }
+
+  override int getSize() { result = this.getBaseType().getSize() }
+
+  override int getAlignment() { result = this.getBaseType().getAlignment() }
+
+  override int getPointerIndirectionLevel() {
+    result = this.getBaseType().getPointerIndirectionLevel()
+  }
+
+  override string explain() {
+    result =
+      "application of " + this.getIntrinsicName() + " resulting in {" + this.getBaseType().explain()
+        + "}"
+  }
+
+  override predicate involvesReference() { this.getBaseType().involvesReference() }
+
+  override predicate involvesTemplateParameter() { this.getBaseType().involvesTemplateParameter() }
+
+  override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() }
+
+  override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConstBelow() }
+
+  override Specifier internal_getAnAdditionalSpecifier() {
+    result = this.getBaseType().getASpecifier()
+  }
+}
+
 /**
 * A C/C++ pointer type. See 4.9.1.
 * ```
--- a/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
+++ b/cpp/ql/lib/semmle/code/cpp/exprs/Expr.qll
@@ -310,6 +310,8 @@ class Expr extends StmtParent, @expr {
    or
    exists(Decltype d | d.getExpr() = this.getParentWithConversions*())
    or
+    exists(TypeofExprType t | t.getExpr() = this.getParentWithConversions*())
+    or
    exists(ConstexprIfStmt constIf |
      constIf.getControllingExpr() = this.getParentWithConversions*()
    )
--- a/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/SideEffects.qll
@@ -16,6 +16,10 @@ private predicate isDeeplyConst(Type t) {
  or
  isDeeplyConst(t.(Decltype).getBaseType())
  or
+  isDeeplyConst(t.(TypeofType).getBaseType())
+  or
+  isDeeplyConst(t.(IntrinsicTransformedType).getBaseType())
+  or
  isDeeplyConst(t.(ReferenceType).getBaseType())
  or
  exists(SpecifiedType specType | specType = t |
@@ -36,6 +40,10 @@ private predicate isDeeplyConstBelow(Type t) {
  or
  isDeeplyConstBelow(t.(Decltype).getBaseType())
  or
+  isDeeplyConstBelow(t.(TypeofType).getBaseType())
+  or
+  isDeeplyConstBelow(t.(IntrinsicTransformedType).getBaseType())
+  or
  isDeeplyConst(t.(PointerType).getBaseType())
  or
  isDeeplyConst(t.(ReferenceType).getBaseType())
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -743,15 +743,17 @@ typedefbase(
 );

 /**
- * An instance of the C++11 `decltype` operator.  For example:
+ * An instance of the C++11 `decltype` operator or C23 `typeof`/`typeof_unqual`
+ * operator taking an expression as its argument.  For example:
 * ```
 * int a;
 * decltype(1+a) b;
+ * typeof(1+a) c;
 * ```
 * Here `expr` is `1+a`.
 *
 * Sometimes an additional pair of parentheses around the expression
- * would change the semantics of this decltype, e.g.
+ * changes the semantics of the decltype, e.g.
 * ```
 * struct A { double x; };
 * const A* a = new A();
@@ -761,14 +763,55 @@ typedefbase(
 * (Please consult the C++11 standard for more details).
 * `parentheses_would_change_meaning` is `true` iff that is the case.
 */
+
+/*
+case @decltype.kind of
+|  0 = @decltype
+|  1 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
+;
+*/
+
 #keyset[id, expr]
 decltypes(
    int id: @decltype,
    int expr: @expr ref,
+    int kind: int ref,
    int base_type: @type ref,
    boolean parentheses_would_change_meaning: boolean ref
 );

+/*
+case @type_operator.kind of
+|  0 = @typeof // The frontend does not differentiate between typeof and typeof_unqual
+|  1 = @underlying_type
+|  2 = @bases
+|  3 = @direct_bases
+|  4 = @add_lvalue_reference
+|  5 = @add_pointer
+|  6 = @add_rvalue_reference
+|  7 = @decay
+|  8 = @make_signed
+|  9 = @make_unsigned
+| 10 = @remove_all_extents
+| 11 = @remove_const
+| 12 = @remove_cv
+| 13 = @remove_cvref
+| 14 = @remove_extent
+| 15 = @remove_pointer
+| 16 = @remove_reference_t
+| 17 = @remove_restrict
+| 18 = @remove_volatile
+| 19 = @remove_reference
+;
+*/
+
+type_operators(
+    unique int id: @type_operator,
+    int arg_type: @type ref,
+    int kind: int ref,
+    int base_type: @type ref
+)
+
 /*
 case @usertype.kind of
 |  0 = @unknown_usertype
@@ -1103,10 +1146,10 @@ stmtattributes(
@type = @builtintype
      | @derivedtype
      | @usertype
-      /* TODO | @fixedpointtype */
      | @routinetype
      | @ptrtomember
-      | @decltype;
+      | @decltype
+      | @type_operator;

 unspecifiedtype(
    unique int type_id: @type ref,
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme.stats
--- a/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/decltypes.ql
+++ b/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/decltypes.ql
@@ -0,0 +1,11 @@
+class Type extends @type {
+  string toString() { none() }
+}
+
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+from Type decltype, Expr expr, Type basetype, boolean parentheses
+where decltypes(decltype, expr, basetype, parentheses)
+select decltype, expr, 0, basetype, parentheses
--- a/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/old.dbscheme
+++ b/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/old.dbscheme
--- a/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/upgrade.properties
+++ b/cpp/ql/lib/upgrades/2e2d805ef93d060b813403cb9b51dc72455a4c68/upgrade.properties
@@ -0,0 +1,3 @@
+description: Support C23 typeof and typeof_unqual
+compatibility: partial
+decltypes.rel: run decltypes.qlo
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.3.9
+
+No user-facing changes.
+
 ## 1.3.8

 No user-facing changes.
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -179,6 +179,7 @@ predicate overflows(MulExpr me, Type t) {

 from MulExpr me, Type t1, Type t2
 where
+  not any(Compilation c).buildModeNone() and
  t1 = me.getType().getUnderlyingType() and
  t2 = me.getConversion().getType().getUnderlyingType() and
  t1.getSize() < t2.getSize() and
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -154,6 +154,7 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }

 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
+  not any(Compilation c).buildModeNone() and
  (
    formattingFunctionCallExpectedType(ffc, n, expected) and
    formattingFunctionCallActualType(ffc, n, arg, actual) and
--- a/Management/SuspiciousCallToMemset.ql
+++ b/Management/SuspiciousCallToMemset.ql
@@ -47,11 +47,17 @@ Type stripType(Type t) {
  or
  result = stripType(t.(Decltype).getBaseType())
  or
+  result = stripType(t.(TypeofType).getBaseType())
+  or
+  result = stripType(t.(IntrinsicTransformedType).getBaseType())
+  or
  not t instanceof TypedefType and
  not t instanceof ArrayType and
  not t instanceof ReferenceType and
  not t instanceof SpecifiedType and
  not t instanceof Decltype and
+  not t instanceof TypeofType and
+  not t instanceof IntrinsicTransformedType and
  result = t
 }

--- a/Functions/ImplicitFunctionDeclaration.ql
+++ b/Functions/ImplicitFunctionDeclaration.ql
@@ -38,6 +38,7 @@ predicate isCompiledAsC(File f) {

 from FunctionDeclarationEntry fdeIm, FunctionCall fc
 where
+  not any(Compilation c).buildModeNone() and
  isCompiledAsC(fdeIm.getFile()) and
  not isFromMacroDefinition(fc) and
  fdeIm.isImplicit() and
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -51,6 +51,7 @@ int getComparisonSizeAdjustment(Expr e) {

 from Loop l, RelationalOperation rel, VariableAccess small, Expr large
 where
+  not any(Compilation c).buildModeNone() and
  small = rel.getLesserOperand() and
  large = rel.getGreaterOperand() and
  rel = l.getCondition().getAChild*() and
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -24,10 +24,12 @@ private predicate isCharSzPtrExpr(Expr e) {

 from Expr sizeofExpr, Expr e
 where
+  not any(Compilation c).buildModeNone() and
  // If we see an addWithSizeof then we expect the type of
  // the pointer expression to be `char*` or `void*`. Otherwise it
  // is probably a mistake.
-  addWithSizeof(e, sizeofExpr, _) and not isCharSzPtrExpr(e)
+  addWithSizeof(e, sizeofExpr, _) and
+  not isCharSzPtrExpr(e)
 select sizeofExpr,
  "Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@.",
  e.getFullyConverted().getType() as t, t.toString()
--- a/cpp/ql/src/change-notes/released/1.3.9.md
+++ b/cpp/ql/src/change-notes/released/1.3.9.md
@@ -0,0 +1,3 @@
+## 1.3.9
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.8
+lastReleaseVersion: 1.3.9
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.9-dev
+version: 1.3.9
 groups:
  - cpp
  - queries
--- a/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+++ b/cpp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
@@ -0,0 +1,13 @@
+/**
+ * @name Capture content based summary models.
+ * @description Finds applicable content based summary models to be used by other queries.
+ * @kind diagnostic
+ * @id cpp/utils/modelgenerator/contentbased-summary-models
+ * @tags modelgenerator
+ */
+
+import internal.CaptureModels
+
+from DataFlowSummaryTargetApi api, string flow
+where flow = ContentSensitive::captureFlow(api, _)
+select flow order by flow
--- a/csharp/ql/src/utils/modelgenerator/CaptureMixedNeutralModels.ql
+++ b/csharp/ql/src/utils/modelgenerator/CaptureMixedNeutralModels.ql
@@ -1,13 +1,13 @@
 /**
- * @name Capture mixed neutral models.
+ * @name Capture neutral models.
 * @description Finds neutral models to be used by other queries.
 * @kind diagnostic
- * @id cs/utils/modelgenerator/mixed-neutral-models
+ * @id cpp/utils/modelgenerator/neutral-models
 * @tags modelgenerator
 */

 import internal.CaptureModels

 from DataFlowSummaryTargetApi api, string noflow
-where noflow = captureMixedNeutral(api)
+where noflow = captureNeutral(api)
 select noflow order by noflow
--- a/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
+++ b/cpp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Capture sink models.
+ * @description Finds public methods that act as sinks as they flow into a known sink.
+ * @kind diagnostic
+ * @id cpp/utils/modelgenerator/sink-models
+ * @tags modelgenerator
+ */
+
+import internal.CaptureModels
+import Heuristic
+
+from DataFlowSinkTargetApi api, string sink
+where sink = captureSink(api)
+select sink order by sink
--- a/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
+++ b/cpp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
@@ -0,0 +1,14 @@
+/**
+ * @name Capture source models.
+ * @description Finds APIs that act as sources as they expose already known sources.
+ * @kind diagnostic
+ * @id cpp/utils/modelgenerator/source-models
+ * @tags modelgenerator
+ */
+
+import internal.CaptureModels
+import Heuristic
+
+from DataFlowSourceTargetApi api, string source
+where source = captureSource(api)
+select source order by source
--- a/csharp/ql/src/utils/modelgenerator/CaptureMixedSummaryModels.ql
+++ b/csharp/ql/src/utils/modelgenerator/CaptureMixedSummaryModels.ql
@@ -1,13 +1,13 @@
 /**
- * @name Capture mixed summary models.
+ * @name Capture summary models.
 * @description Finds applicable summary models to be used by other queries.
 * @kind diagnostic
- * @id cs/utils/modelgenerator/mixed-summary-models
+ * @id cpp/utils/modelgenerator/summary-models
 * @tags modelgenerator
 */

 import internal.CaptureModels

 from DataFlowSummaryTargetApi api, string flow
-where flow = captureMixedFlow(api, _)
+where flow = captureFlow(api, _)
 select flow order by flow
--- a/cpp/ql/src/utils/modelgenerator/GenerateFlowModel.py
+++ b/cpp/ql/src/utils/modelgenerator/GenerateFlowModel.py
@@ -0,0 +1,15 @@
+#!/usr/bin/python3
+
+import sys
+import os.path
+import subprocess
+
+# Add Model as Data script directory to sys.path.
+gitroot = subprocess.check_output(["git", "rev-parse", "--show-toplevel"]).decode("utf-8").strip()
+madpath = os.path.join(gitroot, "misc/scripts/models-as-data/")
+sys.path.append(madpath)
+
+import generate_flow_model as model
+
+language = "cpp"
+model.Generator.make(language).run()
--- a/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
+++ b/cpp/ql/src/utils/modelgenerator/internal/CaptureModels.qll
@@ -0,0 +1,404 @@
+/**
+ * Provides predicates related to capturing summary models of the Standard or a 3rd party library.
+ */
+
+private import cpp
+private import semmle.code.cpp.ir.IR
+private import semmle.code.cpp.dataflow.ExternalFlow as ExternalFlow
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplCommon as DataFlowImplCommon
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowImplSpecific
+private import semmle.code.cpp.ir.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+private import semmle.code.cpp.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
+private import semmle.code.cpp.ir.dataflow.internal.TaintTrackingImplSpecific
+private import semmle.code.cpp.dataflow.new.TaintTracking
+private import codeql.mad.modelgenerator.internal.ModelGeneratorImpl
+
+module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CppDataFlow> {
+  class Type = DataFlowPrivate::DataFlowType;
+
+  // Note: This also includes `this`
+  class Parameter = DataFlow::ParameterNode;
+
+  class Callable = Declaration;
+
+  class NodeExtended extends DataFlow::Node {
+    Callable getAsExprEnclosingCallable() { result = this.asExpr().getEnclosingDeclaration() }
+  }
+
+  Parameter asParameter(NodeExtended n) { result = n }
+
+  Callable getEnclosingCallable(NodeExtended n) {
+    result = n.getEnclosingCallable().asSourceCallable()
+  }
+
+  Callable getAsExprEnclosingCallable(NodeExtended n) {
+    result = n.asExpr().getEnclosingDeclaration()
+  }
+
+  /** Gets `api` if it is relevant. */
+  private Callable liftedImpl(Callable api) { result = api and relevant(api) }
+
+  private predicate hasManualSummaryModel(Callable api) {
+    api = any(FlowSummaryImpl::Public::SummarizedCallable sc | sc.applyManualModel()) or
+    api = any(FlowSummaryImpl::Public::NeutralSummaryCallable sc | sc.hasManualModel())
+  }
+
+  private predicate hasManualSourceModel(Callable api) {
+    api = any(FlowSummaryImpl::Public::NeutralSourceCallable sc | sc.hasManualModel())
+  }
+
+  private predicate hasManualSinkModel(Callable api) {
+    api = any(FlowSummaryImpl::Public::NeutralSinkCallable sc | sc.hasManualModel())
+  }
+
+  /**
+   * Holds if `f` is a "private" function.
+   *
+   * A "private" function does not contribute any models as it is assumed
+   * to be an implementation detail of some other "public" function for which
+   * we will generate a summary.
+   */
+  private predicate isPrivateOrProtected(Function f) {
+    f.getNamespace().getParentNamespace*().isAnonymous()
+    or
+    exists(MemberFunction mf | mf = f |
+      mf.isPrivate()
+      or
+      mf.isProtected()
+    )
+    or
+    f.isStatic()
+  }
+
+  private predicate isUninterestingForModels(Callable api) {
+    // Note: This also makes all global/static-local variables
+    // not relevant (which is good!)
+    not api.(Function).hasDefinition()
+    or
+    isPrivateOrProtected(api)
+    or
+    api instanceof Destructor
+    or
+    api = any(LambdaExpression lambda).getLambdaFunction()
+    or
+    api.isFromUninstantiatedTemplate(_)
+  }
+
+  private predicate relevant(Callable api) {
+    api.fromSource() and
+    not isUninterestingForModels(api)
+  }
+
+  class SummaryTargetApi extends Callable {
+    private Callable lift;
+
+    SummaryTargetApi() {
+      lift = liftedImpl(this) and
+      not hasManualSummaryModel(lift)
+    }
+
+    Callable lift() { result = lift }
+
+    predicate isRelevant() {
+      relevant(this) and
+      not hasManualSummaryModel(this)
+    }
+  }
+
+  class SourceOrSinkTargetApi extends Callable {
+    SourceOrSinkTargetApi() { relevant(this) }
+  }
+
+  class SinkTargetApi extends SourceOrSinkTargetApi {
+    SinkTargetApi() { not hasManualSinkModel(this) }
+  }
+
+  class SourceTargetApi extends SourceOrSinkTargetApi {
+    SourceTargetApi() { not hasManualSourceModel(this) }
+  }
+
+  class InstanceParameterNode extends DataFlow::ParameterNode {
+    InstanceParameterNode() {
+      DataFlowPrivate::nodeHasInstruction(this,
+        any(InitializeParameterInstruction i | i.hasIndex(-1)), 1)
+    }
+  }
+
+  private predicate isFinalMemberFunction(MemberFunction mf) {
+    mf.isFinal()
+    or
+    mf.getDeclaringType().isFinal()
+  }
+
+  /**
+   * Holds if the summary generated for `c` should also apply to overrides
+   * of `c`.
+   */
+  private string isExtensible(Callable c) {
+    if isFinalMemberFunction(c) then result = "false" else result = "true"
+  }
+
+  /**
+   * Gets the string representing the list of template parameters declared
+   * by `template`.
+   *
+   * `template` must either be:
+   * - An uninstantiated template, or
+   * - A declaration that is not from a template instantiation.
+   */
+  private string templateParams(Declaration template) {
+    exists(string params |
+      params =
+        concat(int i |
+          |
+          template.getTemplateArgument(i).(TypeTemplateParameter).getName(), "," order by i
+        )
+    |
+      if params = "" then result = "" else result = "<" + params + ">"
+    )
+  }
+
+  /**
+   * Gets the string representing the list of parameters declared
+   * by `functionTemplate`.
+   *
+   * `functionTemplate` must either be:
+   * - An uninstantiated template, or
+   * - A declaration that is not from a template instantiation.
+   */
+  private string params(Function functionTemplate) {
+    exists(string params |
+      params =
+        concat(int i |
+          |
+          ExternalFlow::getParameterTypeWithoutTemplateArguments(functionTemplate, i, true), ","
+          order by
+            i
+        ) and
+      result = "(" + params + ")"
+    )
+  }
+
+  /**
+   * Holds if the callable `c` is:
+   * - In the namespace represented by `namespace`, and
+   * - Has a declaring type represented by `type`, and
+   * - Has the name `name`, and
+   * - Has a list of parameters represented by `params`
+   *
+   * This is the predicate that computes the columns that it put into the MaD
+   * row for `callable`.
+   */
+  private predicate qualifiedName(
+    Callable callable, string namespace, string type, string name, string params
+  ) {
+    exists(
+      Function functionTemplate, string typeWithoutTemplateArgs, string nameWithoutTemplateArgs
+    |
+      functionTemplate = ExternalFlow::getFullyTemplatedFunction(callable) and
+      functionTemplate.hasQualifiedName(namespace, typeWithoutTemplateArgs, nameWithoutTemplateArgs) and
+      nameWithoutTemplateArgs = functionTemplate.getName() and
+      name = nameWithoutTemplateArgs + templateParams(functionTemplate) and
+      params = params(functionTemplate)
+    |
+      exists(Class classTemplate |
+        classTemplate = functionTemplate.getDeclaringType() and
+        type = typeWithoutTemplateArgs + templateParams(classTemplate)
+      )
+      or
+      not exists(functionTemplate.getDeclaringType()) and
+      type = ""
+    )
+  }
+
+  predicate isRelevantType(Type t) { any() }
+
+  Type getUnderlyingContentType(DataFlow::ContentSet c) {
+    result = c.(DataFlow::FieldContent).getField().getUnspecifiedType() or
+    result = c.(DataFlow::UnionContent).getUnion().getUnspecifiedType()
+  }
+
+  string qualifierString() { result = "Argument[-1]" }
+
+  private predicate parameterContentAccessImpl(Parameter p, string argument) {
+    exists(int indirectionIndex, int argumentIndex, DataFlowPrivate::Position pos |
+      p.isSourceParameterOf(_, pos) and
+      pos.getArgumentIndex() = argumentIndex and
+      argumentIndex != -1 and // handled elsewhere
+      pos.getIndirectionIndex() = indirectionIndex
+    |
+      indirectionIndex = 0 and
+      argument = "Argument[" + argumentIndex + "]"
+      or
+      indirectionIndex > 0 and
+      argument = "Argument[" + DataFlow::repeatStars(indirectionIndex) + argumentIndex + "]"
+    )
+  }
+
+  string parameterAccess(Parameter p) { parameterContentAccessImpl(p, result) }
+
+  string parameterContentAccess(Parameter p) { parameterContentAccessImpl(p, result) }
+
+  bindingset[c]
+  string paramReturnNodeAsOutput(Callable c, DataFlowPrivate::Position pos) {
+    exists(Parameter p |
+      p.isSourceParameterOf(c, pos) and
+      result = parameterAccess(p)
+    )
+    or
+    pos.getArgumentIndex() = -1 and
+    result = qualifierString() and
+    pos.getIndirectionIndex() = 1
+  }
+
+  bindingset[c]
+  string paramReturnNodeAsContentOutput(Callable c, DataFlowPrivate::ParameterPosition pos) {
+    result = paramReturnNodeAsOutput(c, pos)
+  }
+
+  pragma[nomagic]
+  Callable returnNodeEnclosingCallable(DataFlow::Node ret) {
+    result = DataFlowImplCommon::getNodeEnclosingCallable(ret).asSourceCallable()
+  }
+
+  /** Holds if this instance access is to an enclosing instance of type `t`. */
+  pragma[nomagic]
+  private predicate isEnclosingInstanceAccess(DataFlowPrivate::ReturnNode n, Class t) {
+    n.getKind().isIndirectReturn(-1) and
+    t = n.getType().stripType() and
+    t != n.getEnclosingCallable().asSourceCallable().(Function).getDeclaringType()
+  }
+
+  pragma[nomagic]
+  predicate isOwnInstanceAccessNode(DataFlowPrivate::ReturnNode node) {
+    node.getKind().isIndirectReturn(-1) and
+    not isEnclosingInstanceAccess(node, _)
+  }
+
+  predicate sinkModelSanitizer(DataFlow::Node node) { none() }
+
+  predicate apiSource(DataFlow::Node source) {
+    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1)
+    or
+    source instanceof DataFlow::ParameterNode
+  }
+
+  string getInputArgument(DataFlow::Node source) {
+    exists(DataFlowPrivate::Position pos, int argumentIndex, int indirectionIndex |
+      source.(DataFlow::ParameterNode).isParameterOf(_, pos) and
+      argumentIndex = pos.getArgumentIndex() and
+      indirectionIndex = pos.getIndirectionIndex() and
+      result = "Argument[" + DataFlow::repeatStars(indirectionIndex) + argumentIndex + "]"
+    )
+    or
+    DataFlowPrivate::nodeHasOperand(source, any(DataFlow::FieldAddress fa), 1) and
+    result = qualifierString()
+  }
+
+  string getReturnValueString(DataFlowPrivate::ReturnKind k) {
+    k.isNormalReturn() and
+    exists(int indirectionIndex | indirectionIndex = k.getIndirectionIndex() |
+      indirectionIndex = 0 and
+      result = "ReturnValue"
+      or
+      indirectionIndex > 0 and
+      result = "ReturnValue[" + DataFlow::repeatStars(indirectionIndex) + "]"
+    )
+  }
+
+  predicate irrelevantSourceSinkApi(Callable source, SourceTargetApi api) { none() }
+
+  bindingset[kind]
+  predicate isRelevantSourceKind(string kind) { any() }
+
+  bindingset[kind]
+  predicate isRelevantSinkKind(string kind) { any() }
+
+  predicate containerContent(DataFlow::ContentSet cs) { cs instanceof DataFlow::ElementContent }
+
+  predicate isAdditionalContentFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    TaintTracking::defaultAdditionalTaintStep(node1, node2, _) and
+    not exists(DataFlow::Content f |
+      DataFlowPrivate::readStep(node1, f, node2) and containerContent(f)
+    )
+  }
+
+  predicate isField(DataFlow::ContentSet cs) {
+    exists(DataFlow::Content c | cs.isSingleton(c) |
+      c instanceof DataFlow::FieldContent or
+      c instanceof DataFlow::UnionContent
+    )
+  }
+
+  predicate isCallback(DataFlow::ContentSet c) { none() }
+
+  string getSyntheticName(DataFlow::ContentSet c) {
+    exists(Field f |
+      not f.isPublic() and
+      f = c.(DataFlow::FieldContent).getField() and
+      result = f.getName()
+    )
+  }
+
+  string printContent(DataFlow::ContentSet c) {
+    exists(int indirectionIndex, string name, string kind |
+      exists(DataFlow::UnionContent uc |
+        c.isSingleton(uc) and
+        name = uc.getUnion().getName() and
+        indirectionIndex = uc.getIndirectionIndex() and
+        // Note: We don't actually support the union string in MaD, but we should do that eventually
+        kind = "Union["
+      )
+      or
+      exists(DataFlow::FieldContent fc |
+        c.isSingleton(fc) and
+        name = fc.getField().getName() and
+        indirectionIndex = fc.getIndirectionIndex() and
+        kind = "Field["
+      )
+    |
+      result = kind + DataFlow::repeatStars(indirectionIndex) + name + "]"
+    )
+    or
+    exists(DataFlow::ElementContent ec |
+      c.isSingleton(ec) and
+      result = "Element[" + ec.getIndirectionIndex() + "]"
+    )
+  }
+
+  predicate isUninterestingForDataFlowModels(Callable api) { none() }
+
+  predicate isUninterestingForHeuristicDataFlowModels(Callable api) {
+    isUninterestingForDataFlowModels(api)
+  }
+
+  string partialModelRow(Callable api, int i) {
+    i = 0 and qualifiedName(api, result, _, _, _) // namespace
+    or
+    i = 1 and qualifiedName(api, _, result, _, _) // type
+    or
+    i = 2 and result = isExtensible(api) // extensible
+    or
+    i = 3 and qualifiedName(api, _, _, result, _) // name
+    or
+    i = 4 and qualifiedName(api, _, _, _, result) // parameters
+    or
+    i = 5 and result = "" and exists(api) // ext
+  }
+
+  string partialNeutralModelRow(Callable api, int i) {
+    i = 0 and qualifiedName(api, result, _, _, _) // namespace
+    or
+    i = 1 and qualifiedName(api, _, result, _, _) // type
+    or
+    i = 2 and qualifiedName(api, _, _, result, _) // name
+    or
+    i = 3 and qualifiedName(api, _, _, _, result) // parameters
+  }
+
+  predicate sourceNode = ExternalFlow::sourceNode/2;
+
+  predicate sinkNode = ExternalFlow::sinkNode/2;
+}
+
+import MakeModelGenerator<Location, CppDataFlow, CppTaintTracking, ModelGeneratorInput>
--- a/cpp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll
+++ b/cpp/ql/src/utils/modelgenerator/internal/CaptureModelsPrinting.qll
@@ -0,0 +1,13 @@
+private import cpp as Cpp
+private import codeql.mad.modelgenerator.internal.ModelPrinting
+private import CaptureModels::ModelGeneratorInput as ModelGeneratorInput
+
+private module ModelPrintingLang implements ModelPrintingLangSig {
+  class Callable = Cpp::Declaration;
+
+  predicate partialModelRow = ModelGeneratorInput::partialModelRow/2;
+
+  predicate partialNeutralModelRow = ModelGeneratorInput::partialNeutralModelRow/2;
+}
+
+import ModelPrintingImpl<ModelPrintingLang>
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.expected
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.expected
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ext.yml
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data:
+      - [ "models", "ManuallyModelled", False, "hasSummary", "(void *)", "", "Argument[0]", "ReturnValue", "value", "manual"]
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ql
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureContentSummaryModels.ql
@@ -0,0 +1,11 @@
+import cpp
+import utils.modelgenerator.internal.CaptureModels
+import InlineModelsAsDataTest
+
+module InlineMadTestConfig implements InlineMadTestConfigSig {
+  string getCapturedModel(MadRelevantFunction c) { result = ContentSensitive::captureFlow(c, _) }
+
+  string getKind() { result = "contentbased-summary" }
+}
+
+import InlineMadTest<InlineMadTestConfig>
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.expected
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.expected
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ext.yml
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ext.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data:
+      - [ "Models", "ManuallyModelled", False, "hasSummary", "(void *)", "", "Argument[0]", "ReturnValue", "value", "manual"]
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/CaptureHeuristicSummaryModels.ql
@@ -0,0 +1,11 @@
+import cpp
+import utils.modelgenerator.internal.CaptureModels
+import InlineModelsAsDataTest
+
+module InlineMadTestConfig implements InlineMadTestConfigSig {
+  string getCapturedModel(MadRelevantFunction c) { result = Heuristic::captureFlow(c) }
+
+  string getKind() { result = "heuristic-summary" }
+}
+
+import InlineMadTest<InlineMadTestConfig>
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/InlineModelsAsDataTest.qll
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/InlineModelsAsDataTest.qll
@@ -0,0 +1,34 @@
+private import cpp
+private import codeql.mad.test.InlineMadTest
+
+class MadRelevantFunction extends Function {
+  MadRelevantFunction() { not this.isFromUninstantiatedTemplate(_) }
+}
+
+private module InlineMadTestLang implements InlineMadTestLangSig {
+  class Callable = MadRelevantFunction;
+
+  /**
+   * Holds if `c` is the closest `Callable` that succeeds `comment` in the file.
+   */
+  private predicate hasClosestCallable(CppStyleComment comment, Callable c) {
+    c =
+      min(Callable cand, int dist |
+        // This has no good join order, but should hopefully be good enough for tests.
+        cand.getFile() = comment.getFile() and
+        dist = cand.getLocation().getStartLine() - comment.getLocation().getStartLine() and
+        dist > 0
+      |
+        cand order by dist
+      )
+  }
+
+  string getComment(Callable c) {
+    exists(CppStyleComment comment |
+      hasClosestCallable(comment, c) and
+      result = comment.getContents().suffix(2)
+    )
+  }
+}
+
+import InlineMadTestImpl<InlineMadTestLang>
--- a/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp
+++ b/cpp/ql/test/library-tests/dataflow/modelgenerator/dataflow/summaries.cpp
@@ -0,0 +1,201 @@
+using size_t = decltype(sizeof(int));
+
+size_t strlen(const char* str);
+char* strcpy(char* dest, const char* src);
+
+namespace Models {
+    struct BasicFlow {
+        int* tainted;
+
+        //No model as destructors are excluded from model generation.
+        ~BasicFlow() = default;
+
+        //heuristic-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;BasicFlow;true;returnThis;(int *);;Argument[-1];ReturnValue[*];value;dfc-generated
+        BasicFlow* returnThis(int* input) {
+            return this;
+        }
+
+        //heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[0];ReturnValue;value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnParam0;(int *,int *);;Argument[*0];ReturnValue[*];value;dfc-generated
+        int* returnParam0(int* input0, int* input1) {
+            return input0;
+        }
+
+        //heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[1];ReturnValue;value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnParam1;(int *,int *);;Argument[*1];ReturnValue[*];value;dfc-generated
+        int* returnParam1(int* input0, int* input1) {
+            return input1;
+        }
+
+        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*2];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[1];ReturnValue;value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*1];ReturnValue[*];value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[2];ReturnValue;value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnParamMultiple;(bool,int *,int *);;Argument[*2];ReturnValue[*];value;dfc-generated
+        int* returnParamMultiple(bool b, int* input0, int* input1) {
+            return b ? input0 : input1;
+        }
+
+        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];Argument[*1];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[1];ReturnValue;taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];Argument[*1];taint;df-generated
+        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];Argument[*1];taint;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[0];ReturnValue[*];taint;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];ReturnValue[*];value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[1];ReturnValue;value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnSubstring;(const char *,char *);;Argument[*0];Argument[*1];value;dfc-generated
+        char* returnSubstring(const char* source, char* dest) {
+            return strcpy(dest, source + 1);
+        }
+
+        //heuristic-summary=Models;BasicFlow;true;setField;(int *);;Argument[0];Argument[-1];taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;setField;(int *);;Argument[*0];Argument[-1];taint;df-generated
+        //contentbased-summary=Models;BasicFlow;true;setField;(int *);;Argument[0];Argument[-1].Field[*tainted];value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;setField;(int *);;Argument[*0];Argument[-1].Field[**tainted];value;dfc-generated
+        void setField(int* s) {
+            tainted = s;
+        }
+
+        //heuristic-summary=Models;BasicFlow;true;returnField;();;Argument[-1];ReturnValue;taint;df-generated
+        //heuristic-summary=Models;BasicFlow;true;returnField;();;Argument[-1];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;BasicFlow;true;returnField;();;Argument[-1].Field[*tainted];ReturnValue;value;dfc-generated
+        //contentbased-summary=Models;BasicFlow;true;returnField;();;Argument[-1].Field[**tainted];ReturnValue[*];value;dfc-generated
+        int* returnField() {
+            return tainted;
+        }
+    };
+
+    template<typename T>
+    struct TemplatedFlow {
+        T tainted;
+
+        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnThis;(T);;Argument[-1];ReturnValue[*];value;dfc-generated
+        TemplatedFlow<T>* template_returnThis(T input) {
+            return this;
+        }
+
+        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;taint;df-generated
+        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[0];ReturnValue;value;dfc-generated
+        //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnParam0;(T *,T *);;Argument[*0];ReturnValue[*];value;dfc-generated
+        T* template_returnParam0(T* input0, T* input1) {
+            return input0;
+        }
+
+        //heuristic-summary=Models;TemplatedFlow<T>;true;template_setField;(T);;Argument[0];Argument[-1];taint;df-generated
+        //contentbased-summary=Models;TemplatedFlow<T>;true;template_setField;(T);;Argument[0];Argument[-1].Field[*tainted];value;dfc-generated
+        void template_setField(T s) {
+            tainted = s;
+        }
+
+        //heuristic-summary=Models;TemplatedFlow<T>;true;template_returnField;();;Argument[-1];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;TemplatedFlow<T>;true;template_returnField;();;Argument[-1].Field[*tainted];ReturnValue[*];value;dfc-generated
+        T& template_returnField() {
+            return tainted;
+        }
+
+        //heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;taint;df-generated
+        //heuristic-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];taint;df-generated
+        //contentbased-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[0];ReturnValue;value;dfc-generated
+        //contentbased-summary=Models;TemplatedFlow<T>;true;templated_function<U>;(U *,T *);;Argument[*0];ReturnValue[*];value;dfc-generated
+        template<typename U>
+        U* templated_function(U* u, T* t) {
+            return u;
+        }
+    };
+
+    void test_templated_flow() {
+        // Ensure that we have an instantiation of the templated class
+        TemplatedFlow<int> intFlow;
+        intFlow.template_returnThis(0);
+
+        intFlow.template_returnParam0(nullptr, nullptr);
+
+        intFlow.template_setField(0);
+        intFlow.template_returnField();
+
+        intFlow.templated_function<int>(nullptr, nullptr);
+    }
+}
+
+//heuristic-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;df-generated
+//heuristic-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;taint;df-generated
+//contentbased-summary=;;true;toplevel_function;(int *);;Argument[0];ReturnValue;taint;dfc-generated
+//contentbased-summary=;;true;toplevel_function;(int *);;Argument[*0];ReturnValue;value;dfc-generated
+int toplevel_function(int* p) {
+    return *p;
+}
+
+//No model as static functions are excluded from model generation.
+static int static_toplevel_function(int* p) {
+    return *p;
+}
+
+struct NonFinalStruct {
+    //heuristic-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;taint;df-generated
+    //contentbased-summary=;NonFinalStruct;true;public_not_final_member_function;(int);;Argument[0];ReturnValue;value;dfc-generated
+    virtual int public_not_final_member_function(int x) {
+        return x;
+    }
+
+    //heuristic-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;taint;df-generated
+    //contentbased-summary=;NonFinalStruct;false;public_final_member_function;(int);;Argument[0];ReturnValue;value;dfc-generated
+    virtual int public_final_member_function(int x) final {
+        return x;
+    }
+
+private:
+    //No model as private members are excluded from model generation.
+    int private_member_function(int x) {
+        return x;
+    }
+
+protected:
+    //No model as protected members are excluded from model generation.
+    int protected_member_function(int x) {
+        return x;
+    }
+};
+
+struct FinalStruct final {
+    //heuristic-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;taint;df-generated
+    //contentbased-summary=;FinalStruct;false;public_not_final_member_function_2;(int);;Argument[0];ReturnValue;value;dfc-generated
+    virtual int public_not_final_member_function_2(int x) {
+        return x;
+    }
+
+    //heuristic-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;taint;df-generated
+    //contentbased-summary=;FinalStruct;false;public_final_member_function_2;(int);;Argument[0];ReturnValue;value;dfc-generated
+    virtual int public_final_member_function_2(int x) final {
+        return x;
+    }
+};
+
+union U {
+    int x, y;
+};
+
+//heuristic-summary=;;true;get_x_from_union;(U *);;Argument[0];ReturnValue;taint;df-generated
+//heuristic-summary=;;true;get_x_from_union;(U *);;Argument[*0];ReturnValue;taint;df-generated
+//contentbased-summary=;;true;get_x_from_union;(U *);;Argument[0];ReturnValue;taint;dfc-generated
+//contentbased-summary=;;true;get_x_from_union;(U *);;Argument[*0].Union[*U];ReturnValue;value;dfc-generated
+int get_x_from_union(U* u) {
+    return u->x;
+}
+
+//heuristic-summary=;;true;set_x_in_union;(U *,int);;Argument[1];Argument[*0];taint;df-generated
+//contentbased-summary=;;true;set_x_in_union;(U *,int);;Argument[1];Argument[*0].Union[*U];value;dfc-generated
+void set_x_in_union(U* u, int x) {
+    u->x = x;
+}
--- a/cpp/ql/test/library-tests/declstmt/getDeclaration.expected
+++ b/cpp/ql/test/library-tests/declstmt/getDeclaration.expected
@@ -1,5 +1,7 @@
 | cpp.cpp:3:5:3:51 | declaration | 0 | cpp.cpp:3:19:3:24 | twisty |
 | cpp.cpp:3:5:3:51 | declaration | 0 | cpp.cpp:3:43:3:48 | twisty |
+| cpp.cpp:3:15:3:27 | declaration | 0 | cpp.cpp:3:19:3:24 | twisty |
+| cpp.cpp:3:15:3:27 | declaration | 0 | cpp.cpp:3:43:3:48 | twisty |
 | cpp.cpp:5:5:5:62 | declaration | 0 | cpp.cpp:5:61:5:61 | i |
 | cpp.cpp:5:38:5:51 | declaration | 0 | cpp.cpp:5:44:5:44 | t |
 | declstmt.c:7:5:7:19 | declaration | 0 | declstmt.c:7:9:7:12 | fun1 |
--- a/cpp/ql/test/library-tests/declstmt/getDeclarationEntry.expected
+++ b/cpp/ql/test/library-tests/declstmt/getDeclarationEntry.expected
@@ -1,4 +1,5 @@
 | cpp.cpp:3:5:3:51 | declaration | 0 | cpp.cpp:3:43:3:48 | declaration of twisty |
+| cpp.cpp:3:15:3:27 | declaration | 0 | cpp.cpp:3:19:3:24 | declaration of twisty |
 | cpp.cpp:5:5:5:62 | declaration | 0 | cpp.cpp:5:61:5:61 | definition of i |
 | cpp.cpp:5:38:5:51 | declaration | 0 | cpp.cpp:5:44:5:44 | declaration of t |
 | declstmt.c:7:5:7:19 | declaration | 0 | declstmt.c:7:9:7:12 | definition of fun1 |
--- a/cpp/ql/test/library-tests/enums/typedefs/exprs.expected
+++ b/cpp/ql/test/library-tests/enums/typedefs/exprs.expected
@@ -1,2 +1,3 @@
 | file://:0:0:0:0 | 0 | file://:0:0:0:0 | int |
-| test.c:7:20:7:21 | E | file://:0:0:0:0 | int |
+| test.c:7:14:7:14 | E | file://:0:0:0:0 | int |
+| test.c:7:20:7:21 | E | test.c:7:14:7:14 | typeof(...) |
--- a/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
+++ b/cpp/ql/test/library-tests/syntax-zoo/dataflow-consistency.expected
@@ -8,7 +8,10 @@ uniqueEnclosingCallable
 | misc.c:210:24:210:24 | 0 | Node should have one enclosing callable but has 0. |
 | misc.c:210:24:210:28 | ... + ... | Node should have one enclosing callable but has 0. |
 | misc.c:210:28:210:28 | 1 | Node should have one enclosing callable but has 0. |
+| stmt_in_type.cpp:3:12:3:40 | (statement expression) | Node should have one enclosing callable but has 0. |
+| stmt_in_type.cpp:3:29:3:34 | call to twisty | Node should have one enclosing callable but has 0. |
 uniqueCallEnclosingCallable
+| stmt_in_type.cpp:3:29:3:34 | call to twisty | Call should have one enclosing callable but has 0. |
 uniqueType
 uniqueNodeLocation
 | file://:0:0:0:0 | (unnamed parameter 2) | Node should have one location but has 0. |
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.39
+
+No user-facing changes.
+
 ## 1.7.38

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.39.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.39.md
@@ -0,0 +1,3 @@
+## 1.7.39
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.38
+lastReleaseVersion: 1.7.39
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.39-dev
+version: 1.7.39
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.39
+
+No user-facing changes.
+
 ## 1.7.38

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.39.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.39.md
@@ -0,0 +1,3 @@
+## 1.7.39
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.38
+lastReleaseVersion: 1.7.39
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.39-dev
+version: 1.7.39
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-code-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-code-quality.qls.expected
@@ -0,0 +1,13 @@
+ql/csharp/ql/src/API Abuse/FormatInvalid.ql
+ql/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql
+ql/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql
+ql/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
+ql/csharp/ql/src/Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql
+ql/csharp/ql/src/Likely Bugs/Collections/ContainerSizeCmpZero.ql
+ql/csharp/ql/src/Likely Bugs/DangerousNonShortCircuitLogic.ql
+ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
+ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
+ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
+ql/csharp/ql/src/Performance/UseTryGetValue.ql
+ql/csharp/ql/src/Useless code/DefaultToString.ql
+ql/csharp/ql/src/Useless code/IntGetHashCode.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-code-scanning.qls.expected
@@ -0,0 +1,57 @@
+ql/csharp/ql/src/Diagnostics/CompilerError.ql
+ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
+ql/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
+ql/csharp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/csharp/ql/src/Diagnostics/ExtractorError.ql
+ql/csharp/ql/src/Diagnostics/ExtractorMessage.ql
+ql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
+ql/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
+ql/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
+ql/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
+ql/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
+ql/csharp/ql/src/Security Features/CWE-079/XSS.ql
+ql/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
+ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
+ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
+ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
+ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
+ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
+ql/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
+ql/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
+ql/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
+ql/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
+ql/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
+ql/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
+ql/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
+ql/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
+ql/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
+ql/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
+ql/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql
+ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
+ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
+ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
+ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
+ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
+ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
+ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
+ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
+ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
+ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
+ql/csharp/ql/src/Security Features/Encryption using ECB.ql
+ql/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
+ql/csharp/ql/src/Security Features/InadequateRSAPadding.ql
+ql/csharp/ql/src/Security Features/InsecureRandomness.ql
+ql/csharp/ql/src/Security Features/InsufficientKeySize.ql
+ql/csharp/ql/src/Security Features/PersistentCookie.ql
+ql/csharp/ql/src/Security Features/WeakEncryption.ql
+ql/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/csharp/ql/src/Telemetry/ExtractorInformation.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalApis.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalSources.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-and-quality.qls.expected
@@ -0,0 +1,173 @@
+ql/csharp/ql/src/API Abuse/CallToGCCollect.ql
+ql/csharp/ql/src/API Abuse/CallToObsoleteMethod.ql
+ql/csharp/ql/src/API Abuse/ClassDoesNotImplementEquals.ql
+ql/csharp/ql/src/API Abuse/ClassImplementsICloneable.ql
+ql/csharp/ql/src/API Abuse/DisposeNotCalledOnException.ql
+ql/csharp/ql/src/API Abuse/FormatInvalid.ql
+ql/csharp/ql/src/API Abuse/InconsistentEqualsGetHashCode.ql
+ql/csharp/ql/src/API Abuse/IncorrectCompareToSignature.ql
+ql/csharp/ql/src/API Abuse/IncorrectEqualsSignature.ql
+ql/csharp/ql/src/API Abuse/NoDisposeCallOnLocalIDisposable.ql
+ql/csharp/ql/src/API Abuse/NullArgumentToEquals.ql
+ql/csharp/ql/src/ASP/BlockCodeResponseWrite.ql
+ql/csharp/ql/src/Architecture/Refactoring Opportunities/InappropriateIntimacy.ql
+ql/csharp/ql/src/Bad Practices/CallsUnmanagedCode.ql
+ql/csharp/ql/src/Bad Practices/CatchOfNullReferenceException.ql
+ql/csharp/ql/src/Bad Practices/Control-Flow/ConstantCondition.ql
+ql/csharp/ql/src/Bad Practices/Declarations/LocalScopeVariableShadowsMember.ql
+ql/csharp/ql/src/Bad Practices/Declarations/TooManyRefParameters.ql
+ql/csharp/ql/src/Bad Practices/EmptyCatchBlock.ql
+ql/csharp/ql/src/Bad Practices/ErroneousClassCompare.ql
+ql/csharp/ql/src/Bad Practices/Implementation Hiding/AbstractToConcreteCollection.ql
+ql/csharp/ql/src/Bad Practices/Implementation Hiding/ExposeRepresentation.ql
+ql/csharp/ql/src/Bad Practices/Naming Conventions/FieldMasksSuperField.ql
+ql/csharp/ql/src/Bad Practices/Naming Conventions/SameNameAsSuper.ql
+ql/csharp/ql/src/Bad Practices/PathCombine.ql
+ql/csharp/ql/src/Bad Practices/UnmanagedCodeCheck.ql
+ql/csharp/ql/src/Bad Practices/VirtualCallInConstructorOrDestructor.ql
+ql/csharp/ql/src/CSI/CompareIdenticalValues.ql
+ql/csharp/ql/src/CSI/NullAlways.ql
+ql/csharp/ql/src/CSI/NullMaybe.ql
+ql/csharp/ql/src/Complexity/BlockWithTooManyStatements.ql
+ql/csharp/ql/src/Complexity/ComplexCondition.ql
+ql/csharp/ql/src/Concurrency/FutileSyncOnField.ql
+ql/csharp/ql/src/Concurrency/LockOrder.ql
+ql/csharp/ql/src/Concurrency/LockThis.ql
+ql/csharp/ql/src/Concurrency/LockedWait.ql
+ql/csharp/ql/src/Concurrency/SynchSetUnsynchGet.ql
+ql/csharp/ql/src/Concurrency/UnsafeLazyInitialization.ql
+ql/csharp/ql/src/Concurrency/UnsynchronizedStaticAccess.ql
+ql/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
+ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
+ql/csharp/ql/src/Dead Code/DeadStoreOfLocal.ql
+ql/csharp/ql/src/Diagnostics/CompilerError.ql
+ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
+ql/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
+ql/csharp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/csharp/ql/src/Diagnostics/ExtractorError.ql
+ql/csharp/ql/src/Diagnostics/ExtractorMessage.ql
+ql/csharp/ql/src/Documentation/XmldocMissingSummary.ql
+ql/csharp/ql/src/Input Validation/UseOfFileUpload.ql
+ql/csharp/ql/src/Input Validation/ValueShadowing.ql
+ql/csharp/ql/src/Input Validation/ValueShadowingServerVariable.ql
+ql/csharp/ql/src/Language Abuse/CastThisToTypeParameter.ql
+ql/csharp/ql/src/Language Abuse/CatchOfGenericException.ql
+ql/csharp/ql/src/Language Abuse/ChainedIs.ql
+ql/csharp/ql/src/Language Abuse/DubiousDowncastOfThis.ql
+ql/csharp/ql/src/Language Abuse/DubiousTypeTestOfThis.ql
+ql/csharp/ql/src/Language Abuse/MissedReadonlyOpportunity.ql
+ql/csharp/ql/src/Language Abuse/MissedTernaryOpportunity.ql
+ql/csharp/ql/src/Language Abuse/MissedUsingOpportunity.ql
+ql/csharp/ql/src/Language Abuse/NestedIf.ql
+ql/csharp/ql/src/Language Abuse/RethrowException.ql
+ql/csharp/ql/src/Language Abuse/SimplifyBoolExpr.ql
+ql/csharp/ql/src/Language Abuse/UnusedPropertyValue.ql
+ql/csharp/ql/src/Language Abuse/UselessCastToSelf.ql
+ql/csharp/ql/src/Language Abuse/UselessNullCoalescingExpression.ql
+ql/csharp/ql/src/Language Abuse/UselessTypeTest.ql
+ql/csharp/ql/src/Language Abuse/UselessUpcast.ql
+ql/csharp/ql/src/Likely Bugs/Collections/ContainerLengthCmpOffByOne.ql
+ql/csharp/ql/src/Likely Bugs/Collections/ContainerSizeCmpZero.ql
+ql/csharp/ql/src/Likely Bugs/Collections/ReadOnlyContainer.ql
+ql/csharp/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
+ql/csharp/ql/src/Likely Bugs/ConstantComparison.ql
+ql/csharp/ql/src/Likely Bugs/DangerousNonShortCircuitLogic.ql
+ql/csharp/ql/src/Likely Bugs/Dynamic/BadDynamicCall.ql
+ql/csharp/ql/src/Likely Bugs/EqualityCheckOnFloats.ql
+ql/csharp/ql/src/Likely Bugs/EqualsArray.ql
+ql/csharp/ql/src/Likely Bugs/EqualsUsesAs.ql
+ql/csharp/ql/src/Likely Bugs/EqualsUsesIs.ql
+ql/csharp/ql/src/Likely Bugs/HashedButNoHash.ql
+ql/csharp/ql/src/Likely Bugs/ImpossibleArrayCast.ql
+ql/csharp/ql/src/Likely Bugs/IncomparableEquals.ql
+ql/csharp/ql/src/Likely Bugs/InconsistentCompareTo.ql
+ql/csharp/ql/src/Likely Bugs/LeapYear/UnsafeYearConstruction.ql
+ql/csharp/ql/src/Likely Bugs/MishandlingJapaneseEra.ql
+ql/csharp/ql/src/Likely Bugs/NestedLoopsSameVariable.ql
+ql/csharp/ql/src/Likely Bugs/ObjectComparison.ql
+ql/csharp/ql/src/Likely Bugs/PossibleLossOfPrecision.ql
+ql/csharp/ql/src/Likely Bugs/RecursiveEquals.ql
+ql/csharp/ql/src/Likely Bugs/RecursiveOperatorEquals.ql
+ql/csharp/ql/src/Likely Bugs/ReferenceEqualsOnValueTypes.ql
+ql/csharp/ql/src/Likely Bugs/SelfAssignment.ql
+ql/csharp/ql/src/Likely Bugs/Statements/EmptyBlock.ql
+ql/csharp/ql/src/Likely Bugs/Statements/EmptyLockStatement.ql
+ql/csharp/ql/src/Likely Bugs/Statements/UseBraces.ql
+ql/csharp/ql/src/Likely Bugs/StaticFieldWrittenByInstance.ql
+ql/csharp/ql/src/Likely Bugs/StringBuilderCharInit.ql
+ql/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql
+ql/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
+ql/csharp/ql/src/Likely Bugs/UncheckedCastInEquals.ql
+ql/csharp/ql/src/Linq/BadMultipleIteration.ql
+ql/csharp/ql/src/Linq/MissedAllOpportunity.ql
+ql/csharp/ql/src/Linq/MissedCastOpportunity.ql
+ql/csharp/ql/src/Linq/MissedOfTypeOpportunity.ql
+ql/csharp/ql/src/Linq/MissedSelectOpportunity.ql
+ql/csharp/ql/src/Linq/MissedWhereOpportunity.ql
+ql/csharp/ql/src/Linq/RedundantSelect.ql
+ql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/csharp/ql/src/Performance/StringBuilderInLoop.ql
+ql/csharp/ql/src/Performance/StringConcatenationInLoop.ql
+ql/csharp/ql/src/Performance/UseTryGetValue.ql
+ql/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
+ql/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
+ql/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql
+ql/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
+ql/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
+ql/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
+ql/csharp/ql/src/Security Features/CWE-079/XSS.ql
+ql/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
+ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
+ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
+ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
+ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
+ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
+ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
+ql/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
+ql/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
+ql/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
+ql/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
+ql/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
+ql/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql
+ql/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
+ql/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
+ql/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
+ql/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
+ql/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
+ql/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
+ql/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql
+ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
+ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
+ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
+ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
+ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
+ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
+ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
+ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
+ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
+ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
+ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
+ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
+ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
+ql/csharp/ql/src/Security Features/Encryption using ECB.ql
+ql/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
+ql/csharp/ql/src/Security Features/InadequateRSAPadding.ql
+ql/csharp/ql/src/Security Features/InsecureRandomness.ql
+ql/csharp/ql/src/Security Features/InsufficientKeySize.ql
+ql/csharp/ql/src/Security Features/PersistentCookie.ql
+ql/csharp/ql/src/Security Features/WeakEncryption.ql
+ql/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/csharp/ql/src/Telemetry/ExtractorInformation.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalApis.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalSources.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
+ql/csharp/ql/src/Useless code/DefaultToString.ql
+ql/csharp/ql/src/Useless code/FutileConditional.ql
+ql/csharp/ql/src/Useless code/IntGetHashCode.ql
+ql/csharp/ql/src/Useless code/RedundantToStringCall.ql
+ql/csharp/ql/src/Useless code/UnusedLabel.ql
--- a/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/csharp-security-extended.qls.expected
@@ -0,0 +1,71 @@
+ql/csharp/ql/src/Configuration/EmptyPasswordInConfigurationFile.ql
+ql/csharp/ql/src/Configuration/PasswordInConfigurationFile.ql
+ql/csharp/ql/src/Diagnostics/CompilerError.ql
+ql/csharp/ql/src/Diagnostics/CompilerMessage.ql
+ql/csharp/ql/src/Diagnostics/DiagnosticExtractionErrors.ql
+ql/csharp/ql/src/Diagnostics/ExtractedFiles.ql
+ql/csharp/ql/src/Diagnostics/ExtractorError.ql
+ql/csharp/ql/src/Diagnostics/ExtractorMessage.ql
+ql/csharp/ql/src/Input Validation/UseOfFileUpload.ql
+ql/csharp/ql/src/Input Validation/ValueShadowing.ql
+ql/csharp/ql/src/Input Validation/ValueShadowingServerVariable.ql
+ql/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransform.ql
+ql/csharp/ql/src/Likely Bugs/ThreadUnsafeICryptoTransformLambda.ql
+ql/csharp/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/csharp/ql/src/Security Features/CWE-011/ASPNetDebug.ql
+ql/csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.ql
+ql/csharp/ql/src/Security Features/CWE-020/RuntimeChecksBypass.ql
+ql/csharp/ql/src/Security Features/CWE-022/TaintedPath.ql
+ql/csharp/ql/src/Security Features/CWE-022/ZipSlip.ql
+ql/csharp/ql/src/Security Features/CWE-078/CommandInjection.ql
+ql/csharp/ql/src/Security Features/CWE-079/XSS.ql
+ql/csharp/ql/src/Security Features/CWE-089/SqlInjection.ql
+ql/csharp/ql/src/Security Features/CWE-090/LDAPInjection.ql
+ql/csharp/ql/src/Security Features/CWE-091/XMLInjection.ql
+ql/csharp/ql/src/Security Features/CWE-094/CodeInjection.ql
+ql/csharp/ql/src/Security Features/CWE-099/ResourceInjection.ql
+ql/csharp/ql/src/Security Features/CWE-112/MissingXMLValidation.ql
+ql/csharp/ql/src/Security Features/CWE-114/AssemblyPathInjection.ql
+ql/csharp/ql/src/Security Features/CWE-117/LogForging.ql
+ql/csharp/ql/src/Security Features/CWE-119/LocalUnvalidatedArithmetic.ql
+ql/csharp/ql/src/Security Features/CWE-134/UncontrolledFormatString.ql
+ql/csharp/ql/src/Security Features/CWE-201/ExposureInTransmittedData.ql
+ql/csharp/ql/src/Security Features/CWE-209/ExceptionInformationExposure.ql
+ql/csharp/ql/src/Security Features/CWE-248/MissingASPNETGlobalErrorHandler.ql
+ql/csharp/ql/src/Security Features/CWE-285/MissingAccessControl.ql
+ql/csharp/ql/src/Security Features/CWE-312/CleartextStorage.ql
+ql/csharp/ql/src/Security Features/CWE-327/InsecureSQLConnection.ql
+ql/csharp/ql/src/Security Features/CWE-352/MissingAntiForgeryTokenValidation.ql
+ql/csharp/ql/src/Security Features/CWE-359/ExposureOfPrivateInformation.ql
+ql/csharp/ql/src/Security Features/CWE-384/AbandonSession.ql
+ql/csharp/ql/src/Security Features/CWE-451/MissingXFrameOptions.ql
+ql/csharp/ql/src/Security Features/CWE-502/DeserializedDelegate.ql
+ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserializationUntrustedInput.ql
+ql/csharp/ql/src/Security Features/CWE-548/ASPNetDirectoryListing.ql
+ql/csharp/ql/src/Security Features/CWE-601/UrlRedirect.ql
+ql/csharp/ql/src/Security Features/CWE-611/UntrustedDataInsecureXml.ql
+ql/csharp/ql/src/Security Features/CWE-614/RequireSSL.ql
+ql/csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql
+ql/csharp/ql/src/Security Features/CWE-643/XPathInjection.ql
+ql/csharp/ql/src/Security Features/CWE-730/ReDoS.ql
+ql/csharp/ql/src/Security Features/CWE-730/RegexInjection.ql
+ql/csharp/ql/src/Security Features/CWE-798/HardcodedConnectionString.ql
+ql/csharp/ql/src/Security Features/CWE-798/HardcodedCredentials.ql
+ql/csharp/ql/src/Security Features/CWE-807/ConditionalBypass.ql
+ql/csharp/ql/src/Security Features/CookieWithOverlyBroadDomain.ql
+ql/csharp/ql/src/Security Features/CookieWithOverlyBroadPath.ql
+ql/csharp/ql/src/Security Features/Encryption using ECB.ql
+ql/csharp/ql/src/Security Features/HeaderCheckingDisabled.ql
+ql/csharp/ql/src/Security Features/InadequateRSAPadding.ql
+ql/csharp/ql/src/Security Features/InsecureRandomness.ql
+ql/csharp/ql/src/Security Features/InsufficientKeySize.ql
+ql/csharp/ql/src/Security Features/PersistentCookie.ql
+ql/csharp/ql/src/Security Features/WeakEncryption.ql
+ql/csharp/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/csharp/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/csharp/ql/src/Telemetry/ExtractorInformation.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalApis.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalSources.ql
+ql/csharp/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql
--- a/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
+++ b/csharp/ql/integration-tests/posix/query-suite/not_included_in_qls.expected
@@ -0,0 +1,126 @@
+ql/csharp/ql/src/API Abuse/MissingDisposeCall.ql
+ql/csharp/ql/src/API Abuse/MissingDisposeMethod.ql
+ql/csharp/ql/src/API Abuse/NonOverridingMethod.ql
+ql/csharp/ql/src/API Abuse/UncheckedReturnValue.ql
+ql/csharp/ql/src/ASP/ComplexInlineCode.ql
+ql/csharp/ql/src/ASP/NonInternationalizedText.ql
+ql/csharp/ql/src/ASP/SplitControlStructure.ql
+ql/csharp/ql/src/AlertSuppression.ql
+ql/csharp/ql/src/Architecture/Dependencies/MutualDependency.ql
+ql/csharp/ql/src/Architecture/Refactoring Opportunities/FeatureEnvy.ql
+ql/csharp/ql/src/Bad Practices/Comments/CommentedOutCode.ql
+ql/csharp/ql/src/Bad Practices/Comments/TodoComments.ql
+ql/csharp/ql/src/Bad Practices/Declarations/EmptyInterface.ql
+ql/csharp/ql/src/Bad Practices/Declarations/NoConstantsOnly.ql
+ql/csharp/ql/src/Bad Practices/Implementation Hiding/StaticArray.ql
+ql/csharp/ql/src/Bad Practices/LeftoverDebugCode.ql
+ql/csharp/ql/src/Bad Practices/Magic Constants/MagicConstantsNumbers.ql
+ql/csharp/ql/src/Bad Practices/Magic Constants/MagicConstantsString.ql
+ql/csharp/ql/src/Bad Practices/Magic Constants/MagicNumbersUseConstant.ql
+ql/csharp/ql/src/Bad Practices/Magic Constants/MagicStringsUseConstant.ql
+ql/csharp/ql/src/Bad Practices/Naming Conventions/ConfusingMethodNames.ql
+ql/csharp/ql/src/Bad Practices/Naming Conventions/ConfusingOverridesNames.ql
+ql/csharp/ql/src/Bad Practices/Naming Conventions/ConstantNaming.ql
+ql/csharp/ql/src/Bad Practices/Naming Conventions/ControlNamePrefixes.ql
+ql/csharp/ql/src/Bad Practices/Naming Conventions/DefaultControlNames.ql
+ql/csharp/ql/src/Bad Practices/Naming Conventions/VariableNameTooShort.ql
+ql/csharp/ql/src/Bad Practices/UseOfHtmlInputHidden.ql
+ql/csharp/ql/src/Bad Practices/UseOfSystemOutputStream.ql
+ql/csharp/ql/src/Dead Code/DeadRefTypes.ql
+ql/csharp/ql/src/Dead Code/NonAssignedFields.ql
+ql/csharp/ql/src/Dead Code/UnusedField.ql
+ql/csharp/ql/src/Dead Code/UnusedMethod.ql
+ql/csharp/ql/src/Documentation/XmldocExtraParam.ql
+ql/csharp/ql/src/Documentation/XmldocExtraTypeParam.ql
+ql/csharp/ql/src/Documentation/XmldocMissing.ql
+ql/csharp/ql/src/Documentation/XmldocMissingException.ql
+ql/csharp/ql/src/Documentation/XmldocMissingParam.ql
+ql/csharp/ql/src/Documentation/XmldocMissingReturn.ql
+ql/csharp/ql/src/Documentation/XmldocMissingTypeParam.ql
+ql/csharp/ql/src/Language Abuse/ForeachCapture.ql
+ql/csharp/ql/src/Language Abuse/UselessIsBeforeAs.ql
+ql/csharp/ql/src/Likely Bugs/BadCheckOdd.ql
+ql/csharp/ql/src/Likely Bugs/RandomUsedOnce.ql
+ql/csharp/ql/src/Metrics/Callables/CCyclomaticComplexity.ql
+ql/csharp/ql/src/Metrics/Callables/CLinesOfCode.ql
+ql/csharp/ql/src/Metrics/Callables/CLinesOfComment.ql
+ql/csharp/ql/src/Metrics/Callables/CNumberOfParameters.ql
+ql/csharp/ql/src/Metrics/Callables/CNumberOfStatements.ql
+ql/csharp/ql/src/Metrics/Callables/CPercentageOfComments.ql
+ql/csharp/ql/src/Metrics/Callables/StatementNestingDepth.ql
+ql/csharp/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+ql/csharp/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+ql/csharp/ql/src/Metrics/Files/FCommentRatio.ql
+ql/csharp/ql/src/Metrics/Files/FCyclomaticComplexity.ql
+ql/csharp/ql/src/Metrics/Files/FLines.ql
+ql/csharp/ql/src/Metrics/Files/FLinesOfCode.ql
+ql/csharp/ql/src/Metrics/Files/FLinesOfComment.ql
+ql/csharp/ql/src/Metrics/Files/FLinesOfCommentedCode.ql
+ql/csharp/ql/src/Metrics/Files/FNumberOfClasses.ql
+ql/csharp/ql/src/Metrics/Files/FNumberOfInterfaces.ql
+ql/csharp/ql/src/Metrics/Files/FNumberOfStructs.ql
+ql/csharp/ql/src/Metrics/Files/FNumberOfTests.ql
+ql/csharp/ql/src/Metrics/Files/FNumberOfUsingNamespaces.ql
+ql/csharp/ql/src/Metrics/Files/FSelfContainedness.ql
+ql/csharp/ql/src/Metrics/RefTypes/TAfferentCoupling.ql
+ql/csharp/ql/src/Metrics/RefTypes/TEfferentCoupling.ql
+ql/csharp/ql/src/Metrics/RefTypes/TInheritanceDepth.ql
+ql/csharp/ql/src/Metrics/RefTypes/TLackOfCohesionCK.ql
+ql/csharp/ql/src/Metrics/RefTypes/TLackOfCohesionHS.ql
+ql/csharp/ql/src/Metrics/RefTypes/TNumberOfCallables.ql
+ql/csharp/ql/src/Metrics/RefTypes/TNumberOfEvents.ql
+ql/csharp/ql/src/Metrics/RefTypes/TNumberOfFields.ql
+ql/csharp/ql/src/Metrics/RefTypes/TNumberOfIndexers.ql
+ql/csharp/ql/src/Metrics/RefTypes/TNumberOfNonConstFields.ql
+ql/csharp/ql/src/Metrics/RefTypes/TNumberOfProperties.ql
+ql/csharp/ql/src/Metrics/RefTypes/TNumberOfStatements.ql
+ql/csharp/ql/src/Metrics/RefTypes/TResponse.ql
+ql/csharp/ql/src/Metrics/RefTypes/TSizeOfAPI.ql
+ql/csharp/ql/src/Metrics/RefTypes/TSpecialisationIndex.ql
+ql/csharp/ql/src/Metrics/RefTypes/TUnmanagedCode.ql
+ql/csharp/ql/src/Metrics/Summaries/FrameworkCoverage.ql
+ql/csharp/ql/src/Metrics/internal/ExtractorDiagnostics.ql
+ql/csharp/ql/src/Security Features/CWE-016/ASPNetMaxRequestLength.ql
+ql/csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql
+ql/csharp/ql/src/Security Features/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
+ql/csharp/ql/src/Security Features/CWE-020/UntrustedDataToExternalAPI.ql
+ql/csharp/ql/src/Security Features/CWE-321/HardcodedEncryptionKey.ql
+ql/csharp/ql/src/Security Features/CWE-321/HardcodedSymmetricEncryptionKey.ql
+ql/csharp/ql/src/Security Features/CWE-327/DontInstallRootCert.ql
+ql/csharp/ql/src/Security Features/CWE-502/UnsafeDeserialization.ql
+ql/csharp/ql/src/Security Features/CWE-611/UseXmlSecureResolver.ql
+ql/csharp/ql/src/Security Features/CWE-838/InappropriateEncoding.ql
+ql/csharp/ql/src/Useless code/PointlessForwardingMethod.ql
+ql/csharp/ql/src/definitions.ql
+ql/csharp/ql/src/experimental/CWE-099/TaintedWebClient.ql
+ql/csharp/ql/src/experimental/CWE-918/RequestForgery.ql
+ql/csharp/ql/src/experimental/Security Features/CWE-1004/CookieWithoutHttpOnly.ql
+ql/csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+ql/csharp/ql/src/experimental/Security Features/CWE-614/CookieWithoutSecure.ql
+ql/csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql
+ql/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/delegated-security-validations-always-return-true.ql
+ql/csharp/ql/src/experimental/Security Features/JsonWebTokenHandler/security-validation-disabled.ql
+ql/csharp/ql/src/experimental/Security Features/Serialization/DefiningDatasetRelatedType.ql
+ql/csharp/ql/src/experimental/Security Features/Serialization/DefiningPotentiallyUnsafeXmlSerializer.ql
+ql/csharp/ql/src/experimental/Security Features/Serialization/UnsafeTypeUsedDataContractSerializer.ql
+ql/csharp/ql/src/experimental/Security Features/Serialization/XmlDeserializationWithDataSet.ql
+ql/csharp/ql/src/experimental/Security Features/backdoor/DangerousNativeFunctionCall.ql
+ql/csharp/ql/src/experimental/Security Features/backdoor/PotentialTimeBomb.ql
+ql/csharp/ql/src/experimental/Security Features/backdoor/ProcessNameToHashTaintFlow.ql
+ql/csharp/ql/src/filters/ClassifyFiles.ql
+ql/csharp/ql/src/meta/frameworks/Coverage.ql
+ql/csharp/ql/src/meta/frameworks/UnsupportedExternalAPIs.ql
+ql/csharp/ql/src/utils/modelconverter/ExtractNeutrals.ql
+ql/csharp/ql/src/utils/modelconverter/ExtractSinks.ql
+ql/csharp/ql/src/utils/modelconverter/ExtractSources.ql
+ql/csharp/ql/src/utils/modelconverter/ExtractSummaries.ql
+ql/csharp/ql/src/utils/modeleditor/ApplicationModeEndpoints.ql
+ql/csharp/ql/src/utils/modeleditor/FrameworkModeEndpoints.ql
+ql/csharp/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+ql/csharp/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
+ql/csharp/ql/src/utils/modelgenerator/CaptureSinkModels.ql
+ql/csharp/ql/src/utils/modelgenerator/CaptureSourceModels.ql
+ql/csharp/ql/src/utils/modelgenerator/CaptureSummaryModels.ql
+ql/csharp/ql/src/utils/modelgenerator/CaptureTypeBasedSummaryModels.ql
+ql/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql
+ql/csharp/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
--- a/csharp/ql/integration-tests/posix/query-suite/test.py
+++ b/csharp/ql/integration-tests/posix/query-suite/test.py
@@ -0,0 +1,14 @@
+import runs_on
+import pytest
+from query_suites import *
+
+well_known_query_suites = ['csharp-code-quality.qls', 'csharp-security-and-quality.qls', 'csharp-security-extended.qls', 'csharp-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, csharp, check_query_suite, query_suite):
+    check_query_suite(query_suite)
+
+@runs_on.posix
+def test_not_included_queries(codeql, csharp, check_queries_not_included):
+    check_queries_not_included('csharp', well_known_query_suites)
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 5.1.5
+
+### Minor Analysis Improvements
+
+* Improved autobuilder logic for detecting whether a project references a SDK (and should be built using `dotnet`).
+
 ## 5.1.4

 ### Minor Analysis Improvements
--- a/csharp/ql/lib/change-notes/2025-04-11-auto-builder-sdk.md
+++ b/csharp/ql/lib/change-notes/2025-04-11-auto-builder-sdk.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 5.1.5
+
+### Minor Analysis Improvements
+
 * Improved autobuilder logic for detecting whether a project references a SDK (and should be built using `dotnet`).
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.1.4
+lastReleaseVersion: 5.1.5
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.1.5-dev
+version: 5.1.5
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/Stmt.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Stmt.qll
@@ -278,9 +278,14 @@ class CaseStmt extends Case, @case_stmt {
  override PatternExpr getPattern() { result = this.getChild(0) }

  override Stmt getBody() {
-    exists(int i |
+    exists(int i, Stmt next |
      this = this.getParent().getChild(i) and
-      result = this.getParent().getChild(i + 1)
+      next = this.getParent().getChild(i + 1)
+    |
+      result = next and
+      not result instanceof CaseStmt
+      or
+      result = next.(CaseStmt).getBody()
    )
  }

--- a/csharp/ql/lib/semmle/code/csharp/commons/Collections.qll
+++ b/csharp/ql/lib/semmle/code/csharp/commons/Collections.qll
@@ -97,7 +97,8 @@ private class ParamsConstructedCollectionTypes extends ParamsCollectionTypeImpl
      unboundbase instanceof SystemCollectionsGenericIReadOnlyListTInterface or
      unboundbase instanceof SystemSpanStruct or
      unboundbase instanceof SystemReadOnlySpanStruct
-    )
+    ) and
+    not this instanceof SystemStringClass
  }

  override Type getElementType() { result = base.getTypeArgument(0) }
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -1153,7 +1153,13 @@ module Statements {
      )
      or
      // Flow from last element of `case` statement `i` to first element of statement `i+1`
-      exists(int i | last(super.getStmt(i).(CaseStmt).getBody(), pred, c) |
+      exists(int i, Stmt body |
+        body = super.getStmt(i).(CaseStmt).getBody() and
+        // in case of fall-through cases, make sure to not jump from their shared body back
+        // to one of the fall-through cases
+        not body = super.getStmt(i + 1).(CaseStmt).getBody() and
+        last(body, pred, c)
+      |
        c instanceof NormalCompletion and
        first(super.getStmt(i + 1), succ)
      )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll
@@ -1,8 +1,6 @@
 /**
 * Provides classes for representing abstract bounds for use in, for example, range analysis.
 */
-overlay[local?]
-module;

 private import internal.rangeanalysis.BoundSpecific

--- a/csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll
@@ -3,8 +3,6 @@
 * an expression, `b` is a `Bound` (typically zero or the value of an SSA
 * variable), and `v` is an integer in the range `[0 .. m-1]`.
 */
-overlay[local?]
-module;

 private import internal.rangeanalysis.ModulusAnalysisSpecific::Private
 private import Bound
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
@@ -408,7 +408,8 @@ Declaration interpretBaseDeclaration(string namespace, string type, string name,
  )
 }

-pragma[inline]
+bindingset[d, ext]
+pragma[inline_late]
 private Declaration interpretExt(Declaration d, ExtPath ext) {
  ext = "" and result = d
  or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/Sign.qll
@@ -1,6 +1,3 @@
-overlay[local?]
-module;
-
 newtype TSign =
  TNeg() or
  TZero() or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll
@@ -5,8 +5,6 @@
 * The analysis is implemented as an abstract interpretation over the
 * three-valued domain `{negative, zero, positive}`.
 */
-overlay[local?]
-module;

 private import SignAnalysisSpecific::Private
 private import SsaReadPositionCommon
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SsaReadPositionCommon.qll
@@ -1,8 +1,6 @@
 /**
 * Provides classes for representing a position at which an SSA variable is read.
 */
-overlay[local?]
-module;

 private import SsaReadPositionSpecific
 import SsaReadPositionSpecific::Public
--- a/csharp/ql/lib/semmle/code/csharp/frameworks/Format.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/Format.qll
@@ -8,69 +8,122 @@ private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.frameworks.system.Text

 /** A method that formats a string, for example `string.Format()`. */
-class FormatMethod extends Method {
-  FormatMethod() {
-    exists(Class declType | declType = this.getDeclaringType() |
-      this.getParameter(0).getType() instanceof SystemIFormatProviderInterface and
-      this.getParameter(1).getType() instanceof StringType and
-      (
-        this = any(SystemStringClass c).getFormatMethod()
-        or
-        this = any(SystemTextStringBuilderClass c).getAppendFormatMethod()
-      )
-      or
-      this.getParameter(0).getType() instanceof StringType and
-      (
-        this = any(SystemStringClass c).getFormatMethod()
-        or
-        this = any(SystemTextStringBuilderClass c).getAppendFormatMethod()
-        or
-        (this.hasName("Write") or this.hasName("WriteLine")) and
-        (
-          declType.hasFullyQualifiedName("System", "Console")
-          or
-          declType.hasFullyQualifiedName("System.IO", "TextWriter")
-          or
-          declType.hasFullyQualifiedName("System.Diagnostics", "Debug") and
-          this.getParameter(1).getType() instanceof ArrayType
-        )
-        or
-        declType.hasFullyQualifiedName("System.Diagnostics", "Trace") and
-        (
-          this.hasName("TraceError") or
-          this.hasName("TraceInformation") or
-          this.hasName("TraceWarning")
-        )
-        or
-        this.hasName("TraceInformation") and
-        declType.hasFullyQualifiedName("System.Diagnostics", "TraceSource")
-        or
-        this.hasName("Print") and
-        declType.hasFullyQualifiedName("System.Diagnostics", "Debug")
-      )
-      or
-      this.hasName("Assert") and
-      declType.hasFullyQualifiedName("System.Diagnostics", "Debug") and
-      this.getNumberOfParameters() = 4
-    )
-  }
-
+abstract private class FormatMethodImpl extends Method {
  /**
   * Gets the argument containing the format string. For example, the argument of
   * `string.Format(IFormatProvider, String, Object)` is `1`.
   */
-  int getFormatArgument() {
+  abstract int getFormatArgument();
+
+  /**
+   * Gets the argument number of the first supplied insert.
+   */
+  int getFirstArgument() { result = this.getFormatArgument() + 1 }
+}
+
+final class FormatMethod = FormatMethodImpl;
+
+/** A class of types used for formatting. */
+private class FormatType extends Type {
+  FormatType() {
+    this instanceof StringType or
+    this instanceof SystemTextCompositeFormatClass
+  }
+}
+
+private class StringAndStringBuilderFormatMethods extends FormatMethodImpl {
+  StringAndStringBuilderFormatMethods() {
+    (
+      this.getParameter(0).getType() instanceof SystemIFormatProviderInterface and
+      this.getParameter(1).getType() instanceof FormatType
+      or
+      this.getParameter(0).getType() instanceof StringType
+    ) and
+    (
+      this = any(SystemStringClass c).getFormatMethod()
+      or
+      this = any(SystemTextStringBuilderClass c).getAppendFormatMethod()
+    )
+  }
+
+  override int getFormatArgument() {
    if this.getParameter(0).getType() instanceof SystemIFormatProviderInterface
    then result = 1
-    else
-      if
-        this.hasName("Assert") and
-        this.getDeclaringType().hasFullyQualifiedName("System.Diagnostics", "Debug")
-      then result = 2
-      else result = 0
+    else result = 0
  }
 }

+private class SystemMemoryExtensionsFormatMethods extends FormatMethodImpl {
+  SystemMemoryExtensionsFormatMethods() {
+    this = any(SystemMemoryExtensionsClass c).getTryWriteMethod() and
+    this.getParameter(1).getType() instanceof SystemIFormatProviderInterface and
+    this.getParameter(2).getType() instanceof SystemTextCompositeFormatClass
+  }
+
+  override int getFormatArgument() { result = 2 }
+
+  override int getFirstArgument() { result = this.getFormatArgument() + 2 }
+}
+
+private class SystemConsoleAndSystemIoTextWriterFormatMethods extends FormatMethodImpl {
+  SystemConsoleAndSystemIoTextWriterFormatMethods() {
+    this.getParameter(0).getType() instanceof StringType and
+    this.getNumberOfParameters() > 1 and
+    exists(Class declType | declType = this.getDeclaringType() |
+      this.hasName(["Write", "WriteLine"]) and
+      (
+        declType.hasFullyQualifiedName("System", "Console")
+        or
+        declType.hasFullyQualifiedName("System.IO", "TextWriter")
+      )
+    )
+  }
+
+  override int getFormatArgument() { result = 0 }
+}
+
+private class SystemDiagnosticsDebugAssert extends FormatMethodImpl {
+  SystemDiagnosticsDebugAssert() {
+    this.hasName("Assert") and
+    this.getDeclaringType().hasFullyQualifiedName("System.Diagnostics", "Debug") and
+    this.getNumberOfParameters() = 4
+  }
+
+  override int getFormatArgument() { result = 2 }
+}
+
+private class SystemDiagnosticsFormatMethods extends FormatMethodImpl {
+  SystemDiagnosticsFormatMethods() {
+    this.getParameter(0).getType() instanceof StringType and
+    this.getNumberOfParameters() > 1 and
+    exists(Class declType |
+      declType = this.getDeclaringType() and
+      declType.getNamespace().getFullName() = "System.Diagnostics"
+    |
+      declType.hasName("Trace") and
+      (
+        this.hasName("TraceError")
+        or
+        this.hasName("TraceInformation")
+        or
+        this.hasName("TraceWarning")
+      )
+      or
+      declType.hasName("TraceSource") and this.hasName("TraceInformation")
+      or
+      declType.hasName("Debug") and
+      (
+        this.hasName("Print")
+        or
+        this.hasName(["Write", "WriteLine"]) and
+        this.getParameter(1).getType() instanceof ArrayType
+      )
+    )
+  }
+
+  override int getFormatArgument() { result = 0 }
+}
+
 pragma[nomagic]
 private predicate parameterReadPostDominatesEntry(ParameterRead pr) {
  pr.getAControlFlowNode().postDominates(pr.getEnclosingCallable().getEntryPoint()) and
@@ -194,24 +247,36 @@ class FormatCall extends MethodCall {
  int getFormatArgument() { result = this.getTarget().(FormatMethod).getFormatArgument() }

  /** Gets the argument number of the first supplied insert. */
-  int getFirstArgument() { result = this.getFormatArgument() + 1 }
+  int getFirstArgument() { result = this.getTarget().(FormatMethod).getFirstArgument() }

  /** Holds if this call has one or more insertions. */
  predicate hasInsertions() { exists(this.getArgument(this.getFirstArgument())) }

-  /** Holds if the arguments are supplied in an array, not individually. */
-  predicate hasArrayExpr() {
+  /**
+   * DEPRECATED: use `hasCollectionExpr` instead.
+   *
+   * Holds if the arguments are supplied in an array, not individually.
+   */
+  deprecated predicate hasArrayExpr() {
    this.getNumberOfArguments() = this.getFirstArgument() + 1 and
    this.getArgument(this.getFirstArgument()).getType() instanceof ArrayType
  }

+  /**
+   * Holds if the arguments are supplied in a collection, not individually.
+   */
+  predicate hasCollectionExpr() {
+    this.getNumberOfArguments() = this.getFirstArgument() + 1 and
+    this.getArgument(this.getFirstArgument()).getType() instanceof ParamsCollectionType
+  }
+
  /**
   * Gets the number of supplied arguments (excluding the format string and format
   * provider). Does not return a value if the arguments are supplied in an array,
   * in which case we generally can't assess the size of the array.
   */
  int getSuppliedArguments() {
-    not this.hasArrayExpr() and
+    not this.hasCollectionExpr() and
    result = this.getNumberOfArguments() - this.getFirstArgument()
  }

--- a/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/System.qll
@@ -365,7 +365,7 @@ class SystemStringClass extends StringType {
  /** Gets a `Format(...)` method. */
  Method getFormatMethod() {
    result.getDeclaringType() = this and
-    result.hasName("Format") and
+    result.getName().regexpMatch("Format(<.*>)?") and
    result.getNumberOfParameters() in [2 .. 5] and
    result.getReturnType() instanceof StringType
  }
@@ -751,6 +751,18 @@ class SystemNotImplementedExceptionClass extends SystemClass {
  SystemNotImplementedExceptionClass() { this.hasName("NotImplementedException") }
 }

+/** The `System.MemoryExtensions` class. */
+class SystemMemoryExtensionsClass extends SystemClass {
+  SystemMemoryExtensionsClass() { this.hasName("MemoryExtensions") }
+
+  /** Gets a `TryWrite` method. */
+  Method getTryWriteMethod() {
+    result.getDeclaringType() = this and
+    result.getName().regexpMatch("TryWrite(<.*>)?") and
+    result.getParameter(0).getType().getUnboundDeclaration() instanceof SystemSpanStruct
+  }
+}
+
 /** The `System.DateTime` struct. */
 class SystemDateTimeStruct extends SystemStruct {
  SystemDateTimeStruct() { this.hasName("DateTime") }
--- a/Show More
+++ b/Show More