hack: dummy change to trigger qlucie

CODEOWNERS

@@ -8,7 +8,6 @@
 /javascript/ @github/codeql-javascript
 /python/ @github/codeql-python
 /ruby/ @github/codeql-ruby
-/rust/ @github/codeql-rust
 /swift/ @github/codeql-swift
 /misc/codegen/ @github/codeql-swift
 /java/kotlin-extractor/ @github/codeql-kotlin
@@ -42,7 +41,6 @@ MODULE.bazel @github/codeql-ci-reviewers
 /.github/workflows/go-* @github/codeql-go
 /.github/workflows/ql-for-ql-* @github/codeql-ql-for-ql-reviewers
 /.github/workflows/ruby-* @github/codeql-ruby
-/.github/workflows/rust.yml @github/codeql-rust
 /.github/workflows/swift.yml @github/codeql-swift
 
 # Misc

Cargo.lock

@@ -154,15 +154,15 @@ checksum = "bef38d45163c2f1dde094a7dfd33ccf595c92905c8f8f4fdc18d06fb1037718a"
 
 [[package]]
 name = "bitflags"
-version = "2.9.0"
+version = "2.8.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5c8214115b7bf84099f1309324e63141d4c5d7cc26862f97a0a857dbefe165bd"
+checksum = "8f68f53c83ab957f72c32642f3868eec03eb974d1fb82e453128456482613d36"
 
 [[package]]
 name = "borsh"
-version = "1.5.5"
+version = "1.5.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5430e3be710b68d984d1391c854eb431a9d548640711faa54eecb1df93db91cc"
+checksum = "2506947f73ad44e344215ccd6403ac2ae18cd8e046e581a441bf8d199f257f03"
 dependencies = [
  "cfg_aliases",
 ]
@@ -224,9 +224,9 @@ dependencies = [
 
 [[package]]
 name = "cargo_metadata"
-version = "0.19.2"
+version = "0.18.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd5eb614ed4c27c5d706420e4320fbe3216ab31fa1c33cd8246ac36dae4479ba"
+checksum = "2d886547e41f740c616ae73108f6eb70afe6d940c7bc697cb30f13daec073037"
 dependencies = [
  "camino",
  "cargo-platform",
@@ -275,7 +275,7 @@ version = "0.100.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4f114996bda14c0213f014a4ef31a7867dcf5f539a3900477fc6b20138e7a17b"
 dependencies = [
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
  "chalk-derive",
 ]
 
@@ -301,7 +301,7 @@ dependencies = [
  "chalk-derive",
  "chalk-ir",
  "ena",
- "indexmap 2.9.0",
+ "indexmap 2.7.0",
  "itertools 0.12.1",
  "petgraph",
  "rustc-hash 1.1.0",
@@ -325,9 +325,9 @@ dependencies = [
 
 [[package]]
 name = "clap"
-version = "4.5.35"
+version = "4.5.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d8aa86934b44c19c50f87cc2790e19f54f7a67aedb64101c2e1a2e5ecfb73944"
+checksum = "6088f3ae8c3608d19260cd7445411865a485688711b78b5be70d78cd96136f83"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -335,9 +335,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.35"
+version = "4.5.32"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2414dbb2dd0695280da6ea9261e327479e9d37b0630f6b53ba2a11c60c679fd9"
+checksum = "22a7ef7f676155edfb82daa97f99441f3ebf4a58d5e32f295a56259f1b6facc8"
 dependencies = [
  "anstream",
  "anstyle",
@@ -622,7 +622,7 @@ version = "0.14.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3d248bdd43ce613d87415282f69b9bb99d947d290b10962dd6c56233312c2ad5"
 dependencies = [
- "log 0.4.27",
+ "log 0.4.25",
 ]
 
 [[package]]
@@ -691,9 +691,9 @@ checksum = "a246d82be1c9d791c5dfde9a2bd045fc3cbba3fa2b11ad558f27d01712f00569"
 
 [[package]]
 name = "equivalent"
-version = "1.0.2"
+version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f"
+checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5"
 
 [[package]]
 name = "figment"
@@ -781,7 +781,7 @@ checksum = "cc6bd114ceda131d3b1d665eba35788690ad37f5916457286b32ab6fd3c438dd"
 dependencies = [
  "cfg-if",
  "libc",
- "log 0.4.27",
+ "log 0.4.25",
  "rustversion",
  "windows",
 ]
@@ -812,7 +812,7 @@ checksum = "15f1ce686646e7f1e19bf7d5533fe443a45dbfb990e00629110797578b42fb19"
 dependencies = [
  "aho-corasick",
  "bstr",
- "log 0.4.27",
+ "log 0.4.25",
  "regex-automata 0.4.9",
  "regex-syntax 0.8.5",
 ]
@@ -918,9 +918,9 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.9.0"
+version = "2.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cea70ddb795996207ad57735b50c5982d8844f38ba9ee5f1aedcfb708a2aa11e"
+checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f"
 dependencies = [
  "equivalent",
  "hashbrown 0.15.2",
@@ -939,7 +939,7 @@ version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f37dccff2791ab604f9babef0ba14fbe0be30bd368dc541e2b08d07c8aa908f3"
 dependencies = [
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
  "inotify-sys",
  "libc",
 ]
@@ -979,9 +979,9 @@ dependencies = [
 
 [[package]]
 name = "itoa"
-version = "1.0.15"
+version = "1.0.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c"
+checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674"
 
 [[package]]
 name = "jod-thread"
@@ -1033,9 +1033,9 @@ checksum = "bbd2bcb4c963f2ddae06a2efc7e9f3591312473c50c6685e1f298068316e66fe"
 
 [[package]]
 name = "libc"
-version = "0.2.171"
+version = "0.2.169"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c19937216e9d3aa9956d9bb8dfc0b0c8beb6058fc4f7a4dc4d850edf86a237d6"
+checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
 
 [[package]]
 name = "libredox"
@@ -1043,7 +1043,7 @@ version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c0ff37bd590ca25063e35af745c343cb7a0271906fb7b37e4813e8f79f00268d"
 dependencies = [
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
  "libc",
  "redox_syscall",
 ]
@@ -1074,14 +1074,14 @@ version = "0.3.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e19e8d5c34a3e0e2223db8e060f9e8264aeeb5c5fc64a4ee9965c062211c024b"
 dependencies = [
- "log 0.4.27",
+ "log 0.4.25",
 ]
 
 [[package]]
 name = "log"
-version = "0.4.27"
+version = "0.4.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94"
+checksum = "04cbf5b083de1c7e0222a7a51dbfdba1cbe1c6ab0b15e29fff3f6c077fd9cd9f"
 
 [[package]]
 name = "loom"
@@ -1096,6 +1096,12 @@ dependencies = [
  "tracing-subscriber",
 ]
 
+[[package]]
+name = "lz4_flex"
+version = "0.11.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75761162ae2b0e580d7e7c390558127e5f01b4194debd6221fd8c207fc80e3f5"
+
 [[package]]
 name = "matchers"
 version = "0.1.0"
@@ -1136,7 +1142,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2886843bf800fba2e3377cff24abf6379b4c4d5c6681eaf9ea5b0d15090450bd"
 dependencies = [
  "libc",
- "log 0.4.27",
+ "log 0.4.25",
  "wasi 0.11.0+wasi-snapshot-preview1",
  "windows-sys 0.52.0",
 ]
@@ -1172,13 +1178,13 @@ version = "8.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2fee8403b3d66ac7b26aee6e40a897d85dc5ce26f44da36b8b73e987cc52e943"
 dependencies = [
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
  "filetime",
  "fsevent-sys",
  "inotify",
  "kqueue",
  "libc",
- "log 0.4.27",
+ "log 0.4.25",
  "mio",
  "notify-types",
  "walkdir",
@@ -1234,9 +1240,9 @@ checksum = "945462a4b81e43c4e3ba96bd7b49d834c6f61198356aa858733bc4acf3cbe62e"
 
 [[package]]
 name = "oorandom"
-version = "11.1.5"
+version = "11.1.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d6790f58c7ff633d8771f42965289203411a5e5c68388703c06e14f24770b41e"
+checksum = "b410bbe7e14ab526a0e86877eb47c6996a2bd7746f027ba551028c925390e4e9"
 
 [[package]]
 name = "os_str_bytes"
@@ -1325,7 +1331,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
  "fixedbitset",
- "indexmap 2.9.0",
+ "indexmap 2.7.0",
 ]
 
 [[package]]
@@ -1392,7 +1398,7 @@ version = "0.100.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f1651b0f7e8c3eb7c27a88f39d277e69c32bfe58e3be174d286c1a24d6a7a4d8"
 dependencies = [
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
  "ra-ap-rustc_hashes",
  "ra-ap-rustc_index",
  "tracing",
@@ -1464,16 +1470,18 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_base_db"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8fd761118bbafe29e2b187e694c6b8e800f2c7822bbc1d9d2db4ac21fb8b0365"
+checksum = "4baa9734d254af14fd603528ad594650dea601b1764492bd39988da38598ae67"
 dependencies = [
  "dashmap 5.5.3",
  "la-arena",
+ "lz4_flex",
  "ra_ap_cfg",
  "ra_ap_intern",
  "ra_ap_query-group-macro",
  "ra_ap_span",
+ "ra_ap_stdx",
  "ra_ap_syntax",
  "ra_ap_vfs",
  "rustc-hash 2.1.1",
@@ -1485,9 +1493,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_cfg"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5ce74ce1af24afd86d3529dbbf5a849d026948b2d8ba51d199b6ea6db6e345b6"
+checksum = "0ef2ba45636c5e585040c0c4bee640737a6001b08309f1a25ca78cf04abfbf90"
 dependencies = [
  "ra_ap_intern",
  "ra_ap_tt",
@@ -1497,20 +1505,20 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_edition"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f423b9fb19e3920e4c7039120d09d9c79070a26efe8ff9f787c7234b07f518c5"
+checksum = "8955c1484d5e7274f755187788ba0d51eb149f870c69cdf0d87c3b7edea20ea0"
 
 [[package]]
 name = "ra_ap_hir"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd4aa8a568b80d288b90c4fa5dc8a3cc405914d261bfd33a3761c1ba41be358d"
+checksum = "a51d7955beff2212701b149bea36d4cf2dc0f5cd129652c9bcf0cb5c0b021078"
 dependencies = [
  "arrayvec",
  "either",
- "indexmap 2.9.0",
- "itertools 0.14.0",
+ "indexmap 2.7.0",
+ "itertools 0.12.1",
  "ra_ap_base_db",
  "ra_ap_cfg",
  "ra_ap_hir_def",
@@ -1529,20 +1537,23 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_hir_def"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "acb18d9378a828a23ccf87b89199db005adb67ba2a05a37d7a3fcad4d1036e66"
+checksum = "e5c97e617e4c585d24b3d4f668861452aedddfbe0262f4c53235dcea77e62f9b"
 dependencies = [
  "arrayvec",
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
  "cov-mark",
+ "dashmap 5.5.3",
  "drop_bomb",
  "either",
  "fst",
- "indexmap 2.9.0",
- "itertools 0.14.0",
+ "hashbrown 0.14.5",
+ "indexmap 2.7.0",
+ "itertools 0.12.1",
  "la-arena",
  "ra-ap-rustc_abi",
+ "ra-ap-rustc_hashes",
  "ra-ap-rustc_parse_format",
  "ra_ap_base_db",
  "ra_ap_cfg",
@@ -1559,20 +1570,21 @@ dependencies = [
  "salsa",
  "smallvec",
  "text-size",
- "thin-vec",
  "tracing",
  "triomphe",
 ]
 
 [[package]]
 name = "ra_ap_hir_expand"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "094fa79d8f661f52cf3b7fb8b3d91c4be2ad9e71a3967d3dacd25429fa44b37d"
+checksum = "be57c0d7e3f2180dd8ea584b11447f34060eadc06f0f6d559e2a790f6e91b6c5"
 dependencies = [
  "cov-mark",
  "either",
- "itertools 0.14.0",
+ "hashbrown 0.14.5",
+ "itertools 0.12.1",
+ "la-arena",
  "ra_ap_base_db",
  "ra_ap_cfg",
  "ra_ap_intern",
@@ -1593,22 +1605,24 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_hir_ty"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "093482d200d5db421db5692e7819bbb14fb717cc8cb0f91f93cce9fde85b3df2"
+checksum = "f260f35748f3035b46a8afcdebda7cb75d95c24750105fad86101d09a9d387c8"
 dependencies = [
  "arrayvec",
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
  "chalk-derive",
  "chalk-ir",
  "chalk-recursive",
  "chalk-solve",
  "cov-mark",
+ "dashmap 5.5.3",
  "either",
  "ena",
- "indexmap 2.9.0",
- "itertools 0.14.0",
+ "indexmap 2.7.0",
+ "itertools 0.12.1",
  "la-arena",
+ "nohash-hasher",
  "oorandom",
  "ra-ap-rustc_abi",
  "ra-ap-rustc_index",
@@ -1633,18 +1647,19 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_ide_db"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b655b92dfa9444db8129321b9217d9e4a83a58ee707aa1004a93052acfb43d57"
+checksum = "0426263be26e27cb55a3b9ef88b120511b66fe7d9b418a2473d6d5f3ac2fe0a6"
 dependencies = [
  "arrayvec",
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
  "cov-mark",
  "crossbeam-channel",
+ "dashmap 5.5.3",
  "either",
  "fst",
- "indexmap 2.9.0",
- "itertools 0.14.0",
+ "indexmap 2.7.0",
+ "itertools 0.12.1",
  "line-index",
  "memchr",
  "nohash-hasher",
@@ -1666,9 +1681,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_intern"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b4e528496b4d4c351806bb073d3d7f6526535741b9e8801776603c924bbec624"
+checksum = "f6ea8c9615b3b0688cf557e7310dbd9432f43860c8ea766d54f4416cbecf3571"
 dependencies = [
  "dashmap 5.5.3",
  "hashbrown 0.14.5",
@@ -1678,16 +1693,17 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_load-cargo"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a97a5070b2f4b99f56683d91b2687aa0c530d8969cc5252ec2ae5644e428ffe"
+checksum = "570907e16725c13a678bfd8050ce8839af2831da042a0878b75ee8c41b0f7b0c"
 dependencies = [
  "anyhow",
  "crossbeam-channel",
- "itertools 0.14.0",
+ "itertools 0.12.1",
  "ra_ap_hir_expand",
  "ra_ap_ide_db",
  "ra_ap_intern",
+ "ra_ap_paths",
  "ra_ap_proc_macro_api",
  "ra_ap_project_model",
  "ra_ap_span",
@@ -1699,9 +1715,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_mbe"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b187ee5ee3fa726eeea5142242a0397e2200d77084026986a68324b9599f9046"
+checksum = "e893fe03b04b30c9b5a339ac2bf39ce32ac9c05a8b50121b7d89ce658346e164"
 dependencies = [
  "arrayvec",
  "cov-mark",
@@ -1710,17 +1726,19 @@ dependencies = [
  "ra_ap_parser",
  "ra_ap_span",
  "ra_ap_stdx",
+ "ra_ap_syntax",
  "ra_ap_syntax-bridge",
  "ra_ap_tt",
  "rustc-hash 2.1.1",
  "smallvec",
+ "tracing",
 ]
 
 [[package]]
 name = "ra_ap_parser"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2306e6c051e60483f3b317fac9dec6c883b7792eeb8db24ec6f39dbfa5430159"
+checksum = "6fd9a264120968b14a66b6ba756cd7f99435385b5dbc2f0a611cf3a12221c385"
 dependencies = [
  "drop_bomb",
  "ra-ap-rustc_lexer",
@@ -1730,20 +1748,20 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_paths"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dcedd00499621bdd0f1fe01955c04e4b388197aa826744003afaf6cc2944bc80"
+checksum = "f47817351651e36b56ff3afc483b41600053c9cb7e67d945467c0abe93416032"
 dependencies = [
  "camino",
 ]
 
 [[package]]
 name = "ra_ap_proc_macro_api"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7a2e49b550015cd4ad152bd78d92d73594497f2e44f61273f9fed3534ad4bbbe"
+checksum = "d96da3b8b9f6b813a98f5357eef303905450741f47ba90adaab8a5371b748416"
 dependencies = [
- "indexmap 2.9.0",
+ "indexmap 2.7.0",
  "ra_ap_intern",
  "ra_ap_paths",
  "ra_ap_span",
@@ -1758,9 +1776,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_profile"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87cdbd27ebe02ec21fdae3df303f194bda036a019ecef80d47e0082646f06c54"
+checksum = "13637377287c84f88a628e40229d271ef0081c0d683956bd99a6c8278a4f8b14"
 dependencies = [
  "cfg-if",
  "libc",
@@ -1770,13 +1788,13 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_project_model"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5eaa3406c891a7840d20ce615f8decca32cbc9d3654b82dcbcc3a31257ce90b9"
+checksum = "053c5207a638fc7a752c7a454bc952b28b0d02f0bf9f6d7ec785ec809579d8fa"
 dependencies = [
  "anyhow",
  "cargo_metadata",
- "itertools 0.14.0",
+ "itertools 0.12.1",
  "la-arena",
  "ra_ap_base_db",
  "ra_ap_cfg",
@@ -1796,20 +1814,22 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_query-group-macro"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1fbc1748e4876a9b0ccfacfc7e2fe254f30e92ef58d98925282b3803e8b004ed"
+checksum = "0f1a38f07b442e47a234cbe2e8fd1b8a41ff0cc5123cb1cf994c5ce20edb5bd6"
 dependencies = [
+ "heck",
  "proc-macro2",
  "quote",
+ "salsa",
  "syn",
 ]
 
 [[package]]
 name = "ra_ap_span"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed1d036e738bf32a057d90698df85bcb83ed6263b5fe9fba132c99e8ec3aecaf"
+checksum = "8818680c6f7da3b32cb2bb0992940b24264b1aa90203aa94812e09ab34d362d1"
 dependencies = [
  "hashbrown 0.14.5",
  "la-arena",
@@ -1823,12 +1843,12 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_stdx"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6e3775954ab24408f71e97079a97558078a166a4082052e83256ae4c22dae18d"
+checksum = "f1c10bee1b03fc48083862c13cf06bd3ed17760463ecce2734103a2f511e5ed4"
 dependencies = [
  "crossbeam-channel",
- "itertools 0.14.0",
+ "itertools 0.12.1",
  "jod-thread",
  "libc",
  "miow",
@@ -1838,12 +1858,14 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_syntax"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b49b081f209a764700f688db91820a66c2ecfe5f138895d831361cf84f716691"
+checksum = "92bc32f3946fc5fcbdc79e61b7e26a8c2a3a56f3ef6ab27c7d298a9e21a462f2"
 dependencies = [
+ "cov-mark",
  "either",
- "itertools 0.14.0",
+ "indexmap 2.7.0",
+ "itertools 0.12.1",
  "ra-ap-rustc_lexer",
  "ra_ap_parser",
  "ra_ap_stdx",
@@ -1856,9 +1878,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_syntax-bridge"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f2740bbe603d527f2cf0aaf51629de7d072694fbbaaeda8264f7591be1493d1b"
+checksum = "a42052c44c98c122c37aac476260c8f19d8fec495edc9c05835307c9ae86194d"
 dependencies = [
  "ra_ap_intern",
  "ra_ap_parser",
@@ -1867,13 +1889,14 @@ dependencies = [
  "ra_ap_syntax",
  "ra_ap_tt",
  "rustc-hash 2.1.1",
+ "tracing",
 ]
 
 [[package]]
 name = "ra_ap_toolchain"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "efbff9f26f307ef958586357d1653d000861dcd3acbaf33a009651e024720c7e"
+checksum = "75996e70b3a0c68cd5157ba01f018964c7c6a5d7b209047d449b393139d0b57f"
 dependencies = [
  "camino",
  "home",
@@ -1881,9 +1904,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_tt"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0b1ce3ac14765e414fa6031fda7dc35d3492c74de225aac689ba8b8bf037e1f8"
+checksum = "0e4ee31e93bfabe83e6720b7469db88d7ad7ec5c59a1f011efec4aa1327ffc5c"
 dependencies = [
  "arrayvec",
  "ra-ap-rustc_lexer",
@@ -1894,13 +1917,13 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_vfs"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "29427a7c27ce8ddfefb52d77c952a4588c74d0a7ab064dc627129088a90423ca"
+checksum = "f6aac1e277ac70bb073f40f8a3fc44e4b1bb9e4d4b1d0e0bd2f8269543560f80"
 dependencies = [
  "crossbeam-channel",
  "fst",
- "indexmap 2.9.0",
+ "indexmap 2.7.0",
  "nohash-hasher",
  "ra_ap_paths",
  "ra_ap_stdx",
@@ -1910,9 +1933,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_vfs-notify"
-version = "0.0.273"
+version = "0.0.270"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d5a0e3095b8216ecc131f38b4b0025cac324a646469a95d2670354aee7278078"
+checksum = "cd95285146049621ee8f7a512c982a008bf036321fcc9b01a95c1ad7e6aeae57"
 dependencies = [
  "crossbeam-channel",
  "notify",
@@ -1982,7 +2005,7 @@ version = "0.5.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "03a862b389f93e68874fbf580b9de08dd02facb9a788ebadaf4a3fd33cf58834"
 dependencies = [
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
 ]
 
 [[package]]
@@ -2070,10 +2093,10 @@ checksum = "2febf9acc5ee5e99d1ad0afcdbccc02d87aa3f857a1f01f825b80eacf8edfcd1"
 
 [[package]]
 name = "rustc_apfloat"
-version = "0.2.2+llvm-462a31f5a5ab"
-source = "git+https://github.com/redsun82/rustc_apfloat.git?rev=32968f16ef1b082243f9bf43a3fbd65c381b3e27#32968f16ef1b082243f9bf43a3fbd65c381b3e27"
+version = "0.2.1+llvm-462a31f5a5ab"
+source = "git+https://github.com/redsun82/rustc_apfloat.git?rev=096d585100636bc2e9f09d7eefec38c5b334d47b#096d585100636bc2e9f09d7eefec38c5b334d47b"
 dependencies = [
- "bitflags 2.9.0",
+ "bitflags 1.3.2",
  "smallvec",
 ]
 
@@ -2100,7 +2123,7 @@ dependencies = [
  "dashmap 6.1.0",
  "hashbrown 0.15.2",
  "hashlink",
- "indexmap 2.9.0",
+ "indexmap 2.7.0",
  "parking_lot",
  "portable-atomic",
  "rayon",
@@ -2153,9 +2176,9 @@ checksum = "94143f37725109f92c262ed2cf5e59bce7498c01bcc1502d7b9afe439a4e9f49"
 
 [[package]]
 name = "semver"
-version = "1.0.26"
+version = "1.0.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
+checksum = "3cb6eb87a131f756572d7fb904f6e7b68633f09cca868c5df1c4b8d1a694bbba"
 dependencies = [
  "serde",
 ]
@@ -2211,7 +2234,7 @@ dependencies = [
  "chrono",
  "hex",
  "indexmap 1.9.3",
- "indexmap 2.9.0",
+ "indexmap 2.7.0",
  "serde",
  "serde_derive",
  "serde_json",
@@ -2237,7 +2260,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.9.0",
+ "indexmap 2.7.0",
  "itoa",
  "ryu",
  "serde",
@@ -2321,26 +2344,20 @@ version = "1.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f18aa187839b2bdb1ad2fa35ead8c4c2976b64e4363c386d45ac0f7ee85c9233"
 
-[[package]]
-name = "thin-vec"
-version = "0.2.14"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "144f754d318415ac792f9d69fc87abbbfc043ce2ef041c60f16ad828f638717d"
-
 [[package]]
 name = "thiserror"
-version = "2.0.12"
+version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "567b8a2dae586314f7be2a752ec7474332959c6460e02bde30d702a66d488708"
+checksum = "b6aaf5339b578ea85b50e080feb250a3e8ae8cfcdff9a461c9ec2904bc923f52"
 dependencies = [
  "thiserror-impl",
 ]
 
 [[package]]
 name = "thiserror-impl"
-version = "2.0.12"
+version = "1.0.69"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7f7cf42b4507d8ea322120659672cf1b9dbb93f8f2d4ecfd6e51350ff5b17a1d"
+checksum = "4fee6c4efc90059e10f81e6d42c60a18f76588c3d74cb83a0b242a2b6c7504c1"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2415,7 +2432,7 @@ version = "0.22.24"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "17b4795ff5edd201c7cd6dca065ae59972ce77d1b80fa0a84d94950ece7d1474"
 dependencies = [
- "indexmap 2.9.0",
+ "indexmap 2.7.0",
  "serde",
  "serde_spanned",
  "toml_datetime",
@@ -2471,7 +2488,7 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ee855f1f400bd0e5c02d150ae5de3840039a3f54b025156404e34c23c03f47c3"
 dependencies = [
- "log 0.4.27",
+ "log 0.4.25",
  "once_cell",
  "tracing-core",
 ]
@@ -2586,9 +2603,9 @@ checksum = "a3e5df347f0bf3ec1d670aad6ca5c6a1859cd9ea61d2113125794654ccced68f"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.17"
+version = "1.0.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00e2473a93778eb0bad35909dff6a10d28e63f792f16ed15e404fca9d5eeedbe"
+checksum = "a210d160f08b701c8721ba1c726c11662f877ea6b7094007e1ca9a1041945034"
 
 [[package]]
 name = "unicode-properties"
@@ -2669,7 +2686,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5f89bb38646b4f81674e8f5c3fb81b562be1fd936d84320f3264486418519c79"
 dependencies = [
  "bumpalo",
- "log 0.4.27",
+ "log 0.4.25",
  "proc-macro2",
  "quote",
  "syn",
@@ -2978,7 +2995,7 @@ version = "0.33.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3268f3d866458b787f390cf61f4bbb563b922d091359f9608842999eaee3943c"
 dependencies = [
- "bitflags 2.9.0",
+ "bitflags 2.8.0",
 ]
 
 [[package]]

Cargo.toml

@@ -14,4 +14,4 @@ members = [
 [patch.crates-io]
 # patch for build script bug preventing bazel build
 # see https://github.com/rust-lang/rustc_apfloat/pull/17
-rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }
+rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "096d585100636bc2e9f09d7eefec38c5b334d47b" }

MODULE.bazel

@@ -75,7 +75,7 @@ use_repo(
     "vendor_ts__argfile-0.2.1",
     "vendor_ts__chalk-ir-0.100.0",
     "vendor_ts__chrono-0.4.40",
-    "vendor_ts__clap-4.5.35",
+    "vendor_ts__clap-4.5.32",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
@@ -90,22 +90,22 @@ use_repo(
     "vendor_ts__num_cpus-1.16.0",
     "vendor_ts__proc-macro2-1.0.94",
     "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.273",
-    "vendor_ts__ra_ap_cfg-0.0.273",
-    "vendor_ts__ra_ap_hir-0.0.273",
-    "vendor_ts__ra_ap_hir_def-0.0.273",
-    "vendor_ts__ra_ap_hir_expand-0.0.273",
-    "vendor_ts__ra_ap_hir_ty-0.0.273",
-    "vendor_ts__ra_ap_ide_db-0.0.273",
-    "vendor_ts__ra_ap_intern-0.0.273",
-    "vendor_ts__ra_ap_load-cargo-0.0.273",
-    "vendor_ts__ra_ap_parser-0.0.273",
-    "vendor_ts__ra_ap_paths-0.0.273",
-    "vendor_ts__ra_ap_project_model-0.0.273",
-    "vendor_ts__ra_ap_span-0.0.273",
-    "vendor_ts__ra_ap_stdx-0.0.273",
-    "vendor_ts__ra_ap_syntax-0.0.273",
-    "vendor_ts__ra_ap_vfs-0.0.273",
+    "vendor_ts__ra_ap_base_db-0.0.270",
+    "vendor_ts__ra_ap_cfg-0.0.270",
+    "vendor_ts__ra_ap_hir-0.0.270",
+    "vendor_ts__ra_ap_hir_def-0.0.270",
+    "vendor_ts__ra_ap_hir_expand-0.0.270",
+    "vendor_ts__ra_ap_hir_ty-0.0.270",
+    "vendor_ts__ra_ap_ide_db-0.0.270",
+    "vendor_ts__ra_ap_intern-0.0.270",
+    "vendor_ts__ra_ap_load-cargo-0.0.270",
+    "vendor_ts__ra_ap_parser-0.0.270",
+    "vendor_ts__ra_ap_paths-0.0.270",
+    "vendor_ts__ra_ap_project_model-0.0.270",
+    "vendor_ts__ra_ap_span-0.0.270",
+    "vendor_ts__ra_ap_stdx-0.0.270",
+    "vendor_ts__ra_ap_syntax-0.0.270",
+    "vendor_ts__ra_ap_vfs-0.0.270",
     "vendor_ts__rand-0.9.0",
     "vendor_ts__rayon-1.10.0",
     "vendor_ts__regex-1.11.1",

actions/extractor/tools/autobuild-impl.ps1

@@ -1,28 +1,21 @@
-# Note: We're adding the `reusable_workflows` subdirectories to proactively
-# record workflows that were called cross-repo, check them out locally,
-# and enable an interprocedural analysis across the workflow files.
-# These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
-$DefaultPathFilters = @(
-    'exclude:**/*',
-    'include:.github/workflows/*.yml',
-    'include:.github/workflows/*.yaml',
-    'include:.github/reusable_workflows/**/*.yml',
-    'include:.github/reusable_workflows/**/*.yaml',
-    'include:**/action.yml',
-    'include:**/action.yaml'
-)
-
-if ($null -ne $env:LGTM_INDEX_FILTERS) {
-    Write-Output 'LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor.'
-    # Begin with the default path inclusions only,
-    # followed by the user-provided filters.
-    # If the user provided `paths`, those patterns override the default inclusions
-    # (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
-    # If the user provided `paths-ignore`, those patterns are excluded.
-    $PathFilters = ($DefaultPathFilters -join "`n") + "`n" + $env:LGTM_INDEX_FILTERS
-    $env:LGTM_INDEX_FILTERS = $PathFilters
+if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE) -or ($null -ne $env:LGTM_INDEX_FILTERS)) {
+    Write-Output 'Path filters set. Passing them through to the JavaScript extractor.' 
 } else {
-    Write-Output 'LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor.'
+    Write-Output 'No path filters set. Using the default filters.'
+    # Note: We're adding the `reusable_workflows` subdirectories to proactively
+    # record workflows that were called cross-repo, check them out locally,
+    # and enable an interprocedural analysis across the workflow files.
+    # These workflows follow the convention `.github/reusable_workflows/<nwo>/*.ya?ml`
+    $DefaultPathFilters = @(
+        'exclude:**/*',
+        'include:.github/workflows/*.yml',
+        'include:.github/workflows/*.yaml',
+        'include:.github/reusable_workflows/**/*.yml',
+        'include:.github/reusable_workflows/**/*.yaml',
+        'include:**/action.yml',
+        'include:**/action.yaml'
+    )
+
     $env:LGTM_INDEX_FILTERS = $DefaultPathFilters -join "`n"
 }
 

actions/extractor/tools/autobuild.sh

@@ -17,22 +17,10 @@ include:**/action.yaml
 END
 )
 
-if [ -n "${LGTM_INDEX_FILTERS:-}" ]; then
-    echo "LGTM_INDEX_FILTERS set. Using the default filters together with the user-provided filters, and passing through to the JavaScript extractor."
-    # Begin with the default path inclusions only,
-    # followed by the user-provided filters.
-    # If the user provided `paths`, those patterns override the default inclusions
-    # (because `LGTM_INDEX_FILTERS` will begin with `exclude:**/*`).
-    # If the user provided `paths-ignore`, those patterns are excluded.
-    PATH_FILTERS="$(cat << END
-${DEFAULT_PATH_FILTERS}
-${LGTM_INDEX_FILTERS}
-END
-)"
-    LGTM_INDEX_FILTERS="${PATH_FILTERS}"
-    export LGTM_INDEX_FILTERS
+if [ -n "${LGTM_INDEX_INCLUDE:-}" ] || [ -n "${LGTM_INDEX_EXCLUDE:-}" ] || [ -n "${LGTM_INDEX_FILTERS:-}" ] ; then
+    echo "Path filters set. Passing them through to the JavaScript extractor."
 else
-    echo "LGTM_INDEX_FILTERS not set. Using the default filters, and passing through to the JavaScript extractor."
+    echo "No path filters set. Using the default filters."
     LGTM_INDEX_FILTERS="${DEFAULT_PATH_FILTERS}"
     export LGTM_INDEX_FILTERS
 fi

actions/ql/integration-tests/filters-default/actions.expected

@@ -2,4 +2,3 @@
 | src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
 | src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
 | src/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |

actions/ql/integration-tests/filters-default/test.py

@@ -0,0 +1,2 @@
+def test(codeql, actions):
+    codeql.database.create(source_root="src")

actions/ql/integration-tests/filters/actions.default-filters.expected

@@ -1,6 +0,0 @@
-| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
-| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
-| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
-| src/action.yml:1:1:11:32 | name: ' ... action' |
-| src/excluded/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |

actions/ql/integration-tests/filters/actions.paths-and-paths-ignore.expected

@@ -1,2 +0,0 @@
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |

actions/ql/integration-tests/filters/actions.paths-only.expected

@@ -1,2 +0,0 @@
-| src/included/action.yml:1:1:11:32 | name: ' ... action' |
-| src/included/unreachable-workflow.yml:1:1:12:33 | name: A ... orkflow |

actions/ql/integration-tests/filters/actions.ql

@@ -1,5 +0,0 @@
-import actions
-
-from AstNode n
-where n instanceof Workflow or n instanceof CompositeAction
-select n

actions/ql/integration-tests/filters/codeql-config.paths-and-paths-ignore.yml

@@ -1,4 +0,0 @@
-paths:
-  - 'included'
-paths-ignore:
-  - 'excluded'

actions/ql/integration-tests/filters/codeql-config.paths-ignore-only.yml

@@ -1,2 +0,0 @@
-paths-ignore:
-  - 'excluded'

actions/ql/integration-tests/filters/codeql-config.paths-only.yml

@@ -1,2 +0,0 @@
-paths:
-  - 'included'

actions/ql/integration-tests/filters/source_archive.default-filters.expected

@@ -1,6 +0,0 @@
-src/.github/action.yaml
-src/.github/actions/action-name/action.yml
-src/.github/workflows/workflow.yml
-src/action.yml
-src/excluded/action.yml
-src/included/action.yml

actions/ql/integration-tests/filters/source_archive.paths-and-paths-ignore.expected

@@ -1,3 +0,0 @@
-src/included/action.yml
-src/included/not-an-action.yml
-src/included/unreachable-workflow.yml

actions/ql/integration-tests/filters/source_archive.paths-ignore-only.expected

@@ -1,5 +0,0 @@
-src/.github/action.yaml
-src/.github/actions/action-name/action.yml
-src/.github/workflows/workflow.yml
-src/action.yml
-src/included/action.yml

actions/ql/integration-tests/filters/source_archive.paths-only.expected

@@ -1,3 +0,0 @@
-src/included/action.yml
-src/included/not-an-action.yml
-src/included/unreachable-workflow.yml

actions/ql/integration-tests/filters/src/excluded/action.yml

@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-  using: "composite"
-  steps:
-    - name: Print
-      run: echo "Hello world"
-      shell: bash
-
-    - name: Checkout
-      uses: actions/checkout@v4

actions/ql/integration-tests/filters/src/included/action.yml

@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-  using: "composite"
-  steps:
-    - name: Print
-      run: echo "Hello world"
-      shell: bash
-
-    - name: Checkout
-      uses: actions/checkout@v4

actions/ql/integration-tests/filters/src/included/not-an-action.yml

@@ -1 +0,0 @@
-name: 'Not an action, just a YAML file'

actions/ql/integration-tests/filters/src/included/unreachable-workflow.yml

@@ -1,12 +0,0 @@
-name: An unreachable workflow
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4

actions/ql/integration-tests/filters/src/unreachable-workflow.yml

@@ -1,12 +0,0 @@
-name: An unreachable workflow
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4

actions/ql/integration-tests/filters/test.py

@@ -1,18 +0,0 @@
-import pytest
-
-@pytest.mark.ql_test(expected=".default-filters.expected")
-def test_default_filters(codeql, actions, check_source_archive):
-    check_source_archive.expected_suffix = ".default-filters.expected"
-    codeql.database.create(source_root="src")
-
-@pytest.mark.ql_test(expected=".paths-only.expected")
-def test_config_paths_only(codeql, actions):
-    codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-only.yml")
-
-@pytest.mark.ql_test(expected=".paths-ignore-only.expected")
-def test_config_paths_ignore_only(codeql, actions):
-    codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-ignore-only.yml")
-
-@pytest.mark.ql_test(expected=".paths-and-paths-ignore.expected")
-def test_config_paths_and_paths_ignore(codeql, actions):
-    codeql.database.create(source_root="src", codescanning_config="codeql-config.paths-and-paths-ignore.yml")

actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.md

@@ -109,7 +109,7 @@ An attacker could craft a malicious artifact that writes dangerous environment v
 
 ### Exploitation
 
-An attacker would be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
+An attacker is be able to run arbitrary code by injecting environment variables such as `LD_PRELOAD`, `BASH_ENV`, etc.
 
 ## References
 

actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql

@@ -1,6 +1,6 @@
 /**
  * @name Workflow does not contain permissions
- * @description Workflows should contain explicit permissions to restrict the scope of the default GITHUB_TOKEN.
+ * @description Workflows should contain permissions to provide a clear understanding has permissions to run the workflow.
  * @kind problem
  * @security-severity 5.0
  * @problem.severity warning

actions/ql/src/Security/CWE-312/ExcessiveSecretsExposure.ql

@@ -3,7 +3,6 @@
  * @description All organization and repository secrets are passed to the workflow runner.
  * @kind problem
  * @precision high
- * @security-severity 5.0
  * @problem.severity warning
  * @id actions/excessive-secrets-exposure
  * @tags actions

actions/ql/src/Security/CWE-312/UnmaskedSecretExposure.md

@@ -2,11 +2,11 @@
 
 ## Description
 
-Secrets derived from other secrets are not known to the workflow runner, and therefore are not masked unless explicitly registered.
+Secrets derived from other secrets are not know to the workflow runner and therefore not masked unless explicitly registered.
 
 ## Recommendations
 
-Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow, since these read values will not be masked by the workflow runner.
+Avoid defining non-plain secrets. For example, do not define a new secret containing a JSON object and then read properties out of it from the workflow since these read values will not be masked by the workflow runner.
 
 ## Examples
 

actions/ql/src/change-notes/2025-04-14-excessive-secrets-exposure-security-severity.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Assigned a `security-severity` to the query `actions/excessive-secrets-exposure`.

cpp/downgrades/0f0a390468a5eb43d1dc72937c028070b106bf53/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add a new predicate `isVla()` to the `ArrayType` class
-compatibility: full
-type_is_vla.rel: delete

cpp/downgrades/159dbb330468991283454b1ac73b7f8411e97595/aggregate_array_init.ql

@@ -1,11 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class AggregateLiteral extends Expr, @aggregateliteral {
-  override string toString() { none() }
-}
-
-from AggregateLiteral aggregate, Expr initializer, int element_index, int position
-where aggregate_array_init(aggregate, initializer, element_index, position, _)
-select aggregate, initializer, element_index, position

cpp/downgrades/159dbb330468991283454b1ac73b7f8411e97595/aggregate_field_init.ql

@@ -1,15 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class AggregateLiteral extends Expr, @aggregateliteral {
-  override string toString() { none() }
-}
-
-class MemberVariable extends @membervariable {
-  string toString() { none() }
-}
-
-from AggregateLiteral aggregate, Expr initializer, MemberVariable field, int position
-where aggregate_field_init(aggregate, initializer, field, position, _)
-select aggregate, initializer, field, position

cpp/downgrades/159dbb330468991283454b1ac73b7f8411e97595/upgrade.properties

@@ -1,4 +0,0 @@
-description: add `isDesignatorInit`predicate to `ArrayOrVectorAggregateLiteral` and `ClassAggregateLiteral`
-compatibility: backwards
-aggregate_array_init.rel: run aggregate_array_init.qlo
-aggregate_field_init.rel: run aggregate_field_init.qlo

cpp/ql/lib/change-notes/2025-04-14-variable-length-arrays.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added the `isVla()` predicate to the `ArrayType` class. This allows queries to identify variable-length arrays (VLAs).

cpp/ql/lib/change-notes/2025-04-15-field-array-designator.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Introduced `isDesignatorInit()` predicates to distinguish between designator-based and positional initializations for both struct\union fields and array elements.

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -1369,11 +1369,6 @@ class ArrayType extends DerivedType {
   override predicate isDeeplyConst() { this.getBaseType().isDeeplyConst() } // No such thing as a const array type
 
   override predicate isDeeplyConstBelow() { this.getBaseType().isDeeplyConst() }
-
-  /**
-   * Holds if this array is a variable-length array (VLA).
-   */
-  predicate isVla() { type_is_vla(underlyingElement(this)) }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -465,7 +465,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
 }
 
 /** Gets the fully templated version of `f`. */
-Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedFunction(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
@@ -559,15 +559,12 @@ private string getTypeName(Type t, boolean needsSpace) {
 
 /**
  * Gets a type name for the `n`'th parameter of `f` without any template
- * arguments.
- *
- * If `canonical = false` then the result may be a string representing a type
- * for which the typedefs have been resolved. If `canonical = true` then the
- * result will be a string representing a type without resolving `typedefs`.
+ * arguments. The result may be a string representing a type for which the
+ * typedefs have been resolved.
  */
 bindingset[f]
 pragma[inline_late]
-string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canonical) {
+string getParameterTypeWithoutTemplateArguments(Function f, int n) {
   exists(string s, string base, string specifiers, Type t |
     t = f.getParameter(n).getType() and
     // The name of the string can either be the possibly typedefed name
@@ -575,19 +572,14 @@ string getParameterTypeWithoutTemplateArguments(Function f, int n, boolean canon
     // `getTypeName(t, _)` is almost equal to `t.resolveTypedefs().getName()`,
     // except that `t.resolveTypedefs()` doesn't have a result when the
     // resulting type doesn't appear in the database.
-    (
-      s = t.getName() and canonical = true
-      or
-      s = getTypeName(t, _) and canonical = false
-    ) and
+    s = [t.getName(), getTypeName(t, _)] and
     parseAngles(s, base, _, specifiers) and
     result = base + specifiers
   )
   or
   f.isVarargs() and
   n = f.getNumberOfParameters() and
-  result = "..." and
-  canonical = true
+  result = "..."
 }
 
 /**
@@ -598,7 +590,7 @@ private string getTypeNameWithoutFunctionTemplates(Function f, int n, int remain
   exists(Function templateFunction |
     templateFunction = getFullyTemplatedFunction(f) and
     remaining = templateFunction.getNumberOfTemplateArguments() and
-    result = getParameterTypeWithoutTemplateArguments(templateFunction, n, _)
+    result = getParameterTypeWithoutTemplateArguments(templateFunction, n)
   )
   or
   exists(string mid, TypeTemplateParameter tp, Function templateFunction |
@@ -635,7 +627,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
 }
 
 /** Gets the string representation of the `i`'th parameter of `c`. */
-string getParameterTypeName(Function c, int i) {
+private string getParameterTypeName(Function c, int i) {
   result = getTypeNameWithoutClassTemplates(c, i, 0)
 }
 

cpp/ql/lib/semmle/code/cpp/exprs/Literal.qll

@@ -213,27 +213,7 @@ class ClassAggregateLiteral extends AggregateLiteral {
   Expr getFieldExpr(Field field, int position) {
     field = classType.getAField() and
     aggregate_field_init(underlyingElement(this), unresolveElement(result), unresolveElement(field),
-      position, _)
-  }
-
-  /**
-   * Holds if the `position`-th initialization of `field` in this aggregate initializer
-   * uses a designator (e.g., `.x =`, `[42] =`) rather than a positional initializer.
-   *
-   * This can be used to distinguish explicitly designated initializations from
-   * implicit positional ones.
-   *
-   * For example, in the initializer:
-   * ```c
-   * struct S { int x, y; };
-   * struct S s = { .x = 1, 2 };
-   * ```
-   * - `.x = 1` is a designator init, therefore `isDesignatorInit(x, 0)` holds.
-   * - `2` is a positional init for `.y`, therefore `isDesignatorInit(y, 1)` does **not** hold.
-   */
-  predicate isDesignatorInit(Field field, int position) {
-    field = classType.getAField() and
-    aggregate_field_init(underlyingElement(this), _, unresolveElement(field), position, true)
+      position)
   }
 
   /**
@@ -324,24 +304,7 @@ class ArrayOrVectorAggregateLiteral extends AggregateLiteral {
    * - `a.getElementExpr(0, 2)` gives `789`.
    */
   Expr getElementExpr(int elementIndex, int position) {
-    aggregate_array_init(underlyingElement(this), unresolveElement(result), elementIndex, position,
-      _)
-  }
-
-  /**
-   * Holds if the `position`-th initialization of the array element at `elementIndex`
-   * in this aggregate initializer uses a designator (e.g., `[0] = ...`) rather than
-   * an implicit positional initializer.
-   *
-   * For example, in:
-   * ```c
-   * int x[] = { [0] = 1, 2 };
-   * ```
-   * - `[0] = 1` is a designator init, therefore `isDesignatorInit(0, 0)` holds.
-   * - `2` is a positional init for `x[1]`, therefore `isDesignatorInit(1, 1)` does **not** hold.
-   */
-  predicate isDesignatorInit(int elementIndex, int position) {
-    aggregate_array_init(underlyingElement(this), _, elementIndex, position, true)
+    aggregate_array_init(underlyingElement(this), unresolveElement(result), elementIndex, position)
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -371,7 +371,7 @@ private class PrimaryArgumentNode extends ArgumentNode, OperandNode {
   PrimaryArgumentNode() { exists(CallInstruction call | op = call.getAnArgumentOperand()) }
 
   override predicate argumentOf(DataFlowCall call, ArgumentPosition pos) {
-    op = call.getArgumentOperand(pos.(DirectPosition).getArgumentIndex())
+    op = call.getArgumentOperand(pos.(DirectPosition).getIndex())
   }
 }
 
@@ -410,16 +410,8 @@ class ParameterPosition = Position;
 class ArgumentPosition = Position;
 
 abstract class Position extends TPosition {
-  /** Gets a textual representation of this position. */
   abstract string toString();
 
-  /**
-   * Gets the argument index of this position. The qualifier of a call has
-   * argument index `-1`.
-   */
-  abstract int getArgumentIndex();
-
-  /** Gets the indirection index of this position. */
   abstract int getIndirectionIndex();
 }
 
@@ -436,7 +428,7 @@ class DirectPosition extends Position, TDirectPosition {
     result = index.toString()
   }
 
-  override int getArgumentIndex() { result = index }
+  int getIndex() { result = index }
 
   final override int getIndirectionIndex() { result = 0 }
 }
@@ -453,29 +445,16 @@ class IndirectionPosition extends Position, TIndirectionPosition {
     else result = repeatStars(indirectionIndex) + argumentIndex.toString()
   }
 
-  override int getArgumentIndex() { result = argumentIndex }
+  int getArgumentIndex() { result = argumentIndex }
 
   final override int getIndirectionIndex() { result = indirectionIndex }
 }
 
 newtype TPosition =
-  TDirectPosition(int argumentIndex) {
-    exists(any(CallInstruction c).getArgument(argumentIndex))
-    or
-    // Handle the rare case where there is a function definition but no call to
-    // the function.
-    exists(any(Cpp::Function f).getParameter(argumentIndex))
-  } or
+  TDirectPosition(int argumentIndex) { exists(any(CallInstruction c).getArgument(argumentIndex)) } or
   TIndirectionPosition(int argumentIndex, int indirectionIndex) {
     Ssa::hasIndirectOperand(any(CallInstruction call).getArgumentOperand(argumentIndex),
       indirectionIndex)
-    or
-    // Handle the rare case where there is a function definition but no call to
-    // the function.
-    exists(Cpp::Function f, Cpp::Parameter p |
-      p = f.getParameter(argumentIndex) and
-      indirectionIndex = [1 .. Ssa::getMaxIndirectionsForType(p.getUnspecifiedType()) - 1]
-    )
   }
 
 private newtype TReturnKind =
@@ -522,15 +501,6 @@ class ReturnKind extends TReturnKind {
 
   /** Gets a textual representation of this return kind. */
   abstract string toString();
-
-  /** Holds if this `ReturnKind` is generated from a `return` statement. */
-  abstract predicate isNormalReturn();
-
-  /**
-   * Holds if this `ReturnKind` is generated from a write to the parameter with
-   * index `argumentIndex`
-   */
-  abstract predicate isIndirectReturn(int argumentIndex);
 }
 
 /**
@@ -544,10 +514,6 @@ class NormalReturnKind extends ReturnKind, TNormalReturnKind {
   override int getIndirectionIndex() { result = indirectionIndex }
 
   override string toString() { result = "indirect return" }
-
-  override predicate isNormalReturn() { any() }
-
-  override predicate isIndirectReturn(int argumentIndex) { none() }
 }
 
 /**
@@ -562,10 +528,6 @@ private class IndirectReturnKind extends ReturnKind, TIndirectReturnKind {
   override int getIndirectionIndex() { result = indirectionIndex }
 
   override string toString() { result = "indirect outparam[" + argumentIndex.toString() + "]" }
-
-  override predicate isNormalReturn() { none() }
-
-  override predicate isIndirectReturn(int argumentIndex_) { argumentIndex_ = argumentIndex }
 }
 
 /** A data flow node that occurs as the result of a `ReturnStmt`. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll

@@ -1445,7 +1445,7 @@ private class ExplicitParameterInstructionNode extends AbstractExplicitParameter
   ExplicitParameterInstructionNode() { exists(instr.getParameter()) }
 
   override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
-    f.getParameter(pos.(DirectPosition).getArgumentIndex()) = instr.getParameter()
+    f.getParameter(pos.(DirectPosition).getIndex()) = instr.getParameter()
   }
 
   override string toStringImpl() { result = instr.getParameter().toString() }
@@ -1460,7 +1460,7 @@ class ThisParameterInstructionNode extends AbstractExplicitParameterNode,
   ThisParameterInstructionNode() { instr.getIRVariable() instanceof IRThisVariable }
 
   override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
-    pos.(DirectPosition).getArgumentIndex() = -1 and
+    pos.(DirectPosition).getIndex() = -1 and
     instr.getEnclosingFunction() = f
   }
 
@@ -1494,7 +1494,7 @@ private class DirectBodyLessParameterNode extends AbstractExplicitParameterNode,
 
   override predicate isSourceParameterOf(Function f, ParameterPosition pos) {
     this.getFunction() = f and
-    f.getParameter(pos.(DirectPosition).getArgumentIndex()) = p
+    f.getParameter(pos.(DirectPosition).getIndex()) = p
   }
 
   override Parameter getParameter() { result = p }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/TaintTrackingUtil.qll

@@ -229,11 +229,11 @@ private module SpeculativeTaintFlow {
       not exists(DataFlowDispatch::viableCallable(call)) and
       src.(DataFlowPrivate::ArgumentNode).argumentOf(call, argpos)
     |
-      not argpos.(DirectPosition).getArgumentIndex() = -1 and
+      not argpos.(DirectPosition).getIndex() = -1 and
       sink.(PostUpdateNode)
           .getPreUpdateNode()
           .(DataFlowPrivate::ArgumentNode)
-          .argumentOf(call, any(DirectPosition qualpos | qualpos.getArgumentIndex() = -1))
+          .argumentOf(call, any(DirectPosition qualpos | qualpos.getIndex() = -1))
       or
       sink.(DataFlowPrivate::OutNode).getCall() = call
     )

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -2039,8 +2039,7 @@ aggregate_field_init(
     int aggregate: @aggregateliteral ref,
     int initializer: @expr ref,
     int field: @membervariable ref,
-    int position: int ref,
-    boolean designated: boolean ref
+    int position: int ref
 );
 
 /**
@@ -2052,8 +2051,7 @@ aggregate_array_init(
     int aggregate: @aggregateliteral ref,
     int initializer: @expr ref,
     int element_index: int ref,
-    int position: int ref,
-    boolean designated: boolean ref
+    int position: int ref
 );
 
 @ctorinit = @ctordirectinit
@@ -2180,8 +2178,6 @@ variable_vla(
     int decl: @stmt_vla_decl ref
 );
 
-type_is_vla(unique int type_id: @derivedtype ref)
-
 if_initialization(
     unique int if_stmt: @stmt_if ref,
     int init_id: @stmt ref

cpp/ql/lib/upgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/aggregate_array_init.ql

@@ -1,11 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class AggregateLiteral extends Expr, @aggregateliteral {
-  override string toString() { none() }
-}
-
-from AggregateLiteral aggregate, Expr initializer, int element_index, int position
-where aggregate_array_init(aggregate, initializer, element_index, position)
-select aggregate, initializer, element_index, position, false

cpp/ql/lib/upgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/aggregate_field_init.ql

@@ -1,16 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-
-class AggregateLiteral extends Expr, @aggregateliteral {
-  override string toString() { none() }
-}
-
-class MemberVariable extends @membervariable {
-  string toString() { none() }
-}
-
-from AggregateLiteral aggregate, Expr initializer, MemberVariable field, int position
-where aggregate_field_init(aggregate, initializer, field, position)
-select aggregate, initializer, field, position, false

cpp/ql/lib/upgrades/e594389175c098d7225683d0fd8cefcc47d84bc1/upgrade.properties

@@ -1,5 +0,0 @@
-description: add `isDesignatorInit`predicate to `ArrayOrVectorAggregateLiteral` and `ClassAggregateLiteral`
-compatibility: backwards
-aggregate_array_init.rel: run aggregate_array_init.qlo
-aggregate_field_init.rel: run aggregate_field_init.qlo
-

csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs

@@ -162,10 +162,6 @@ namespace Semmle.Autobuild.CSharp.Tests
 
         bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
 
-        public bool IsMonoInstalled { get; set; }
-
-        bool IBuildActions.IsMonoInstalled() => IsMonoInstalled;
-
         public string PathCombine(params string[] parts)
         {
             return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));
@@ -428,7 +424,8 @@ namespace Semmle.Autobuild.CSharp.Tests
             return new CSharpAutobuilder(actions, options);
         }
 
-        private void SetupActionForDotnet()
+        [Fact]
+        public void TestDefaultCSharpAutoBuilder()
         {
             actions.RunProcess["cmd.exe /C dotnet --info"] = 0;
             actions.RunProcess[@"cmd.exe /C dotnet clean C:\Project\test.csproj"] = 0;
@@ -441,80 +438,20 @@ namespace Semmle.Autobuild.CSharp.Tests
             actions.GetEnvironmentVariable["CODEQL_EXTRACTOR_CSHARP_SCRATCH_DIR"] = "scratch";
             actions.EnumerateFiles[@"C:\Project"] = "foo.cs\nbar.cs\ntest.csproj";
             actions.EnumerateDirectories[@"C:\Project"] = "";
-        }
+            var xml = new XmlDocument();
+            xml.LoadXml(@"<Project Sdk=""Microsoft.NET.Sdk"">
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFramework>netcoreapp2.1</TargetFramework>
+  </PropertyGroup>
 
-        private void CreateAndVerifyDotnetScript(XmlDocument xml)
-        {
+</Project>");
             actions.LoadXml[@"C:\Project\test.csproj"] = xml;
 
             var autobuilder = CreateAutoBuilder(true);
             TestAutobuilderScript(autobuilder, 0, 4);
         }
 
-        [Fact]
-        public void TestDefaultCSharpAutoBuilder1()
-        {
-            SetupActionForDotnet();
-            var xml = new XmlDocument();
-            xml.LoadXml(
-            """
-            <Project Sdk="Microsoft.NET.Sdk">
-              <PropertyGroup>
-                <OutputType>Exe</OutputType>
-                <TargetFramework>netcoreapp2.1</TargetFramework>
-              </PropertyGroup>
-            </Project>
-            """);
-            CreateAndVerifyDotnetScript(xml);
-        }
-
-        [Fact]
-        public void TestDefaultCSharpAutoBuilder2()
-        {
-            SetupActionForDotnet();
-            var xml = new XmlDocument();
-
-            xml.LoadXml(
-            """
-            <Project>
-              <Sdk Name="Microsoft.NET.Sdk" />
-
-              <PropertyGroup>
-                <OutputType>Exe</OutputType>
-                <TargetFramework>net9.0</TargetFramework>
-                <ImplicitUsings>enable</ImplicitUsings>
-                <Nullable>enable</Nullable>
-              </PropertyGroup>
-            </Project>
-            """
-            );
-            CreateAndVerifyDotnetScript(xml);
-        }
-
-        [Fact]
-        public void TestDefaultCSharpAutoBuilder3()
-        {
-            SetupActionForDotnet();
-            var xml = new XmlDocument();
-
-            xml.LoadXml(
-            """
-            <Project>
-              <Import Project="Sdk.props" Sdk="Microsoft.NET.Sdk" />
-
-              <PropertyGroup>
-                <OutputType>Exe</OutputType>
-                <TargetFramework>net9.0</TargetFramework>
-                <ImplicitUsings>enable</ImplicitUsings>
-                <Nullable>enable</Nullable>
-              </PropertyGroup>
-              <Import Project="Sdk.targets" Sdk="Microsoft.NET.Sdk" />
-            </Project>
-            """
-            );
-            CreateAndVerifyDotnetScript(xml);
-        }
-
         [Fact]
         public void TestLinuxCSharpAutoBuilder()
         {
@@ -860,32 +797,11 @@ namespace Semmle.Autobuild.CSharp.Tests
         }
 
         [Fact]
-        public void TestDirsProjLinux_WithMono()
+        public void TestDirsProjLinux()
         {
-            actions.IsMonoInstalled = true;
-
             actions.RunProcess[@"nuget restore C:\Project/dirs.proj -DisableParallelProcessing"] = 1;
             actions.RunProcess[@"mono scratch/.nuget/nuget.exe restore C:\Project/dirs.proj -DisableParallelProcessing"] = 0;
             actions.RunProcess[@"msbuild C:\Project/dirs.proj /t:rebuild"] = 0;
-
-            var autobuilder = TestDirsProjLinux();
-            TestAutobuilderScript(autobuilder, 0, 3);
-        }
-
-        [Fact]
-        public void TestDirsProjLinux_WithoutMono()
-        {
-            actions.IsMonoInstalled = false;
-
-            actions.RunProcess[@"dotnet msbuild /t:restore C:\Project/dirs.proj"] = 0;
-            actions.RunProcess[@"dotnet msbuild C:\Project/dirs.proj /t:rebuild"] = 0;
-
-            var autobuilder = TestDirsProjLinux();
-            TestAutobuilderScript(autobuilder, 0, 2);
-        }
-
-        private CSharpAutobuilder TestDirsProjLinux()
-        {
             actions.FileExists["csharp.log"] = true;
             actions.FileExists[@"C:\Project/a/test.csproj"] = true;
             actions.FileExists[@"C:\Project/dirs.proj"] = true;
@@ -914,7 +830,8 @@ namespace Semmle.Autobuild.CSharp.Tests
 </Project>");
             actions.LoadXml[@"C:\Project/dirs.proj"] = dirsproj;
 
-            return CreateAutoBuilder(false);
+            var autobuilder = CreateAutoBuilder(false);
+            TestAutobuilderScript(autobuilder, 0, 3);
         }
 
         [Fact]

csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -150,10 +150,6 @@ namespace Semmle.Autobuild.Cpp.Tests
 
         bool IBuildActions.IsRunningOnAppleSilicon() => IsRunningOnAppleSilicon;
 
-        public bool IsMonoInstalled { get; set; }
-
-        bool IBuildActions.IsMonoInstalled() => IsMonoInstalled;
-
         string IBuildActions.PathCombine(params string[] parts)
         {
             return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));

csharp/autobuilder/Semmle.Autobuild.Shared/MsBuildRule.cs

@@ -10,15 +10,15 @@ namespace Semmle.Autobuild.Shared
         /// <summary>
         /// Appends a call to msbuild.
         /// </summary>
+        /// <param name="cmdBuilder"></param>
+        /// <param name="builder"></param>
         /// <returns></returns>
-        public static CommandBuilder MsBuildCommand(this CommandBuilder cmdBuilder, IAutobuilder<AutobuildOptionsShared> builder, bool preferDotnet)
+        public static CommandBuilder MsBuildCommand(this CommandBuilder cmdBuilder, IAutobuilder<AutobuildOptionsShared> builder)
         {
             // mono doesn't ship with `msbuild` on Arm-based Macs, but we can fall back to
             // msbuild that ships with `dotnet` which can be invoked with `dotnet msbuild`
             // perhaps we should do this on all platforms?
-            // Similarly, there's no point in trying to rely on mono if it's not installed.
-            // In which case we can still fall back to `dotnet msbuild`.
-            return preferDotnet
+            return builder.Actions.IsRunningOnAppleSilicon()
                 ? cmdBuilder.RunCommand("dotnet").Argument("msbuild")
                 : cmdBuilder.RunCommand("msbuild");
         }
@@ -75,16 +75,13 @@ namespace Semmle.Autobuild.Shared
                         QuoteArgument(projectOrSolution.FullPath).
                         Argument("-DisableParallelProcessing").
                         Script;
-
-                var preferDotnet = builder.Actions.IsRunningOnAppleSilicon() || !builder.Actions.IsWindows() && !builder.Actions.IsMonoInstalled();
-
                 var nugetRestore = GetNugetRestoreScript();
                 var msbuildRestoreCommand = new CommandBuilder(builder.Actions).
-                    MsBuildCommand(builder, preferDotnet).
+                    MsBuildCommand(builder).
                     Argument("/t:restore").
                     QuoteArgument(projectOrSolution.FullPath);
 
-                if (preferDotnet)
+                if (builder.Actions.IsRunningOnAppleSilicon())
                 {
                     // On Apple Silicon, only try package restore with `dotnet msbuild /t:restore`
                     ret &= BuildScript.Try(msbuildRestoreCommand.Script);
@@ -122,7 +119,7 @@ namespace Semmle.Autobuild.Shared
                     command.RunCommand("set Platform=&& type NUL", quoteExe: false);
                 }
 
-                command.MsBuildCommand(builder, preferDotnet);
+                command.MsBuildCommand(builder);
                 command.QuoteArgument(projectOrSolution.FullPath);
 
                 var target = "rebuild";

csharp/autobuilder/Semmle.Autobuild.Shared/Project.cs

@@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 using System.Xml;
+using Semmle.Util.Logging;
 
 namespace Semmle.Autobuild.Shared
 {
@@ -25,26 +26,6 @@ namespace Semmle.Autobuild.Shared
         private readonly Lazy<List<Project<TAutobuildOptions>>> includedProjectsLazy;
         public override IEnumerable<IProjectOrSolution> IncludedProjects => includedProjectsLazy.Value;
 
-        private static bool HasSdkAttribute(XmlElement xml) =>
-            xml.HasAttribute("Sdk");
-
-        private static bool AnyElement(XmlNodeList l, Func<XmlElement, bool> f) =>
-            l.OfType<XmlElement>().Any(f);
-
-        /// <summary>
-        /// According to https://learn.microsoft.com/en-us/visualstudio/msbuild/how-to-use-project-sdk?view=vs-2022#reference-a-project-sdk
-        /// there are three ways to reference a project SDK:
-        ///  1. As an attribute on the &lt;Project/&gt;.
-        ///  2. As a top level element of &lt;Project&gt;.
-        ///  3. As an attribute on an &lt;Import&gt; element.
-        ///
-        /// Returns true, if the Sdk attribute is used, otherwise false.
-        /// </summary>
-        private static bool ReferencesSdk(XmlElement xml) =>
-            HasSdkAttribute(xml) || // Case 1
-            AnyElement(xml.ChildNodes, e => e.Name == "Sdk") || // Case 2
-            AnyElement(xml.GetElementsByTagName("Import"), HasSdkAttribute); // Case 3
-
         public Project(Autobuilder<TAutobuildOptions> builder, string path) : base(builder, path)
         {
             ToolsVersion = new Version();
@@ -68,7 +49,7 @@ namespace Semmle.Autobuild.Shared
 
             if (root?.Name == "Project")
             {
-                if (ReferencesSdk(root))
+                if (root.HasAttribute("Sdk"))
                 {
                     DotNetProject = true;
                     return;

csharp/extractor/Semmle.Util/BuildActions.cs

@@ -125,11 +125,6 @@ namespace Semmle.Util
         /// <returns>True if we are running on Apple Silicon.</returns>
         bool IsRunningOnAppleSilicon();
 
-        /// <summary>
-        /// Checks if Mono is installed.
-        /// </summary>
-        bool IsMonoInstalled();
-
         /// <summary>
         /// Combine path segments, Path.Combine().
         /// </summary>
@@ -266,25 +261,6 @@ namespace Semmle.Util
             }
         }
 
-        bool IBuildActions.IsMonoInstalled()
-        {
-            var thisBuildActions = (IBuildActions)this;
-
-            if (thisBuildActions.IsWindows())
-            {
-                return false;
-            }
-
-            try
-            {
-                return 0 == thisBuildActions.RunProcess("mono", "--version", workingDirectory: null, env: null);
-            }
-            catch (Exception)
-            {
-                return false;
-            }
-        }
-
         string IBuildActions.PathCombine(params string[] parts) => Path.Combine(parts);
 
         void IBuildActions.WriteAllText(string filename, string contents) => File.WriteAllText(filename, contents);

csharp/ql/integration-tests/all-platforms/diag_missing_project_files/test.py

@@ -1,2 +1,8 @@
+import pytest
+import runs_on
+
+
+# Skipping the test on macos-15, as we're running into trouble.
+@pytest.mark.only_if(not runs_on.macos_15)
 def test(codeql, csharp):
     codeql.database.create(_assert_failure=True)

csharp/ql/lib/change-notes/2025-04-11-auto-builder-sdk.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Improved autobuilder logic for detecting whether a project references a SDK (and should be built using `dotnet`).

csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -22,16 +22,10 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, CsharpDat
 
   class Callable = CS::Callable;
 
-  class NodeExtended = CS::DataFlow::Node;
-
-  Callable getAsExprEnclosingCallable(NodeExtended node) {
-    result = node.asExpr().getEnclosingCallable()
+  class NodeExtended extends CS::DataFlow::Node {
+    Callable getAsExprEnclosingCallable() { result = this.asExpr().getEnclosingCallable() }
   }
 
-  Callable getEnclosingCallable(NodeExtended node) { result = node.getEnclosingCallable() }
-
-  Parameter asParameter(NodeExtended node) { result = node.asParameter() }
-
   /**
    * Holds if any of the parameters of `api` are `System.Func<>`.
    */

docs/codeql/reusables/supported-versions-compilers.rst

@@ -16,7 +16,7 @@
    .NET Core up to 3.1
 
    .NET 5, .NET 6, .NET 7, .NET 8, .NET 9","``.sln``, ``.csproj``, ``.cs``, ``.cshtml``, ``.xaml``"
-   GitHub Actions,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
+   GitHub Actions [12]_,"Not applicable",Not applicable,"``.github/workflows/*.yml``, ``.github/workflows/*.yaml``, ``**/action.yml``, ``**/action.yaml``"
    Go (aka Golang), "Go up to 1.24", "Go 1.11 or more recent", ``.go``
    Java,"Java 7 to 24 [5]_","javac (OpenJDK and Oracle JDK),
 
@@ -41,3 +41,4 @@
     .. [9] Requires glibc 2.17.
     .. [10] Support for the analysis of Swift requires macOS.
     .. [11] TypeScript analysis is performed by running the JavaScript extractor with TypeScript enabled. This is the default.
+    .. [12] Support for GitHub Actions is in public preview.

java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected

@@ -9,4 +9,3 @@ ql/java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql
 ql/java/ql/src/Likely Bugs/Likely Typos/SuspiciousDateFormat.ql
 ql/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
 ql/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql
-ql/java/ql/src/Performance/StringReplaceAllWithNonRegex.ql

java/ql/src/Performance/StringReplaceAllWithNonRegex.md

@@ -1,29 +0,0 @@
-# Use of `String#replaceAll` with a first argument which is not a regular expression
-
-Using `String#replaceAll` is less performant than `String#replace` when the first argument is not a regular expression.
-
-## Overview
-
-The `String#replaceAll` method is designed to work with regular expressions as its first parameter. When you use a simple string without any regex patterns (like special characters or syntax), it's more efficient to use `String#replace` instead. This is because `replaceAll` has to compile the input as a regular expression first, which adds unnecessary overhead when you are just replacing literal text.
-
-## Recommendation
-
-Use `String#replace` instead where a `replaceAll` call uses a trivial string as its first argument.
-
-## Example
-
-```java
-public class Test {
-    void f() {
-        String s1 = "test";
-        s1 = s1.replaceAll("t", "x"); // NON_COMPLIANT
-        s1 = s1.replaceAll(".*", "x"); // COMPLIANT
-    }
-}
-
-```
-
-## References
-
-- Java SE Documentation: [String.replaceAll](https://docs.oracle.com/en/java/javase/20/docs/api/java.base/java/lang/String.html#replaceAll(java.lang.String,java.lang.String)).
-- Common Weakness Enumeration: [CWE-1176](https://cwe.mitre.org/data/definitions/1176.html).

java/ql/src/Performance/StringReplaceAllWithNonRegex.ql

@@ -1,24 +0,0 @@
-/**
- * @id java/string-replace-all-with-non-regex
- * @name Use of `String#replaceAll` with a first argument which is not a regular expression
- * @description Using `String#replaceAll` with a first argument which is not a regular expression
- *              is less efficient than using `String#replace`.
- * @kind problem
- * @precision very-high
- * @problem.severity recommendation
- * @tags quality
- *       reliability
- *       performance
- *       external/cwe/cwe-1176
- */
-
-import java
-
-from StringReplaceAllCall replaceAllCall, StringLiteral firstArg
-where
-  firstArg = replaceAllCall.getArgument(0) and
-  //only contains characters that could be a simple string
-  firstArg.getValue().regexpMatch("^[a-zA-Z0-9]+$")
-select replaceAllCall,
-  "This call to 'replaceAll' should be a call to 'replace' as its $@ is not a regular expression.",
-  firstArg, "first argument"

java/ql/src/codeql-suites/java-code-quality.qls

@@ -1,15 +1,14 @@
 - queries: .
 - include:
     id:
-      - java/contradictory-type-checks
-      - java/equals-on-unrelated-types
-      - java/inconsistent-equals-and-hashcode
-      - java/input-resource-leak
-      - java/integer-multiplication-cast-to-long
-      - java/output-resource-leak
-      - java/reference-equality-of-boxed-types
-      - java/string-replace-all-with-non-regex
       - java/suspicious-date-format
-      - java/type-variable-hides-type
+      - java/integer-multiplication-cast-to-long
+      - java/equals-on-unrelated-types
+      - java/contradictory-type-checks
+      - java/reference-equality-of-boxed-types
+      - java/inconsistent-equals-and-hashcode
       - java/unchecked-cast-in-equals
       - java/unused-container
+      - java/input-resource-leak
+      - java/output-resource-leak
+      - java/type-variable-hides-type

java/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -32,16 +32,10 @@ module ModelGeneratorInput implements ModelGeneratorInputSig<Location, JavaDataF
 
   class Callable = J::Callable;
 
-  class NodeExtended = DataFlow::Node;
-
-  Callable getAsExprEnclosingCallable(NodeExtended node) {
-    result = node.asExpr().getEnclosingCallable()
+  class NodeExtended extends DataFlow::Node {
+    Callable getAsExprEnclosingCallable() { result = this.asExpr().getEnclosingCallable() }
   }
 
-  Callable getEnclosingCallable(NodeExtended node) { result = node.getEnclosingCallable() }
-
-  Parameter asParameter(NodeExtended node) { result = node.asParameter() }
-
   private predicate isInfrequentlyUsed(J::CompilationUnit cu) {
     cu.getPackage().getName().matches("javax.swing%") or
     cu.getPackage().getName().matches("java.awt%")

java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.expected

@@ -1 +0,0 @@
-| Test.java:4:14:4:36 | replaceAll(...) | This call to 'replaceAll' should be a call to 'replace' as its $@ is not a regular expression. | Test.java:4:28:4:30 | "t" | first argument |

java/ql/test/query-tests/StringReplaceAllWithNonRegex/StringReplaceAllWithNonRegex.qlref

@@ -1,2 +0,0 @@
-query: Performance/StringReplaceAllWithNonRegex.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql

java/ql/test/query-tests/StringReplaceAllWithNonRegex/Test.java

@@ -1,7 +0,0 @@
-public class Test {
-    void f() {
-        String s1 = "test";
-        s1 = s1.replaceAll("t", "x"); // $ Alert // NON_COMPLIANT
-        s1 = s1.replaceAll(".*", "x"); // COMPLIANT
-    }
-}

javascript/ql/lib/change-notes/2025-04-07-typed-arrays.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added taint propagation for `Uint8Array`, `ArrayBuffer`, `SharedArrayBuffer` and `TextDecoder.decode()`.

javascript/ql/lib/change-notes/2025-04-07-websocket.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Improved detection of `WebSocket` and `SockJS` usage.
-* Added data received from `WebSocket` clients as a remote flow source.

javascript/ql/lib/change-notes/2025-04-11-nextrequest.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Data passed to the [NextResponse](https://nextjs.org/docs/app/api-reference/functions/next-response) constructor is now treated as a sink for `js/reflected-xss`.
-* Data received from [NextRequest](https://nextjs.org/docs/app/api-reference/functions/next-request) and [Request](https://developer.mozilla.org/en-US/docs/Web/API/Request) is now treated as a remote user input `source`.

javascript/ql/lib/semmle/javascript/frameworks/Next.qll

@@ -213,12 +213,10 @@ module NextJS {
   /**
    * Gets a folder that contains API endpoints for a Next.js application.
    * These API endpoints act as Express-like route-handlers.
-   * It matches both the Pages Router (`pages/api/`) Next.js 12 or earlier and
-   * the App Router (`app/api/`) Next.js 13+ structures.
    */
   Folder apiFolder() {
-    result =
-      getANextPackage().getFile().getParentContainer().getFolder(["pages", "app"]).getFolder("api") or
+    result = getANextPackage().getFile().getParentContainer().getFolder("pages").getFolder("api")
+    or
     result = apiFolder().getAFolder()
   }
 
@@ -273,64 +271,4 @@ module NextJS {
       override string getCredentialsKind() { result = "jwt key" }
     }
   }
-
-  /**
-   * A route handler for Next.js 13+ App Router API endpoints, which are defined by exporting
-   * HTTP method functions (like `GET`, `POST`, `PUT`, `DELETE`) from route.js files inside
-   * the `app/api/` directory.
-   */
-  class NextAppRouteHandler extends DataFlow::FunctionNode, Http::Servers::StandardRouteHandler {
-    NextAppRouteHandler() {
-      exists(Module mod |
-        mod.getFile().getParentContainer() = apiFolder() or
-        mod.getFile().getStem() = "middleware"
-      |
-        this =
-          mod.getAnExportedValue([any(Http::RequestMethodName m), "middleware"]).getAFunctionValue()
-      )
-    }
-
-    /**
-     * Gets the request parameter, which is either a `NextRequest` object (from `next/server`) or a standard web `Request` object.
-     */
-    DataFlow::SourceNode getRequest() { result = this.getParameter(0) }
-  }
-
-  /**
-   * A source of user-controlled data from a `NextRequest` object (from `next/server`) or a standard web `Request` object
-   * in a Next.js App Router route handler.
-   */
-  class NextAppRequestSource extends Http::RequestInputAccess {
-    NextAppRouteHandler handler;
-    string kind;
-
-    NextAppRequestSource() {
-      (
-        this =
-          handler.getRequest().getAMethodCall(["json", "formData", "blob", "arrayBuffer", "text"])
-        or
-        this = handler.getRequest().getAPropertyRead("body")
-      ) and
-      kind = "body"
-      or
-      this = handler.getRequest().getAPropertyRead(["url", "nextUrl"]) and
-      kind = "url"
-      or
-      this =
-        handler
-            .getRequest()
-            .getAPropertyRead("nextUrl")
-            .getAPropertyRead("searchParams")
-            .getAMemberCall("get") and
-      kind = "parameter"
-      or
-      this = handler.getRequest().getAPropertyRead("headers") and kind = "headers"
-    }
-
-    override string getKind() { result = kind }
-
-    override Http::RouteHandler getRouteHandler() { result = handler }
-
-    override string getSourceType() { result = "Next.js App Router request" }
-  }
 }

javascript/ql/lib/semmle/javascript/frameworks/WebResponse.qll

@@ -19,13 +19,10 @@ private class HeadersEntryPoint extends API::EntryPoint {
 }
 
 /**
- * A call to the `Response` and `NextResponse` constructor.
+ * A call to the `Response` constructor.
  */
 private class ResponseCall extends API::InvokeNode {
-  ResponseCall() {
-    this = any(ResponseEntryPoint e).getANode().getAnInstantiation() or
-    this = API::moduleImport("next/server").getMember("NextResponse").getAnInstantiation()
-  }
+  ResponseCall() { this = any(ResponseEntryPoint e).getANode().getAnInstantiation() }
 }
 
 /**

javascript/ql/lib/semmle/javascript/frameworks/WebSocket.qll

@@ -47,20 +47,6 @@ private predicate areLibrariesCompatible(
   (client = LibraryNames::ws() or client = LibraryNames::websocket())
 }
 
-/** Treats `WebSocket` as an entry point for API graphs. */
-private class WebSocketEntryPoint extends API::EntryPoint {
-  WebSocketEntryPoint() { this = "global.WebSocket" }
-
-  override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("WebSocket") }
-}
-
-/** Treats `SockJS` as an entry point for API graphs. */
-private class SockJSEntryPoint extends API::EntryPoint {
-  SockJSEntryPoint() { this = "global.SockJS" }
-
-  override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("SockJS") }
-}
-
 /**
  * Provides classes that model WebSockets clients.
  */
@@ -70,7 +56,7 @@ module ClientWebSocket {
   /**
    * A class that can be used to instantiate a WebSocket instance.
    */
-  deprecated class SocketClass extends DataFlow::SourceNode {
+  class SocketClass extends DataFlow::SourceNode {
     LibraryName library; // the name of the WebSocket library. Can be one of the libraries defined in `LibraryNames`.
 
     SocketClass() {
@@ -92,38 +78,13 @@ module ClientWebSocket {
     LibraryName getLibrary() { result = library }
   }
 
-  /**
-   * A class that can be used to instantiate a WebSocket instance.
-   */
-  class WebSocketClass extends API::Node {
-    LibraryName library; // the name of the WebSocket library. Can be one of the libraries defined in `LibraryNames`.
-
-    WebSocketClass() {
-      this = any(WebSocketEntryPoint e).getANode() and library = websocket()
-      or
-      this = API::moduleImport("ws") and library = ws()
-      or
-      // the sockjs-client library:https://www.npmjs.com/package/sockjs-client
-      library = sockjs() and
-      (
-        this = API::moduleImport("sockjs-client") or
-        this = any(SockJSEntryPoint e).getANode()
-      )
-    }
-
-    /**
-     * Gets the WebSocket library name.
-     */
-    LibraryName getLibrary() { result = library }
-  }
-
   /**
    * A client WebSocket instance.
    */
-  class ClientSocket extends EventEmitter::Range, API::NewNode, ClientRequest::Range {
-    WebSocketClass socketClass;
+  class ClientSocket extends EventEmitter::Range, DataFlow::NewNode, ClientRequest::Range {
+    SocketClass socketClass;
 
-    ClientSocket() { this = socketClass.getAnInvocation() }
+    ClientSocket() { this = socketClass.getAnInstantiation() }
 
     /**
      * Gets the WebSocket library name.
@@ -154,10 +115,10 @@ module ClientWebSocket {
   /**
    * A message sent from a WebSocket client.
    */
-  class SendNode extends EventDispatch::Range, API::CallNode {
+  class SendNode extends EventDispatch::Range, DataFlow::CallNode {
     override ClientSocket emitter;
 
-    SendNode() { this = emitter.getReturn().getMember("send").getACall() }
+    SendNode() { this = emitter.getAMemberCall("send") }
 
     override string getChannel() { result = channelName() }
 
@@ -184,8 +145,8 @@ module ClientWebSocket {
   private DataFlow::FunctionNode getAMessageHandler(
     ClientWebSocket::ClientSocket emitter, string methodName
   ) {
-    exists(API::CallNode call |
-      call = emitter.getReturn().getMember(methodName).getACall() and
+    exists(DataFlow::CallNode call |
+      call = emitter.getAMemberCall(methodName) and
       call.getArgument(0).mayHaveStringValue("message") and
       result = call.getCallback(1)
     )
@@ -200,13 +161,7 @@ module ClientWebSocket {
     WebSocketReceiveNode() {
       this = getAMessageHandler(emitter, "addEventListener")
       or
-      this = emitter.getReturn().getMember("onmessage").getAValueReachingSink()
-      or
-      exists(DataFlow::MethodCallNode bindCall |
-        bindCall = emitter.getReturn().getMember("onmessage").getAValueReachingSink() and
-        bindCall.getMethodName() = "bind" and
-        this = bindCall.getReceiver().getAFunctionValue()
-      )
+      this = emitter.getAPropertyWrite("onmessage").getRhs()
     }
 
     override DataFlow::Node getReceivedItem(int i) {
@@ -237,7 +192,7 @@ module ServerWebSocket {
   /**
    * Gets a server created by a library named `library`.
    */
-  deprecated DataFlow::SourceNode getAServer(LibraryName library) {
+  DataFlow::SourceNode getAServer(LibraryName library) {
     library = ws() and
     result = DataFlow::moduleImport("ws").getAConstructorInvocation("Server")
     or
@@ -245,22 +200,11 @@ module ServerWebSocket {
     result = DataFlow::moduleImport("sockjs").getAMemberCall("createServer")
   }
 
-  /**
-   * Gets a server created by a library named `library`.
-   */
-  API::InvokeNode getAServerInvocation(LibraryName library) {
-    library = ws() and
-    result = API::moduleImport("ws").getMember("Server").getAnInvocation()
-    or
-    library = sockjs() and
-    result = API::moduleImport("sockjs").getMember("createServer").getAnInvocation()
-  }
-
   /**
    * Gets a `socket.on("connection", (msg, req) => {})` call.
    */
   private DataFlow::CallNode getAConnectionCall(LibraryName library) {
-    result = getAServerInvocation(library).getReturn().getMember(EventEmitter::on()).getACall() and
+    result = getAServer(library).getAMemberCall(EventEmitter::on()) and
     result.getArgument(0).mayHaveStringValue("connection")
   }
 
@@ -380,18 +324,15 @@ module ServerWebSocket {
       result = this.getCallback(1).getParameter(0)
     }
   }
-}
 
-/**
- * A data flow node representing data received from a client or server, viewed as remote user input.
- */
-private class ReceivedItemAsRemoteFlow extends RemoteFlowSource {
-  ReceivedItemAsRemoteFlow() {
-    this = any(ClientWebSocket::ReceiveNode rercv).getReceivedItem(_) or
-    this = any(ServerWebSocket::ReceiveNode rercv).getReceivedItem(_)
+  /**
+   * A data flow node representing data received from a client, viewed as remote user input.
+   */
+  private class ReceivedItemAsRemoteFlow extends RemoteFlowSource {
+    ReceivedItemAsRemoteFlow() { this = any(ReceiveNode rercv).getReceivedItem(_) }
+
+    override string getSourceType() { result = "WebSocket client data" }
+
+    override predicate isUserControlledObject() { any() }
   }
-
-  override string getSourceType() { result = "WebSocket transmitted data" }
-
-  override predicate isUserControlledObject() { any() }
 }

javascript/ql/lib/semmle/javascript/internal/flow_summaries/AllFlowSummaries.qll

@@ -12,5 +12,3 @@ private import Sets
 private import Strings
 private import DynamicImportStep
 private import UrlSearchParams
-private import TypedArrays
-private import Decoders

javascript/ql/lib/semmle/javascript/internal/flow_summaries/Decoders.qll

@@ -1,28 +0,0 @@
-private import javascript
-private import semmle.javascript.dataflow.FlowSummary
-private import semmle.javascript.dataflow.InferredTypes
-private import semmle.javascript.dataflow.internal.DataFlowPrivate as Private
-private import FlowSummaryUtil
-
-private class TextDecoderEntryPoint extends API::EntryPoint {
-  TextDecoderEntryPoint() { this = "global.TextDecoder" }
-
-  override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("TextDecoder") }
-}
-
-pragma[nomagic]
-API::Node textDecoderConstructorRef() { result = any(TextDecoderEntryPoint e).getANode() }
-
-class Decode extends SummarizedCallable {
-  Decode() { this = "TextDecoder#decode" }
-
-  override InstanceCall getACall() {
-    result = textDecoderConstructorRef().getInstance().getMember("decode").getACall()
-  }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    preservesValue = false and
-    input = "Argument[0].ArrayElement" and
-    output = "ReturnValue"
-  }
-}

javascript/ql/lib/semmle/javascript/internal/flow_summaries/Strings.qll

@@ -99,19 +99,3 @@ class StringSplitHashOrQuestionMark extends SummarizedCallable {
     )
   }
 }
-
-class StringFromCharCode extends SummarizedCallable {
-  StringFromCharCode() { this = "String#fromCharCode" }
-
-  override DataFlow::CallNode getACall() {
-    result = DataFlow::globalVarRef("String").getAPropertyRead("fromCharCode").getACall()
-  }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    preservesValue = false and
-    (
-      input = "Argument[0..]" and
-      output = "ReturnValue"
-    )
-  }
-}

javascript/ql/lib/semmle/javascript/internal/flow_summaries/TypedArrays.qll

@@ -1,89 +0,0 @@
-private import javascript
-private import semmle.javascript.dataflow.FlowSummary
-private import semmle.javascript.dataflow.InferredTypes
-private import semmle.javascript.dataflow.internal.DataFlowPrivate as Private
-private import FlowSummaryUtil
-
-private class TypedArrayEntryPoint extends API::EntryPoint {
-  TypedArrayEntryPoint() { this = "global.Uint8Array" }
-
-  override DataFlow::SourceNode getASource() { result = DataFlow::globalVarRef("Uint8Array") }
-}
-
-pragma[nomagic]
-API::Node typedArrayConstructorRef() { result = any(TypedArrayEntryPoint e).getANode() }
-
-class TypedArrayConstructorSummary extends SummarizedCallable {
-  TypedArrayConstructorSummary() { this = "TypedArray constructor" }
-
-  override DataFlow::InvokeNode getACall() {
-    result = typedArrayConstructorRef().getAnInstantiation()
-  }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    preservesValue = true and
-    input = "Argument[0].ArrayElement" and
-    output = "ReturnValue.ArrayElement"
-  }
-}
-
-class BufferTypedArray extends DataFlow::AdditionalFlowStep {
-  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
-    exists(DataFlow::PropRead p |
-      p = typedArrayConstructorRef().getInstance().getMember("buffer").asSource() and
-      pred = p.getBase() and
-      succ = p
-    )
-  }
-}
-
-class TypedArraySet extends SummarizedCallable {
-  TypedArraySet() { this = "TypedArray#set" }
-
-  override InstanceCall getACall() {
-    result = typedArrayConstructorRef().getInstance().getMember("set").getACall()
-  }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    preservesValue = true and
-    input = "Argument[0].ArrayElement" and
-    output = "Argument[this].ArrayElement"
-  }
-}
-
-class TypedArraySubarray extends SummarizedCallable {
-  TypedArraySubarray() { this = "TypedArray#subarray" }
-
-  override InstanceCall getACall() { result.getMethodName() = "subarray" }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    preservesValue = true and
-    input = "Argument[this].ArrayElement" and
-    output = "ReturnValue.ArrayElement"
-  }
-}
-
-private class ArrayBufferEntryPoint extends API::EntryPoint {
-  ArrayBufferEntryPoint() { this = ["global.ArrayBuffer", "global.SharedArrayBuffer"] }
-
-  override DataFlow::SourceNode getASource() {
-    result = DataFlow::globalVarRef(["ArrayBuffer", "SharedArrayBuffer"])
-  }
-}
-
-pragma[nomagic]
-API::Node arrayBufferConstructorRef() { result = any(ArrayBufferEntryPoint a).getANode() }
-
-class TransferLike extends SummarizedCallable {
-  TransferLike() { this = "ArrayBuffer#transfer" }
-
-  override InstanceCall getACall() {
-    result.getMethodName() = ["transfer", "transferToFixedLength"]
-  }
-
-  override predicate propagatesFlow(string input, string output, boolean preservesValue) {
-    preservesValue = true and
-    input = "Argument[this].ArrayElement" and
-    output = "ReturnValue.ArrayElement"
-  }
-}

javascript/ql/src/Expressions/BitwiseSignCheck.ql

@@ -17,6 +17,7 @@ import javascript
  *
  * For example, projecting out constant bit patterns less than 2<sup>31</sup>
  * is safe, as are shifts by small constant integers.
+ * Dummy change
  */
 predicate acceptableSignCheck(BitwiseExpr b) {
   // projecting out constant bit patterns not containing the sign bit is fine

javascript/ql/src/Security/trest/test.ql

@@ -1,10 +0,0 @@
-import javascript
-
-API::NewNode getAWebSocketInstance() { result instanceof ClientWebSocket::ClientSocket }
-
-from DataFlow::Node handler
-where
-  handler = getAWebSocketInstance().getReturn().getMember("onmessage").asSource()
-  or
-  handler = getAWebSocketInstance().getAPropertyWrite("onmessage").getRhs()
-select handler, "This is a WebSocket onmessage handler."

javascript/ql/test/library-tests/TaintTracking/BasicTaintTracking.expected

@@ -35,23 +35,11 @@ legacyDataFlowDifference
 | spread.js:4:15:4:22 | source() | spread.js:18:8:18:8 | y | only flow with NEW data flow library |
 | spread.js:4:15:4:22 | source() | spread.js:24:8:24:8 | y | only flow with NEW data flow library |
 | tst.js:2:13:2:20 | source() | tst.js:17:10:17:10 | a | only flow with OLD data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:5:10:5:10 | y | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:7:10:7:17 | y.buffer | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:42:10:42:30 | typedAr ... ring(y) | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:48:10:48:12 | str | only flow with NEW data flow library |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:52:10:52:13 | str2 | only flow with NEW data flow library |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x | only flow with NEW data flow library |
 consistencyIssue
 | nested-props.js:20 | expected an alert, but found none | NOT OK - but not found | Consistency |
 | stringification-read-steps.js:17 | expected an alert, but found none | NOT OK | Consistency |
 | stringification-read-steps.js:25 | expected an alert, but found none | NOT OK | Consistency |
-| typed-arrays.js:23 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
-| typed-arrays.js:28 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
-| typed-arrays.js:32 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
-| typed-arrays.js:36 | expected an alert, but found none | NOT OK -- Should be flagged but it is not. | Consistency |
 flow
 | access-path-sanitizer.js:2:18:2:25 | source() | access-path-sanitizer.js:4:8:4:12 | obj.x |
 | addexpr.js:4:10:4:17 | source() | addexpr.js:7:8:7:8 | x |
@@ -337,14 +325,6 @@ flow
 | tst.js:87:22:87:29 | source() | tst.js:90:14:90:25 | taintedValue |
 | tst.js:93:22:93:29 | source() | tst.js:96:14:96:25 | taintedValue |
 | tst.js:93:22:93:29 | source() | tst.js:97:14:97:26 | map.get(true) |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:5:10:5:10 | y |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:7:10:7:17 | y.buffer |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:11:10:11:12 | arr |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:15:10:15:10 | z |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:18:10:18:12 | sub |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:42:10:42:30 | typedAr ... ring(y) |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:48:10:48:12 | str |
-| typed-arrays.js:2:13:2:20 | source() | typed-arrays.js:52:10:52:13 | str2 |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:8:10:8:17 | captured |
 | use-use-after-implicit-read.js:7:17:7:24 | source() | use-use-after-implicit-read.js:15:10:15:10 | x |
 | xml.js:5:18:5:25 | source() | xml.js:8:14:8:17 | text |

javascript/ql/test/library-tests/TaintTracking/typed-arrays.js

@@ -1,53 +0,0 @@
-function test() {
-    let x = source();
-
-    let y = new Uint8Array(x);
-    sink(y); // NOT OK
-
-    sink(y.buffer); // NOT OK
-    sink(y.length);
-
-    var arr = new Uint8Array(y.buffer, y.byteOffset, y.byteLength);
-    sink(arr); // NOT OK
-
-    const z = new Uint8Array([1, 2, 3]);
-    z.set(y, 3);
-    sink(z); // NOT OK
-
-    const sub = y.subarray(1, 3)
-    sink(sub); // NOT OK
-
-    const buffer = new ArrayBuffer(8);
-    const view = new Uint8Array(buffer);
-    view.set(x, 3);
-    sink(buffer); // NOT OK -- Should be flagged but it is not.
-
-    const sharedBuffer = new SharedArrayBuffer(8);
-    const view1 = new Uint8Array(sharedBuffer);
-    view1.set(x, 3);
-    sink(sharedBuffer); // NOT OK -- Should be flagged but it is not.
-
-    const transfered = buffer.transfer();
-    const transferedView = new Uint8Array(transfered);
-    sink(transferedView); // NOT OK -- Should be flagged but it is not.
-
-    const transfered2 = buffer.transferToFixedLength();
-    const transferedView2 = new Uint8Array(transfered2);
-    sink(transferedView2); // NOT OK -- Should be flagged but it is not.
-
-    var typedArrayToString = (function () {
-        return function (a) { return String.fromCharCode.apply(null, a); };
-    })();
-
-    sink(typedArrayToString(y)); // NOT OK
-
-    let str = '';
-    for (let i = 0; i < y.length; i++) 
-        str += String.fromCharCode(y[i]);
-    
-    sink(str); // NOT OK
-
-    const decoder = new TextDecoder('utf-8');
-    const str2 = decoder.decode(y);
-    sink(str2); //  NOT OK
-}

javascript/ql/test/library-tests/frameworks/WebSocket/browser-custom.js

@@ -1,74 +0,0 @@
-import { MyWebSocket, MySockJS, myWebSocketInstance, mySockJSInstance } from './browser.js';
-
-(function () {
-	const socket = new MyWebSocket('ws://localhost:9080'); // $ clientSocket
-
-	socket.addEventListener('open', function (event) {
-		socket.send('Hi from browser!'); // $ clientSend
-	});
-
-	socket.addEventListener('message', function (event) {
-		console.log('Message from server ', event.data); // $ remoteFlow
-	}); // $ clientReceive
-
-	socket.onmessage = function (event) {
-		console.log("Message from server 2", event.data); // $ remoteFlow
-	}; // $ clientReceive
-})();
-
-
-(function () {
-	var sock = new MySockJS('http://0.0.0.0:9999/echo'); // $ clientSocket
-	sock.onopen = function () {
-		sock.send('test'); // $ clientSend
-	};
-	
-	sock.onmessage = function (e) {
-		console.log('message', e.data); // $ remoteFlow
-		sock.close();
-	}; // $ clientReceive
-	
-	sock.addEventListener('message', function (event) {
-		console.log('Using addEventListener ', event.data); // $ remoteFlow
-	}); // $ clientReceive
-})();
-
-
-(function () {
-    myWebSocketInstance.addEventListener('open', function (event) {
-        myWebSocketInstance.send('Hi from browser!'); // $ clientSend
-    });
-
-    myWebSocketInstance.addEventListener('message', function (event) {
-        console.log('Message from server ', event.data); // $ remoteFlow
-    }); // $ clientReceive
-
-    myWebSocketInstance.onmessage = function (event) {
-        console.log("Message from server 2", event.data); // $ remoteFlow
-    }; // $ clientReceive
-})();
-
-
-(function () {
-    mySockJSInstance.onopen = function () {
-        mySockJSInstance.send('test'); // $ clientSend
-    };
-    
-    mySockJSInstance.onmessage = function (e) {
-        console.log('message', e.data); // $ remoteFlow
-        mySockJSInstance.close();
-    }; // $ clientReceive
-    
-    mySockJSInstance.addEventListener('message', function (event) {
-        console.log('Using addEventListener ', event.data); // $ remoteFlow
-    }); // $ clientReceive
-})();
-
-
-const recv_message = function (e) {
-    console.log('Received message:', e.data); // $ remoteFlow
-}; // $ clientReceive
-
-(function () {
-    myWebSocketInstance.onmessage = recv_message.bind(this);
-})();

javascript/ql/test/library-tests/frameworks/WebSocket/browser.js

@@ -1,37 +1,32 @@
 (function () {
-	const socket = new WebSocket('ws://localhost:8080'); // $clientSocket
+	const socket = new WebSocket('ws://localhost:8080');
 
 	socket.addEventListener('open', function (event) {
-		socket.send('Hi from browser!'); // $clientSend
+		socket.send('Hi from browser!');
 	});
 
 	socket.addEventListener('message', function (event) {
-		console.log('Message from server ', event.data); // $ remoteFlow
-	}); // $clientReceive
+		console.log('Message from server ', event.data);
+	});
 
 	socket.onmessage = function (event) {
-		console.log("Message from server 2", event.data); // $ remoteFlow
-	}; // $clientReceive
+		console.log("Message from server 2", event.data)
+	};
 })();
 
 
 (function () {
-	var sock = new SockJS('http://0.0.0.0:9999/echo'); // $clientSocket
+	var sock = new SockJS('http://0.0.0.0:9999/echo');
 	sock.onopen = function () {
-		sock.send('test'); // $clientSend
+		sock.send('test');
 	};
 	
 	sock.onmessage = function (e) {
-		console.log('message', e.data); // $ remoteFlow
+		console.log('message', e.data);
 		sock.close();
-	}; // $clientReceive
+	};
 	
 	sock.addEventListener('message', function (event) {
-		console.log('Using addEventListener ', event.data); // $ remoteFlow
-	}); // $clientReceive
-})();
-
-export const MyWebSocket = WebSocket;
-export const MySockJS = SockJS;
-export const myWebSocketInstance = new WebSocket('ws://localhost:8080'); // $ clientSocket
-export const mySockJSInstance = new SockJS('http://0.0.0.0:9999/echo'); // $ clientSocket
+		console.log('Using addEventListener ', event.data);
+	});
+})

javascript/ql/test/library-tests/frameworks/WebSocket/client-custom.js

@@ -1,23 +0,0 @@
-const { MyWebSocketWS, myWebSocketWSInstance } = require('./client.js');
-
-(function () {
-	const ws = new MyWebSocketWS('ws://example.org'); // $ clientSocket
-
-	ws.on('open', function open() {
-		ws.send('Hi from client!'); // $ clientSend
-	});
-
-	ws.on('message', function incoming(data) { // $ remoteFlow
-		console.log(data);
-	}); // $ clientReceive
-})();
-
-(function () {
-	myWebSocketWSInstance.on('open', function open() {
-		myWebSocketWSInstance.send('Hi from client!'); // $ clientSend
-	});
-
-	myWebSocketWSInstance.on('message', function incoming(data) { // $ remoteFlow
-		console.log(data);
-	}); // $ clientReceive
-})();

javascript/ql/test/library-tests/frameworks/WebSocket/client.js

@@ -1,16 +1,13 @@
-const WebSocket = require('ws');
-
 (function () {
-	const ws = new WebSocket('ws://example.org'); // $clientSocket
+	const WebSocket = require('ws');
+
+	const ws = new WebSocket('ws://example.org');
 
 	ws.on('open', function open() {
-		ws.send('Hi from client!'); // $clientSend
+		ws.send('Hi from client!');
 	});
 
-	ws.on('message', function incoming(data) { // $ remoteFlow
+	ws.on('message', function incoming(data) {
 		console.log(data);
-	}); // $clientReceive
-})();
-
-module.exports.MyWebSocketWS = require('ws');
-module.exports.myWebSocketWSInstance = new WebSocket('ws://example.org'); // $ clientSocket
+	});
+})();

javascript/ql/test/library-tests/frameworks/WebSocket/server-custom.js

@@ -1,23 +0,0 @@
-const { MyWebSocketServer, myWebSocketServerInstance } = require('./server.js');
-
-(function () {
-	const wss = new MyWebSocketServer({ port: 8080 });
-
-	wss.on('connection', function connection(ws) { // $ serverSocket
-		ws.on('message', function incoming(message) { // $ remoteFlow
-			console.log('received: %s', message);
-		}); // $ serverReceive
-
-		ws.send('Hi from server!'); // $ serverSend
-	});
-})();
-
-(function () {
-	myWebSocketServerInstance.on('connection', function connection(ws) { // $ serverSocket
-		ws.on('message', function incoming(message) { // $ remoteFlow
-			console.log('received: %s', message);
-		}); // $ serverReceive
-
-		ws.send('Hi from server!'); // $ serverSend
-	});
-})();

javascript/ql/test/library-tests/frameworks/WebSocket/server.js

@@ -1,16 +1,13 @@
-const WebSocket = require('ws');
-
 (function () {
+	const WebSocket = require('ws');
+
 	const wss = new WebSocket.Server({ port: 8080 });
 
-	wss.on('connection', function connection(ws) { // $serverSocket
-		ws.on('message', function incoming(message) { // $remoteFlow
+	wss.on('connection', function connection(ws) {
+		ws.on('message', function incoming(message) {
 			console.log('received: %s', message);
-		}); // $serverReceive
+		});
 
-		ws.send('Hi from server!'); // $serverSend
+		ws.send('Hi from server!');
 	});
-})();
-
-module.exports.MyWebSocketServer = require('ws').Server;
-module.exports.myWebSocketServerInstance = new WebSocket.Server({ port: 8080 });
+})();

javascript/ql/test/library-tests/frameworks/WebSocket/sockjs.js

@@ -5,11 +5,11 @@ const sockjs = require('sockjs');
 const app = express();
 const server = http.createServer(app);
 const sockjs_echo = sockjs.createServer({});
-sockjs_echo.on('connection', function (conn) { // $serverSocket
-    conn.on('data', function (message) { // $remoteFlow
+sockjs_echo.on('connection', function (conn) {
+    conn.on('data', function (message) {
         var data = JSON.parse(message);
-        conn.write(JSON.stringify(eval(data.test))); // $serverSend
-    }); // $serverReceive
+        conn.write(JSON.stringify(eval(data.test)));
+    });
 });
 
 sockjs_echo.installHandlers(server, { prefix: '/echo' });

javascript/ql/test/library-tests/frameworks/WebSocket/test.expected

@@ -1,139 +1,35 @@
-clientReceive
-| browser-custom.js:10:37:12:2 | functio ... Flow\\n\\t} |
-| browser-custom.js:14:21:16:2 | functio ... Flow\\n\\t} |
-| browser-custom.js:26:19:29:2 | functio ... e();\\n\\t} |
-| browser-custom.js:31:35:33:2 | functio ... Flow\\n\\t} |
-| browser-custom.js:42:53:44:5 | functio ... w\\n    } |
-| browser-custom.js:46:37:48:5 | functio ... w\\n    } |
-| browser-custom.js:57:34:60:5 | functio ... ;\\n    } |
-| browser-custom.js:62:50:64:5 | functio ... w\\n    } |
-| browser-custom.js:68:22:70:1 | functio ... eFlow\\n} |
-| browser.js:8:37:10:2 | functio ... Flow\\n\\t} |
-| browser.js:12:21:14:2 | functio ... Flow\\n\\t} |
-| browser.js:24:19:27:2 | functio ... e();\\n\\t} |
-| browser.js:29:35:31:2 | functio ... Flow\\n\\t} |
-| client-custom.js:10:19:12:2 | functio ... ta);\\n\\t} |
-| client-custom.js:20:38:22:2 | functio ... ta);\\n\\t} |
-| client.js:10:19:12:2 | functio ... ta);\\n\\t} |
-clientSend
-| browser-custom.js:7:3:7:33 | socket. ... wser!') |
-| browser-custom.js:23:3:23:19 | sock.send('test') |
-| browser-custom.js:39:9:39:52 | myWebSo ... wser!') |
-| browser-custom.js:54:9:54:37 | mySockJ ... 'test') |
-| browser.js:5:3:5:33 | socket. ... wser!') |
-| browser.js:21:3:21:19 | sock.send('test') |
-| client-custom.js:7:3:7:28 | ws.send ... ient!') |
-| client-custom.js:17:3:17:47 | myWebSo ... ient!') |
-| client.js:7:3:7:28 | ws.send ... ient!') |
 clientSocket
-| browser-custom.js:4:17:4:54 | new MyW ... :9080') |
-| browser-custom.js:21:13:21:52 | new MyS ... /echo') |
 | browser.js:2:17:2:52 | new Web ... :8080') |
 | browser.js:19:13:19:50 | new Soc ... /echo') |
-| browser.js:36:36:36:71 | new Web ... :8080') |
-| browser.js:37:33:37:70 | new Soc ... /echo') |
-| client-custom.js:4:13:4:49 | new MyW ... e.org') |
 | client.js:4:13:4:45 | new Web ... e.org') |
-| client.js:16:40:16:72 | new Web ... e.org') |
+clientSend
+| browser.js:5:3:5:33 | socket. ... wser!') |
+| browser.js:21:3:21:19 | sock.send('test') |
+| client.js:7:3:7:28 | ws.send ... ient!') |
+clientReceive
+| browser.js:8:37:10:2 | functio ... ta);\\n\\t} |
+| browser.js:12:21:14:2 | functio ... ata)\\n\\t} |
+| browser.js:24:19:27:2 | functio ... e();\\n\\t} |
+| browser.js:29:35:31:2 | functio ... ta);\\n\\t} |
+| client.js:10:19:12:2 | functio ... ta);\\n\\t} |
+serverSocket
+| server.js:6:43:6:44 | ws |
+| sockjs.js:8:40:8:43 | conn |
+serverSend
+| server.js:11:3:11:28 | ws.send ... rver!') |
+| sockjs.js:11:9:11:51 | conn.wr ... test))) |
+serverReceive
+| server.js:7:3:9:4 | ws.on(' ... );\\n\\t\\t}) |
+| sockjs.js:9:5:12:6 | conn.on ... \\n    }) |
 flowSteps
-| browser-custom.js:1:10:1:20 | MyWebSocket | browser-custom.js:1:10:1:20 | MyWebSocket |
-| browser-custom.js:1:23:1:30 | MySockJS | browser-custom.js:1:23:1:30 | MySockJS |
-| browser-custom.js:1:33:1:51 | myWebSocketInstance | browser-custom.js:1:33:1:51 | myWebSocketInstance |
-| browser-custom.js:1:54:1:69 | mySockJSInstance | browser-custom.js:1:54:1:69 | mySockJSInstance |
-| browser-custom.js:7:15:7:32 | 'Hi from browser!' | server-custom.js:7:38:7:44 | message |
-| browser-custom.js:7:15:7:32 | 'Hi from browser!' | server-custom.js:17:38:17:44 | message |
-| browser-custom.js:7:15:7:32 | 'Hi from browser!' | server.js:7:38:7:44 | message |
-| browser-custom.js:23:13:23:18 | 'test' | sockjs.js:9:31:9:37 | message |
-| browser-custom.js:39:34:39:51 | 'Hi from browser!' | server-custom.js:7:38:7:44 | message |
-| browser-custom.js:39:34:39:51 | 'Hi from browser!' | server-custom.js:17:38:17:44 | message |
-| browser-custom.js:39:34:39:51 | 'Hi from browser!' | server.js:7:38:7:44 | message |
-| browser-custom.js:54:31:54:36 | 'test' | sockjs.js:9:31:9:37 | message |
-| browser.js:5:15:5:32 | 'Hi from browser!' | server-custom.js:7:38:7:44 | message |
-| browser.js:5:15:5:32 | 'Hi from browser!' | server-custom.js:17:38:17:44 | message |
 | browser.js:5:15:5:32 | 'Hi from browser!' | server.js:7:38:7:44 | message |
 | browser.js:21:13:21:18 | 'test' | sockjs.js:9:31:9:37 | message |
-| client-custom.js:7:11:7:27 | 'Hi from client!' | server-custom.js:7:38:7:44 | message |
-| client-custom.js:7:11:7:27 | 'Hi from client!' | server-custom.js:17:38:17:44 | message |
-| client-custom.js:7:11:7:27 | 'Hi from client!' | server.js:7:38:7:44 | message |
-| client-custom.js:17:30:17:46 | 'Hi from client!' | server-custom.js:7:38:7:44 | message |
-| client-custom.js:17:30:17:46 | 'Hi from client!' | server-custom.js:17:38:17:44 | message |
-| client-custom.js:17:30:17:46 | 'Hi from client!' | server.js:7:38:7:44 | message |
-| client.js:7:11:7:27 | 'Hi from client!' | server-custom.js:7:38:7:44 | message |
-| client.js:7:11:7:27 | 'Hi from client!' | server-custom.js:17:38:17:44 | message |
 | client.js:7:11:7:27 | 'Hi from client!' | server.js:7:38:7:44 | message |
-| client.js:15:32:15:44 | require('ws') | client-custom.js:1:9:1:21 | MyWebSocketWS |
-| client.js:16:40:16:72 | new Web ... e.org') | client-custom.js:1:24:1:44 | myWebSo ... nstance |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:11:39:11:48 | event.data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:15:40:15:49 | event.data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:43:45:43:54 | event.data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:47:46:47:55 | event.data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:69:38:69:43 | e.data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | browser.js:9:39:9:48 | event.data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | browser.js:13:40:13:49 | event.data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | client-custom.js:10:37:10:40 | data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | client-custom.js:20:56:20:59 | data |
-| server-custom.js:11:11:11:27 | 'Hi from server!' | client.js:10:37:10:40 | data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | browser-custom.js:11:39:11:48 | event.data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | browser-custom.js:15:40:15:49 | event.data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | browser-custom.js:43:45:43:54 | event.data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | browser-custom.js:47:46:47:55 | event.data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | browser-custom.js:69:38:69:43 | e.data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | browser.js:9:39:9:48 | event.data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | browser.js:13:40:13:49 | event.data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | client-custom.js:10:37:10:40 | data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | client-custom.js:20:56:20:59 | data |
-| server-custom.js:21:11:21:27 | 'Hi from server!' | client.js:10:37:10:40 | data |
-| server.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:11:39:11:48 | event.data |
-| server.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:15:40:15:49 | event.data |
-| server.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:43:45:43:54 | event.data |
-| server.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:47:46:47:55 | event.data |
-| server.js:11:11:11:27 | 'Hi from server!' | browser-custom.js:69:38:69:43 | e.data |
 | server.js:11:11:11:27 | 'Hi from server!' | browser.js:9:39:9:48 | event.data |
 | server.js:11:11:11:27 | 'Hi from server!' | browser.js:13:40:13:49 | event.data |
-| server.js:11:11:11:27 | 'Hi from server!' | client-custom.js:10:37:10:40 | data |
-| server.js:11:11:11:27 | 'Hi from server!' | client-custom.js:20:56:20:59 | data |
 | server.js:11:11:11:27 | 'Hi from server!' | client.js:10:37:10:40 | data |
-| server.js:15:36:15:55 | require('ws').Server | server-custom.js:1:9:1:25 | MyWebSocketServer |
-| server.js:16:44:16:79 | new Web ... 8080 }) | server-custom.js:1:28:1:52 | myWebSo ... nstance |
-| sockjs.js:11:20:11:50 | JSON.st ... .test)) | browser-custom.js:27:26:27:31 | e.data |
-| sockjs.js:11:20:11:50 | JSON.st ... .test)) | browser-custom.js:32:42:32:51 | event.data |
-| sockjs.js:11:20:11:50 | JSON.st ... .test)) | browser-custom.js:58:32:58:37 | e.data |
-| sockjs.js:11:20:11:50 | JSON.st ... .test)) | browser-custom.js:63:48:63:57 | event.data |
 | sockjs.js:11:20:11:50 | JSON.st ... .test)) | browser.js:25:26:25:31 | e.data |
 | sockjs.js:11:20:11:50 | JSON.st ... .test)) | browser.js:30:42:30:51 | event.data |
 remoteFlow
-| browser-custom.js:11:39:11:48 | event.data |
-| browser-custom.js:15:40:15:49 | event.data |
-| browser-custom.js:27:26:27:31 | e.data |
-| browser-custom.js:32:42:32:51 | event.data |
-| browser-custom.js:43:45:43:54 | event.data |
-| browser-custom.js:47:46:47:55 | event.data |
-| browser-custom.js:58:32:58:37 | e.data |
-| browser-custom.js:63:48:63:57 | event.data |
-| browser-custom.js:69:38:69:43 | e.data |
-| browser.js:9:39:9:48 | event.data |
-| browser.js:13:40:13:49 | event.data |
-| browser.js:25:26:25:31 | e.data |
-| browser.js:30:42:30:51 | event.data |
-| client-custom.js:10:37:10:40 | data |
-| client-custom.js:20:56:20:59 | data |
-| client.js:10:37:10:40 | data |
-| server-custom.js:7:38:7:44 | message |
-| server-custom.js:17:38:17:44 | message |
 | server.js:7:38:7:44 | message |
 | sockjs.js:9:31:9:37 | message |
-serverReceive
-| server-custom.js:7:3:9:4 | ws.on(' ... );\\n\\t\\t}) |
-| server-custom.js:17:3:19:4 | ws.on(' ... );\\n\\t\\t}) |
-| server.js:7:3:9:4 | ws.on(' ... );\\n\\t\\t}) |
-| sockjs.js:9:5:12:6 | conn.on ... \\n    }) |
-serverSend
-| server-custom.js:11:3:11:28 | ws.send ... rver!') |
-| server-custom.js:21:3:21:28 | ws.send ... rver!') |
-| server.js:11:3:11:28 | ws.send ... rver!') |
-| sockjs.js:11:9:11:51 | conn.wr ... test))) |
-serverSocket
-| server-custom.js:6:43:6:44 | ws |
-| server-custom.js:16:65:16:66 | ws |
-| server.js:6:43:6:44 | ws |
-| sockjs.js:8:40:8:43 | conn |

javascript/ql/test/library-tests/frameworks/WebSocket/test.qlref

@@ -1,2 +0,0 @@
-query: test.ql
-postprocess: utils/test/InlineExpectationsTestQuery.ql

javascript/ql/test/query-tests/Security/CWE-079/ReflectedXss/ReflectedXss.expected

@@ -27,14 +27,6 @@
 | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | ReflectedXssContentTypes.js:39:13:39:35 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:39:23:39:35 | req.params.id | user-provided value |
 | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | ReflectedXssContentTypes.js:70:12:70:34 | "FOO: " ... rams.id | Cross-site scripting vulnerability due to a $@. | ReflectedXssContentTypes.js:70:22:70:34 | req.params.id | user-provided value |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | Cross-site scripting vulnerability due to a $@. | ReflectedXssGood3.js:135:15:135:27 | req.params.id | user-provided value |
-| app/api/route.ts:5:18:5:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:5:18:5:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
-| app/api/route.ts:13:18:13:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:13:18:13:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
-| app/api/route.ts:25:18:25:21 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:25:18:25:21 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
-| app/api/route.ts:29:25:29:28 | body | app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:29:25:29:28 | body | Cross-site scripting vulnerability due to a $@. | app/api/route.ts:2:24:2:33 | req.json() | user-provided value |
-| app/api/routeNextRequest.ts:7:20:7:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:7:20:7:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
-| app/api/routeNextRequest.ts:15:20:15:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:15:20:15:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
-| app/api/routeNextRequest.ts:27:20:27:23 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:27:20:27:23 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
-| app/api/routeNextRequest.ts:31:27:31:30 | body | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:31:27:31:30 | body | Cross-site scripting vulnerability due to a $@. | app/api/routeNextRequest.ts:4:22:4:31 | req.json() | user-provided value |
 | etherpad.js:11:12:11:19 | response | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:11:12:11:19 | response | Cross-site scripting vulnerability due to a $@. | etherpad.js:9:16:9:30 | req.query.jsonp | user-provided value |
 | formatting.js:6:14:6:47 | util.fo ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:6:14:6:47 | util.fo ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
 | formatting.js:7:14:7:53 | require ... , evil) | formatting.js:4:16:4:29 | req.query.evil | formatting.js:7:14:7:53 | require ... , evil) | Cross-site scripting vulnerability due to a $@. | formatting.js:4:16:4:29 | req.query.evil | user-provided value |
@@ -136,18 +128,6 @@ edges
 | ReflectedXssGood3.js:135:15:135:27 | req.params.id | ReflectedXssGood3.js:135:9:135:27 | url | provenance |  |
 | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:68:22:68:26 | value | provenance |  |
 | ReflectedXssGood3.js:139:24:139:26 | url | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | provenance |  |
-| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:5:18:5:21 | body | provenance |  |
-| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:13:18:13:21 | body | provenance |  |
-| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:25:18:25:21 | body | provenance |  |
-| app/api/route.ts:2:11:2:33 | body | app/api/route.ts:29:25:29:28 | body | provenance |  |
-| app/api/route.ts:2:18:2:33 | await req.json() | app/api/route.ts:2:11:2:33 | body | provenance |  |
-| app/api/route.ts:2:24:2:33 | req.json() | app/api/route.ts:2:18:2:33 | await req.json() | provenance |  |
-| app/api/routeNextRequest.ts:4:9:4:31 | body | app/api/routeNextRequest.ts:7:20:7:23 | body | provenance |  |
-| app/api/routeNextRequest.ts:4:9:4:31 | body | app/api/routeNextRequest.ts:15:20:15:23 | body | provenance |  |
-| app/api/routeNextRequest.ts:4:9:4:31 | body | app/api/routeNextRequest.ts:27:20:27:23 | body | provenance |  |
-| app/api/routeNextRequest.ts:4:9:4:31 | body | app/api/routeNextRequest.ts:31:27:31:30 | body | provenance |  |
-| app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | app/api/routeNextRequest.ts:4:9:4:31 | body | provenance |  |
-| app/api/routeNextRequest.ts:4:22:4:31 | req.json() | app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | provenance |  |
 | etherpad.js:9:5:9:53 | response | etherpad.js:11:12:11:19 | response | provenance |  |
 | etherpad.js:9:16:9:30 | req.query.jsonp | etherpad.js:9:5:9:53 | response | provenance |  |
 | formatting.js:4:9:4:29 | evil | formatting.js:6:43:6:46 | evil | provenance |  |
@@ -329,20 +309,6 @@ nodes
 | ReflectedXssGood3.js:135:15:135:27 | req.params.id | semmle.label | req.params.id |
 | ReflectedXssGood3.js:139:12:139:27 | escapeHtml3(url) | semmle.label | escapeHtml3(url) |
 | ReflectedXssGood3.js:139:24:139:26 | url | semmle.label | url |
-| app/api/route.ts:2:11:2:33 | body | semmle.label | body |
-| app/api/route.ts:2:18:2:33 | await req.json() | semmle.label | await req.json() |
-| app/api/route.ts:2:24:2:33 | req.json() | semmle.label | req.json() |
-| app/api/route.ts:5:18:5:21 | body | semmle.label | body |
-| app/api/route.ts:13:18:13:21 | body | semmle.label | body |
-| app/api/route.ts:25:18:25:21 | body | semmle.label | body |
-| app/api/route.ts:29:25:29:28 | body | semmle.label | body |
-| app/api/routeNextRequest.ts:4:9:4:31 | body | semmle.label | body |
-| app/api/routeNextRequest.ts:4:16:4:31 | await req.json() | semmle.label | await req.json() |
-| app/api/routeNextRequest.ts:4:22:4:31 | req.json() | semmle.label | req.json() |
-| app/api/routeNextRequest.ts:7:20:7:23 | body | semmle.label | body |
-| app/api/routeNextRequest.ts:15:20:15:23 | body | semmle.label | body |
-| app/api/routeNextRequest.ts:27:20:27:23 | body | semmle.label | body |
-| app/api/routeNextRequest.ts:31:27:31:30 | body | semmle.label | body |
 | etherpad.js:9:5:9:53 | response | semmle.label | response |
 | etherpad.js:9:16:9:30 | req.query.jsonp | semmle.label | req.query.jsonp |
 | etherpad.js:11:12:11:19 | response | semmle.label | response |