Kotlin extractor: scope Object-method redeclaration recovery

Why this is needed:
- library-tests/java-kotlin-collection-type-generic-methods/test.ql regressed with extra equals(Object) rows on generic collection/map/list declaration variants.
- At the same time, java-interface-redeclares-tostring must still recover Object-method redeclarations for Java binary interfaces under K2.

What changed:
- In K2 ASM probing, treat classes with kotlin.Metadata as non-Java binaries for javaBinaryDeclaresMethod, so Java-redeclaration recovery does not fire on Kotlin binary classes.
- Keep equals(Object) K2 Any/Any? compatibility handling, but constrain the workaround to non-generic parent classes and skip it when a concrete sibling declaration already exists.
- Preserve the existing toString/hashCode redeclaration recovery path for affected Java binaries.

Effect:
- Removes the spurious equals(Object) rows in java-kotlin-collection-type-generic-methods while retaining expected Object-method extraction in java-interface-redeclares-tostring.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

CODEOWNERS

@@ -28,7 +28,6 @@
 /swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
-/java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.38
+version: 0.4.39-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.30
+version: 0.6.31-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 11.0.0
+version: 11.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.5
+version: 1.6.6-dev
 groups:
   - cpp
   - queries

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.69
+version: 1.7.70-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.69
+version: 1.7.70-dev
 groups:
   - csharp
   - solorigate

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 7.0.0
+version: 7.0.1-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.5
+version: 1.7.6-dev
 groups:
   - csharp
   - queries

go/extractor/go.mod

@@ -10,7 +10,7 @@ toolchain go1.26.4
 //    bazel mod tidy
 require (
 	golang.org/x/mod v0.37.0
-	golang.org/x/tools v0.46.0
+	golang.org/x/tools v0.47.0
 )
 
 require github.com/stretchr/testify v1.11.1

go/extractor/go.sum

@@ -10,8 +10,8 @@ golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
 golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
 golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
 golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
-golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
+golang.org/x/tools v0.47.0 h1:7Kn5x/d1svx/PzryTsqeoZN4TZwqeH5pGWjefhLi/1Q=
+golang.org/x/tools v0.47.0/go.mod h1:dFHnyTvFWY212G+h7ZY4Vsp/K3U4/7W9TyVaAul8uCA=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.52
+version: 1.0.53-dev
 groups:
   - go
   - queries

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.2.0
+version: 7.2.1-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/lib/semmle/go/security/StoredXssCustomizations.qll

@@ -33,9 +33,11 @@ module StoredXss {
         walkFn.getACall().getArgument(1) = f.getASuccessor*()
       )
       or
-      // A call to os.FileInfo.Name
-      exists(Method m | m.implements("io/fs", "FileInfo", "Name") |
-        m = this.(DataFlow::CallNode).getTarget()
+      // The return value of a call to `os.DirEntry.Name`, `os.FileInfo.Name`
+      // or `os.File.ReadDirNames`.
+      exists(DataFlow::CallNode cn, Method m | m = cn.getTarget() and this = cn.getResult(0) |
+        m.implements("io/fs", ["DirEntry", "FileInfo"], "Name") or
+        m.hasQualifiedName("os", "File", "ReadDirNames")
       )
     }
   }

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.5
+version: 1.6.6-dev
 groups:
   - go
   - queries

go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected

@@ -156,12 +156,3 @@ nodes
 | websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] |
 | websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
 subpaths
-testFailures
-| websocketXss.go:30:32:30:60 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:31:11:31:14 | xnet [postupdate] | Unexpected result: Source |
-| websocketXss.go:34:30:34:58 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:35:21:35:25 | xnet2 [postupdate] | Unexpected result: Source |
-| websocketXss.go:46:38:46:66 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | Unexpected result: Source |
-| websocketXss.go:50:33:50:61 | comment | Missing result: Source[go/reflected-xss] |
-| websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | Unexpected result: Source |

go/ql/test/query-tests/Security/CWE-079/StoredXss.expected

@@ -1,7 +1,9 @@
 #select
+| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
 | stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
 | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | SSA def(path) | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | SSA def(path) | stored value |
 edges
+| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance |  |
 | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1  |
 | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... [postupdate] | provenance | FunctionModel |
 | stored.go:25:29:25:33 | &... [postupdate] | stored.go:30:22:30:25 | name | provenance |  |
@@ -9,6 +11,8 @@ edges
 models
 | 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
 nodes
+| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name |
+| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
 | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
 | stored.go:25:14:25:17 | rows | semmle.label | rows |
 | stored.go:25:29:25:33 | &... [postupdate] | semmle.label | &... [postupdate] |
@@ -16,5 +20,3 @@ nodes
 | stored.go:59:30:59:33 | SSA def(path) | semmle.label | SSA def(path) |
 | stored.go:61:22:61:25 | path | semmle.label | path |
 subpaths
-testFailures
-| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |

go/ql/test/query-tests/Security/CWE-079/websocketXss.go

@@ -27,12 +27,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	origin := "test"
 	{
 		ws, _ := websocket.Dial(uri, "", origin)
-		var xnet = make([]byte, 512) // $ Source[go/reflected-xss]
-		ws.Read(xnet)
+		var xnet = make([]byte, 512)
+		ws.Read(xnet)              // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", xnet) // $ Alert[go/reflected-xss]
 		codec := &websocket.Codec{Marshal: marshal, Unmarshal: unmarshal}
-		xnet2 := make([]byte, 512) // $ Source[go/reflected-xss]
-		codec.Receive(ws, xnet2)
+		xnet2 := make([]byte, 512)
+		codec.Receive(ws, xnet2)    // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", xnet2) // $ Alert[go/reflected-xss]
 	}
 	{
@@ -43,12 +43,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	{
 		dialer := gorilla.Dialer{}
 		conn, _, _ := dialer.Dial(uri, nil)
-		var gorillaMsg = make([]byte, 512) // $ Source[go/reflected-xss]
-		gorilla.ReadJSON(conn, gorillaMsg)
-		fmt.Fprintf(w, "%v", gorillaMsg) // $ Alert[go/reflected-xss]
+		var gorillaMsg = make([]byte, 512)
+		gorilla.ReadJSON(conn, gorillaMsg) // $ Source[go/reflected-xss]
+		fmt.Fprintf(w, "%v", gorillaMsg)   // $ Alert[go/reflected-xss]
 
-		gorilla2 := make([]byte, 512) // $ Source[go/reflected-xss]
-		conn.ReadJSON(gorilla2)
+		gorilla2 := make([]byte, 512)
+		conn.ReadJSON(gorilla2)        // $ Source[go/reflected-xss]
 		fmt.Fprintf(w, "%v", gorilla2) // $ Alert[go/reflected-xss]
 
 		_, gorilla3, _ := conn.ReadMessage() // $ Source[go/reflected-xss]

java/kotlin-extractor/dev/wrapper.py

@@ -75,6 +75,9 @@ def get_version():
 
 
 def install(version: str, quiet: bool):
+    if install_dir.exists():
+        return
+
     if quiet:
         info_out = subprocess.DEVNULL
         info = lambda *args: None
@@ -83,8 +86,6 @@ def install(version: str, quiet: bool):
         info = lambda *args: print(*args, file=sys.stderr)
     file = file_template.format(version=version)
     url = url_template.format(version=version)
-    if install_dir.exists():
-        shutil.rmtree(install_dir)
     install_dir.mkdir()
     zips_dir.mkdir(exist_ok=True)
     zip = zips_dir / file
@@ -156,8 +157,11 @@ def main(opts, forwarded_opts):
         selected_version = current_version or DEFAULT_VERSION
     if selected_version != current_version:
         # don't print information about install procedure unless explicitly using --select
-        install(selected_version, quiet=opts.select is None)
+        if install_dir.exists():
+            shutil.rmtree(install_dir)
         version_file.write_text(selected_version)
+    # don't print information about install procedure unless explicitly using --select
+    install(selected_version, quiet=opts.select is None)
     if opts.select and not forwarded_opts and not opts.version:
         print(f"selected {selected_version}")
         return

java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt

@@ -6,6 +6,8 @@ import com.github.codeql.utils.*
 import com.github.codeql.utils.versions.*
 import com.semmle.extractor.java.OdasaOutput
 import java.io.Closeable
+import java.nio.file.Files
+import java.nio.file.Path
 import java.util.*
 import kotlin.collections.ArrayList
 import org.jetbrains.kotlin.backend.common.extensions.IrPluginContext
@@ -50,6 +52,7 @@ import org.jetbrains.kotlin.load.java.structure.JavaMethod
 import org.jetbrains.kotlin.load.java.structure.JavaTypeParameter
 import org.jetbrains.kotlin.load.java.structure.JavaTypeParameterListOwner
 import org.jetbrains.kotlin.load.java.structure.impl.classFiles.BinaryJavaClass
+import org.jetbrains.kotlin.fir.java.VirtualFileBasedSourceElement
 import org.jetbrains.kotlin.name.FqName
 import org.jetbrains.kotlin.types.Variance
 import org.jetbrains.kotlin.util.OperatorNameConventions
@@ -161,23 +164,100 @@ open class KotlinFileExtractor(
         }
     }
 
-    private fun javaBinaryDeclaresMethod(c: IrClass, name: String) =
-        ((c.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.methods?.any {
-            it.name.asString() == name
+    private fun javaBinaryDeclaresMethod(c: IrClass, name: String): Boolean? {
+        // K1 path: source is JavaSourceElement wrapping a BinaryJavaClass - inspect class metadata
+        val binaryJavaClass = (c.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass
+        if (binaryJavaClass != null) {
+            return binaryJavaClass.methods.any { it.name.asString() == name }
         }
 
+        // K2 path: binary Java classes use VirtualFileBasedSourceElement instead of
+        // JavaSourceElement. The BinaryJavaClass is not stored in the source element, so we parse
+        // the class bytes directly using ASM to check if the method is explicitly declared.
+        if (c.source is VirtualFileBasedSourceElement) {
+            val virtualFile = (c.source as VirtualFileBasedSourceElement).virtualFile
+            if (!virtualFile.name.endsWith(".class")) return null
+            return try {
+                val bytes = virtualFile.contentsToByteArray()
+                var found = false
+                var hasKotlinMetadata = false
+                val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
+                reader.accept(
+                    object : org.jetbrains.org.objectweb.asm.ClassVisitor(
+                        org.jetbrains.org.objectweb.asm.Opcodes.ASM9
+                    ) {
+                        override fun visitAnnotation(
+                            descriptor: String,
+                            visible: Boolean
+                        ): org.jetbrains.org.objectweb.asm.AnnotationVisitor? {
+                            if (descriptor == "Lkotlin/Metadata;") hasKotlinMetadata = true
+                            return null
+                        }
+
+                        override fun visitMethod(
+                            access: Int,
+                            methodName: String,
+                            descriptor: String,
+                            signature: String?,
+                            exceptions: Array<String>?
+                        ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
+                            if (methodName == name) found = true
+                            return null
+                        }
+                    },
+                    org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
+                        org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
+                        org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
+                )
+                if (hasKotlinMetadata) false else found
+            } catch (e: Exception) {
+                logger.warn("Failed to check binary class methods for ${c.fqNameWhenAvailable}: $e")
+                null
+            }
+        }
+        return null
+    }
+
     private fun isJavaBinaryDeclaration(f: IrFunction) =
         f.parentClassOrNull?.let { javaBinaryDeclaresMethod(it, f.name.asString()) } ?: false
 
+    private fun hasConcreteSiblingObjectMethod(f: IrFunction): Boolean {
+        val parentClass = f.parentClassOrNull ?: return false
+        return parentClass.declarations
+            .asSequence()
+            .filterIsInstance<IrFunction>()
+            .filter { sibling ->
+                sibling !== f &&
+                    sibling.name == f.name &&
+                    sibling.codeQlValueParameters.size == f.codeQlValueParameters.size
+            }
+            .any { sibling ->
+                val hasInvisibleFakeVisibility =
+                    sibling.visibility.let {
+                        it is DelegatedDescriptorVisibility && it.delegate == Visibilities.InvisibleFake
+                    }
+                !sibling.isFakeOverride && !hasInvisibleFakeVisibility
+            }
+    }
+
     private fun isJavaBinaryObjectMethodRedeclaration(d: IrDeclaration) =
         when (d) {
             is IrFunction ->
+                d.parentClassOrNull?.typeParameters?.isEmpty() == true &&
                 when (d.name.asString()) {
                     "toString" -> d.codeQlValueParameters.isEmpty()
                     "hashCode" -> d.codeQlValueParameters.isEmpty()
-                    "equals" -> d.codeQlValueParameters.singleOrNull()?.type?.isNullableAny() ?: false
+                    // Under K2 (language version 2.0+), the Object.equals(Object) parameter is
+                    // typed as Any (non-nullable) rather than Any? (nullable). Accept both.
+                    "equals" ->
+                        d.codeQlValueParameters
+                            .singleOrNull()
+                            ?.type
+                            ?.let { it.isNullableAny() || it.isAny() } ?: false
                     else -> false
-                } && isJavaBinaryDeclaration(d)
+                } &&
+                    !hasConcreteSiblingObjectMethod(d) &&
+                    isJavaBinaryDeclaration(d)
             else -> false
         }
 
@@ -1312,27 +1392,28 @@ open class KotlinFileExtractor(
     ): TypeResults {
         with("value parameter", vp) {
             val location = locOverride ?: getLocation(vp, classTypeArgsIncludingOuterClasses)
+            val parentFunction = vp.parent as? IrFunction
+            val javaCallable = parentFunction?.let { getJavaCallable(it) }
             val maybeAlteredType =
-                (vp.parent as? IrFunction)?.let {
+                parentFunction?.let {
                     if (overridesCollectionsMethodWithAlteredParameterTypes(it))
                         eraseCollectionsMethodParameterType(vp.type, it.name.asString(), idx)
                     else if (
-                        (vp.parent as? IrConstructor)?.parentClassOrNull?.kind ==
+                        (parentFunction as? IrConstructor)?.parentClassOrNull?.kind ==
                             ClassKind.ANNOTATION_CLASS
                     )
                         kClassToJavaClass(vp.type)
                     else null
                 } ?: vp.type
-            val javaType =
-                (vp.parent as? IrFunction)?.let {
-                    getJavaCallable(it)?.let { jCallable ->
-                        getJavaValueParameterType(jCallable, idx)
-                    }
-                }
+            val javaType = javaCallable?.let { jCallable -> getJavaValueParameterType(jCallable, idx) }
+            val addParameterWildcardsByDefault =
+                !getInnermostWildcardSupppressionAnnotation(vp) &&
+                    !(javaCallable == null &&
+                        parentFunction?.origin == IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB)
             val typeWithWildcards =
                 addJavaLoweringWildcards(
                     maybeAlteredType,
-                    !getInnermostWildcardSupppressionAnnotation(vp),
+                    addParameterWildcardsByDefault,
                     javaType
                 )
             val substitutedType =
@@ -1346,9 +1427,9 @@ open class KotlinFileExtractor(
                 vp.origin == IrDeclarationOrigin.UNDERSCORE_PARAMETER ||
                     ((vp.parent as? IrFunction)?.let { hasSynthesizedParameterNames(it) } ?: true)
             val javaParameter =
-                when (val callable = (vp.parent as? IrFunction)?.let { getJavaCallable(it) }) {
-                    is JavaConstructor -> callable.valueParameters.getOrNull(idx)
-                    is JavaMethod -> callable.valueParameters.getOrNull(idx)
+                when (javaCallable) {
+                    is JavaConstructor -> javaCallable.valueParameters.getOrNull(idx)
+                    is JavaMethod -> javaCallable.valueParameters.getOrNull(idx)
                     else -> null
                 }
             val extraAnnotations =
@@ -2874,6 +2955,45 @@ open class KotlinFileExtractor(
         return v
     }
 
+    private val sourceTextCache = mutableMapOf<String, String?>()
+
+    private fun getCurrentFileSourceText() =
+        sourceTextCache.getOrPut(filePath) {
+            runCatching { Files.readString(Path.of(filePath)) }.getOrNull()
+        }
+
+    private fun getVariableNameLocation(v: IrVariable): Label<DbLocation>? {
+        if (v.startOffset < 0 || v.endOffset < v.startOffset) return null
+
+        val source = getCurrentFileSourceText() ?: return null
+        if (v.startOffset >= source.length) return null
+
+        val name = v.name.asString()
+        if (name.isEmpty()) return null
+
+        val endExclusive = minOf(v.endOffset + 1, source.length)
+        val declarationText = source.substring(v.startOffset, endExclusive)
+        val nameOffsetInDeclaration = declarationText.indexOf(name)
+        if (nameOffsetInDeclaration < 0) return null
+
+        val nameStartOffset = v.startOffset + nameOffsetInDeclaration
+        val nameEndOffset = nameStartOffset + name.length - 1
+        return tw.getLocation(nameStartOffset, nameEndOffset)
+    }
+
+    private fun shouldUseVariableNameLocation(v: IrVariable): Boolean {
+        val initializer = v.initializer
+        return initializer is IrTypeOperatorCall && initializer.operator == IrTypeOperator.IMPLICIT_NOTNULL
+    }
+
+    private fun getVariableLocation(v: IrVariable): Label<DbLocation> {
+        if (shouldUseVariableNameLocation(v)) {
+            val nameLocation = getVariableNameLocation(v)
+            if (nameLocation != null) return nameLocation
+        }
+        return tw.getLocation(getVariableLocationProvider(v))
+    }
+
     private fun extractVariable(
         v: IrVariable,
         callable: Label<out DbCallable>,
@@ -2882,7 +3002,7 @@ open class KotlinFileExtractor(
     ) {
         with("variable", v) {
             val stmtId = tw.getFreshIdLabel<DbLocalvariabledeclstmt>()
-            val locId = tw.getLocation(getVariableLocationProvider(v))
+            val locId = getVariableLocation(v)
             tw.writeStmts_localvariabledeclstmt(stmtId, parent, idx, callable)
             tw.writeHasLocation(stmtId, locId)
             extractVariableExpr(v, callable, stmtId, 1, stmtId)
@@ -2900,7 +3020,7 @@ open class KotlinFileExtractor(
         with("variable expr", v) {
             val varId = useVariable(v)
             val exprId = tw.getFreshIdLabel<DbLocalvariabledeclexpr>()
-            val locId = tw.getLocation(getVariableLocationProvider(v))
+            val locId = getVariableLocation(v)
             val type = useType(v.type)
             tw.writeLocalvars(varId, v.name.asString(), type.javaResult.id, exprId)
             tw.writeLocalvarsKotlinType(varId, type.kotlinResult.id)
@@ -4066,6 +4186,28 @@ open class KotlinFileExtractor(
             else -> false
         }
 
+    private fun getCallResultType(c: IrCall, syntacticCallTarget: IrFunction): IrType {
+        if (syntacticCallTarget.origin != IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB) {
+            return c.type
+        }
+
+        val primitiveInfo =
+            (c.type as? IrSimpleType)?.let { primitiveTypeMapping.getPrimitiveInfo(it) } ?: return c.type
+        val parentClass = syntacticCallTarget.parentClassOrNull ?: return c.type
+        val returnIsClassifier =
+            javaBinaryMethodReturnIsClassifierType(
+                parentClass,
+                getFunctionShortName(syntacticCallTarget).nameInDB,
+                syntacticCallTarget.codeQlValueParameters.size,
+                syntacticCallTarget is IrConstructor
+            )
+        return if (returnIsClassifier == true) {
+            primitiveInfo.javaClass.symbol.typeWith()
+        } else {
+            c.type
+        }
+    }
+
     private fun isGenericArrayType(typeName: String) =
         when (typeName) {
             "Array" -> true
@@ -4111,7 +4253,7 @@ open class KotlinFileExtractor(
                 extractRawMethodAccess(
                     syntacticCallTarget,
                     c,
-                    c.type,
+                    getCallResultType(c, syntacticCallTarget),
                     callable,
                     parent,
                     idx,

java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt

@@ -36,6 +36,7 @@ import org.jetbrains.kotlin.load.java.BuiltinMethodsWithSpecialGenericSignature
 import org.jetbrains.kotlin.load.java.JvmAbi
 import org.jetbrains.kotlin.load.java.sources.JavaSourceElement
 import org.jetbrains.kotlin.load.java.structure.*
+import org.jetbrains.kotlin.load.java.structure.impl.classFiles.BinaryJavaClass
 import org.jetbrains.kotlin.load.java.typeEnhancement.hasEnhancedNullability
 import org.jetbrains.kotlin.name.FqName
 import org.jetbrains.kotlin.name.NameUtils
@@ -996,7 +997,20 @@ open class KotlinUsesExtractor(
                 )
                 return null
             }
-            return extractFileClass(fqName)
+            val fileClassId = extractFileClass(fqName)
+            // Under K2, external file class members sit directly under IrExternalPackageFragment
+            // rather than under their IrClass parent. In that case the file class entity won't
+            // get a location set through the normal extractClassSource path.
+            if (d is IrMemberWithContainerSource && tw.lm.externalFileClassLocationsExtracted.add(fqName)) {
+                val binaryPath =
+                    getContainerSourceBinaryPath(d.containerSource)
+                        ?.let { normalizeExternalFileClassBinaryPath(it, fqName) }
+                if (binaryPath != null && shouldUseConcreteExternalFileClassLocation(binaryPath)) {
+                    val fileId = tw.mkFileId(binaryPath, true)
+                    tw.writeHasLocation(fileClassId, tw.getWholeFileLocation(fileId))
+                }
+            }
+            return fileClassId
         }
         return useDeclarationParent(parent, canBeTopLevel, classTypeArguments, inReceiverContext)
     }
@@ -1371,8 +1385,13 @@ open class KotlinUsesExtractor(
         parentId: Label<out DbElement>,
         classTypeArgsIncludingOuterClasses: List<IrTypeArgument>?,
         maybeParameterList: List<IrValueParameter>? = null
-    ): String =
-        getFunctionLabel(
+    ): String {
+        val javaCallable = getJavaCallable(f)
+        val addParameterWildcardsByDefault =
+            !getInnermostWildcardSupppressionAnnotation(f) &&
+                !(javaCallable == null && f.origin == IrDeclarationOrigin.IR_EXTERNAL_JAVA_DECLARATION_STUB)
+
+        return getFunctionLabel(
             f.parent,
             parentId,
             getFunctionShortName(f).nameInDB,
@@ -1382,9 +1401,10 @@ open class KotlinUsesExtractor(
             getFunctionTypeParameters(f),
             classTypeArgsIncludingOuterClasses,
             overridesCollectionsMethodWithAlteredParameterTypes(f),
-            getJavaCallable(f),
-            !getInnermostWildcardSupppressionAnnotation(f)
+            javaCallable,
+            addParameterWildcardsByDefault
         )
+    }
 
     /*
      * This function actually generates the label for a function.
@@ -1471,15 +1491,41 @@ open class KotlinUsesExtractor(
             // Finally, mimic the Java extractor's behaviour by naming functions with type
             // parameters for their erased types;
             // those without type parameters are named for the generic type.
-            val maybeErased =
+            var maybeErased =
                 if (functionTypeParameters.isEmpty()) maybeSubbed else erase(maybeSubbed)
+            // K2 compatibility: under K2, Java @NotNull reference types such as @NotNull Integer
+            // are enhanced to Kotlin primitives (e.g. kotlin.Int). But the Java extractor uses
+            // the original reference type (java.lang.Integer) in callable labels. When we detect
+            // that the original Java parameter type is a reference (classifier) type but the
+            // Kotlin IR type is a primitive, revert to the boxed Java class so both extractors
+            // produce matching callable IDs.
+            if (functionTypeParameters.isEmpty()) {
+                val primitiveInfo = (maybeErased as? IrSimpleType)?.let {
+                    primitiveTypeMapping.getPrimitiveInfo(it)
+                }
+                if (primitiveInfo != null) {
+                    val parentClass = parent as? IrClass
+                    if (parentClass != null) {
+                        val isClassifierType = javaBinaryMethodParamIsClassifierType(
+                            parentClass,
+                            name,
+                            allParamTypes.size,
+                            name == "<init>",
+                            it.index
+                        )
+                        if (isClassifierType == true) {
+                            maybeErased = primitiveInfo.javaClass.symbol.typeWith()
+                        }
+                    }
+                }
+            }
             "{${useType(maybeErased).javaResult.id}}"
         }
         val paramTypeIds =
             allParamTypes
                 .withIndex()
                 .joinToString(separator = ",", transform = getIdForFunctionLabel)
-        val labelReturnType =
+        var labelReturnType =
             if (name == "<init>") pluginContext.irBuiltIns.unitType
             else
                 erase(
@@ -1489,6 +1535,28 @@ open class KotlinUsesExtractor(
                         pluginContext
                     )
                 )
+        // K2 compatibility: same as for parameters, if the Java binary method return type is a
+        // reference type but K2 enhanced it to a Kotlin primitive, use the boxed Java class.
+        if (functionTypeParameters.isEmpty() && name != "<init>") {
+            val primitiveInfo = (labelReturnType as? IrSimpleType)?.let {
+                primitiveTypeMapping.getPrimitiveInfo(it)
+            }
+            if (primitiveInfo != null) {
+                val parentClass = parent as? IrClass
+                if (parentClass != null) {
+                    val returnIsClassifier =
+                        javaBinaryMethodReturnIsClassifierType(
+                            parentClass,
+                            name,
+                            allParamTypes.size,
+                            false
+                        )
+                    if (returnIsClassifier == true) {
+                        labelReturnType = primitiveInfo.javaClass.symbol.typeWith()
+                    }
+                }
+            }
+        }
         // Note that `addJavaLoweringWildcards` is not required here because the return type used to
         // form the function
         // label is always erased.
@@ -1594,9 +1662,23 @@ open class KotlinUsesExtractor(
     }
 
     @OptIn(ObsoleteDescriptorBasedAPI::class)
-    fun getJavaCallable(f: IrFunction) =
-        (f.descriptor.source as? JavaSourceElement)?.javaElement as? JavaMember
+    fun getJavaCallable(f: IrFunction): JavaMember? {
+        val fromDescriptor = (f.descriptor.source as? JavaSourceElement)?.javaElement as? JavaMember
+        if (fromDescriptor != null) return fromDescriptor
 
+        // K2 fallback: under K2, descriptor.source may not carry JavaSourceElement for binary Java
+        // methods. Try to get the JavaMember from the parent class's binary class directly.
+        val parentClass = f.parentClassOrNull ?: return null
+        val binaryJavaClass = (parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass
+            ?: return null
+        val name = getFunctionShortName(f).nameInDB
+        val nParams = f.codeQlValueParameters.size
+        return if (f is IrConstructor) {
+            binaryJavaClass.constructors.find { it.valueParameters.size == nParams }
+        } else {
+            binaryJavaClass.methods.find { it.name.asString() == name && it.valueParameters.size == nParams }
+        }
+    }
     fun getJavaValueParameterType(m: JavaMember, idx: Int) =
         when (m) {
             is JavaMethod -> m.valueParameters[idx].type

java/kotlin-extractor/src/main/kotlin/TrapWriter.kt

@@ -51,6 +51,13 @@ class TrapLabelManager {
      * to avoid duplication.
      */
     val fileClassLocationsExtracted = HashSet<IrFile>()
+
+    /**
+     * Tracks external file classes (by FqName) whose location has been set from a binary path.
+     * Used to avoid writing duplicate hasLocation facts for external file class entities extracted
+     * through the K2 code path where declarations sit directly under IrExternalPackageFragment.
+     */
+    val externalFileClassLocationsExtracted = HashSet<org.jetbrains.kotlin.name.FqName>()
 }
 
 /**

java/kotlin-extractor/src/main/kotlin/utils/ClassNames.kt

@@ -17,6 +17,7 @@ import org.jetbrains.kotlin.load.kotlin.JvmPackagePartSource
 import org.jetbrains.kotlin.load.kotlin.KotlinJvmBinarySourceElement
 import org.jetbrains.kotlin.load.kotlin.VirtualFileKotlinClass
 import org.jetbrains.kotlin.name.FqName
+import org.jetbrains.kotlin.serialization.deserialization.descriptors.DeserializedContainerSource
 
 // Adapted from Kotlin's interpreter/Utils.kt function 'internalName'
 // Translates class names into their JLS section 13.1 binary name,
@@ -176,15 +177,238 @@ fun getIrDeclarationBinaryPath(d: IrDeclaration): String? {
         // This is in a file class.
         val fqName = getFileClassFqName(d)
         if (fqName != null) {
+            if (d is IrMemberWithContainerSource) {
+                val containerBinaryPath = getContainerSourceBinaryPath(d.containerSource)
+                if (containerBinaryPath != null) {
+                    return normalizeExternalFileClassBinaryPath(containerBinaryPath, fqName)
+                }
+            }
             return getUnknownBinaryLocation(fqName.asString())
         }
     }
     return null
 }
 
+/**
+ * Attempts to get the binary file path from a container source (typically a
+ * [JvmPackagePartSource]). Returns null if the path is unavailable.
+ */
+fun getContainerSourceBinaryPath(containerSource: org.jetbrains.kotlin.serialization.deserialization.descriptors.DeserializedContainerSource?): String? {
+    if (containerSource !is JvmPackagePartSource) return null
+    val binaryClass = containerSource.knownJvmBinaryClass ?: return null
+    return when (binaryClass) {
+        is VirtualFileKotlinClass -> {
+            val vf = binaryClass.file
+            val path = vf.path
+            if (vf.fileSystem.protocol == StandardFileSystems.JRT_PROTOCOL)
+                "/${path.split("!/", limit = 2)[1]}"
+            else path
+        }
+        else -> binaryClass.location.takeIf { it.isNotEmpty() }
+    }
+}
+
 private fun getUnknownBinaryLocation(s: String): String {
     return "/!unknown-binary-location/${s.replace(".", "/")}.class"
 }
 
+fun normalizeExternalFileClassBinaryPath(path: String, fqName: FqName): String {
+    if (path.contains(".kotlinc_installed")) {
+        return getUnknownBinaryLocation(fqName.asString())
+    }
+    val normalizedPath = path.replace('\\', '/')
+    val classInternalPath = "${fqName.asString().replace(".", "/")}.class"
+    val classSuffix = "/$classInternalPath"
+    if (normalizedPath.endsWith(classSuffix)) {
+        val classpathRoot = normalizedPath.removeSuffix(classSuffix).substringAfterLast('/')
+        if (classpathRoot.isNotEmpty()) {
+            return "$classpathRoot/$classInternalPath"
+        }
+    }
+    return path
+}
+
+fun shouldUseConcreteExternalFileClassLocation(path: String): Boolean {
+    val normalizedPath = path.replace('\\', '/')
+    return normalizedPath.contains("/") &&
+        !normalizedPath.startsWith("/!unknown-binary-location/")
+}
+
 fun getJavaEquivalentClassId(c: IrClass) =
     c.fqNameWhenAvailable?.toUnsafe()?.let { JavaToKotlinClassMap.mapKotlinToJava(it) }
+
+/**
+ * Checks whether a specific parameter of a Java binary method (identified by [methodName] and
+ * [paramIndex]) is a reference type (as opposed to a Java primitive). This is used to detect
+ * cases where K2 FIR has enhanced a reference type parameter (e.g. `@NotNull Integer`) to a
+ * Kotlin primitive (e.g. `kotlin.Int`), so that callable labels can use the original reference
+ * type and remain compatible with the Java extractor's callable IDs.
+ *
+ * Under K1, binary Java classes use [JavaSourceElement] and we can check [BinaryJavaClass.methods]
+ * directly. Under K2, they use [VirtualFileBasedSourceElement] and we fall back to reading the
+ * class bytes with ASM.
+ *
+ * Returns `null` if the information cannot be determined.
+ */
+fun javaBinaryMethodParamIsClassifierType(
+    parentClass: IrClass,
+    methodName: String,
+    nParams: Int,
+    isConstructor: Boolean,
+    paramIndex: Int
+): Boolean? {
+    // K1 path: binary Java class has JavaSourceElement with a BinaryJavaClass.
+    val k1ParamKinds =
+        ((parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.let {
+            binaryJavaClass ->
+            if (isConstructor)
+                binaryJavaClass.constructors
+                    .asSequence()
+                    .filter { it.valueParameters.size == nParams }
+                    .mapNotNull { it.valueParameters.getOrNull(paramIndex)?.type }
+                    .map { it is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
+                    .toSet()
+            else
+                binaryJavaClass.methods
+                    .asSequence()
+                    .filter { it.name.asString() == methodName && it.valueParameters.size == nParams }
+                    .mapNotNull { it.valueParameters.getOrNull(paramIndex)?.type }
+                    .map { it is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
+                    .toSet()
+        }
+    if (k1ParamKinds != null && k1ParamKinds.isNotEmpty()) {
+        return k1ParamKinds.singleOrNull()
+    }
+
+    // K2 path: binary Java class has VirtualFileBasedSourceElement
+    if (parentClass.source !is VirtualFileBasedSourceElement) return null
+    val vf = (parentClass.source as VirtualFileBasedSourceElement).virtualFile
+    if (!vf.name.endsWith(".class")) return null
+
+    return try {
+        val bytes = vf.contentsToByteArray()
+        val expectedMethodName = if (isConstructor) "<init>" else methodName
+        val descriptorKinds = mutableSetOf<Boolean>()
+        val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
+        reader.accept(
+            object : org.jetbrains.org.objectweb.asm.ClassVisitor(
+                org.jetbrains.org.objectweb.asm.Opcodes.ASM9
+            ) {
+                override fun visitMethod(
+                    access: Int,
+                    name: String,
+                    descriptor: String,
+                    signature: String?,
+                    exceptions: Array<String>?
+                ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
+                    if (name != expectedMethodName) return null
+                    val paramDescriptors = parseAsmMethodDescriptorParams(descriptor)
+                    if (paramDescriptors.size != nParams) return null
+                    val paramDesc = paramDescriptors.getOrNull(paramIndex) ?: return null
+                    // Reference types start with 'L' or '['; Java primitives are single chars
+                    descriptorKinds.add(paramDesc.startsWith("L") || paramDesc.startsWith("["))
+                    return null
+                }
+            },
+            org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
+                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
+                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
+        )
+        descriptorKinds.singleOrNull()
+    } catch (e: Exception) {
+        null
+    }
+}
+
+/**
+ * Checks whether the return type of a Java binary method (identified by [methodName] and
+ * [nParams]) is a reference type (as opposed to a Java primitive).
+ *
+ * Returns `null` if the information cannot be determined.
+ */
+fun javaBinaryMethodReturnIsClassifierType(
+    parentClass: IrClass,
+    methodName: String,
+    nParams: Int,
+    isConstructor: Boolean
+): Boolean? {
+    if (isConstructor) return false
+
+    // K1 path: binary Java class has JavaSourceElement with a BinaryJavaClass.
+    val k1ReturnKinds =
+        ((parentClass.source as? JavaSourceElement)?.javaElement as? BinaryJavaClass)?.methods
+            ?.asSequence()
+            ?.filter { it.name.asString() == methodName && it.valueParameters.size == nParams }
+            ?.map { it.returnType is org.jetbrains.kotlin.load.java.structure.JavaClassifierType }
+            ?.toSet()
+    if (k1ReturnKinds != null && k1ReturnKinds.isNotEmpty()) {
+        return k1ReturnKinds.singleOrNull()
+    }
+
+    // K2 path: binary Java class has VirtualFileBasedSourceElement
+    if (parentClass.source !is VirtualFileBasedSourceElement) return null
+    val vf = (parentClass.source as VirtualFileBasedSourceElement).virtualFile
+    if (!vf.name.endsWith(".class")) return null
+
+    return try {
+        val bytes = vf.contentsToByteArray()
+        val returnKinds = mutableSetOf<Boolean>()
+        val reader = org.jetbrains.org.objectweb.asm.ClassReader(bytes)
+        reader.accept(
+            object : org.jetbrains.org.objectweb.asm.ClassVisitor(
+                org.jetbrains.org.objectweb.asm.Opcodes.ASM9
+            ) {
+                override fun visitMethod(
+                    access: Int,
+                    name: String,
+                    descriptor: String,
+                    signature: String?,
+                    exceptions: Array<String>?
+                ): org.jetbrains.org.objectweb.asm.MethodVisitor? {
+                    if (name != methodName) return null
+                    if (parseAsmMethodDescriptorParams(descriptor).size != nParams) return null
+                    val returnDescriptor = descriptor.substring(descriptor.lastIndexOf(')') + 1)
+                    returnKinds.add(
+                        returnDescriptor.startsWith("L") || returnDescriptor.startsWith("[")
+                    )
+                    return null
+                }
+            },
+            org.jetbrains.org.objectweb.asm.ClassReader.SKIP_CODE or
+                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_DEBUG or
+                org.jetbrains.org.objectweb.asm.ClassReader.SKIP_FRAMES
+        )
+        returnKinds.singleOrNull()
+    } catch (e: Exception) {
+        null
+    }
+}
+
+fun parseAsmMethodDescriptorParams(descriptor: String): List<String> {
+    val params = mutableListOf<String>()
+    var i = descriptor.indexOf('(') + 1
+    val end = descriptor.lastIndexOf(')')
+    while (i < end) {
+        when (val c = descriptor[i]) {
+            'L' -> {
+                val semi = descriptor.indexOf(';', i)
+                params.add(descriptor.substring(i, semi + 1))
+                i = semi + 1
+            }
+            '[' -> {
+                var j = i + 1
+                while (j < end && descriptor[j] == '[') j++
+                if (descriptor[j] == 'L') {
+                    val semi = descriptor.indexOf(';', j)
+                    params.add(descriptor.substring(i, semi + 1))
+                    i = semi + 1
+                } else {
+                    params.add(descriptor.substring(i, j + 1))
+                    i = j + 1
+                }
+            }
+            else -> { params.add(c.toString()); i++ }
+        }
+    }
+    return params
+}

java/ql/integration-tests/java/android-8-sample/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-kotlin-build-script-no-wrapper/settings.gradle.kts

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-kotlin-build-script/settings.gradle.kts

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-no-wrapper/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script-no-wrapper/build.gradle.kts

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script/build.gradle.kts

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style-no-wrapper/build.gradle

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 
     /**
@@ -39,6 +41,8 @@ buildscript {
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }

java/ql/integration-tests/java/android-sample-old-style/build.gradle

@@ -13,7 +13,9 @@ buildscript {
 
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 
     /**
@@ -32,13 +34,15 @@ buildscript {
  * dependencies used by all modules in your project, such as third-party plugins
  * or libraries. However, you should configure module-specific dependencies in
  * each module-level build.gradle file. For new projects, Android Studio
- * includes JCenter and Google's Maven repository by default, but it does not
+ * includes Maven Central and Google's Maven repository by default, but it does not
  * configure any dependencies (unless you select a template that requires some).
  */
 
 allprojects {
     repositories {
         google()
-        jcenter()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }

java/ql/integration-tests/java/android-sample/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/buildless-gradle-boms/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected

@@ -1,5 +1,5 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
-https://repo.maven.apache.org/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
-https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
-https://repo.maven.apache.org/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
-https://repo.maven.apache.org/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar

java/ql/integration-tests/java/buildless-gradle-classifiers/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle-classifiers/buildless-fetches.expected

@@ -1,2 +1,2 @@
-https://repo.maven.apache.org/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-gradle-timeout/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-gradle/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-gradle/buildless-fetches.expected

@@ -1 +1 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-proxy-gradle/build.gradle

@@ -8,7 +8,9 @@
 apply plugin: 'java-library'
 
 repositories {
-  mavenCentral()
+  maven {
+    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+  }
 }
 
 dependencies {

java/ql/integration-tests/java/buildless-proxy-gradle/buildless-fetches.expected

@@ -1 +1 @@
-https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar

java/ql/integration-tests/java/buildless-sibling-projects/buildless-fetches.expected

@@ -1,3 +1,7 @@
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
+https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.12/junit-4.12.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
+https://maven-central.storage-download.googleapis.com/maven2/org/slf4j/slf4j-api/1.7.21/slf4j-api-1.7.21.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -9,10 +13,7 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
-https://repo.maven.apache.org/maven2/junit/junit/4.12/junit-4.12.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
-https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar

java/ql/integration-tests/java/buildless-sibling-projects/diagnostics.expected

@@ -98,7 +98,7 @@
   }
 }
 {
-  "markdownMessage": "Reading the dependency graph from build files provided 3 classpath entries",
+  "markdownMessage": "Reading the dependency graph from build files provided 4 classpath entries",
   "severity": "unknown",
   "source": {
     "extractorName": "java",
@@ -111,31 +111,3 @@
     "telemetry": true
   }
 }
-{
-  "markdownMessage": "Running the Gradle plugin `org.gradle:github-dependency-graph-gradle-plugin` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
-  "severity": "note",
-  "source": {
-    "extractorName": "java",
-    "id": "java/autobuilder/buildless/github-dependency-graph-gradle-plugin-failed",
-    "name": "Java analysis failed to extract a dependency graph from Gradle"
-  },
-  "visibility": {
-    "cliSummaryTable": true,
-    "statusPage": true,
-    "telemetry": true
-  }
-}
-{
-  "markdownMessage": "Running the Gradle plugin `org.gradle:github-dependency-graph-gradle-plugin` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
-  "severity": "note",
-  "source": {
-    "extractorName": "java",
-    "id": "java/autobuilder/buildless/github-dependency-graph-gradle-plugin-failed",
-    "name": "Java analysis failed to extract a dependency graph from Gradle"
-  },
-  "visibility": {
-    "cliSummaryTable": true,
-    "statusPage": true,
-    "telemetry": true
-  }
-}

java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample2/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/buildless-sibling-projects/settings.xml

@@ -0,0 +1,10 @@
+<settings>
+  <mirrors>
+    <mirror>
+      <id>google-maven-central</id>
+      <name>GCS Maven Central mirror</name>
+      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
+      <mirrorOf>central</mirrorOf>
+    </mirror>
+  </mirrors>
+</settings>

java/ql/integration-tests/java/buildless-sibling-projects/source_archive.expected

@@ -26,4 +26,5 @@ maven-project-2/src/main/resources/my-app.properties
 maven-project-2/src/main/resources/page.xml
 maven-project-2/src/main/resources/struts.xml
 maven-project-2/src/test/java/com/example/AppTest4.java
+settings.xml
 test-db/working/settings.xml

java/ql/integration-tests/java/buildless-sibling-projects/test.py

@@ -1,3 +1,5 @@
+import os
+
 def test(codeql, use_java_11, java, actions_toolchains_file, check_diagnostics_java):
     # The version of gradle used doesn't work on java 17
     codeql.database.create(
@@ -5,5 +7,6 @@ def test(codeql, use_java_11, java, actions_toolchains_file, check_diagnostics_j
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
             "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
             "LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file),
+            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
         }
     )

java/ql/integration-tests/java/diagnostics/android-gradle-incompatibility/settings.gradle

@@ -14,7 +14,9 @@ pluginManagement {
     repositories {
         gradlePluginPortal()
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 dependencyResolutionManagement {
@@ -33,7 +35,9 @@ dependencyResolutionManagement {
     repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
     repositories {
         google()
-        mavenCentral()
+        maven {
+            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+        }
     }
 }
 rootProject.name = "Android Sample"

java/ql/integration-tests/java/diagnostics/java-version-too-old/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/diagnostics/no-gradle-wrapper/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/gradle-sample-kotlin-script/app/build.gradle.kts

@@ -12,8 +12,9 @@ plugins {
 }
 
 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
+    }
 }
 
 dependencies {

java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/partial-gradle-sample-without-gradle/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/partial-gradle-sample/build.gradle

@@ -12,9 +12,9 @@ apply plugin: 'java'
 
 // In this section you declare where to find the dependencies of your project
 repositories {
-    // Use 'jcenter' for resolving your dependencies.
-    // You can declare any Maven/Ivy/file repository here.
-    jcenter()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 // In this section you declare the dependencies for your production and test code

java/ql/integration-tests/java/spring-boot-sample/build.gradle

@@ -11,7 +11,9 @@ version = '0.0.1-SNAPSHOT'
 // but I omit it to test we recognise the Spring Boot plugin version.
 
 repositories {
-	mavenCentral()
+	maven {
+		url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+	}
 }
 
 dependencies {

java/ql/integration-tests/kotlin/all-platforms/compiler_arguments/app/build.gradle

@@ -15,8 +15,9 @@ plugins {
 }
 
 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 application {

java/ql/integration-tests/kotlin/all-platforms/enhanced-nullability/test.py

@@ -1,11 +1,11 @@
 import pathlib
 
 
-def test(codeql, java_full, kotlinc_2_3_20):
+def test(codeql, java_full):
     java_srcs = " ".join([str(s) for s in pathlib.Path().glob("*.java")])
     codeql.database.create(
         command=[
             f"javac {java_srcs} -d build",
-            "kotlinc -language-version 1.9 user.kt -cp build",
+            "kotlinc -language-version 2.0 user.kt -cp build",
         ]
     )

java/ql/integration-tests/kotlin/all-platforms/external-property-overloads/test.py

@@ -1,6 +1,6 @@
 import commands
 
 
-def test(codeql, java_full, kotlinc_2_3_20):
-    commands.run("kotlinc -language-version 1.9 test.kt -d lib")
-    codeql.database.create(command="kotlinc -language-version 1.9 user.kt -cp lib")
+def test(codeql, java_full):
+    commands.run("kotlinc -language-version 2.0 test.kt -d lib")
+    codeql.database.create(command="kotlinc -language-version 2.0 user.kt -cp lib")

java/ql/integration-tests/kotlin/all-platforms/extractor_information_kotlin1/ExtractorInformation.expected

@@ -9,4 +9,4 @@
 | Percentage of calls with call target | 100 |
 | Total number of lines | 3 |
 | Total number of lines with extension kt | 3 |
-| Uses Kotlin 2: false | 1 |
+| Uses Kotlin 2: true | 1 |

java/ql/integration-tests/kotlin/all-platforms/extractor_information_kotlin1/test.py

@@ -1,2 +1,2 @@
-def test(codeql, java_full, kotlinc_2_3_20):
-    codeql.database.create(command=f"kotlinc -J-Xmx2G -language-version 1.9 SomeClass.kt")
+def test(codeql, java_full):
+    codeql.database.create(command="kotlinc -J-Xmx2G -language-version 2.0 SomeClass.kt")

java/ql/integration-tests/kotlin/all-platforms/file_classes/test.py

@@ -1,6 +1,6 @@
 import commands
 
 
-def test(codeql, java_full, kotlinc_2_3_20):
-    commands.run("kotlinc -language-version 1.9 A.kt")
-    codeql.database.create(command="kotlinc -cp . -language-version 1.9 B.kt C.kt")
+def test(codeql, java_full):
+    commands.run("kotlinc -language-version 2.0 A.kt")
+    codeql.database.create(command="kotlinc -cp . -language-version 2.0 B.kt C.kt")

java/ql/integration-tests/kotlin/all-platforms/gradle_groovy_app/app/build.gradle

@@ -15,8 +15,9 @@ plugins {
 }
 
 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 application {

java/ql/integration-tests/kotlin/all-platforms/gradle_kotlinx_serialization/app/build.gradle

@@ -4,7 +4,9 @@ plugins {
 }
 
 repositories {
-    mavenCentral()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 dependencies {

java/ql/integration-tests/kotlin/all-platforms/java-interface-redeclares-tostring/test.py

@@ -1,6 +1,6 @@
 import commands
 
 
-def test(codeql, java_full, kotlinc_2_3_20):
+def test(codeql, java_full):
     commands.run(["javac", "Test.java", "-d", "bin"])
-    codeql.database.create(command="kotlinc -language-version 1.9 user.kt -cp bin")
+    codeql.database.create(command="kotlinc -language-version 2.0 user.kt -cp bin")

java/ql/integration-tests/kotlin/all-platforms/kotlin_java_lowering_wildcards/test.py

@@ -1,13 +1,13 @@
 import commands
 
 
-def test(codeql, java_full, kotlinc_2_3_20):
+def test(codeql, java_full):
     # Compile the JavaDefns2 copy outside tracing, to make sure the Kotlin view of it matches the Java view seen by the traced javac compilation of JavaDefns.java below.
     commands.run(["javac", "JavaDefns2.java"])
     codeql.database.create(
         command=[
             "kotlinc kotlindefns.kt",
             "javac JavaUser.java JavaDefns.java -cp .",
-            "kotlinc -language-version 1.9 -cp . kotlinuser.kt",
+            "kotlinc -language-version 2.0 -cp . kotlinuser.kt",
         ]
     )

java/ql/integration-tests/kotlin/all-platforms/kotlin_kfunction/app/build.gradle

@@ -15,8 +15,9 @@ plugins {
 }
 
 repositories {
-    // Use Maven Central for resolving dependencies.
-    mavenCentral()
+    maven {
+        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
+    }
 }
 
 application {

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.2.0
+version: 9.2.1-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.5
+version: 1.11.6-dev
 groups:
   - java
   - queries

javascript/ql/lib/change-notes/2026-06-22-angular-hostlistener-postmessage.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for Angular's `@HostListener('window:message', ...)` and `@HostListener('document:message', ...)` decorators as `postMessage` event handlers. The decorated method's event parameter is now recognized as a client-side remote flow source, and is considered by the `js/missing-origin-check` query.

javascript/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.8.0
+version: 2.8.1-dev
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript

javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll

@@ -195,6 +195,18 @@ class PostMessageEventHandler extends Function {
       rhs = DataFlow::globalObjectRef().getAPropertyWrite("onmessage").getRhs() and
       rhs.getABoundFunctionValue(paramIndex).getFunction() = this
     )
+    or
+    // Angular's `@HostListener('window:message', ['$event'])` decorator registers
+    // a method as a `message` event handler on the global `window` or `document`
+    // target.  The decorated method receives the `MessageEvent` as its first
+    // parameter, so it is equivalent to `window.addEventListener('message', ...)`.
+    exists(MethodDefinition method, DataFlow::CallNode decorator |
+      decorator = DataFlow::moduleMember("@angular/core", "HostListener").getACall() and
+      decorator = method.getADecorator().getExpression().flow() and
+      decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message"]) and
+      method.getBody() = this and
+      paramIndex = 0
+    )
   }
 
   /**

javascript/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.4.0
+version: 2.4.1-dev
 groups:
   - javascript
   - queries

javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/Angular.ts

@@ -0,0 +1,29 @@
+import { Component, HostListener } from '@angular/core';
+
+@Component({ selector: 'app-root' })
+class AngularComponent {
+  // Angular registers this as a `window` message handler via the decorator,
+  // equivalent to `window.addEventListener('message', ...)`.
+  @HostListener('window:message', ['$event'])
+  onWindowMessage(event: MessageEvent): void { // $ Alert - no origin check
+    eval(event.data);
+  }
+
+  @HostListener('document:message', ['$event'])
+  onDocumentMessage(event: MessageEvent): void { // $ Alert - no origin check
+    eval(event.data);
+  }
+
+  @HostListener('window:message', ['$event'])
+  onCheckedMessage(event: MessageEvent): void { // OK - has an origin check
+    if (event.origin === 'https://www.example.com') {
+      eval(event.data);
+    }
+  }
+
+  // Not a message event, so it is not a postMessage handler.
+  @HostListener('window:resize', ['$event'])
+  onResize(event: MessageEvent): void { // OK - not a message handler
+    eval(event.data);
+  }
+}

javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/MissingOriginCheck.expected

@@ -1,3 +1,5 @@
+| Angular.ts:8:19:8:23 | event | Postmessage handler has no origin check. |
+| Angular.ts:13:21:13:25 | event | Postmessage handler has no origin check. |
 | tst.js:11:20:11:24 | event | Postmessage handler has no origin check. |
 | tst.js:24:27:24:27 | e | Postmessage handler has no origin check. |
 | tst.js:40:27:40:27 | e | Postmessage handler has no origin check. |

misc/suite-helpers/qlpack.yml

@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.52
+version: 1.0.53-dev
 groups: shared
 warnOnImplicitThis: true

python/ql/lib/change-notes/2026-05-19-flask-subclasses.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* `Flask::FlaskApp::instance()` will now also return instances of subclasses defined in the source tree. Previously, these were filtered out. `Flask::FlaskApp::classRef()` has been deprecated in favor of `Flask::FlaskApp::subclassRef()` since it already returned some subclasses.

python/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.2.0
+version: 7.2.1-dev
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -71,14 +71,21 @@ module Flask {
    * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.
    */
   module FlaskApp {
-    /** Gets a reference to the `flask.Flask` class. */
-    API::Node classRef() {
-      result = API::moduleImport("flask").getMember("Flask") or
+    /**
+     * Gets a reference to the `flask.Flask` class or any subclass.
+     *
+     * Deprecated: Use `subclassRef()` instead, this predicate always returned some subclasses.
+     */
+    deprecated API::Node classRef() { result = subclassRef() }
+
+    /** Gets a reference to the `flask.Flask` class or any subclass. */
+    API::Node subclassRef() {
+      result = API::moduleImport("flask").getMember("Flask").getASubclass*() or
       result = ModelOutput::getATypeNode("flask.Flask~Subclass").getASubclass*()
     }
 
     /** Gets a reference to an instance of `flask.Flask` (a flask application). */
-    API::Node instance() { result = classRef().getReturn() }
+    API::Node instance() { result = subclassRef().getReturn() }
   }
 
   /**
@@ -132,7 +139,7 @@ module Flask {
     API::Node classRef() {
       result = API::moduleImport("flask").getMember("Response")
       or
-      result = [FlaskApp::classRef(), FlaskApp::instance()].getMember("response_class")
+      result = [FlaskApp::subclassRef(), FlaskApp::instance()].getMember("response_class")
       or
       result = ModelOutput::getATypeNode("flask.Response~Subclass").getASubclass*()
     }

python/ql/src/meta/ClassHierarchy/Find.ql

@@ -351,7 +351,7 @@ class DjangoHttpRequest extends FindSubclassesSpec {
 class FlaskClass extends FindSubclassesSpec {
   FlaskClass() { this = "flask.Flask~Subclass" }
 
-  override API::Node getAlreadyModeledClass() { result = Flask::FlaskApp::classRef() }
+  override API::Node getAlreadyModeledClass() { result = Flask::FlaskApp::subclassRef() }
 }
 
 class FlaskBlueprint extends FindSubclassesSpec {

python/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.8.5
+version: 1.8.6-dev
 groups:
   - python
   - queries

python/ql/test/experimental/meta/InlineInstanceTest.qll

@@ -0,0 +1,29 @@
+/**
+ * Defines an InlineExpectationsTest for class instances, that is,
+ * for any API::Node that is an instance of a class (e.g. `Flask`).
+ */
+
+import python
+import semmle.python.ApiGraphs
+import utils.test.InlineExpectationsTest
+private import semmle.python.dataflow.new.internal.PrintNode
+
+signature API::Node getInstanceSig();
+
+module MakeInlineInstanceTest<getInstanceSig/0 getInstance> {
+  private module InlineInstanceTest implements TestSig {
+    string getARelevantTag() { result = "instance" }
+
+    predicate hasActualResult(Location location, string element, string tag, string value) {
+      exists(location.getFile().getRelativePath()) and
+      exists(API::Node instance | instance = getInstance() |
+        location = instance.getLocation() and
+        element = prettyNode(instance.asSource()) and
+        value = "" and
+        tag = "instance"
+      )
+    }
+  }
+
+  import MakeTest<InlineInstanceTest>
+}

python/ql/test/library-tests/frameworks/flask/InlineInstanceTest.ql

@@ -0,0 +1,8 @@
+import python
+import semmle.python.frameworks.Flask
+import semmle.python.ApiGraphs
+import experimental.meta.InlineInstanceTest
+
+API::Node getInstance() { result = Flask::FlaskApp::instance() }
+
+import MakeInlineInstanceTest<getInstance/0>

python/ql/test/library-tests/frameworks/flask/flask_subclass.py

@@ -0,0 +1,14 @@
+from flask import Flask
+
+
+class Sub(Flask):
+    def __init__(self, *args, **kwargs):
+        Flask.__init__(self, *args, **kwargs)
+
+
+app = Sub(__name__) # $ instance
+
+
+@app.route("/") # $ routeSetup="/"
+def hello(): # $ requestHandler
+    return "world" # $ HttpResponse

python/ql/test/library-tests/frameworks/flask/old_test.py

@@ -1,7 +1,7 @@
 import flask
 
 from flask import Flask, request, make_response
-app = Flask(__name__)
+app = Flask(__name__) # $ instance
 
 @app.route("/")  # $ routeSetup="/"
 def hello_world():  # $ requestHandler

python/ql/test/library-tests/frameworks/flask/response_test.py

@@ -3,7 +3,7 @@ import json
 from flask import Flask, make_response, jsonify, Response, request, redirect
 from werkzeug.datastructures import Headers
 
-app = Flask(__name__)
+app = Flask(__name__) # $ instance
 
 
 @app.route("/html1")  # $ routeSetup="/html1"

python/ql/test/library-tests/frameworks/flask/routing_test.py

@@ -1,7 +1,7 @@
 import flask
 
 from flask import Flask, make_response
-app = Flask(__name__)
+app = Flask(__name__) # $ instance
 
 
 SOME_ROUTE = "/some/route"

python/ql/test/library-tests/frameworks/flask/save_uploaded_file.py

@@ -1,5 +1,5 @@
 from flask import Flask, request
-app = Flask(__name__)
+app = Flask(__name__) # $ instance
 
 @app.route("/save-uploaded-file")  # $ routeSetup="/save-uploaded-file"
 def test_taint():  # $ requestHandler

python/ql/test/library-tests/frameworks/flask/taint_test.py

@@ -1,5 +1,5 @@
 from flask import Flask, request, render_template_string, stream_template_string
-app = Flask(__name__)
+app = Flask(__name__) # $ instance
 
 @app.route("/test_taint/<name>/<int:number>")  # $ routeSetup="/test_taint/<name>/<int:number>"
 def test_taint(name = "World!", number="0", foo="foo"):  # $ requestHandler routedParameter=name routedParameter=number

python/ql/test/library-tests/frameworks/flask/template_test.py

@@ -1,5 +1,5 @@
 from flask import Flask, Response, stream_with_context, render_template_string, stream_template_string
-app = Flask(__name__)
+app = Flask(__name__) # $ instance
 
 @app.route("/a")  # $ routeSetup="/a"
 def a():  # $ requestHandler

ql/ql/src/codeql_ql/ast/internal/TreeSitter.qll

@@ -1312,6 +1312,244 @@ module QL {
     /** Gets a field or child node of this node. */
     final override AstNode getAFieldOrChild() { ql_variable_def(this, result) }
   }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(AddExpr).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(AddExpr).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(AddExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Aggregate).getChild(i) and name = "getChild"
+      or
+      result = node.(AnnotArg).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Annotation).getArgs(i) and name = "getArgs"
+      or
+      result = node.(Annotation).getName() and i = -1 and name = "getName"
+      or
+      result = node.(AritylessPredicateExpr).getName() and i = -1 and name = "getName"
+      or
+      result = node.(AritylessPredicateExpr).getQualifier() and i = -1 and name = "getQualifier"
+      or
+      result = node.(AsExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(AsExprs).getChild(i) and name = "getChild"
+      or
+      result = node.(Body).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Bool).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(CallBody).getChild(i) and name = "getChild"
+      or
+      result = node.(CallOrUnqualAggExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(Charpred).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Charpred).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ClassMember).getChild(i) and name = "getChild"
+      or
+      result = node.(ClasslessPredicate).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ClasslessPredicate).getReturnType() and i = -1 and name = "getReturnType"
+      or
+      result = node.(ClasslessPredicate).getChild(i) and name = "getChild"
+      or
+      result = node.(CompTerm).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(CompTerm).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(CompTerm).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Conjunction).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Conjunction).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(Dataclass).getExtends(i) and name = "getExtends"
+      or
+      result = node.(Dataclass).getInstanceof(i) and name = "getInstanceof"
+      or
+      result = node.(Dataclass).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Dataclass).getChild(i) and name = "getChild"
+      or
+      result = node.(Datatype).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Datatype).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(DatatypeBranch).getName() and i = -1 and name = "getName"
+      or
+      result = node.(DatatypeBranch).getChild(i) and name = "getChild"
+      or
+      result = node.(DatatypeBranches).getChild(i) and name = "getChild"
+      or
+      result = node.(Disjunction).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Disjunction).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(ExprAggregateBody).getAsExprs() and i = -1 and name = "getAsExprs"
+      or
+      result = node.(ExprAggregateBody).getOrderBys() and i = -1 and name = "getOrderBys"
+      or
+      result = node.(ExprAnnotation).getAnnotArg() and i = -1 and name = "getAnnotArg"
+      or
+      result = node.(ExprAnnotation).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ExprAnnotation).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Field).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(FullAggregateBody).getAsExprs() and i = -1 and name = "getAsExprs"
+      or
+      result = node.(FullAggregateBody).getGuard() and i = -1 and name = "getGuard"
+      or
+      result = node.(FullAggregateBody).getOrderBys() and i = -1 and name = "getOrderBys"
+      or
+      result = node.(FullAggregateBody).getChild(i) and name = "getChild"
+      or
+      result = node.(HigherOrderTerm).getName() and i = -1 and name = "getName"
+      or
+      result = node.(HigherOrderTerm).getChild(i) and name = "getChild"
+      or
+      result = node.(IfTerm).getCond() and i = -1 and name = "getCond"
+      or
+      result = node.(IfTerm).getFirst() and i = -1 and name = "getFirst"
+      or
+      result = node.(IfTerm).getSecond() and i = -1 and name = "getSecond"
+      or
+      result = node.(Implication).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Implication).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(ImportDirective).getChild(i) and name = "getChild"
+      or
+      result = node.(ImportModuleExpr).getQualName(i) and name = "getQualName"
+      or
+      result = node.(ImportModuleExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(InExpr).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(InExpr).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(InstanceOf).getChild(i) and name = "getChild"
+      or
+      result = node.(Literal).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(MemberPredicate).getName() and i = -1 and name = "getName"
+      or
+      result = node.(MemberPredicate).getReturnType() and i = -1 and name = "getReturnType"
+      or
+      result = node.(MemberPredicate).getChild(i) and name = "getChild"
+      or
+      result = node.(Module).getImplements(i) and name = "getImplements"
+      or
+      result = node.(Module).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Module).getParameter(i) and name = "getParameter"
+      or
+      result = node.(Module).getChild(i) and name = "getChild"
+      or
+      result = node.(ModuleAliasBody).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ModuleExpr).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ModuleExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ModuleInstantiation).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ModuleInstantiation).getChild(i) and name = "getChild"
+      or
+      result = node.(ModuleMember).getChild(i) and name = "getChild"
+      or
+      result = node.(ModuleName).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ModuleParam).getParameter() and i = -1 and name = "getParameter"
+      or
+      result = node.(ModuleParam).getSignature() and i = -1 and name = "getSignature"
+      or
+      result = node.(MulExpr).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(MulExpr).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(MulExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Negation).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(OrderBy).getChild(i) and name = "getChild"
+      or
+      result = node.(OrderBys).getChild(i) and name = "getChild"
+      or
+      result = node.(ParExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(PredicateAliasBody).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(PredicateExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(PrefixCast).getChild(i) and name = "getChild"
+      or
+      result = node.(Ql).getChild(i) and name = "getChild"
+      or
+      result = node.(QualifiedRhs).getName() and i = -1 and name = "getName"
+      or
+      result = node.(QualifiedRhs).getChild(i) and name = "getChild"
+      or
+      result = node.(QualifiedExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(Quantified).getExpr() and i = -1 and name = "getExpr"
+      or
+      result = node.(Quantified).getFormula() and i = -1 and name = "getFormula"
+      or
+      result = node.(Quantified).getRange() and i = -1 and name = "getRange"
+      or
+      result = node.(Quantified).getChild(i) and name = "getChild"
+      or
+      result = node.(Range).getLower() and i = -1 and name = "getLower"
+      or
+      result = node.(Range).getUpper() and i = -1 and name = "getUpper"
+      or
+      result = node.(Select).getChild(i) and name = "getChild"
+      or
+      result = node.(SetLiteral).getChild(i) and name = "getChild"
+      or
+      result = node.(SignatureExpr).getModExpr() and i = -1 and name = "getModExpr"
+      or
+      result = node.(SignatureExpr).getPredicate() and i = -1 and name = "getPredicate"
+      or
+      result = node.(SignatureExpr).getTypeExpr() and i = -1 and name = "getTypeExpr"
+      or
+      result = node.(SpecialCall).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(SuperRef).getChild(i) and name = "getChild"
+      or
+      result = node.(TypeAliasBody).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(TypeExpr).getName() and i = -1 and name = "getName"
+      or
+      result = node.(TypeExpr).getQualifier() and i = -1 and name = "getQualifier"
+      or
+      result = node.(TypeExpr).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(TypeUnionBody).getChild(i) and name = "getChild"
+      or
+      result = node.(UnaryExpr).getChild(i) and name = "getChild"
+      or
+      result = node.(UnqualAggBody).getAsExprs(i) and name = "getAsExprs"
+      or
+      result = node.(UnqualAggBody).getGuard() and i = -1 and name = "getGuard"
+      or
+      result = node.(UnqualAggBody).getChild(i) and name = "getChild"
+      or
+      result = node.(VarDecl).getChild(i) and name = "getChild"
+      or
+      result = node.(VarName).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Variable).getChild() and i = -1 and name = "getChild"
+    }
+  }
 }
 
 overlay[local]
@@ -1669,6 +1907,60 @@ module Dbscheme {
     /** Gets the name of the primary QL class for this element. */
     final override string getAPrimaryQlClass() { result = "Varchar" }
   }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(Annotation).getArgsAnnotation() and i = -1 and name = "getArgsAnnotation"
+      or
+      result = node.(Annotation).getSimpleAnnotation() and i = -1 and name = "getSimpleAnnotation"
+      or
+      result = node.(ArgsAnnotation).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ArgsAnnotation).getChild(i) and name = "getChild"
+      or
+      result = node.(Branch).getQldoc() and i = -1 and name = "getQldoc"
+      or
+      result = node.(Branch).getChild(i) and name = "getChild"
+      or
+      result = node.(CaseDecl).getBase() and i = -1 and name = "getBase"
+      or
+      result = node.(CaseDecl).getDiscriminator() and i = -1 and name = "getDiscriminator"
+      or
+      result = node.(CaseDecl).getChild(i) and name = "getChild"
+      or
+      result = node.(ColType).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Column).getColName() and i = -1 and name = "getColName"
+      or
+      result = node.(Column).getColType() and i = -1 and name = "getColType"
+      or
+      result = node.(Column).getIsRef() and i = -1 and name = "getIsRef"
+      or
+      result = node.(Column).getIsUnique() and i = -1 and name = "getIsUnique"
+      or
+      result = node.(Column).getQldoc() and i = -1 and name = "getQldoc"
+      or
+      result = node.(Column).getReprType() and i = -1 and name = "getReprType"
+      or
+      result = node.(Dbscheme).getChild(i) and name = "getChild"
+      or
+      result = node.(Entry).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ReprType).getChild(i) and name = "getChild"
+      or
+      result = node.(Table).getTableName() and i = -1 and name = "getTableName"
+      or
+      result = node.(Table).getChild(i) and name = "getChild"
+      or
+      result = node.(TableName).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(UnionDecl).getBase() and i = -1 and name = "getBase"
+      or
+      result = node.(UnionDecl).getChild(i) and name = "getChild"
+    }
+  }
 }
 
 overlay[local]
@@ -1803,6 +2095,24 @@ module Blame {
     /** Gets the name of the primary QL class for this element. */
     final override string getAPrimaryQlClass() { result = "Number" }
   }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(BlameEntry).getDate() and i = -1 and name = "getDate"
+      or
+      result = node.(BlameEntry).getLine(i) and name = "getLine"
+      or
+      result = node.(BlameInfo).getFileEntry(i) and name = "getFileEntry"
+      or
+      result = node.(BlameInfo).getToday() and i = -1 and name = "getToday"
+      or
+      result = node.(FileEntry).getBlameEntry(i) and name = "getBlameEntry"
+      or
+      result = node.(FileEntry).getFileName() and i = -1 and name = "getFileName"
+    }
+  }
 }
 
 overlay[local]
@@ -1977,4 +2287,22 @@ module JSON {
     /** Gets the name of the primary QL class for this element. */
     final override string getAPrimaryQlClass() { result = "True" }
   }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(Array).getChild(i) and name = "getChild"
+      or
+      result = node.(Document).getChild(i) and name = "getChild"
+      or
+      result = node.(Object).getChild(i) and name = "getChild"
+      or
+      result = node.(Pair).getKey() and i = -1 and name = "getKey"
+      or
+      result = node.(Pair).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(String).getChild(i) and name = "getChild"
+    }
+  }
 }

ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll

@@ -1964,6 +1964,340 @@ module Ruby {
     /** Gets a field or child node of this node. */
     final override AstNode getAFieldOrChild() { ruby_yield_child(this, result) }
   }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(Alias).getAlias() and i = -1 and name = "getAlias"
+      or
+      result = node.(Alias).getName() and i = -1 and name = "getName"
+      or
+      result = node.(AlternativePattern).getAlternatives(i) and name = "getAlternatives"
+      or
+      result = node.(ArgumentList).getChild(i) and name = "getChild"
+      or
+      result = node.(Array).getChild(i) and name = "getChild"
+      or
+      result = node.(ArrayPattern).getClass() and i = -1 and name = "getClass"
+      or
+      result = node.(ArrayPattern).getChild(i) and name = "getChild"
+      or
+      result = node.(AsPattern).getName() and i = -1 and name = "getName"
+      or
+      result = node.(AsPattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Assignment).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Assignment).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(BareString).getChild(i) and name = "getChild"
+      or
+      result = node.(BareSymbol).getChild(i) and name = "getChild"
+      or
+      result = node.(Begin).getChild(i) and name = "getChild"
+      or
+      result = node.(BeginBlock).getChild(i) and name = "getChild"
+      or
+      result = node.(Binary).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(Binary).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(Block).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Block).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(BlockArgument).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(BlockBody).getChild(i) and name = "getChild"
+      or
+      result = node.(BlockParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(BlockParameters).getLocals(i) and name = "getLocals"
+      or
+      result = node.(BlockParameters).getChild(i) and name = "getChild"
+      or
+      result = node.(BodyStatement).getChild(i) and name = "getChild"
+      or
+      result = node.(Break).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Call).getArguments() and i = -1 and name = "getArguments"
+      or
+      result = node.(Call).getBlock() and i = -1 and name = "getBlock"
+      or
+      result = node.(Call).getMethod() and i = -1 and name = "getMethod"
+      or
+      result = node.(Call).getOperator() and i = -1 and name = "getOperator"
+      or
+      result = node.(Call).getReceiver() and i = -1 and name = "getReceiver"
+      or
+      result = node.(Case).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Case).getChild(i) and name = "getChild"
+      or
+      result = node.(CaseMatch).getClauses(i) and name = "getClauses"
+      or
+      result = node.(CaseMatch).getElse() and i = -1 and name = "getElse"
+      or
+      result = node.(CaseMatch).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(ChainedString).getChild(i) and name = "getChild"
+      or
+      result = node.(Class).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Class).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Class).getSuperclass() and i = -1 and name = "getSuperclass"
+      or
+      result = node.(Complex).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Conditional).getAlternative() and i = -1 and name = "getAlternative"
+      or
+      result = node.(Conditional).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Conditional).getConsequence() and i = -1 and name = "getConsequence"
+      or
+      result = node.(DelimitedSymbol).getChild(i) and name = "getChild"
+      or
+      result = node.(DestructuredLeftAssignment).getChild(i) and name = "getChild"
+      or
+      result = node.(DestructuredParameter).getChild(i) and name = "getChild"
+      or
+      result = node.(Do).getChild(i) and name = "getChild"
+      or
+      result = node.(DoBlock).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(DoBlock).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(ElementReference).getBlock() and i = -1 and name = "getBlock"
+      or
+      result = node.(ElementReference).getObject() and i = -1 and name = "getObject"
+      or
+      result = node.(ElementReference).getChild(i) and name = "getChild"
+      or
+      result = node.(Else).getChild(i) and name = "getChild"
+      or
+      result = node.(Elsif).getAlternative() and i = -1 and name = "getAlternative"
+      or
+      result = node.(Elsif).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Elsif).getConsequence() and i = -1 and name = "getConsequence"
+      or
+      result = node.(EndBlock).getChild(i) and name = "getChild"
+      or
+      result = node.(Ensure).getChild(i) and name = "getChild"
+      or
+      result = node.(ExceptionVariable).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Exceptions).getChild(i) and name = "getChild"
+      or
+      result = node.(ExpressionReferencePattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(FindPattern).getClass() and i = -1 and name = "getClass"
+      or
+      result = node.(FindPattern).getChild(i) and name = "getChild"
+      or
+      result = node.(For).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(For).getPattern() and i = -1 and name = "getPattern"
+      or
+      result = node.(For).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Hash).getChild(i) and name = "getChild"
+      or
+      result = node.(HashPattern).getClass() and i = -1 and name = "getClass"
+      or
+      result = node.(HashPattern).getChild(i) and name = "getChild"
+      or
+      result = node.(HashSplatArgument).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(HashSplatParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(HeredocBody).getChild(i) and name = "getChild"
+      or
+      result = node.(If).getAlternative() and i = -1 and name = "getAlternative"
+      or
+      result = node.(If).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(If).getConsequence() and i = -1 and name = "getConsequence"
+      or
+      result = node.(IfGuard).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(IfModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(IfModifier).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(In).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(InClause).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(InClause).getGuard() and i = -1 and name = "getGuard"
+      or
+      result = node.(InClause).getPattern() and i = -1 and name = "getPattern"
+      or
+      result = node.(Interpolation).getChild(i) and name = "getChild"
+      or
+      result = node.(KeywordParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(KeywordParameter).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(KeywordPattern).getKey() and i = -1 and name = "getKey"
+      or
+      result = node.(KeywordPattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Lambda).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Lambda).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(LambdaParameters).getChild(i) and name = "getChild"
+      or
+      result = node.(LeftAssignmentList).getChild(i) and name = "getChild"
+      or
+      result = node.(MatchPattern).getPattern() and i = -1 and name = "getPattern"
+      or
+      result = node.(MatchPattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Method).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Method).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Method).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(MethodParameters).getChild(i) and name = "getChild"
+      or
+      result = node.(Module).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Module).getName() and i = -1 and name = "getName"
+      or
+      result = node.(Next).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(OperatorAssignment).getLeft() and i = -1 and name = "getLeft"
+      or
+      result = node.(OperatorAssignment).getRight() and i = -1 and name = "getRight"
+      or
+      result = node.(OptionalParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(OptionalParameter).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Pair).getKey() and i = -1 and name = "getKey"
+      or
+      result = node.(Pair).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(ParenthesizedPattern).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(ParenthesizedStatements).getChild(i) and name = "getChild"
+      or
+      result = node.(Pattern).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Program).getChild(i) and name = "getChild"
+      or
+      result = node.(Range).getBegin() and i = -1 and name = "getBegin"
+      or
+      result = node.(Range).getEnd() and i = -1 and name = "getEnd"
+      or
+      result = node.(Rational).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Redo).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Regex).getChild(i) and name = "getChild"
+      or
+      result = node.(Rescue).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Rescue).getExceptions() and i = -1 and name = "getExceptions"
+      or
+      result = node.(Rescue).getVariable() and i = -1 and name = "getVariable"
+      or
+      result = node.(RescueModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(RescueModifier).getHandler() and i = -1 and name = "getHandler"
+      or
+      result = node.(RestAssignment).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Retry).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Return).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(RightAssignmentList).getChild(i) and name = "getChild"
+      or
+      result = node.(ScopeResolution).getName() and i = -1 and name = "getName"
+      or
+      result = node.(ScopeResolution).getScope() and i = -1 and name = "getScope"
+      or
+      result = node.(Setter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(SingletonClass).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(SingletonClass).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(SingletonMethod).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(SingletonMethod).getName() and i = -1 and name = "getName"
+      or
+      result = node.(SingletonMethod).getObject() and i = -1 and name = "getObject"
+      or
+      result = node.(SingletonMethod).getParameters() and i = -1 and name = "getParameters"
+      or
+      result = node.(SplatArgument).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(SplatParameter).getName() and i = -1 and name = "getName"
+      or
+      result = node.(String).getChild(i) and name = "getChild"
+      or
+      result = node.(StringArray).getChild(i) and name = "getChild"
+      or
+      result = node.(Subshell).getChild(i) and name = "getChild"
+      or
+      result = node.(Superclass).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(SymbolArray).getChild(i) and name = "getChild"
+      or
+      result = node.(TestPattern).getPattern() and i = -1 and name = "getPattern"
+      or
+      result = node.(TestPattern).getValue() and i = -1 and name = "getValue"
+      or
+      result = node.(Then).getChild(i) and name = "getChild"
+      or
+      result = node.(Unary).getOperand() and i = -1 and name = "getOperand"
+      or
+      result = node.(Undef).getChild(i) and name = "getChild"
+      or
+      result = node.(Unless).getAlternative() and i = -1 and name = "getAlternative"
+      or
+      result = node.(Unless).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Unless).getConsequence() and i = -1 and name = "getConsequence"
+      or
+      result = node.(UnlessGuard).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(UnlessModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(UnlessModifier).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Until).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(Until).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(UntilModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(UntilModifier).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(VariableReferencePattern).getName() and i = -1 and name = "getName"
+      or
+      result = node.(When).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(When).getPattern(i) and name = "getPattern"
+      or
+      result = node.(While).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(While).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(WhileModifier).getBody() and i = -1 and name = "getBody"
+      or
+      result = node.(WhileModifier).getCondition() and i = -1 and name = "getCondition"
+      or
+      result = node.(Yield).getChild() and i = -1 and name = "getChild"
+    }
+  }
 }
 
 overlay[local]
@@ -2107,4 +2441,20 @@ module Erb {
     /** Gets a field or child node of this node. */
     final override AstNode getAFieldOrChild() { erb_template_child(this, _, result) }
   }
+
+  /** Provides predicates for mapping AST nodes to their named children. */
+  module PrintAst {
+    /** Gets a child of `node` returned by the member predicate with the given `name`. If the predicate takes an index argument, `i` is bound to that index, otherwise `i` is `-1` (which is never a valid index). */
+    AstNode getChild(AstNode node, string name, int i) {
+      result = node.(CommentDirective).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Directive).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(GraphqlDirective).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(OutputDirective).getChild() and i = -1 and name = "getChild"
+      or
+      result = node.(Template).getChild(i) and name = "getChild"
+    }
+  }
 }

ruby/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 6.0.0
+version: 6.0.1-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme

ruby/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 1.6.5
+version: 1.6.6-dev
 groups:
   - ruby
   - queries

ruby/ql/test/library-tests/dataflow/string-flow/string-flow.expected

@@ -28,8 +28,6 @@ nodes
 | string_flow.rb:227:10:227:10 | a | semmle.label | a |
 subpaths
 testFailures
-| string_flow.rb:85:10:85:10 | a | Unexpected result: hasValueFlow=a |
-| string_flow.rb:227:10:227:10 | a | Unexpected result: hasValueFlow=a |
 #select
 | string_flow.rb:3:10:3:22 | call to new | string_flow.rb:2:9:2:18 | call to source | string_flow.rb:3:10:3:22 | call to new | $@ | string_flow.rb:2:9:2:18 | call to source | call to source |
 | string_flow.rb:85:10:85:10 | a | string_flow.rb:83:9:83:18 | call to source | string_flow.rb:85:10:85:10 | a | $@ | string_flow.rb:83:9:83:18 | call to source | call to source |

ruby/ql/test/library-tests/dataflow/string-flow/string_flow.rb

@@ -82,7 +82,7 @@ end
 def m_clear
     a = source "a"
     a.clear
-    sink a
+    sink a # $ SPURIOUS: hasValueFlow=a
 end
 
 # concat and prepend omitted because they clash with the summaries for
@@ -224,7 +224,7 @@ def m_replace
     b = source "b"
     sink a.replace(b) # $ hasTaintFlow=b
     # TODO: currently we get value flow for a, because we don't clear content
-    sink a # $ hasTaintFlow=b
+    sink a # $ hasTaintFlow=b SPURIOUS: hasValueFlow=a
 end
 
 def m_reverse
@@ -316,4 +316,4 @@ def m_upto(i)
     a.upto("b", true) { |x| sink x } # $ hasTaintFlow=a
     "b".upto(a) { |x| sink x } # $ hasTaintFlow=a
     "b".upto(a, true) { |x| sink x }
-end
+end

ruby/ql/test/library-tests/frameworks/action_controller/filter_flow.rb

@@ -9,7 +9,7 @@ end
 class OneController < ActionController::Base
   before_action :a
   after_action :c
-  
+
   def a
     @foo = params[:foo]
   end
@@ -18,14 +18,14 @@ class OneController < ActionController::Base
   end
 
   def c
-    sink @foo
+    sink @foo # $ hasTaintFlow
   end
 end
 
 class TwoController < ActionController::Base
   before_action :a
   after_action :c
-  
+
   def a
     @foo = params[:foo]
   end
@@ -35,14 +35,14 @@ class TwoController < ActionController::Base
   end
 
   def c
-    sink @foo
+    sink @foo # $ SPURIOUS: hasTaintFlow
   end
 end
 
 class ThreeController < ActionController::Base
   before_action :a
   after_action :c
-  
+
   def a
     @foo = params[:foo]
     @foo = "safe"
@@ -52,14 +52,14 @@ class ThreeController < ActionController::Base
   end
 
   def c
-    sink @foo
+    sink @foo # $ SPURIOUS: hasTaintFlow
   end
 end
 
 class FourController < ActionController::Base
   before_action :a
   after_action :c
-  
+
   def a
     @foo.bar = params[:foo]
   end
@@ -68,14 +68,14 @@ class FourController < ActionController::Base
   end
 
   def c
-    sink(@foo.bar)
+    sink(@foo.bar) # $ hasTaintFlow
   end
 end
 
 class FiveController < ActionController::Base
   before_action :a
   after_action :c
-  
+
   def a
     self.taint_foo
   end
@@ -84,10 +84,10 @@ class FiveController < ActionController::Base
   end
 
   def c
-    sink  @foo
+    sink  @foo # $ hasTaintFlow
   end
-  
+
   def taint_foo
     @foo = params[:foo]
   end
-end
+end

ruby/ql/test/library-tests/frameworks/action_controller/params-flow.expected

@@ -270,11 +270,6 @@ nodes
 | params_flow.rb:205:10:205:10 | a | semmle.label | a |
 subpaths
 testFailures
-| filter_flow.rb:21:10:21:13 | @foo | Unexpected result: hasTaintFlow |
-| filter_flow.rb:38:10:38:13 | @foo | Unexpected result: hasTaintFlow |
-| filter_flow.rb:55:10:55:13 | @foo | Unexpected result: hasTaintFlow |
-| filter_flow.rb:71:10:71:17 | call to bar | Unexpected result: hasTaintFlow |
-| filter_flow.rb:87:11:87:14 | @foo | Unexpected result: hasTaintFlow |
 #select
 | filter_flow.rb:21:10:21:13 | @foo | filter_flow.rb:14:12:14:17 | call to params | filter_flow.rb:21:10:21:13 | @foo | $@ | filter_flow.rb:14:12:14:17 | call to params | call to params |
 | filter_flow.rb:38:10:38:13 | @foo | filter_flow.rb:30:12:30:17 | call to params | filter_flow.rb:38:10:38:13 | @foo | $@ | filter_flow.rb:30:12:30:17 | call to params | call to params |