Merge pull request #21859 from github/release-prep/2.25.5

Release preparation for version 2.25.5

.github/workflows/mad_modelDiff.yml

@@ -70,7 +70,7 @@ jobs:
             SHORTNAME=`basename $DATABASE`
             python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
             mkdir -p $MODELS/$SHORTNAME
-            mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
+            mv java/ql/lib/ext/generated/modelgenerator/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
             cd ..
           }
 

.github/workflows/python-tooling.yml

@@ -5,7 +5,7 @@ on:
     paths:
       - "misc/bazel/**"
       - "misc/codegen/**"
-      - "misc/scripts/models-as-data/bulk_generate_mad.py"
+      - "misc/scripts/models-as-data/*.py"
       - "*.bazel*"
       - .github/workflows/codegen.yml
       - .pre-commit-config.yaml

Cargo.lock

@@ -140,6 +140,26 @@ version = "0.22.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
 
+[[package]]
+name = "bindgen"
+version = "0.72.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "993776b509cfb49c750f11b8f07a46fa23e0a1386ffc01fb1e7d343efc387895"
+dependencies = [
+ "bitflags 2.9.4",
+ "cexpr",
+ "clang-sys",
+ "itertools 0.12.1",
+ "log 0.4.28",
+ "prettyplease",
+ "proc-macro2",
+ "quote",
+ "regex",
+ "rustc-hash 2.1.1",
+ "shlex",
+ "syn",
+]
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -240,9 +260,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.37"
+version = "1.2.61"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65193589c6404eb80b450d618eaf9a2cafaaafd57ecce47370519ef674a7bd44"
+checksum = "d16d90359e986641506914ba71350897565610e87ce0ad9e6f28569db3dd5c6d"
 dependencies = [
  "find-msvc-tools",
  "jobserver",
@@ -250,6 +270,15 @@ dependencies = [
  "shlex",
 ]
 
+[[package]]
+name = "cexpr"
+version = "0.6.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6fac387a98bb7c37292057cffc56d62ecb629900026402633ae9160df93a8766"
+dependencies = [
+ "nom",
+]
+
 [[package]]
 name = "cfg-if"
 version = "1.0.3"
@@ -328,7 +357,7 @@ dependencies = [
  "chalk-derive 0.103.0",
  "chalk-ir 0.103.0",
  "ena",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "itertools 0.12.1",
  "petgraph",
  "rustc-hash 1.1.0",
@@ -349,6 +378,17 @@ dependencies = [
  "windows-link 0.2.0",
 ]
 
+[[package]]
+name = "clang-sys"
+version = "1.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b023947811758c97c59bf9d1c188fd619ad4718dcaa767947df1cadb14f39f4"
+dependencies = [
+ "glob",
+ "libc",
+ "libloading",
+]
+
 [[package]]
 name = "clap"
 version = "4.5.48"
@@ -416,6 +456,7 @@ dependencies = [
  "tree-sitter",
  "tree-sitter-json",
  "tree-sitter-ql",
+ "yeast",
  "zstd",
 ]
 
@@ -437,6 +478,25 @@ dependencies = [
  "tree-sitter-ruby",
 ]
 
+[[package]]
+name = "codeql-extractor-unified"
+version = "0.1.0"
+dependencies = [
+ "clap",
+ "codeql-extractor",
+ "encoding",
+ "lazy_static",
+ "rayon",
+ "regex",
+ "serde_json",
+ "tracing",
+ "tracing-subscriber",
+ "tree-sitter",
+ "tree-sitter-embedded-template",
+ "tree-sitter-swift",
+ "yeast",
+]
+
 [[package]]
 name = "codeql-rust"
 version = "0.1.0"
@@ -485,6 +545,15 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b05b61dc5112cbb17e4b6cd61790d9845d13888356391624cbe7e41efeac1e75"
 
+[[package]]
+name = "convert_case"
+version = "0.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "baaaa0ecca5b51987b9423ccdc971514dd8b0bb7b4060b983d3664dad3f1f89f"
+dependencies = [
+ "unicode-segmentation",
+]
+
 [[package]]
 name = "core-foundation-sys"
 version = "0.8.7"
@@ -738,6 +807,12 @@ dependencies = [
  "typeid",
 ]
 
+[[package]]
+name = "fastrand"
+version = "2.4.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
+
 [[package]]
 name = "figment"
 version = "0.10.19"
@@ -754,9 +829,9 @@ dependencies = [
 
 [[package]]
 name = "find-msvc-tools"
-version = "0.1.1"
+version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7fd99930f64d146689264c637b5af2f0233a933bef0d8570e2526bf9e083192d"
+checksum = "5baebc0774151f905a1a2cc41989300b1e6fbb29aff0ceffa1064fdd3088d582"
 
 [[package]]
 name = "fixedbitset"
@@ -786,6 +861,12 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
 
+[[package]]
+name = "foldhash"
+version = "0.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77ce24cb58228fbb8aa041425bb1050850ac19177686ea6e0f41a70416f56fdb"
+
 [[package]]
 name = "form_urlencoded"
 version = "1.2.2"
@@ -870,9 +951,26 @@ checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
 dependencies = [
  "allocator-api2",
  "equivalent",
- "foldhash",
+ "foldhash 0.1.5",
 ]
 
+[[package]]
+name = "hashbrown"
+version = "0.16.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
+dependencies = [
+ "allocator-api2",
+ "equivalent",
+ "foldhash 0.2.0",
+]
+
+[[package]]
+name = "hashbrown"
+version = "0.17.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ed5909b6e89a2db4456e54cd5f673791d7eca6732202bbf2a9cc504fe2f9b84a"
+
 [[package]]
 name = "hashlink"
 version = "0.10.0"
@@ -1059,16 +1157,25 @@ dependencies = [
 
 [[package]]
 name = "indexmap"
-version = "2.11.4"
+version = "2.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4b0f83760fb341a774ed326568e19f5a863af4a952def8c39f9ab92fd95b88e5"
+checksum = "d466e9454f08e4a911e14806c24e16fba1b4c121d1ea474396f396069cf949d9"
 dependencies = [
  "equivalent",
- "hashbrown 0.15.5",
+ "hashbrown 0.17.1",
  "serde",
  "serde_core",
 ]
 
+[[package]]
+name = "indoc"
+version = "2.0.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79cf5c93f93228cf8efb3ba362535fb11199ac548a09ce117c9b1adc3030d706"
+dependencies = [
+ "rustversion",
+]
+
 [[package]]
 name = "inlinable_string"
 version = "0.1.15"
@@ -1198,6 +1305,16 @@ version = "0.2.175"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a82ae493e598baaea5209805c49bbf2ea7de956d50d7da0da1164f9c6d28543"
 
+[[package]]
+name = "libloading"
+version = "0.8.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d7c4b02199fee7c5d21a5ae7d8cfa79a6ef5bb2fc834d6e9058e89c825efdc55"
+dependencies = [
+ "cfg-if",
+ "windows-link 0.2.0",
+]
+
 [[package]]
 name = "line-index"
 version = "0.1.2"
@@ -1263,6 +1380,12 @@ dependencies = [
  "autocfg",
 ]
 
+[[package]]
+name = "minimal-lexical"
+version = "0.2.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a"
+
 [[package]]
 name = "miniz_oxide"
 version = "0.8.9"
@@ -1309,6 +1432,16 @@ version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2bf50223579dc7cdcfb3bfcacf7069ff68243f8c363f62ffa99cf000a6b9c451"
 
+[[package]]
+name = "nom"
+version = "7.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d273983c5a657a70a3e8f2a01329822f3b8c8172b73826411a55751e404a0a4a"
+dependencies = [
+ "memchr",
+ "minimal-lexical",
+]
+
 [[package]]
 name = "notify"
 version = "8.2.0"
@@ -1436,6 +1569,12 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
+[[package]]
+name = "pathdiff"
+version = "0.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "df94ce210e5bc13cb6651479fa48d14f601d9858cfe0467f43ae157023b938d3"
+
 [[package]]
 name = "pear"
 version = "0.2.9"
@@ -1491,7 +1630,36 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4c5cc86750666a3ed20bdaf5ca2a0344f9c67674cae0515bec2da16fbaa47db"
 dependencies = [
  "fixedbitset",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
+]
+
+[[package]]
+name = "phf"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c1562dc717473dbaa4c1f85a36410e03c047b2e7df7f45ee938fbef64ae7fadf"
+dependencies = [
+ "phf_shared",
+ "serde",
+]
+
+[[package]]
+name = "phf_generator"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "135ace3a761e564ec88c03a77317a7c6b80bb7f7135ef2544dbe054243b89737"
+dependencies = [
+ "fastrand",
+ "phf_shared",
+]
+
+[[package]]
+name = "phf_shared"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e57fef6bc5981e38c2ce2d63bfa546861309f875b8a75f092d1d54ae2d64f266"
+dependencies = [
+ "siphasher",
 ]
 
 [[package]]
@@ -1536,6 +1704,25 @@ dependencies = [
  "zerocopy",
 ]
 
+[[package]]
+name = "prettyplease"
+version = "0.2.37"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "479ca8adacdd7ce8f1fb39ce9ecccbfe93a3f1344b3d0d97f20bc0196208f62b"
+dependencies = [
+ "proc-macro2",
+ "syn",
+]
+
+[[package]]
+name = "proc-macro-crate"
+version = "3.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e67ba7e9b2b56446f1d419b1d807906278ffa1a658a8a5d8a39dcb1f5a78614f"
+dependencies = [
+ "toml_edit 0.25.11+spec-1.1.0",
+]
+
 [[package]]
 name = "proc-macro2"
 version = "1.0.101"
@@ -1667,7 +1854,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e876bb2c3e52a8d4e6684526a2d4e81f9d028b939ee4dc5dc775fe10deb44d59"
 dependencies = [
  "dashmap",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "la-arena",
  "ra_ap_cfg",
  "ra_ap_intern",
@@ -1709,7 +1896,7 @@ checksum = "ebffdc134eccabc17209d7760cfff7fd12ed18ab6e21188c5e084b97aa38504c"
 dependencies = [
  "arrayvec",
  "either",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "itertools 0.14.0",
  "ra_ap_base_db",
  "ra_ap_cfg",
@@ -1739,7 +1926,7 @@ dependencies = [
  "drop_bomb",
  "either",
  "fst",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "itertools 0.14.0",
  "la-arena",
  "ra-ap-rustc_abi",
@@ -1808,7 +1995,7 @@ dependencies = [
  "cov-mark",
  "either",
  "ena",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "itertools 0.14.0",
  "la-arena",
  "oorandom",
@@ -1846,7 +2033,7 @@ dependencies = [
  "crossbeam-channel",
  "either",
  "fst",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "itertools 0.14.0",
  "line-index",
  "memchr",
@@ -1948,7 +2135,7 @@ version = "0.0.301"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "45db9e2df587d56f0738afa89fb2c100ff7c1e9cbe49e07f6a8b62342832211b"
 dependencies = [
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "ra_ap_intern",
  "ra_ap_paths",
  "ra_ap_span",
@@ -2107,7 +2294,7 @@ checksum = "6c174d6b9b7a7f54687df7e00c3e75ed6f082a7943a9afb1d54f33c0c12773de"
 dependencies = [
  "crossbeam-channel",
  "fst",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "nohash-hasher",
  "ra_ap_paths",
  "ra_ap_stdx",
@@ -2239,6 +2426,15 @@ version = "0.8.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "caf4aa5b0f434c91fe5c7f1ecb6a5ece2130b02ad2a590589dda5146df959001"
 
+[[package]]
+name = "relative-path"
+version = "2.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bca40a312222d8ba74837cb474edef44b37f561da5f773981007a10bbaa992b0"
+dependencies = [
+ "serde",
+]
+
 [[package]]
 name = "rowan"
 version = "0.15.15"
@@ -2252,6 +2448,57 @@ dependencies = [
  "text-size",
 ]
 
+[[package]]
+name = "rquickjs"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a135375fbac5ba723bb6a48f432a72f81539cedde422f0121a86c7c4e96d8e0d"
+dependencies = [
+ "rquickjs-core",
+ "rquickjs-macro",
+]
+
+[[package]]
+name = "rquickjs-core"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bccb7121a123865c8ace4dea42e7ed84d78b90cbaf4ca32c59849d8d210c9672"
+dependencies = [
+ "hashbrown 0.16.1",
+ "phf",
+ "relative-path",
+ "rquickjs-sys",
+]
+
+[[package]]
+name = "rquickjs-macro"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89f93602cc3112c7f30bf5f29e722784232138692c7df4c52ebbac7e035d900d"
+dependencies = [
+ "convert_case",
+ "fnv",
+ "ident_case",
+ "indexmap 2.14.0",
+ "phf_generator",
+ "phf_shared",
+ "proc-macro-crate",
+ "proc-macro2",
+ "quote",
+ "rquickjs-core",
+ "syn",
+]
+
+[[package]]
+name = "rquickjs-sys"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "57b1b6528590d4d65dc86b5159eae2d0219709546644c66408b2441696d1d725"
+dependencies = [
+ "bindgen",
+ "cc",
+]
+
 [[package]]
 name = "rust-extractor-macros"
 version = "0.1.0"
@@ -2317,7 +2564,7 @@ dependencies = [
  "crossbeam-utils",
  "hashbrown 0.15.5",
  "hashlink",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "intrusive-collections",
  "papaya",
  "parking_lot",
@@ -2406,11 +2653,12 @@ dependencies = [
 
 [[package]]
 name = "semver"
-version = "1.0.26"
+version = "1.0.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "56e6fa9c48d24d85fb3de5ad847117517440f6beceb7798af16b4a87d616b8d0"
+checksum = "8a7852d02fc848982e0c167ef163aaff9cd91dc640ba85e263cb1ce46fae51cd"
 dependencies = [
  "serde",
+ "serde_core",
 ]
 
 [[package]]
@@ -2470,7 +2718,7 @@ version = "1.0.145"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "402a6f66d8c709116cf22f558eab210f5a50187f702eb4d7e5ef38d9a7f1c79c"
 dependencies = [
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "itoa",
  "memchr",
  "ryu",
@@ -2506,7 +2754,7 @@ dependencies = [
  "chrono",
  "hex",
  "indexmap 1.9.3",
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "schemars 0.9.0",
  "schemars 1.0.4",
  "serde",
@@ -2534,7 +2782,7 @@ version = "0.9.34+deprecated"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6a8b1a1a2ebf674015cc02edccce75287f1a0130d394307b36743c2f5d504b47"
 dependencies = [
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "itoa",
  "ryu",
  "serde",
@@ -2556,6 +2804,18 @@ version = "1.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64"
 
+[[package]]
+name = "siphasher"
+version = "1.0.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8ee5873ec9cce0195efcb7a4e9507a04cd49aec9c83d0389df45b1ef7ba2e649"
+
+[[package]]
+name = "smallbitvec"
+version = "2.6.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9b0e903ee191d8f7a8fbf0d712c3a1699d19e04ceba5ad1eb673053c7d938a09"
+
 [[package]]
 name = "smallvec"
 version = "1.15.1"
@@ -2632,18 +2892,18 @@ checksum = "144f754d318415ac792f9d69fc87abbbfc043ce2ef041c60f16ad828f638717d"
 
 [[package]]
 name = "thiserror"
-version = "2.0.16"
+version = "2.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3467d614147380f2e4e374161426ff399c91084acd2363eaf549172b3d5e60c0"
+checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
 dependencies = [
  "thiserror-impl",
 ]
 
 [[package]]
 name = "thiserror-impl"
-version = "2.0.16"
+version = "2.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c5e1be1c48b9172ee610da68fd9cd2770e7a4056cb3fc98710ee6906f0c7960"
+checksum = "ebc4ee7f67670e9b64d05fa4253e753e016c6c95ff35b89b7941d6b856dec1d5"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2708,7 +2968,7 @@ dependencies = [
  "serde",
  "serde_spanned 0.6.9",
  "toml_datetime 0.6.11",
- "toml_edit",
+ "toml_edit 0.22.27",
 ]
 
 [[package]]
@@ -2717,13 +2977,13 @@ version = "0.9.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "00e5e5d9bf2475ac9d4f0d9edab68cc573dc2fd644b0dba36b0c30a92dd9eaa0"
 dependencies = [
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "serde_core",
  "serde_spanned 1.0.2",
  "toml_datetime 0.7.2",
  "toml_parser",
  "toml_writer",
- "winnow",
+ "winnow 0.7.13",
 ]
 
 [[package]]
@@ -2744,27 +3004,48 @@ dependencies = [
  "serde_core",
 ]
 
+[[package]]
+name = "toml_datetime"
+version = "1.1.1+spec-1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3165f65f62e28e0115a00b2ebdd37eb6f3b641855f9d636d3cd4103767159ad7"
+dependencies = [
+ "serde_core",
+]
+
 [[package]]
 name = "toml_edit"
 version = "0.22.27"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "41fe8c660ae4257887cf66394862d21dbca4a6ddd26f04a3560410406a2f819a"
 dependencies = [
- "indexmap 2.11.4",
+ "indexmap 2.14.0",
  "serde",
  "serde_spanned 0.6.9",
  "toml_datetime 0.6.11",
  "toml_write",
- "winnow",
+ "winnow 0.7.13",
+]
+
+[[package]]
+name = "toml_edit"
+version = "0.25.11+spec-1.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0b59c4d22ed448339746c59b905d24568fcbb3ab65a500494f7b8c3e97739f2b"
+dependencies = [
+ "indexmap 2.14.0",
+ "toml_datetime 1.1.1+spec-1.1.0",
+ "toml_parser",
+ "winnow 1.0.2",
 ]
 
 [[package]]
 name = "toml_parser"
-version = "1.0.3"
+version = "1.1.2+spec-1.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4cf893c33be71572e0e9aa6dd15e6677937abd686b066eac3f8cd3531688a627"
+checksum = "a2abe9b86193656635d2411dc43050282ca48aa31c2451210f4202550afb7526"
 dependencies = [
- "winnow",
+ "winnow 1.0.2",
 ]
 
 [[package]]
@@ -2779,6 +3060,12 @@ version = "1.0.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d163a63c116ce562a22cda521fcc4d79152e7aba014456fb5eb442f6d6a10109"
 
+[[package]]
+name = "topological-sort"
+version = "0.2.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ea68304e134ecd095ac6c3574494fc62b909f416c4fca77e440530221e549d3d"
+
 [[package]]
 name = "tracing"
 version = "0.1.41"
@@ -2853,9 +3140,9 @@ dependencies = [
 
 [[package]]
 name = "tree-sitter"
-version = "0.25.9"
+version = "0.26.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ccd2a058a86cfece0bf96f7cce1021efef9c8ed0e892ab74639173e5ed7a34fa"
+checksum = "887bd495d0582c5e3e0d8ece2233666169fa56a9644d172fc22ad179ab2d0538"
 dependencies = [
  "cc",
  "regex",
@@ -2875,6 +3162,30 @@ dependencies = [
  "tree-sitter-language",
 ]
 
+[[package]]
+name = "tree-sitter-generate"
+version = "0.26.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3fb2e1bdb1d5f9d23cd5fa68cf98b3bedbd223c92a2edd60bbcf30bcf7180a5"
+dependencies = [
+ "bitflags 2.9.4",
+ "dunce",
+ "indexmap 2.14.0",
+ "indoc",
+ "log 0.4.28",
+ "pathdiff",
+ "regex",
+ "regex-syntax",
+ "rquickjs",
+ "rustc-hash 2.1.1",
+ "semver",
+ "serde",
+ "serde_json",
+ "smallbitvec",
+ "thiserror",
+ "topological-sort",
+]
+
 [[package]]
 name = "tree-sitter-json"
 version = "0.24.8"
@@ -2891,6 +3202,16 @@ version = "0.1.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c4013970217383f67b18aef68f6fb2e8d409bc5755227092d32efb0422ba24b8"
 
+[[package]]
+name = "tree-sitter-python"
+version = "0.23.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3d065aaa27f3aaceaf60c1f0e0ac09e1cb9eb8ed28e7bcdaa52129cffc7f4b04"
+dependencies = [
+ "cc",
+ "tree-sitter-language",
+]
+
 [[package]]
 name = "tree-sitter-ql"
 version = "0.23.1"
@@ -2911,6 +3232,15 @@ dependencies = [
  "tree-sitter-language",
 ]
 
+[[package]]
+name = "tree-sitter-swift"
+version = "0.7.2"
+dependencies = [
+ "cc",
+ "tree-sitter-generate",
+ "tree-sitter-language",
+]
+
 [[package]]
 name = "triomphe"
 version = "0.1.14"
@@ -2960,6 +3290,12 @@ version = "0.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e70f2a8b45122e719eb623c01822704c4e0907e7e426a05927e1a1cfff5b75d0"
 
+[[package]]
+name = "unicode-segmentation"
+version = "1.13.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9629274872b2bfaf8d66f5f15725007f635594914870f65218920345aa11aa8c"
+
 [[package]]
 name = "unicode-xid"
 version = "0.2.6"
@@ -3349,6 +3685,15 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "winnow"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2ee1708bef14716a11bae175f579062d4554d95be2c6829f518df847b7b3fdd0"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "wit-bindgen"
 version = "0.45.1"
@@ -3367,6 +3712,29 @@ version = "1.0.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cfe53a6657fd280eaa890a3bc59152892ffa3e30101319d168b781ed6529b049"
 
+[[package]]
+name = "yeast"
+version = "0.1.0"
+dependencies = [
+ "clap",
+ "serde",
+ "serde_json",
+ "serde_yaml",
+ "tree-sitter",
+ "tree-sitter-python",
+ "tree-sitter-ruby",
+ "yeast-macros",
+]
+
+[[package]]
+name = "yeast-macros"
+version = "0.1.0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "yoke"
 version = "0.8.0"

Cargo.toml

@@ -4,7 +4,11 @@
 resolver = "2"
 members = [
     "shared/tree-sitter-extractor",
+    "shared/yeast",
+    "shared/yeast-macros",
     "ruby/extractor",
+    "unified/extractor",
+    "unified/extractor/tree-sitter-swift",
     "rust/extractor",
     "rust/extractor/macros",
     "rust/ast-generator",

MODULE.bazel

@@ -102,6 +102,7 @@ use_repo(
     tree_sitter_extractors_deps,
     "vendor_ts__anyhow-1.0.100",
     "vendor_ts__argfile-0.2.1",
+    "vendor_ts__cc-1.2.61",
     "vendor_ts__chalk-ir-0.104.0",
     "vendor_ts__chrono-0.4.42",
     "vendor_ts__clap-4.5.48",
@@ -141,14 +142,18 @@ use_repo(
     "vendor_ts__serde-1.0.228",
     "vendor_ts__serde_json-1.0.145",
     "vendor_ts__serde_with-3.14.1",
+    "vendor_ts__serde_yaml-0.9.34-deprecated",
     "vendor_ts__syn-2.0.106",
     "vendor_ts__toml-0.9.7",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
     "vendor_ts__tracing-subscriber-0.3.20",
-    "vendor_ts__tree-sitter-0.25.9",
+    "vendor_ts__tree-sitter-0.26.8",
     "vendor_ts__tree-sitter-embedded-template-0.25.0",
+    "vendor_ts__tree-sitter-generate-0.26.8",
     "vendor_ts__tree-sitter-json-0.24.8",
+    "vendor_ts__tree-sitter-language-0.1.5",
+    "vendor_ts__tree-sitter-python-0.23.6",
     "vendor_ts__tree-sitter-ql-0.23.1",
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.4.36
+
+### Minor Analysis Improvements
+
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
+
+## 0.4.35
+
+No user-facing changes.
+
 ## 0.4.34
 
 ### Minor Analysis Improvements

actions/ql/lib/change-notes/released/0.4.35.md

@@ -0,0 +1,3 @@
+## 0.4.35
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.36.md

@@ -0,0 +1,5 @@
+## 0.4.36
+
+### Minor Analysis Improvements
+
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.34
+lastReleaseVersion: 0.4.36

actions/ql/lib/ext/config/poisonable_steps.yml

@@ -70,7 +70,7 @@ extensions:
       - ["(source|sh|bash|zsh|fish)\\s+([^\\s]+)\\b", 2]
       - ["(node)\\s+([^\\s]+)(\\.js|\\.ts)\\b", 2]
       - ["(python[\\d\\.]*)\\s+([^\\s]+)\\.py\\b", 2]
+      - ["(python[\\d\\.]*)\\s+-m\\s+([A-Za-z_][\\w\\.]*)\\b", 2] # eg: pythonX -m anything(dir or file)
       - ["(ruby)\\s+([^\\s]+)\\.rb\\b", 2]
-      - ["(go)\\s+(generate|run)\\s+([^\\s]+)\\.go\\b", 3]
+      - ["(go)\\s+(generate|run)(?:\\s+-[^\\s]+)*\\s+([^\\s]+)", 3]
       - ["(dotnet)\\s+([^\\s]+)\\.csproj\\b", 2]
-

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.35-dev
+version: 0.4.36
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,21 @@
+## 0.6.28
+
+### Query Metadata Changes
+
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
+
+### Minor Analysis Improvements
+
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
+
+### Bug Fixes
+
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
+
+## 0.6.27
+
+No user-facing changes.
+
 ## 0.6.26
 
 ### Major Analysis Improvements
@@ -173,7 +191,7 @@ No user-facing changes.
   * `actions/if-expression-always-true/critical`
   * `actions/if-expression-always-true/high`
   * `actions/unnecessary-use-of-advanced-config`
-
+  
 * The following query has been moved from the `code-scanning` suite to the `security-extended`
   suite. Any existing alerts for this query will be closed automatically unless the analysis is
   configured to use the `security-extended` suite.

actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql

@@ -1,5 +1,5 @@
 /**
- * @name Unpinned tag for a non-immutable Action in workflow
+ * @name Unpinned tag for a non-immutable Action in workflow or composite action
  * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
  * @kind problem
  * @security-severity 5.0
@@ -31,15 +31,26 @@ private predicate isPinnedContainer(string version) {
 bindingset[nwo]
 private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
 
-from UsesStep uses, string nwo, string version, Workflow workflow, string name
+private predicate getStepContainerName(UsesStep uses, string name) {
+  exists(Workflow workflow |
+    uses.getEnclosingWorkflow() = workflow and
+    (
+      workflow.getName() = name
+      or
+      not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
+    )
+  )
+  or
+  exists(CompositeAction action |
+    uses.getEnclosingCompositeAction() = action and
+    name = action.getLocation().getFile().getBaseName()
+  )
+}
+
+from UsesStep uses, string nwo, string version, string name
 where
   uses.getCallee() = nwo and
-  uses.getEnclosingWorkflow() = workflow and
-  (
-    workflow.getName() = name
-    or
-    not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
-  ) and
+  getStepContainerName(uses, name) and
   uses.getVersion() = version and
   not isTrustedOwner(nwo) and
   not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md

@@ -1,6 +1,35 @@
 ## Overview
 
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
+
+## Workflow Security Model
+
+In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
+
+This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
+
+On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
+
+  * Runs in the context of the base repository
+  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
+  * Has a read/write `GITHUB_TOKEN` by default
+  * Can access private resources
+
+Certain triggers automatically grant a workflow elevated privileges:
+
+  * `pull_request_target` as described above
+  * `workflow_run`: Triggered when another workflow completes.
+  * `issue_comment`: Triggered when a comment is made on an issue or PR.
+
+## Attack Details
+
+  * A repository has a privileged workflow
+  * An attacker forks the repository and adds malicious code (e.g., in the build script)
+  * The attacker opens a PR from the fork, and, if needed, comments on the PR
+  * The workflow in the base repository checks out the forked code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
+
+Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
 ## Recommendation
 
@@ -133,3 +162,5 @@ jobs:
 ## References
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
+- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md

@@ -1,6 +1,35 @@
 ## Overview
 
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
+
+## Workflow Security Model
+
+In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
+
+This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
+
+On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
+
+  * Runs in the context of the base repository
+  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
+  * Has a read/write `GITHUB_TOKEN` by default
+  * Can access private resources
+
+Certain triggers automatically grant a workflow elevated privileges:
+
+  * `pull_request_target` as described above
+  * `workflow_run`: Triggered when another workflow completes.
+  * `issue_comment`: Triggered when a comment is made on an issue or PR.
+
+## Attack Details
+
+  * A repository has a privileged workflow
+  * An attacker forks the repository and adds malicious code (e.g., in the build script)
+  * The attacker opens a PR from the fork, and, if needed, comments on the PR
+  * The workflow in the base repository checks out the forked code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
+
+Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
 ## Recommendation
 
@@ -133,3 +162,5 @@ jobs:
 ## References
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
+- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in trusted context
+ * @name Checkout of untrusted code in privileged context without privileged context use
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md

@@ -1,6 +1,35 @@
 ## Overview
 
-GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. A potentially dangerous misuse of the triggers such as `pull_request_target` or `issue_comment` followed by an explicit checkout of untrusted code (Pull Request HEAD) may lead to repository compromise if untrusted code gets executed (e.g., due to a modified build script) in a privileged job.
+GitHub workflows can be triggered through various repository events, including incoming pull requests (PRs) or comments on Issues/PRs. Under certain conditions described below, attackers can take over a repository by opening malicious PRs from forks. The attacks can result in malicious code execution causing unauthorized changes to the repository or exfiltration of repository secrets and a compromise of connected systems.
+
+## Workflow Security Model
+
+In GitHub Actions, there is a distinction between unprivileged and privileged workflows. For example, a workflow with a `pull_request` trigger is unprivileged while a workflow with `pull_request_target` is privileged.
+
+This is relevant especially for PRs from forks. Normal PRs can only be submitted by people who have write access to a repository, while PRs from forks can be submitted by anyone.
+
+On a PR from a fork, an unprivileged `pull_request` workflow has only limited capabilities but a privileged `pull_request_target` workflow is much more dangerous. A privileged workflow:
+
+  * Runs in the context of the base repository
+  * Has access to organization and repository secrets (e.g., API keys, deployment tokens)
+  * Has a read/write `GITHUB_TOKEN` by default
+  * Can access private resources
+
+Certain triggers automatically grant a workflow elevated privileges:
+
+  * `pull_request_target` as described above
+  * `workflow_run`: Triggered when another workflow completes.
+  * `issue_comment`: Triggered when a comment is made on an issue or PR.
+
+## Attack Details
+
+  * A repository has a privileged workflow
+  * An attacker forks the repository and adds malicious code (e.g., in the build script)
+  * The attacker opens a PR from the fork, and, if needed, comments on the PR
+  * The workflow in the base repository checks out the forked code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
+
+Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
 ## Recommendation
 
@@ -133,3 +162,5 @@ jobs:
 ## References
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
+- Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
+- Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/change-notes/released/0.6.27.md

@@ -0,0 +1,3 @@
+## 0.6.27
+
+No user-facing changes.

actions/ql/src/change-notes/released/0.6.28.md

@@ -0,0 +1,13 @@
+## 0.6.28
+
+### Query Metadata Changes
+
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
+
+### Minor Analysis Improvements
+
+* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
+
+### Bug Fixes
+
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.26
+lastReleaseVersion: 0.6.28

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.27-dev
+version: 0.6.28
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml

@@ -0,0 +1,6 @@
+name: Composite unpinned tag test
+runs:
+  using: "composite"
+  steps:
+    - uses: foo/bar@v2
+    - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb

actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected

@@ -1,3 +1,4 @@
+| .github/actions/unpinned-tag/action.yml:5:13:5:22 | foo/bar@v2 | Unpinned 3rd party Action 'action.yml' step $@ uses 'foo/bar' with ref 'v2', not a pinned commit hash | .github/actions/unpinned-tag/action.yml:5:7:6:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:19:13:19:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:23:13:23:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step |
 | .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step |

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -8,6 +8,7 @@ edges
 | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
+| .github/actions/unpinned-tag/action.yml:5:7:6:4 | Uses Step | .github/actions/unpinned-tag/action.yml:6:7:6:61 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,20 @@
+## 10.1.1
+
+### Minor Analysis Improvements
+
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
+
+## 10.1.0
+
+### New Features
+
+* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
+
+### Minor Analysis Improvements
+
+* Added taint flow models for the `Strsafe.h` header from the Windows SDK.
+
 ## 10.0.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).

cpp/ql/lib/change-notes/2026-03-28-switch-stmt.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.

cpp/ql/lib/change-notes/2026-04-28-strsafe.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added taint flow models for the `Strsafe.h` header from the Windows SDK.

cpp/ql/lib/change-notes/released/10.1.0.md

@@ -0,0 +1,10 @@
+## 10.1.0
+
+### New Features
+
+* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).
+
+### Minor Analysis Improvements
+
+* Added taint flow models for the `Strsafe.h` header from the Windows SDK.

cpp/ql/lib/change-notes/released/10.1.1.md

@@ -0,0 +1,5 @@
+## 10.1.1
+
+### Minor Analysis Improvements
+
+* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.0.0
+lastReleaseVersion: 10.1.1

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.0.1-dev
+version: 10.1.1
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll

@@ -87,6 +87,10 @@ private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction i
     output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
     description = "value read by " + this.getName()
   }
+
+  override predicate hasSocketInput(FunctionInput input) {
+    input.isParameterDeref(super.getInputParameterIndex())
+  }
 }
 
 /**

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 1.6.3
+
+### Minor Analysis Improvements
+
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
+
+## 1.6.2
+
+No user-facing changes.
+
 ## 1.6.1
 
 ### Minor Analysis Improvements
@@ -7,7 +17,7 @@
 * The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
 * The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
 * The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build-mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
 
 ## 1.6.0
 
@@ -366,7 +376,7 @@ No user-facing changes.
 ### Minor Analysis Improvements
 
 * The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
-* Added dataflow models for the `gettext` function variants.
+* Added dataflow models for the `gettext` function variants. 
 
 ## 0.9.4
 

cpp/ql/src/Likely Bugs/Leap Year/UncheckedLeapYearAfterYearModification.ql

@@ -227,6 +227,30 @@ class IgnorableUnaryBitwiseOperation extends IgnorableOperation instanceof Unary
 class IgnorableAssignmentBitwiseOperation extends IgnorableOperation instanceof AssignBitwiseOperation
 { }
 
+class YearFieldAssignmentNode extends DataFlow::Node {
+  YearFieldAccess access;
+
+  YearFieldAssignmentNode() {
+    exists(Function f |
+      f = this.getEnclosingCallable().getUnderlyingCallable() and not f instanceof IgnorableFunction
+    |
+      this.asDefinition().(Assignment).getLValue() = access
+      or
+      this.asDefinition().(CrementOperation).getOperand() = access
+      or
+      exists(Call c | c.getAnArgument() = access and this.asDefiningArgument() = access)
+      or
+      exists(Call c, AddressOfExpr aoe |
+        c.getAnArgument() = aoe and
+        aoe.getOperand() = access and
+        this.asDefiningArgument() = aoe
+      )
+    )
+  }
+
+  YearFieldAccess getYearFieldAccess() { result = access }
+}
+
 /**
  * An arithmetic operation where one of the operands is a pointer or char type, ignore it
  */
@@ -287,24 +311,7 @@ predicate isOperationSourceCandidate(Expr e) {
 }
 
 /**
- * A data flow that tracks an ignorable operation (such as a bitwise operation) to an operation source, so we may disqualify it.
- */
-module IgnorableOperationToOperationSourceCandidateConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof IgnorableOperation }
-
-  predicate isSink(DataFlow::Node n) { isOperationSourceCandidate(n.asExpr()) }
-
-  // looking for sources and sinks in the same function
-  DataFlow::FlowFeature getAFeature() {
-    result instanceof DataFlow::FeatureEqualSourceSinkCallContext
-  }
-}
-
-module IgnorableOperationToOperationSourceCandidateFlow =
-  TaintTracking::Global<IgnorableOperationToOperationSourceCandidateConfig>;
-
-/**
- * The set of all expressions which is a candidate expression and also does not flow from to to some ignorable expression (eg. bitwise op)
+ * The set of all expressions that are candidate expression.
  * ```
  * a = something <<< 2;
  * myDate.year = a + 1;        // invalid
@@ -314,49 +321,16 @@ module IgnorableOperationToOperationSourceCandidateFlow =
  * ```
  */
 class OperationSource extends Expr {
-  OperationSource() {
-    isOperationSourceCandidate(this) and
-    // If the candidate came from an ignorable operation, ignore the candidate
-    // NOTE: we cannot easily flow the candidate to an ignorable operation as that can
-    // be tricky in practice, e.g., a mod operation on a year would be part of a leap year check
-    // but a mod operation ending in a year is more indicative of something to ignore (a conversion)
-    not exists(IgnorableOperationToOperationSourceCandidateFlow::PathNode sink |
-      sink.getNode().asExpr() = this and
-      sink.isSink()
-    )
-  }
-}
-
-class YearFieldAssignmentNode extends DataFlow::Node {
-  YearFieldAccess access;
-
-  YearFieldAssignmentNode() {
-    exists(Function f |
-      f = this.getEnclosingCallable().getUnderlyingCallable() and not f instanceof IgnorableFunction
-    ) and
-    (
-      this.asDefinition().(Assignment).getLValue() = access
-      or
-      this.asDefinition().(CrementOperation).getOperand() = access
-      or
-      exists(Call c | c.getAnArgument() = access and this.asDefiningArgument() = access)
-      or
-      exists(Call c, AddressOfExpr aoe |
-        c.getAnArgument() = aoe and
-        aoe.getOperand() = access and
-        this.asDefiningArgument() = aoe
-      )
-    )
-  }
-
-  YearFieldAccess getYearFieldAccess() { result = access }
+  OperationSource() { isOperationSourceCandidate(this) }
 }
 
 /**
- * A DataFlow configuration for identifying flows from an identified source
- * to the Year field of a date object.
+ * An initial DataFlow configuration for identifying flows from an identified source
+ * to the Year field of a date object. This is used to restrict the sinks of
+ * `IgnorableOperationToOperationSourceCandidateConfig` and the sinks of the
+ * final `OperationToYearAssignmentConfig`.
  */
-module OperationToYearAssignmentConfig implements DataFlow::ConfigSig {
+module OperationToYearAssignmentConfig0 implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node n) { n.asExpr() instanceof OperationSource }
 
   predicate isSink(DataFlow::Node n) {
@@ -411,6 +385,62 @@ module OperationToYearAssignmentConfig implements DataFlow::ConfigSig {
   predicate isBarrierOut(DataFlow::Node n) { isSink(n) }
 }
 
+module OperationToYearAssignmentFlow0 = TaintTracking::Global<OperationToYearAssignmentConfig0>;
+
+predicate yearAssignmentFlowsFromSource(DataFlow::Node source, DataFlow::Node sink) {
+  OperationToYearAssignmentFlow0::flow(source, sink)
+}
+
+/**
+ * A data flow that tracks an ignorable operation (such as a bitwise operation) to an operation source, so we may disqualify it.
+ * Sinks are restricted to operation source candidates that have a flow to a year assignment in `OperationToYearAssignmentFlow0`.
+ */
+module IgnorableOperationToOperationSourceCandidateConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { n.asExpr() instanceof IgnorableOperation }
+
+  predicate isSink(DataFlow::Node n) {
+    isOperationSourceCandidate(n.asExpr()) and
+    yearAssignmentFlowsFromSource(n, _)
+  }
+
+  // looking for sources and sinks in the same function
+  DataFlow::FlowFeature getAFeature() {
+    result instanceof DataFlow::FeatureEqualSourceSinkCallContext
+  }
+}
+
+module IgnorableOperationToOperationSourceCandidateFlow =
+  TaintTracking::Global<IgnorableOperationToOperationSourceCandidateConfig>;
+
+/**
+ * The final DataFlow configuration that refines `OperationToYearAssignmentConfig0` by
+ * additionally filtering out operation sources that flow from an ignorable operation
+ * (via `IgnorableOperationToOperationSourceCandidateFlow`).
+ */
+module OperationToYearAssignmentConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node n) { yearAssignmentFlowsFromSource(n, _) }
+
+  predicate isSink(DataFlow::Node n) {
+    exists(DataFlow::Node operation |
+      yearAssignmentFlowsFromSource(operation, n) and
+      // If the candidate came from an ignorable operation, ignore the candidate
+      // NOTE: we cannot easily flow the candidate to an ignorable operation as that can
+      // be tricky in practice, e.g., a mod operation on a year would be part of a leap year check
+      // but a mod operation ending in a year is more indicative of something to ignore (a conversion)
+      not exists(IgnorableOperationToOperationSourceCandidateFlow::PathNode sink |
+        sink.getNode() = operation and
+        sink.isSink()
+      )
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node n) { OperationToYearAssignmentConfig0::isBarrier(n) }
+
+  predicate isBarrierIn(DataFlow::Node n) { isSource(n) }
+
+  predicate isBarrierOut(DataFlow::Node n) { isSink(n) }
+}
+
 module OperationToYearAssignmentFlow = TaintTracking::Global<OperationToYearAssignmentConfig>;
 
 predicate isLeapYearCheckSink(DataFlow::Node sink) {

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp

@@ -14,7 +14,7 @@ function may behave unpredictably.</p>
 <p>This may indicate a misspelled function name, or that the required header containing
 the function declaration has not been included.</p>
 
-<p>Note: This query is not compatible with <code>build mode: none</code> databases, and produces
+<p>Note: This query is not compatible with <code>build-mode: none</code> databases, and produces
 no results on those databases.</p>
 
 </overview>

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql

@@ -18,7 +18,7 @@ import TooManyArguments
 import semmle.code.cpp.commons.Exclusions
 
 /*
- * This query is not compatible with build mode: none databases, and produces
+ * This query is not compatible with build-mode: none databases, and produces
  * no results on those databases.
  */
 

cpp/ql/src/change-notes/released/1.6.1.md

@@ -7,4 +7,4 @@
 * The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
 * The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
 * The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
-* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build-mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.

cpp/ql/src/change-notes/released/1.6.2.md

@@ -0,0 +1,3 @@
+## 1.6.2
+
+No user-facing changes.

cpp/ql/src/change-notes/released/1.6.3.md

@@ -0,0 +1,5 @@
+## 1.6.3
+
+### Minor Analysis Improvements
+
+* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.1
+lastReleaseVersion: 1.6.3

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.2-dev
+version: 1.6.3
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -4928,6 +4928,8 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | stl.h:95:69:95:69 | x | stl.h:96:42:96:42 | x |  |
 | stl.h:96:42:96:42 | ref arg x | stl.h:95:69:95:69 | x |  |
 | stl.h:96:42:96:42 | ref arg x | stl.h:95:69:95:69 | x |  |
+| stl.h:292:30:292:40 | 0 | file://:0:0:0:0 | noexcept(...) | TAINT |
+| stl.h:292:30:292:40 | 0 | file://:0:0:0:0 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp

@@ -577,3 +577,10 @@ void tests3()
 	str = get_home_address();
 	send(val(), str, strlen(str), val()); // BAD
 }
+
+int fscanf(FILE* stream, const char* format, ... );
+
+void test_scanf() {
+	char password[256];
+	fscanf(stdin, "%255s", password); // GOOD: this is not a remote source
+}

csharp/downgrades/3cabc77473cbbda95edebafea345c2e3fdfa12d9/upgrade.properties

@@ -0,0 +1,2 @@
+description: Remove `@parameter` from `@control_flow_element`
+compatibility: full

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs

@@ -95,9 +95,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 args += " /p:EnableWindowsTargeting=true";
             }
 
-            if (restoreSettings.ExtraArgs is not null)
+            if (restoreSettings.NugetSources is not null)
             {
-                args += $" {restoreSettings.ExtraArgs}";
+                args += $" {restoreSettings.NugetSources}";
             }
 
             return args;

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs

@@ -17,7 +17,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         IList<string> GetNugetFeedsFromFolder(string folderPath);
     }
 
-    public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? ExtraArgs = null, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false);
+    public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? NugetSources = null, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false);
 
     public partial record class RestoreResult(bool Success, IList<string> Output)
     {
@@ -33,6 +33,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         private readonly Lazy<bool> hasNugetNoStablePackageVersionError = new(() => Output.Any(s => s.Contains("NU1103")));
         public bool HasNugetNoStablePackageVersionError => hasNugetNoStablePackageVersionError.Value;
 
+        private readonly Lazy<bool> hasNugetPackageMissingError = new(() => Output.Any(s => s.Contains("NU1101")));
+        public bool HasNugetPackageMissingError => hasNugetPackageMissingError.Value;
+
         private static IEnumerable<string> GetFirstGroupOnMatch(Regex regex, IEnumerable<string> lines) =>
             lines
                 .Select(line => regex.Match(line))

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs

@@ -33,7 +33,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// <summary>
         /// Create the package manager for a specified source tree.
         /// </summary>
-        public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger)
+        public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger, Func<bool> useDefaultFeed)
         {
             this.fileProvider = fileProvider;
             this.packageDirectory = packageDirectory;
@@ -43,7 +43,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             {
                 logger.LogInfo($"Found packages.config files, trying to use nuget.exe for package restore");
                 nugetExe = ResolveNugetExe();
-                if (HasNoPackageSource())
+                if (HasNoPackageSource() && useDefaultFeed())
                 {
                     // We only modify or add a top level nuget.config file
                     nugetConfigPath = Path.Combine(fileProvider.SourceDir.FullName, "nuget.config");

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs

@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Concurrent;
 using System.Collections.Generic;
+using System.Collections.Immutable;
 using System.IO;
 using System.Linq;
 using System.Net;
@@ -27,8 +28,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         private readonly IDiagnosticsWriter diagnosticsWriter;
         private readonly DependencyDirectory legacyPackageDirectory;
         private readonly DependencyDirectory missingPackageDirectory;
+        private readonly DependencyDirectory emptyPackageDirectory;
         private readonly ILogger logger;
         private readonly ICompilationInfoContainer compilationInfoContainer;
+        private readonly bool checkNugetFeedResponsiveness = EnvironmentVariables.GetBooleanOptOut(EnvironmentVariableNames.CheckNugetFeedResponsiveness);
+        private readonly ImmutableHashSet<string> privateRegistryFeeds;
+        private readonly bool hasPrivateRegistryFeeds;
 
         public DependencyDirectory PackageDirectory { get; }
 
@@ -45,6 +50,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             this.fileContent = fileContent;
             this.dotnet = dotnet;
             this.dependabotProxy = dependabotProxy;
+            this.privateRegistryFeeds = dependabotProxy?.RegistryURLs.ToImmutableHashSet() ?? [];
+            this.hasPrivateRegistryFeeds = privateRegistryFeeds.Count > 0;
             this.diagnosticsWriter = diagnosticsWriter;
             this.logger = logger;
             this.compilationInfoContainer = compilationInfoContainer;
@@ -52,6 +59,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             PackageDirectory = new DependencyDirectory("packages", "package", logger);
             legacyPackageDirectory = new DependencyDirectory("legacypackages", "legacy package", logger);
             missingPackageDirectory = new DependencyDirectory("missingpackages", "missing package", logger);
+            emptyPackageDirectory = new DependencyDirectory("empty", "empty package", logger);
         }
 
         public string? TryRestore(string package)
@@ -110,25 +118,50 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         public HashSet<AssemblyLookupLocation> Restore()
         {
             var assemblyLookupLocations = new HashSet<AssemblyLookupLocation>();
-            var checkNugetFeedResponsiveness = EnvironmentVariables.GetBooleanOptOut(EnvironmentVariableNames.CheckNugetFeedResponsiveness);
             logger.LogInfo($"Checking NuGet feed responsiveness: {checkNugetFeedResponsiveness}");
             compilationInfoContainer.CompilationInfos.Add(("NuGet feed responsiveness checked", checkNugetFeedResponsiveness ? "1" : "0"));
 
-            HashSet<string>? explicitFeeds = null;
-            HashSet<string>? allFeeds = null;
+            HashSet<string> explicitFeeds = [];
+            HashSet<string> reachableFeeds = [];
 
             try
             {
-                if (checkNugetFeedResponsiveness && !CheckFeeds(out explicitFeeds, out allFeeds))
+                // Find feeds that are configured in NuGet.config files and divide them into ones that
+                // are explicitly configured for the project or by a private registry, and "all feeds"
+                // (including inherited ones) from other locations on the host outside of the working directory.
+                (explicitFeeds, var allFeeds) = GetAllFeeds();
+
+                if (checkNugetFeedResponsiveness)
                 {
-                    // todo: we could also check the reachability of the inherited nuget feeds, but to use those in the fallback we would need to handle authentication too.
-                    var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds([], explicitFeeds);
-                    return unresponsiveMissingPackageLocation is null
-                        ? []
-                        : [unresponsiveMissingPackageLocation];
+                    var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
+
+                    if (inheritedFeeds.Count > 0)
+                    {
+                        compilationInfoContainer.CompilationInfos.Add(("Inherited NuGet feed count", inheritedFeeds.Count.ToString()));
+                    }
+
+                    var timeout = CheckSpecifiedFeeds(explicitFeeds, out var reachableExplicitFeeds);
+                    reachableFeeds.UnionWith(reachableExplicitFeeds);
+
+                    var allExplicitReachable = explicitFeeds.Count == reachableExplicitFeeds.Count;
+                    EmitUnreachableFeedsDiagnostics(allExplicitReachable);
+
+                    if (timeout)
+                    {
+                        // If we experience a timeout, we use this fallback.
+                        // todo: we could also check the reachability of the inherited nuget feeds, but to use those in the fallback we would need to handle authentication too.
+                        var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds([], explicitFeeds);
+                        return unresponsiveMissingPackageLocation is null
+                            ? []
+                            : [unresponsiveMissingPackageLocation];
+                    }
+
+                    // Inherited feeds should only be used, if they are indeed reachable (as they may be environment specific).
+                    CheckSpecifiedFeeds(inheritedFeeds, out var reachableInheritedFeeds);
+                    reachableFeeds.UnionWith(reachableInheritedFeeds);
                 }
 
-                using (var nuget = new NugetExeWrapper(fileProvider, legacyPackageDirectory, logger))
+                using (var nuget = new NugetExeWrapper(fileProvider, legacyPackageDirectory, logger, IsDefaultFeedReachable))
                 {
                     var count = nuget.InstallPackages();
 
@@ -167,9 +200,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 logger.LogError($"Failed to restore NuGet packages with nuget.exe: {exc.Message}");
             }
 
-            var restoredProjects = RestoreSolutions(out var container);
+            // Restore project dependencies with `dotnet restore`.
+            var restoredProjects = RestoreSolutions(reachableFeeds, out var container);
             var projects = fileProvider.Projects.Except(restoredProjects);
-            RestoreProjects(projects, allFeeds, out var containers);
+            RestoreProjects(projects, reachableFeeds, out var containers);
 
             var dependencies = containers.Flatten(container);
 
@@ -192,6 +226,53 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             return assemblyLookupLocations;
         }
 
+        /// <summary>
+        /// Tests which of the feeds given by <paramref name="feedsToCheck"/> are reachable.
+        /// </summary>
+        /// <param name="feedsToCheck">The feeds to check.</param>
+        /// <param name="isFallback">Whether the feeds are fallback feeds or not.</param>
+        /// <param name="isTimeout">Whether a timeout occurred while checking the feeds.</param>
+        /// <returns>The list of feeds that could be reached.</returns>
+        private List<string> GetReachableNuGetFeeds(HashSet<string> feedsToCheck, bool isFallback, out bool isTimeout)
+        {
+            var fallbackStr = isFallback ? "fallback " : "";
+            logger.LogInfo($"Checking {fallbackStr}NuGet feed reachability on feeds: {string.Join(", ", feedsToCheck.OrderBy(f => f))}");
+
+            var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback);
+            var timeout = false;
+            var reachableFeeds = feedsToCheck
+                .Where(feed =>
+                {
+                    var reachable = IsFeedReachable(feed, initialTimeout, tryCount, out var feedTimeout);
+                    timeout |= feedTimeout;
+                    return reachable;
+                })
+                .ToList();
+
+            if (reachableFeeds.Count == 0)
+            {
+                logger.LogWarning($"No {fallbackStr}NuGet feeds are reachable.");
+            }
+            else
+            {
+                logger.LogInfo($"Reachable {fallbackStr}NuGet feeds: {string.Join(", ", reachableFeeds.OrderBy(f => f))}");
+            }
+
+            isTimeout = timeout;
+            return reachableFeeds;
+        }
+
+        private bool IsDefaultFeedReachable()
+        {
+            if (checkNugetFeedResponsiveness)
+            {
+                var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: false);
+                return IsFeedReachable(PublicNugetOrgFeed, initialTimeout, tryCount, out var _);
+            }
+
+            return true;
+        }
+
         private List<string> GetReachableFallbackNugetFeeds(HashSet<string>? feedsFromNugetConfigs)
         {
             var fallbackFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.FallbackNugetFeeds).ToHashSet();
@@ -212,17 +293,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 }
             }
 
-            logger.LogInfo($"Checking fallback NuGet feed reachability on feeds: {string.Join(", ", fallbackFeeds.OrderBy(f => f))}");
-            var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: true);
-            var reachableFallbackFeeds = fallbackFeeds.Where(feed => IsFeedReachable(feed, initialTimeout, tryCount, allowExceptions: false)).ToList();
-            if (reachableFallbackFeeds.Count == 0)
-            {
-                logger.LogWarning("No fallback NuGet feeds are reachable.");
-            }
-            else
-            {
-                logger.LogInfo($"Reachable fallback NuGet feeds: {string.Join(", ", reachableFallbackFeeds.OrderBy(f => f))}");
-            }
+            var reachableFallbackFeeds = GetReachableNuGetFeeds(fallbackFeeds, isFallback: true, out var _);
 
             compilationInfoContainer.CompilationInfos.Add(("Reachable fallback NuGet feed count", reachableFallbackFeeds.Count.ToString()));
 
@@ -237,10 +308,12 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// Populates dependencies with the relevant dependencies from the assets files generated by the restore.
         /// Returns a list of projects that are up to date with respect to restore.
         /// </summary>
-        private IEnumerable<string> RestoreSolutions(out DependencyContainer dependencies)
+        private IEnumerable<string> RestoreSolutions(HashSet<string> reachableFeeds, out DependencyContainer dependencies)
         {
             var successCount = 0;
             var nugetSourceFailures = 0;
+            var nugetMissingPackageFailures = 0;
+
             var assets = new Assets(logger);
 
             var isWindows = fileContent.UseWindowsForms || fileContent.UseWpf;
@@ -248,7 +321,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             var projects = fileProvider.Solutions.SelectMany(solution =>
                 {
                     logger.LogInfo($"Restoring solution {solution}...");
-                    var res = dotnet.Restore(new(solution, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, TargetWindows: isWindows));
+                    var nugetSources = MakeRestoreSourcesArgument(solution, reachableFeeds);
+                    var res = dotnet.Restore(new(solution, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, NugetSources: nugetSources, TargetWindows: isWindows));
                     if (res.Success)
                     {
                         successCount++;
@@ -257,51 +331,84 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     {
                         nugetSourceFailures++;
                     }
+                    if (res.HasNugetPackageMissingError)
+                    {
+                        nugetMissingPackageFailures++;
+                    }
                     assets.AddDependenciesRange(res.AssetsFilePaths);
                     return res.RestoredProjects;
                 }).ToList();
             dependencies = assets.Dependencies;
             compilationInfoContainer.CompilationInfos.Add(("Successfully restored solution files", successCount.ToString()));
             compilationInfoContainer.CompilationInfos.Add(("Failed solution restore with package source error", nugetSourceFailures.ToString()));
+            compilationInfoContainer.CompilationInfos.Add(("Failed solution restore with missing package error", nugetMissingPackageFailures.ToString()));
             compilationInfoContainer.CompilationInfos.Add(("Restored projects through solution files", projects.Count.ToString()));
             return projects;
         }
 
+        private string FeedsToRestoreArgument(IEnumerable<string> feeds)
+        {
+            // If there are no feeds, we want to override any default feeds that `dotnet restore` would use by passing a dummy source argument.
+            if (!feeds.Any())
+            {
+                return $" -s \"{emptyPackageDirectory.DirInfo.FullName}\"";
+            }
+
+            // Add package sources. If any are present, they override all sources specified in
+            // the configuration file(s).
+            var feedArgs = new StringBuilder();
+            foreach (var feed in feeds)
+            {
+                feedArgs.Append($" -s \"{feed}\"");
+            }
+
+            return feedArgs.ToString();
+        }
+
+        /// <summary>
+        /// Constructs the list of NuGet sources to use for this restore.
+        /// (1) Use the feeds we get from `dotnet nuget list source`
+        /// (2) Use private registries, if they are configured
+        /// </summary>
+        /// <param name="path">Path to project/solution</param>
+        /// <param name="reachableFeeds">The set of reachable NuGet feeds.</param>
+        /// <returns>A string representing the NuGet sources argument for the restore command.</returns>
+        private string? MakeRestoreSourcesArgument(string path, HashSet<string> reachableFeeds)
+        {
+            // Do not construct an set of explicit NuGet sources to use for restore.
+            if (!checkNugetFeedResponsiveness && !hasPrivateRegistryFeeds)
+            {
+                return null;
+            }
+
+            // Find the path specific feeds.
+            var folder = GetDirectoryName(path);
+            var feedsToConsider = folder is not null ? GetFeeds(() => dotnet.GetNugetFeedsFromFolder(folder)).ToHashSet() : [];
+
+            if (hasPrivateRegistryFeeds)
+            {
+                feedsToConsider.UnionWith(privateRegistryFeeds);
+            }
+
+            var feedsToUse = checkNugetFeedResponsiveness
+                ? feedsToConsider.Where(reachableFeeds.Contains)
+                : feedsToConsider;
+
+            return FeedsToRestoreArgument(feedsToUse);
+        }
+
         /// <summary>
         /// Executes `dotnet restore` on all projects in projects.
         /// This is done in parallel for performance reasons.
         /// Populates dependencies with the relative paths to the assets files generated by the restore.
         /// </summary>
         /// <param name="projects">A list of paths to project files.</param>
-        private void RestoreProjects(IEnumerable<string> projects, HashSet<string>? configuredSources, out ConcurrentBag<DependencyContainer> dependencies)
+        /// <param name="reachableFeeds">The set of reachable NuGet feeds.</param>
+        private void RestoreProjects(IEnumerable<string> projects, HashSet<string> reachableFeeds, out ConcurrentBag<DependencyContainer> dependencies)
         {
-            // Conservatively, we only set this to a non-null value if a Dependabot proxy is enabled.
-            // This ensures that we continue to get the old behaviour where feeds are taken from
-            // `nuget.config` files instead of the command-line arguments.
-            string? extraArgs = null;
-
-            if (this.dependabotProxy is not null)
-            {
-                // If the Dependabot proxy is configured, then our main goal is to make `dotnet` aware
-                // of the private registry feeds. However, since providing them as command-line arguments
-                // to `dotnet` ignores other feeds that may be configured, we also need to add the feeds
-                // we have discovered from analysing `nuget.config` files.
-                var sources = configuredSources ?? new();
-                this.dependabotProxy.RegistryURLs.ForEach(url => sources.Add(url));
-
-                // Add package sources. If any are present, they override all sources specified in
-                // the configuration file(s).
-                var feedArgs = new StringBuilder();
-                foreach (string source in sources)
-                {
-                    feedArgs.Append($" -s {source}");
-                }
-
-                extraArgs = feedArgs.ToString();
-            }
-
             var successCount = 0;
             var nugetSourceFailures = 0;
+            var nugetMissingPackageFailures = 0;
             ConcurrentBag<DependencyContainer> collectedDependencies = [];
 
             var isWindows = fileContent.UseWindowsForms || fileContent.UseWpf;
@@ -314,7 +421,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 foreach (var project in projectGroup)
                 {
                     logger.LogInfo($"Restoring project {project}...");
-                    var res = dotnet.Restore(new(project, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, extraArgs, TargetWindows: isWindows));
+                    var nugetSources = MakeRestoreSourcesArgument(project, reachableFeeds);
+                    var res = dotnet.Restore(new(project, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, NugetSources: nugetSources, TargetWindows: isWindows));
                     assets.AddDependenciesRange(res.AssetsFilePaths);
                     lock (sync)
                     {
@@ -326,6 +434,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                         {
                             nugetSourceFailures++;
                         }
+                        if (res.HasNugetPackageMissingError)
+                        {
+                            nugetMissingPackageFailures++;
+                        }
                     }
                 }
                 collectedDependencies.Add(assets.Dependencies);
@@ -333,6 +445,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             dependencies = collectedDependencies;
             compilationInfoContainer.CompilationInfos.Add(("Successfully restored project files", successCount.ToString()));
             compilationInfoContainer.CompilationInfos.Add(("Failed project restore with package source error", nugetSourceFailures.ToString()));
+            compilationInfoContainer.CompilationInfos.Add(("Failed project restore with missing package error", nugetMissingPackageFailures.ToString()));
         }
 
         private AssemblyLookupLocation? DownloadMissingPackagesFromSpecificFeeds(IEnumerable<string> usedPackageNames, HashSet<string>? feedsFromNugetConfigs)
@@ -623,28 +736,22 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private static async Task ExecuteGetRequest(string address, HttpClient httpClient, CancellationToken cancellationToken)
+        private static async Task<HttpResponseMessage> ExecuteGetRequest(string address, HttpClient httpClient, CancellationToken cancellationToken)
         {
-            using var stream = await httpClient.GetStreamAsync(address, cancellationToken);
-            var buffer = new byte[1024];
-            int bytesRead;
-            while ((bytesRead = stream.Read(buffer, 0, buffer.Length)) > 0)
-            {
-                // do nothing
-            }
+            return await httpClient.GetAsync(address, HttpCompletionOption.ResponseHeadersRead, cancellationToken);
         }
 
-        private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, bool allowExceptions = true)
+        private bool IsFeedReachable(string feed, int timeoutMilliSeconds, int tryCount, out bool isTimeout)
         {
             logger.LogInfo($"Checking if NuGet feed '{feed}' is reachable...");
 
             // Configure the HttpClient to be aware of the Dependabot Proxy, if used.
             HttpClientHandler httpClientHandler = new();
-            if (this.dependabotProxy != null)
+            if (dependabotProxy != null)
             {
-                httpClientHandler.Proxy = new WebProxy(this.dependabotProxy.Address);
+                httpClientHandler.Proxy = new WebProxy(dependabotProxy.Address);
 
-                if (this.dependabotProxy.Certificate != null)
+                if (dependabotProxy.Certificate != null)
                 {
                     httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, _) =>
                     {
@@ -659,7 +766,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                             return false;
                         }
                         chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
-                        chain.ChainPolicy.CustomTrustStore.Add(this.dependabotProxy.Certificate);
+                        chain.ChainPolicy.CustomTrustStore.Add(dependabotProxy.Certificate);
                         return chain.Build(cert);
                     };
                 }
@@ -667,13 +774,17 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
             using HttpClient client = new(httpClientHandler);
 
+            isTimeout = false;
+
             for (var i = 0; i < tryCount; i++)
             {
                 using var cts = new CancellationTokenSource();
                 cts.CancelAfter(timeoutMilliSeconds);
                 try
                 {
-                    ExecuteGetRequest(feed, client, cts.Token).GetAwaiter().GetResult();
+                    logger.LogInfo($"Attempt {i + 1}/{tryCount} to reach NuGet feed '{feed}'.");
+                    using var response = ExecuteGetRequest(feed, client, cts.Token).GetAwaiter().GetResult();
+                    response.EnsureSuccessStatusCode();
                     logger.LogInfo($"Querying NuGet feed '{feed}' succeeded.");
                     return true;
                 }
@@ -688,14 +799,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                         continue;
                     }
 
-                    // We're only interested in timeouts.
-                    var start = allowExceptions ? "Considering" : "Not considering";
-                    logger.LogInfo($"Querying NuGet feed '{feed}' failed in a timely manner. {start} the feed for use. The reason for the failure: {exc.Message}");
-                    return allowExceptions;
+                    logger.LogInfo($"Querying NuGet feed '{feed}' failed. The reason for the failure: {exc.Message}");
+                    return false;
                 }
             }
 
             logger.LogWarning($"Didn't receive answer from NuGet feed '{feed}'. Tried it {tryCount} times.");
+            isTimeout = true;
             return false;
         }
 
@@ -719,42 +829,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         }
 
         /// <summary>
-        /// Checks that we can connect to all NuGet feeds that are explicitly configured in configuration files
-        /// as well as any private package registry feeds that are configured.
+        /// Retrieves a list of excluded NuGet feeds from the corresponding environment variable.
         /// </summary>
-        /// <param name="explicitFeeds">Outputs the set of explicit feeds.</param>
-        /// <param name="allFeeds">Outputs the set of all feeds (explicit and inherited).</param>
-        /// <returns>True if all feeds are reachable or false otherwise.</returns>
-        private bool CheckFeeds(out HashSet<string> explicitFeeds, out HashSet<string> allFeeds)
+        private HashSet<string> GetExcludedFeeds()
         {
-            (explicitFeeds, allFeeds) = GetAllFeeds();
-            HashSet<string> feedsToCheck = explicitFeeds;
-
-            // If private package registries are configured for C#, then check those
-            // in addition to the ones that are configured in `nuget.config` files.
-            this.dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url));
-
-            var allFeedsReachable = this.CheckSpecifiedFeeds(feedsToCheck);
-
-            var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
-            if (inheritedFeeds.Count > 0)
-            {
-                logger.LogInfo($"Inherited NuGet feeds (not checked for reachability): {string.Join(", ", inheritedFeeds.OrderBy(f => f))}");
-                compilationInfoContainer.CompilationInfos.Add(("Inherited NuGet feed count", inheritedFeeds.Count.ToString()));
-            }
-
-            return allFeedsReachable;
-        }
-
-        /// <summary>
-        /// Checks that we can connect to the specified NuGet feeds.
-        /// </summary>
-        /// <param name="feeds">The set of package feeds to check.</param>
-        /// <returns>True if all feeds are reachable or false otherwise.</returns>
-        private bool CheckSpecifiedFeeds(HashSet<string> feeds)
-        {
-            logger.LogInfo("Checking that NuGet feeds are reachable...");
-
             var excludedFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.ExcludedNugetFeedsFromResponsivenessCheck)
                 .ToHashSet();
 
@@ -763,9 +841,49 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 logger.LogInfo($"Excluded NuGet feeds from responsiveness check: {string.Join(", ", excludedFeeds.OrderBy(f => f))}");
             }
 
-            var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: false);
+            return excludedFeeds;
+        }
 
-            var allFeedsReachable = feeds.All(feed => excludedFeeds.Contains(feed) || IsFeedReachable(feed, initialTimeout, tryCount));
+        /// <summary>
+        /// Checks that we can connect to the specified NuGet feeds.
+        /// </summary>
+        /// <param name="feeds">The set of package feeds to check.</param>
+        /// <param name="reachableFeeds">The list of feeds that were reachable.</param>
+        /// <returns>
+        /// True if there is a timeout when trying to reach the feeds (excluding any feeds that are configured
+        /// to be excluded from the check) or false otherwise.
+        /// </returns>
+        private bool CheckSpecifiedFeeds(HashSet<string> feeds, out HashSet<string> reachableFeeds)
+        {
+            // Exclude any feeds from the feed check that are configured by the corresponding environment variable.
+            // These feeds are always assumed to be reachable.
+            var excludedFeeds = GetExcludedFeeds();
+
+            HashSet<string> feedsToCheck = feeds.Where(feed =>
+            {
+                if (excludedFeeds.Contains(feed))
+                {
+                    logger.LogInfo($"Not checking reachability of NuGet feed '{feed}' as it is in the list of excluded feeds.");
+                    return false;
+                }
+                return true;
+            }).ToHashSet();
+
+            reachableFeeds = GetReachableNuGetFeeds(feedsToCheck, isFallback: false, out var isTimeout).ToHashSet();
+
+            // Always consider feeds excluded for the reachability check as reachable.
+            reachableFeeds.UnionWith(feeds.Where(feed => excludedFeeds.Contains(feed)));
+
+            return isTimeout;
+        }
+
+        /// <summary>
+        /// If <paramref name="allFeedsReachable"/> is `false`, logs this and emits a diagnostic.
+        /// Adds a `CompilationInfos` entry either way.
+        /// </summary>
+        /// <param name="allFeedsReachable">Whether all feeds were reachable or not.</param>
+        private void EmitUnreachableFeedsDiagnostics(bool allFeedsReachable)
+        {
             if (!allFeedsReachable)
             {
                 logger.LogWarning("Found unreachable NuGet feed in C# analysis with build-mode 'none'. This may cause missing dependencies in the analysis.");
@@ -779,8 +897,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 ));
             }
             compilationInfoContainer.CompilationInfos.Add(("All NuGet feeds reachable", allFeedsReachable ? "1" : "0"));
-
-            return allFeedsReachable;
         }
 
         private IEnumerable<string> GetFeeds(Func<IList<string>> getNugetFeeds)
@@ -811,6 +927,19 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
+        private string? GetDirectoryName(string path)
+        {
+            try
+            {
+                return new FileInfo(path).Directory?.FullName;
+            }
+            catch (Exception exc)
+            {
+                logger.LogWarning($"Failed to get directory of '{path}': {exc}");
+            }
+            return null;
+        }
+
         private (HashSet<string> explicitFeeds, HashSet<string> allFeeds) GetAllFeeds()
         {
             var nugetConfigs = fileProvider.NugetConfigs;
@@ -828,11 +957,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
                 if (invalidNugetConfigs.Count() > 0)
                 {
-                    this.logger.LogWarning(string.Format(
+                    logger.LogWarning(string.Format(
                         "Found incorrectly named NuGet configuration files: {0}",
                         string.Join(", ", invalidNugetConfigs)
                     ));
-                    this.diagnosticsWriter.AddEntry(new DiagnosticMessage(
+                    diagnosticsWriter.AddEntry(new DiagnosticMessage(
                         Language.CSharp,
                         "buildless/case-sensitive-nuget-config",
                         "Found NuGet configuration files which are not correctly named",
@@ -864,41 +993,33 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 logger.LogDebug("No NuGet feeds found in nuget.config files.");
             }
 
-            // todo: this could be improved.
-            HashSet<string>? allFeeds = null;
+            // If private package registries are configured for C#, then consider those
+            // in addition to the ones that are configured in `nuget.config` files.
+            if (hasPrivateRegistryFeeds)
+            {
+                logger.LogInfo($"Found {privateRegistryFeeds.Count} private registry feeds configured for C#: {string.Join(", ", privateRegistryFeeds.OrderBy(f => f))}");
+                explicitFeeds.UnionWith(privateRegistryFeeds);
+            }
+
+            HashSet<string> allFeeds = [];
+
+            // Add all explicitFeeds to the set of all feeds.
+            allFeeds.UnionWith(explicitFeeds);
+
+            // Obtain the list of feeds from the root source directory.
+            // If a NuGet file is present it will be respected, otherwise we will just get the machine/environment specific feeds.
+            var nugetFeedsFromRoot = GetFeeds(() => dotnet.GetNugetFeedsFromFolder(fileProvider.SourceDir.FullName));
+            allFeeds.UnionWith(nugetFeedsFromRoot);
 
             if (nugetConfigs.Count > 0)
             {
-                // We don't have to get the feeds from each of the folders from below, it would be enought to check the folders that recursively contain the others.
-                allFeeds = nugetConfigs
-                    .Select(config =>
-                    {
-                        try
-                        {
-                            return new FileInfo(config).Directory?.FullName;
-                        }
-                        catch (Exception exc)
-                        {
-                            logger.LogWarning($"Failed to get directory of '{config}': {exc}");
-                        }
-                        return null;
-                    })
+                var nugetConfigFeeds = nugetConfigs
+                    .Select(GetDirectoryName)
                     .Where(folder => folder != null)
                     .SelectMany(folder => GetFeeds(() => dotnet.GetNugetFeedsFromFolder(folder!)))
                     .ToHashSet();
 
-                // If we have discovered any explicit feeds, then we also expect these to be in the set of all feeds.
-                // Normally, it is a safe assumption to make that `GetNugetFeedsFromFolder` will include the feeds configured
-                // in a NuGet configuration file in the given directory. There is one exception: on a system with case-sensitive
-                // file systems, we may discover a configuration file such as `Nuget.Config` which is not recognised by `dotnet nuget`.
-                // In that case, our call to `GetNugetFeeds` will retrieve the feeds from that file (because it is accepted when
-                // provided explicitly as `--configfile` argument), but the call to `GetNugetFeedsFromFolder` will not.
-                allFeeds.UnionWith(explicitFeeds);
-            }
-            else
-            {
-                // If we haven't found any `nuget.config` files, then obtain a list of feeds from the root source directory.
-                allFeeds = GetFeeds(() => dotnet.GetNugetFeedsFromFolder(this.fileProvider.SourceDir.FullName)).ToHashSet();
+                allFeeds.UnionWith(nugetConfigFeeds);
             }
 
             logger.LogInfo($"Found {allFeeds.Count} NuGet feeds (with inherited ones) in nuget.config files: {string.Join(", ", allFeeds.OrderBy(f => f))}");
@@ -923,6 +1044,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             PackageDirectory?.Dispose();
             legacyPackageDirectory?.Dispose();
             missingPackageDirectory?.Dispose();
+            emptyPackageDirectory?.Dispose();
         }
 
         /// <summary>

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 1.7.67
+
+No user-facing changes.
+
+## 1.7.66
+
+No user-facing changes.
+
 ## 1.7.65
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.66.md

@@ -0,0 +1,3 @@
+## 1.7.66
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.67.md

@@ -0,0 +1,3 @@
+## 1.7.67
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.65
+lastReleaseVersion: 1.7.67

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.66-dev
+version: 1.7.67
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 1.7.67
+
+No user-facing changes.
+
+## 1.7.66
+
+No user-facing changes.
+
 ## 1.7.65
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.66.md

@@ -0,0 +1,3 @@
+## 1.7.66
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.67.md

@@ -0,0 +1,3 @@
+## 1.7.67
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.65
+lastReleaseVersion: 1.7.67

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.66-dev
+version: 1.7.67
 groups:
   - csharp
   - solorigate

csharp/ql/consistency-queries/SsaConsistency.ql

@@ -7,8 +7,8 @@ query predicate localDeclWithSsaDef(LocalVariableDeclExpr d) {
   // Local variables in C# must be initialized before every use, so uninitialized
   // local variables should not have an SSA definition, as that would imply that
   // the declaration is live (can reach a use without passing through a definition)
-  exists(ExplicitDefinition def |
-    d = def.getADefinition().(AssignableDefinitions::LocalVariableDefinition).getDeclaration()
+  exists(SsaExplicitWrite def |
+    d = def.getDefinition().(AssignableDefinitions::LocalVariableDefinition).getDeclaration()
   |
     not d = any(ForeachStmt fs).getVariableDeclExpr() and
     not d = any(SpecificCatchClause scc).getVariableDeclExpr() and

csharp/ql/integration-tests/all-platforms/standalone_resx/CompilationInfo.expected

@@ -1,5 +1,7 @@
 | All NuGet feeds reachable | 1.0 |
+| Failed project restore with missing package error | 0.0 |
 | Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
 | Failed solution restore with package source error | 0.0 |
 | Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |

csharp/ql/integration-tests/all-platforms/standalone_slnx/CompilationInfo.expected

@@ -1,5 +1,7 @@
 | All NuGet feeds reachable | 1.0 |
+| Failed project restore with missing package error | 0.0 |
 | Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
 | Failed solution restore with package source error | 0.0 |
 | Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |

csharp/ql/integration-tests/all-platforms/standalone_winforms/CompilationInfo.expected

@@ -1,5 +1,7 @@
 | All NuGet feeds reachable | 1.0 |
+| Failed project restore with missing package error | 0.0 |
 | Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
 | Failed solution restore with package source error | 0.0 |
 | Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/Assemblies.expected

@@ -0,0 +1 @@
+| test-db/working/packages/newtonsoft.json/13.0.4/lib/net6.0/Newtonsoft.Json.dll:0:0:0:0 | Newtonsoft.Json, Version=13.0.0.0, Culture=neutral, PublicKeyToken=30ad4fe6b2a6aeed |

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/Assemblies.ql

@@ -0,0 +1,5 @@
+import csharp
+
+from Assembly a
+where exists(a.getFile().getAbsolutePath().indexOf("newtonsoft.json"))
+select a

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/CompilationInfo.expected

@@ -0,0 +1,22 @@
+| All NuGet feeds reachable | 1.0 |
+| Failed project restore with missing package error | 0.0 |
+| Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
+| Failed solution restore with package source error | 0.0 |
+| Inherited NuGet feed count | 1.0 |
+| NuGet feed responsiveness checked | 1.0 |
+| Project files on filesystem | 1.0 |
+| Reachable fallback NuGet feed count | 1.0 |
+| Resolved assembly conflicts | 0.0 |
+| Resource extraction enabled | 0.0 |
+| Restored .NET framework variants | 1.0 |
+| Restored projects through solution files | 0.0 |
+| Solution files on filesystem | 0.0 |
+| Source files generated | 0.0 |
+| Source files on filesystem | 1.0 |
+| Successfully restored project files | 1.0 |
+| Successfully restored solution files | 0.0 |
+| Unresolved references | 0.0 |
+| UseWPF set | 0.0 |
+| UseWindowsForms set | 0.0 |
+| WebView extraction enabled | 1.0 |

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/CompilationInfo.ql

@@ -0,0 +1,15 @@
+import csharp
+import semmle.code.csharp.commons.Diagnostics
+
+query predicate compilationInfo(string key, float value) {
+  key != "Resolved references" and
+  not key.matches("Compiler diagnostic count for%") and
+  exists(Compilation c, string infoKey, string infoValue | infoValue = c.getInfo(infoKey) |
+    key = infoKey and
+    value = infoValue.toFloat()
+    or
+    not exists(infoValue.toFloat()) and
+    key = infoKey + ": " + infoValue and
+    value = 1
+  )
+}

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/clear/nuget.config

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<configuration>
+  <packageSources>
+    <clear />
+  </packageSources>
+</configuration>

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "10.0.201"
+    }
+}

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/proj/Program.cs

@@ -0,0 +1 @@
+class Program { }

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/proj/proj.csproj

@@ -0,0 +1,16 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <OutputType>Exe</OutputType>
+    <TargetFrameworks>net10.0</TargetFrameworks>
+  </PropertyGroup>
+
+  <Target Name="DeleteBinObjFolders" BeforeTargets="Clean">
+    <RemoveDir Directories=".\bin" />
+    <RemoveDir Directories=".\obj" />
+  </Target>
+
+  <ItemGroup>
+    <PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
+  </ItemGroup>
+</Project>

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_clear/test.py

@@ -0,0 +1,12 @@
+import os
+import runs_on
+
+
+@runs_on.posix
+def test(codeql, csharp):
+    # Making sure the reachability test of `nuget.org` succeeds:
+    os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_NUGET_FEEDS_CHECK_FALLBACK_TIMEOUT"] = "1000"
+    os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_NUGET_FEEDS_CHECK_FALLBACK_LIMIT"] = "5"
+
+    # This test checks that the nuget.config file in the clear folder is not applied to the restore of the project.
+    codeql.database.create(build_mode="none")

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_error/CompilationInfo.expected

@@ -1,7 +1,10 @@
-| All NuGet feeds reachable | 1.0 |
-| Failed project restore with package source error | 1.0 |
+| All NuGet feeds reachable | 0.0 |
+| Failed project restore with missing package error | 1.0 |
+| Failed project restore with package source error | 0.0 |
+| Failed solution restore with missing package error | 0.0 |
 | Failed solution restore with package source error | 0.0 |
 | Fallback nuget restore | 1.0 |
+| Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |
 | Project files on filesystem | 1.0 |
 | Reachable fallback NuGet feed count | 1.0 |

csharp/ql/integration-tests/posix/standalone_dependencies_nuget_config_fallback/CompilationInfo.expected

@@ -1,5 +1,6 @@
 | All NuGet feeds reachable | 0.0 |
 | Fallback nuget restore | 1.0 |
+| Inherited NuGet feed count | 1.0 |
 | NuGet feed responsiveness checked | 1.0 |
 | Project files on filesystem | 1.0 |
 | Reachable fallback NuGet feed count | 2.0 |

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,46 @@
+## 6.0.1
+
+No user-facing changes.
+
+## 6.0.0
+
+### Breaking Changes
+
+* The C# control flow graph (CFG) implementation has been completely
+  rewritten. The CFG now includes additional nodes to more accurately represent
+  certain constructs. This also means that any existing code that implicitly
+  relies on very specific details about the CFG may need to be updated.
+  The CFG no longer uses splitting, which means that AST nodes now have a unique
+  CFG node representation.
+  Additionally, the following breaking changes have been made:
+  - `ControlFlow::Node` has been renamed to `ControlFlowNode`.
+  - `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
+  - `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
+  - `BasicBlocks.qll` has been deleted.
+  - `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
+    mapping remains one-to-many, but now for a different reason. It used to be
+    because of splitting, but now it's because of additional "helper" CFG
+    nodes. To get the (now canonical) CFG node for a given AST node, use
+    `ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
+    `ControlFlowElement.getControlFlowNode()` instead.
+
+### Deprecated APIs
+
+* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.
+
+### New Features
+
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).
+
+### Major Analysis Improvements
+
+* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
+
+### Minor Analysis Improvements
+
+* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.
+* C# 14: Added support for user-defined compound assignment operators.
+
 ## 5.5.0
 
 ### Deprecated APIs
@@ -64,9 +107,9 @@ No user-facing changes.
 * When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
 * Updated the generated .NET “models as data” runtime models to cover .NET 10.
 * C# 14: Support for *implicit* span conversions in the QL library.
-* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build-mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
 * Added autobuilder and `build-mode: none` support for `.slnx` solution files.
-* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* In `build-mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
 * Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
 
 ### Bug Fixes

csharp/ql/lib/change-notes/2026-03-06-compound-assignment-operations.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* C# 14: Added support for user-defined compound assignment operators.

csharp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).

csharp/ql/lib/change-notes/2026-04-01-asp-remote-sources.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.

csharp/ql/lib/change-notes/2026-04-13-cfg.md

@@ -1,20 +0,0 @@
----
-category: breaking
----
-* The C# control flow graph (CFG) implementation has been completely
-  rewritten. The CFG now includes additional nodes to more accurately represent
-  certain constructs. This also means that any existing code that implicitly
-  relies on very specific details about the CFG may need to be updated.
-  The CFG no longer uses splitting, which means that AST nodes now have a unique
-  CFG node representation.
-  Additionally, the following breaking changes have been made:
-  - `ControlFlow::Node` has been renamed to `ControlFlowNode`.
-  - `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
-  - `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
-  - `BasicBlocks.qll` has been deleted.
-  - `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
-    mapping remains one-to-many, but now for a different reason. It used to be
-    because of splitting, but now it's because of additional "helper" CFG
-    nodes. To get the (now canonical) CFG node for a given AST node, use
-    `ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
-    `ControlFlowElement.getControlFlowNode()` instead.

csharp/ql/lib/change-notes/released/5.4.5.md

@@ -5,9 +5,9 @@
 * When a code-scanning configuration specifies the `paths:` and/or `paths-ignore:` settings, these are now taken into account by the C# extractor's search for `.config`, `.props`, XML and project files.
 * Updated the generated .NET “models as data” runtime models to cover .NET 10.
 * C# 14: Support for *implicit* span conversions in the QL library.
-* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
+* Basic extractor support for .NET 10 is now available. Extraction is supported for .NET 10 projects in both traced mode and `build-mode: none`. However, code that uses language features new to C# 14 is not yet fully supported for extraction and analysis.
 * Added autobuilder and `build-mode: none` support for `.slnx` solution files.
-* In `build mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
+* In `build-mode: none`, .NET 10 is now used by default unless a specific .NET version is specified elsewhere.
 * Added implicit reads of `System.Collections.Generic.KeyValuePair.Value` at taint-tracking sinks and at inputs to additional taint steps. As a result, taint-tracking queries will now produce more results when a container is tainted.
 
 ### Bug Fixes

csharp/ql/lib/change-notes/released/6.0.0.md

@@ -0,0 +1,38 @@
+## 6.0.0
+
+### Breaking Changes
+
+* The C# control flow graph (CFG) implementation has been completely
+  rewritten. The CFG now includes additional nodes to more accurately represent
+  certain constructs. This also means that any existing code that implicitly
+  relies on very specific details about the CFG may need to be updated.
+  The CFG no longer uses splitting, which means that AST nodes now have a unique
+  CFG node representation.
+  Additionally, the following breaking changes have been made:
+  - `ControlFlow::Node` has been renamed to `ControlFlowNode`.
+  - `ControlFlow::Nodes` has been renamed to `ControlFlowNodes`.
+  - `BasicBlock.getCallable` has been renamed to `BasicBlock.getEnclosingCallable`.
+  - `BasicBlocks.qll` has been deleted.
+  - `ControlFlowNode.getAstNode` has changed its meaning. The AST-to-CFG
+    mapping remains one-to-many, but now for a different reason. It used to be
+    because of splitting, but now it's because of additional "helper" CFG
+    nodes. To get the (now canonical) CFG node for a given AST node, use
+    `ControlFlowNode.asExpr()` or `ControlFlowNode.asStmt()` or
+    `ControlFlowElement.getControlFlowNode()` instead.
+
+### Deprecated APIs
+
+* The QL classes in the C# SSA library have been renamed to improve consistency between languages. Any custom QL code that makes use of SSA needs to be updated. The old classes have been deprecated and include more detailed migration instructions in their qldoc.
+
+### New Features
+
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C#](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-csharp/).
+
+### Major Analysis Improvements
+
+* When resolving dependencies in `build-mode: none`, `dotnet restore` now explicitly receives reachable NuGet feeds configured in `nuget.config` when feed responsiveness checking is enabled (the default), and any private registries directly, improving reliability when default feeds are unavailable or restricted.
+
+### Minor Analysis Improvements
+
+* Expanded ASP and ASP.NET remote source modeling to cover additional sources, including fields of tainted parameters as well as properties and fields that become tainted transitively.
+* C# 14: Added support for user-defined compound assignment operators.

csharp/ql/lib/change-notes/released/6.0.1.md

@@ -0,0 +1,3 @@
+## 6.0.1
+
+No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.5.0
+lastReleaseVersion: 6.0.1

csharp/ql/lib/printCfg.ql

@@ -8,6 +8,7 @@
  */
 
 import csharp
+import semmle.code.csharp.controlflow.internal.ControlFlowGraph
 
 external string selectedSourceFile();
 
@@ -22,6 +23,8 @@ external int selectedSourceColumn();
 private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
 
 module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<File> {
+  private import semmle.code.csharp.controlflow.ControlFlowGraph
+
   predicate selectedSourceFile = selectedSourceFileAlias/0;
 
   predicate selectedSourceLine = selectedSourceLineAlias/0;
@@ -29,7 +32,7 @@ module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<File> {
   predicate selectedSourceColumn = selectedSourceColumnAlias/0;
 
   predicate cfgScopeSpan(
-    Callable scope, File file, int startLine, int startColumn, int endLine, int endColumn
+    Ast::Callable scope, File file, int startLine, int startColumn, int endLine, int endColumn
   ) {
     file = scope.getFile() and
     scope.getLocation().getStartLine() = startLine and

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.5.1-dev
+version: 6.0.1
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/Assignable.qll

@@ -271,6 +271,8 @@ module AssignableInternal {
     def = TPatternDefinition(result)
     or
     def = TAssignOperationDefinition(result)
+    or
+    def = TParameterDefaultDefinition(_, result)
   }
 
   /** A local variable declaration at the top-level of a pattern. */
@@ -308,10 +310,17 @@ module AssignableInternal {
         exists(Callable c | p = c.getAParameter() |
           c.hasBody()
           or
-          // Same as `c.(Constructor).hasInitializer()`, but avoids negative recursion warning
-          c.getAChildExpr() instanceof @constructor_init_expr
+          c.(Constructor).hasInitializer()
         )
       } or
+      TParameterDefaultDefinition(Parameter p, Expr default) {
+        exists(Callable c | p = c.getAParameter() |
+          c.hasBody()
+          or
+          c.(Constructor).hasInitializer()
+        ) and
+        default = p.getDefaultValue()
+      } or
       TAddressOfDefinition(AddressOfExpr aoe) or
       TPatternDefinition(TopLevelPatternDecl tlpd) or
       TAssignOperationDefinition(AssignOperation ao) {
@@ -350,6 +359,8 @@ module AssignableInternal {
         any(AssignableDefinitions::PatternDefinition pd | result = pd.getDeclaration().getVariable())
       or
       def = any(AssignableDefinitions::InitializerDefinition init | result = init.getAssignable())
+      or
+      def = TParameterDefaultDefinition(result, _)
     }
 
     // Not defined by dispatch in order to avoid too conservative negative recursion error
@@ -489,16 +500,7 @@ class AssignableDefinition extends TAssignableDefinition {
    */
   pragma[nomagic]
   AssignableRead getAFirstRead() {
-    exists(ControlFlowNode cfn | cfn = result.getControlFlowNode() |
-      exists(Ssa::ExplicitDefinition def | result = def.getAFirstReadAtNode(cfn) |
-        this = def.getADefinition()
-      )
-      or
-      exists(Ssa::ImplicitParameterDefinition def | result = def.getAFirstReadAtNode(cfn) |
-        this.(AssignableDefinitions::ImplicitParameterDefinition).getParameter() =
-          def.getParameter()
-      )
-    )
+    exists(SsaExplicitWrite def | result = Ssa::ssaGetAFirstUse(def) | this = def.getDefinition())
   }
 
   /** Gets a textual representation of this assignable definition. */
@@ -689,7 +691,33 @@ module AssignableDefinitions {
 
     override string toString() { result = p.toString() }
 
-    override Location getLocation() { result = this.getTarget().getLocation() }
+    override Location getLocation() { result = p.getLocation() }
+  }
+
+  /**
+   * A default value assigned to a parameter.
+   */
+  class ParameterDefaultDefinition extends AssignableDefinition, TParameterDefaultDefinition {
+    Parameter p;
+    Expr default;
+
+    ParameterDefaultDefinition() { this = TParameterDefaultDefinition(p, default) }
+
+    /** Gets the underlying parameter. */
+    Parameter getParameter() { result = p }
+
+    /** Gets the default value expression for the parameter. */
+    Expr getDefaultValue() { result = default }
+
+    override Expr getSource() { result = default }
+
+    override Expr getElement() { result = default }
+
+    override Callable getEnclosingCallable() { result = p.getCallable() }
+
+    override string toString() { result = p.toString() + " = ..." }
+
+    override Location getLocation() { result = default.getLocation() }
   }
 
   /**

csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll

@@ -13,7 +13,7 @@ private import internal.Location
  * An element that can have a child statement or expression.
  */
 class ExprOrStmtParent extends Element, @exprorstmt_parent {
-  final override ControlFlowElement getChild(int i) {
+  override ControlFlowElement getChild(int i) {
     result = this.getChildExpr(i) or
     result = this.getChildStmt(i)
   }
@@ -42,14 +42,8 @@ class ExprOrStmtParent extends Element, @exprorstmt_parent {
  *
  * An element that can have a child top-level expression.
  */
-class TopLevelExprParent extends Element, @top_level_expr_parent {
+class TopLevelExprParent extends ExprOrStmtParent, @top_level_expr_parent {
   final override Expr getChild(int i) { result = this.getChildExpr(i) }
-
-  /** Gets the `i`th child expression of this element (zero-based). */
-  final Expr getChildExpr(int i) { expr_parent_top_level_adjusted(result, i, this) }
-
-  /** Gets a child expression of this element, if any. */
-  final Expr getAChildExpr() { result = this.getChildExpr(_) }
 }
 
 /** INTERNAL: Do not use. */

csharp/ql/lib/semmle/code/csharp/PrintAst.qll

@@ -299,7 +299,9 @@ class ControlFlowElementNode extends ElementNode {
     not isNotNeeded(element.getParent+()) and
     // LambdaExpr is both a Callable and a ControlFlowElement,
     // print it with the more specific CallableNode
-    not element instanceof Callable
+    not element instanceof Callable and
+    // Handled in `ParameterNode`
+    not element instanceof Parameter
   }
 
   override PrintAstNode getChild(int childIndex) {

csharp/ql/lib/semmle/code/csharp/Variable.qll

@@ -87,7 +87,9 @@ class LocalScopeVariable extends Variable, @local_scope_variable {
  * }
  * ```
  */
-class Parameter extends LocalScopeVariable, Attributable, TopLevelExprParent, @parameter {
+class Parameter extends LocalScopeVariable, Attributable, TopLevelExprParent, ControlFlowElement,
+  @parameter
+{
   /** Gets the raw position of this parameter, including the `this` parameter at index 0. */
   final int getRawPosition() { this = this.getDeclaringElement().getRawParameter(result) }
 

csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowGraph.qll

@@ -3,7 +3,7 @@
  */
 
 import csharp
-private import codeql.controlflow.ControlFlowGraph
+private import internal.ControlFlowGraph
 private import codeql.controlflow.SuccessorType
 private import semmle.code.csharp.commons.Compilation
 private import semmle.code.csharp.controlflow.internal.NonReturning as NonReturning
@@ -19,197 +19,6 @@ private import Cfg1
 private import Cfg2
 import Public
 
-/** Provides an implementation of the AST signature for C#. */
-private module Ast implements AstSig<Location> {
-  private import csharp as CS
-
-  class AstNode = ControlFlowElementOrCallable;
-
-  additional predicate skipControlFlow(AstNode e) {
-    e instanceof TypeAccess and
-    not e instanceof TypeAccessPatternExpr
-    or
-    not e.getFile().fromSource()
-  }
-
-  private AstNode getExprChild0(Expr e, int i) {
-    not e instanceof NameOfExpr and
-    not e instanceof AnonymousFunctionExpr and
-    not skipControlFlow(result) and
-    result = e.getChild(i)
-  }
-
-  private AstNode getStmtChild0(Stmt s, int i) {
-    not s instanceof FixedStmt and
-    not s instanceof UsingBlockStmt and
-    result = s.getChild(i)
-    or
-    s =
-      any(FixedStmt fs |
-        result = fs.getVariableDeclExpr(i)
-        or
-        result = fs.getBody() and
-        i = max(int j | exists(fs.getVariableDeclExpr(j))) + 1
-      )
-    or
-    s =
-      any(UsingBlockStmt us |
-        result = us.getExpr() and
-        i = 0
-        or
-        result = us.getVariableDeclExpr(i)
-        or
-        result = us.getBody() and
-        i = max([1, count(us.getVariableDeclExpr(_))])
-      )
-  }
-
-  AstNode getChild(AstNode n, int index) {
-    result = getStmtChild0(n, index)
-    or
-    result = getExprChild0(n, index)
-  }
-
-  private AstNode getParent(AstNode n) { n = getChild(result, _) }
-
-  Callable getEnclosingCallable(AstNode node) {
-    result = node.(ControlFlowElement).getEnclosingCallable() or
-    result.(ObjectInitMethod).initializes(getParent*(node)) or
-    Initializers::staticMemberInitializer(result, getParent*(node))
-  }
-
-  class Callable = CS::Callable;
-
-  AstNode callableGetBody(Callable c) {
-    not skipControlFlow(result) and
-    result = c.getBody()
-  }
-
-  class Stmt = CS::Stmt;
-
-  class Expr = CS::Expr;
-
-  class BlockStmt = CS::BlockStmt;
-
-  class ExprStmt = CS::ExprStmt;
-
-  class IfStmt = CS::IfStmt;
-
-  class LoopStmt = CS::LoopStmt;
-
-  class WhileStmt = CS::WhileStmt;
-
-  class DoStmt = CS::DoStmt;
-
-  final private class FinalForStmt = CS::ForStmt;
-
-  class ForStmt extends FinalForStmt {
-    Expr getInit(int index) { result = this.getInitializer(index) }
-  }
-
-  final private class FinalForeachStmt = CS::ForeachStmt;
-
-  class ForeachStmt extends FinalForeachStmt {
-    Expr getVariable() {
-      result = this.getVariableDeclExpr() or result = this.getVariableDeclTuple()
-    }
-
-    Expr getCollection() { result = this.getIterableExpr() }
-  }
-
-  class BreakStmt = CS::BreakStmt;
-
-  class ContinueStmt = CS::ContinueStmt;
-
-  class GotoStmt = CS::GotoStmt;
-
-  class ReturnStmt = CS::ReturnStmt;
-
-  class Throw = CS::ThrowElement;
-
-  final private class FinalTryStmt = CS::TryStmt;
-
-  class TryStmt extends FinalTryStmt {
-    Stmt getBody() { result = this.getBlock() }
-
-    CatchClause getCatch(int index) { result = this.getCatchClause(index) }
-
-    Stmt getFinally() { result = super.getFinally() }
-  }
-
-  final private class FinalCatchClause = CS::CatchClause;
-
-  class CatchClause extends FinalCatchClause {
-    AstNode getVariable() { result = this.(CS::SpecificCatchClause).getVariableDeclExpr() }
-
-    Expr getCondition() { result = this.getFilterClause() }
-
-    Stmt getBody() { result = this.getBlock() }
-  }
-
-  final private class FinalSwitch = CS::Switch;
-
-  class Switch extends FinalSwitch {
-    Case getCase(int index) { result = super.getCase(index) }
-
-    Stmt getStmt(int index) { result = this.(CS::SwitchStmt).getStmt(index) }
-  }
-
-  final private class FinalCase = CS::Case;
-
-  class Case extends FinalCase {
-    AstNode getAPattern() { result = this.getPattern() }
-
-    Expr getGuard() { result = this.getCondition() }
-
-    AstNode getBody() { result = super.getBody() }
-  }
-
-  class DefaultCase extends Case instanceof CS::DefaultCase { }
-
-  class ConditionalExpr = CS::ConditionalExpr;
-
-  class BinaryExpr = CS::BinaryOperation;
-
-  class LogicalAndExpr = CS::LogicalAndExpr;
-
-  class LogicalOrExpr = CS::LogicalOrExpr;
-
-  class NullCoalescingExpr = CS::NullCoalescingExpr;
-
-  class UnaryExpr = CS::UnaryOperation;
-
-  class LogicalNotExpr = CS::LogicalNotExpr;
-
-  class Assignment = CS::Assignment;
-
-  class AssignExpr = CS::AssignExpr;
-
-  class CompoundAssignment = CS::AssignOperation;
-
-  class AssignLogicalAndExpr extends CompoundAssignment {
-    AssignLogicalAndExpr() { none() }
-  }
-
-  class AssignLogicalOrExpr extends CompoundAssignment {
-    AssignLogicalOrExpr() { none() }
-  }
-
-  class AssignNullCoalescingExpr = CS::AssignCoalesceExpr;
-
-  final private class FinalBoolLiteral = CS::BoolLiteral;
-
-  class BooleanLiteral extends FinalBoolLiteral {
-    boolean getValue() { result = this.getBoolValue() }
-  }
-
-  final private class FinalIsExpr = CS::IsExpr;
-
-  class PatternMatchExpr extends FinalIsExpr {
-    AstNode getPattern() { result = super.getPattern() }
-  }
-}
-
 /**
  * A compilation.
  *
@@ -232,79 +41,17 @@ private class CompilationExt extends TCompilationExt {
 }
 
 /** Gets the compilation that source file `f` belongs to. */
-private CompilationExt getCompilation(File f) {
+bindingset[e]
+pragma[inline_late]
+private CompilationExt getCompilation(Element e) {
   exists(Compilation c |
-    f = c.getAFileCompiled() and
+    e.getALocation().getFile() = c.getAFileCompiled() and
     result = TCompilation(c)
   )
   or
   result = TBuildless()
 }
 
-private module Initializers {
-  private import semmle.code.csharp.ExprOrStmtParent as ExprOrStmtParent
-
-  /**
-   * The `expr_parent_top_level_adjusted()` relation restricted to exclude relations
-   * between properties and their getters' expression bodies in properties such as
-   * `int P => 0`.
-   *
-   * This is in order to only associate the expression body with one CFG scope, namely
-   * the getter (and not the declaration itself).
-   */
-  private predicate expr_parent_top_level_adjusted2(
-    Expr child, int i, @top_level_exprorstmt_parent parent
-  ) {
-    ExprOrStmtParent::expr_parent_top_level_adjusted(child, i, parent) and
-    not exists(Getter g |
-      g.getDeclaration() = parent and
-      i = 0
-    )
-  }
-
-  /**
-   * Holds if `init` is a static member initializer and `staticCtor` is the
-   * static constructor in the same declaring type. Hence, `staticCtor` can be
-   * considered to execute `init` prior to the execution of its body.
-   */
-  predicate staticMemberInitializer(Constructor staticCtor, Expr init) {
-    exists(Assignable a |
-      a.(Modifiable).isStatic() and
-      expr_parent_top_level_adjusted2(init, _, a) and
-      a.getDeclaringType() = staticCtor.getDeclaringType() and
-      staticCtor.isStatic()
-    )
-  }
-
-  /**
-   * Gets the `i`th static member initializer expression for static constructor `staticCtor`.
-   */
-  Expr initializedStaticMemberOrder(Constructor staticCtor, int i) {
-    result =
-      rank[i + 1](Expr init, Location l, string filepath, int startline, int startcolumn |
-        staticMemberInitializer(staticCtor, init) and
-        l = init.getLocation() and
-        l.hasLocationInfo(filepath, startline, startcolumn, _, _)
-      |
-        init order by startline, startcolumn, filepath
-      )
-  }
-
-  /**
-   * Gets the `i`th member initializer expression for object initializer method `obinit`.
-   */
-  AssignExpr initializedInstanceMemberOrder(ObjectInitMethod obinit, int i) {
-    result =
-      rank[i + 1](AssignExpr ae0, Location l, string filepath, int startline, int startcolumn |
-        obinit.initializes(ae0) and
-        l = ae0.getLocation() and
-        l.hasLocationInfo(filepath, startline, startcolumn, _, _)
-      |
-        ae0 order by startline, startcolumn, filepath
-      )
-  }
-}
-
 private module Exceptions {
   private import semmle.code.csharp.commons.Assertions
 
@@ -415,12 +162,12 @@ private module Input implements InputSig1, InputSig2 {
     l = TLblGoto(n.(LabelStmt).getLabel())
   }
 
-  class CallableBodyPartContext = CompilationExt;
+  class CallableContext = CompilationExt;
 
   pragma[nomagic]
-  Ast::AstNode callableGetBodyPart(Callable c, CallableBodyPartContext ctx, int index) {
+  Ast::AstNode callableGetBodyPart(Ast::Callable c, CallableContext ctx, int index) {
     not Ast::skipControlFlow(result) and
-    ctx = getCompilation(result.getFile()) and
+    ctx = getCompilation(result) and
     (
       result = Initializers::initializedInstanceMemberOrder(c, index)
       or
@@ -437,9 +184,19 @@ private module Input implements InputSig1, InputSig2 {
         or
         i = 2 and result = ctor.getBody()
       )
+      or
+      not c instanceof Constructor and
+      result = c.getBody() and
+      index = 0
     )
   }
 
+  pragma[nomagic]
+  Ast::Parameter callableGetParameter(Ast::Callable c, CallableContext ctx, int index) {
+    result = Ast::callableGetParameter(c, index) and
+    ctx = getCompilation(result)
+  }
+
   private Expr getQualifier(QualifiableExpr qe) {
     result = qe.getQualifier() or
     result = qe.(ExtensionMethodCall).getArgument(0)

csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowReachability.qll

@@ -26,17 +26,7 @@ private module ControlFlowInput implements InputSig<Location, ControlFlowNode, B
 
   class Expr = CS::Expr;
 
-  class SourceVariable = Ssa::SourceVariable;
-
-  class SsaDefinition = Ssa::Definition;
-
-  class SsaExplicitWrite extends SsaDefinition instanceof Ssa::ExplicitDefinition {
-    Expr getValue() { result = super.getADefinition().getSource() }
-  }
-
-  class SsaPhiDefinition = Ssa::PhiNode;
-
-  class SsaUncertainWrite = Ssa::UncertainDefinition;
+  import Ssa
 
   class GuardValue = Guards::GuardValue;
 

csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll

@@ -85,12 +85,12 @@ private module GuardsInput implements SharedGuards::InputSig<Location, ControlFl
 
     predicate matchEdge(BasicBlock bb1, BasicBlock bb2) {
       bb1.getASuccessor(any(MatchingSuccessor s | s.getValue() = true)) = bb2 and
-      bb1.getLastNode() = AstNode.super.getControlFlowNode()
+      bb1.getLastNode() = super.getPattern().getControlFlowNode()
     }
 
     predicate nonMatchEdge(BasicBlock bb1, BasicBlock bb2) {
       bb1.getASuccessor(any(MatchingSuccessor s | s.getValue() = false)) = bb2 and
-      bb1.getLastNode() = AstNode.super.getControlFlowNode()
+      bb1.getLastNode() = super.getPattern().getControlFlowNode()
     }
   }
 
@@ -191,23 +191,7 @@ private module GuardsImpl = SharedGuards::Make<Location, Cfg, GuardsInput>;
 class GuardValue = GuardsImpl::GuardValue;
 
 private module LogicInput implements GuardsImpl::LogicInputSig {
-  class SsaDefinition extends Ssa::Definition {
-    Expr getARead() { super.getARead() = result }
-  }
-
-  class SsaExplicitWrite extends SsaDefinition instanceof Ssa::ExplicitDefinition {
-    Expr getValue() { result = super.getADefinition().getSource() }
-  }
-
-  class SsaPhiDefinition extends SsaDefinition instanceof Ssa::PhiNode {
-    predicate hasInputFromBlock(SsaDefinition inp, BasicBlock bb) {
-      super.hasInputFromBlock(inp, bb)
-    }
-  }
-
-  class SsaParameterInit extends SsaDefinition instanceof Ssa::ImplicitParameterDefinition {
-    Parameter getParameter() { result = super.getParameter() }
-  }
+  import Ssa
 
   predicate additionalNullCheck(GuardsImpl::PreGuard guard, GuardValue val, Expr e, boolean isNull) {
     // Comparison with a non-`null` value, for example `x?.Length > 0`
@@ -586,7 +570,7 @@ class AccessOrCallExpr extends Expr {
    * An expression can have more than one SSA qualifier in the presence
    * of control flow splitting.
    */
-  Ssa::Definition getAnSsaQualifier(ControlFlowNode cfn) { result = getAnSsaQualifier(this, cfn) }
+  SsaDefinition getAnSsaQualifier(ControlFlowNode cfn) { result = getAnSsaQualifier(this, cfn) }
 }
 
 private Declaration getDeclarationTarget(Expr e) {
@@ -594,22 +578,22 @@ private Declaration getDeclarationTarget(Expr e) {
   result = e.(Call).getTarget()
 }
 
-private Ssa::Definition getAnSsaQualifier(Expr e, ControlFlowNode cfn) {
+private SsaDefinition getAnSsaQualifier(Expr e, ControlFlowNode cfn) {
   e = getATrackedAccess(result, cfn)
   or
   not e = getATrackedAccess(_, _) and
   result = getAnSsaQualifier(e.(QualifiableExpr).getQualifier(), cfn)
 }
 
-private AssignableAccess getATrackedAccess(Ssa::Definition def, ControlFlowNode cfn) {
-  result = def.getAReadAtNode(cfn)
+private AssignableAccess getATrackedAccess(SsaDefinition def, ControlFlowNode cfn) {
+  result = def.getARead() and cfn = result.getControlFlowNode()
   or
-  result = def.(Ssa::ExplicitDefinition).getADefinition().getTargetAccess() and
+  result = def.(SsaExplicitWrite).getDefinition().getTargetAccess() and
   cfn = def.getControlFlowNode()
 }
 
 private predicate ssaMustHaveValue(Expr e, GuardValue v) {
-  exists(Ssa::Definition def, BasicBlock bb |
+  exists(SsaDefinition def, BasicBlock bb |
     e = def.getARead() and
     e.getBasicBlock() = bb and
     Guards::ssaControls(def, bb, v)
@@ -841,14 +825,12 @@ module Internal {
     )
     or
     e =
-      any(Ssa::Definition def |
-        forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nullDef(u))
+      any(SsaDefinition def |
+        forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nullDef(u))
       ).getARead()
   }
 
-  private predicate nullDef(Ssa::ExplicitDefinition def) {
-    nullValueImplied(def.getADefinition().getSource())
-  }
+  private predicate nullDef(SsaExplicitWrite def) { nullValueImplied(def.getValue()) }
 
   predicate nonNullValueImplied(Expr e) {
     nonNullValue(e)
@@ -856,14 +838,12 @@ module Internal {
     exists(Expr e1 | nonNullValueImplied(e1) and nonNullValueImpliedUnary(e1, e))
     or
     e =
-      any(Ssa::Definition def |
-        forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nonNullDef(u))
+      any(SsaDefinition def |
+        forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nonNullDef(u))
       ).getARead()
   }
 
-  private predicate nonNullDef(Ssa::ExplicitDefinition def) {
-    nonNullValueImplied(def.getADefinition().getSource())
-  }
+  private predicate nonNullDef(SsaExplicitWrite def) { nonNullValueImplied(def.getValue()) }
 
   /** A callable that always returns a non-`null` value. */
   private class NonNullCallable extends Callable {
@@ -1120,7 +1100,7 @@ module Internal {
     private predicate nodeIsGuardedBySameSubExprSsaDef0(
       ControlFlowNode cfn, BasicBlock guardedBB, AccessOrCallExpr guarded, Guard g,
       ControlFlowNode subCfn, BasicBlock subCfnBB, AccessOrCallExpr sub, GuardValue v,
-      Ssa::Definition def
+      SsaDefinition def
     ) {
       nodeIsGuardedBySameSubExpr(cfn, guardedBB, guarded, g, sub, v) and
       def = sub.getAnSsaQualifier(subCfn) and
@@ -1130,7 +1110,7 @@ module Internal {
     pragma[nomagic]
     private predicate nodeIsGuardedBySameSubExprSsaDef(
       ControlFlowNode guardedCfn, AccessOrCallExpr guarded, Guard g, ControlFlowNode subCfn,
-      AccessOrCallExpr sub, GuardValue v, Ssa::Definition def
+      AccessOrCallExpr sub, GuardValue v, SsaDefinition def
     ) {
       exists(BasicBlock guardedBB, BasicBlock subCfnBB |
         nodeIsGuardedBySameSubExprSsaDef0(guardedCfn, guardedBB, guarded, g, subCfn, subCfnBB, sub,
@@ -1149,7 +1129,7 @@ module Internal {
     cached
     predicate isGuardedByExpr(AccessOrCallExpr guarded, Guard g, AccessOrCallExpr sub, GuardValue v) {
       isGuardedByExpr0(guarded, g, sub, v) and
-      forall(ControlFlowNode subCfn, Ssa::Definition def |
+      forall(ControlFlowNode subCfn, SsaDefinition def |
         nodeIsGuardedBySameSubExprSsaDef(_, guarded, g, subCfn, sub, v, def)
       |
         def = guarded.getAnSsaQualifier(_)
@@ -1161,7 +1141,7 @@ module Internal {
       ControlFlowNodes::ElementNode guarded, Guard g, AccessOrCallExpr sub, GuardValue v
     ) {
       nodeIsGuardedBySameSubExpr(guarded, _, _, g, sub, v) and
-      forall(ControlFlowNode subCfn, Ssa::Definition def |
+      forall(ControlFlowNode subCfn, SsaDefinition def |
         nodeIsGuardedBySameSubExprSsaDef(guarded, _, g, subCfn, sub, v, def)
       |
         def =

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraph.qll

@@ -0,0 +1,282 @@
+import csharp
+import codeql.controlflow.ControlFlowGraph
+
+module Initializers {
+  private import semmle.code.csharp.ExprOrStmtParent as ExprOrStmtParent
+
+  /**
+   * The `expr_parent_top_level_adjusted()` relation restricted to exclude relations
+   * between properties and their getters' expression bodies in properties such as
+   * `int P => 0`.
+   *
+   * This is in order to only associate the expression body with one CFG scope, namely
+   * the getter (and not the declaration itself).
+   */
+  private predicate expr_parent_top_level_adjusted2(
+    Expr child, int i, @top_level_exprorstmt_parent parent
+  ) {
+    ExprOrStmtParent::expr_parent_top_level_adjusted(child, i, parent) and
+    not exists(Getter g |
+      g.getDeclaration() = parent and
+      i = 0
+    )
+  }
+
+  /**
+   * Holds if `init` is a static member initializer and `staticCtor` is the
+   * static constructor in the same declaring type. Hence, `staticCtor` can be
+   * considered to execute `init` prior to the execution of its body.
+   */
+  predicate staticMemberInitializer(Constructor staticCtor, Expr init) {
+    exists(Assignable a |
+      a.(Modifiable).isStatic() and
+      expr_parent_top_level_adjusted2(init, _, a) and
+      a.getDeclaringType() = staticCtor.getDeclaringType() and
+      staticCtor.isStatic()
+    )
+  }
+
+  /**
+   * Gets the `i`th static member initializer expression for static constructor `staticCtor`.
+   */
+  Expr initializedStaticMemberOrder(Constructor staticCtor, int i) {
+    result =
+      rank[i + 1](Expr init, Location l, string filepath, int startline, int startcolumn |
+        staticMemberInitializer(staticCtor, init) and
+        l = init.getLocation() and
+        l.hasLocationInfo(filepath, startline, startcolumn, _, _)
+      |
+        init order by startline, startcolumn, filepath
+      )
+  }
+
+  /**
+   * Gets the `i`th member initializer expression for object initializer method `obinit`.
+   */
+  AssignExpr initializedInstanceMemberOrder(ObjectInitMethod obinit, int i) {
+    result =
+      rank[i + 1](AssignExpr ae0, Location l, string filepath, int startline, int startcolumn |
+        obinit.initializes(ae0) and
+        l = ae0.getLocation() and
+        l.hasLocationInfo(filepath, startline, startcolumn, _, _)
+      |
+        ae0 order by startline, startcolumn, filepath
+      )
+  }
+}
+
+/**
+ * Provides an implementation of the AST signature for C#.
+ */
+module Ast implements AstSig<Location> {
+  private import csharp as CS
+
+  class AstNode = ControlFlowElementOrCallable;
+
+  additional predicate skipControlFlow(AstNode e) {
+    e instanceof TypeAccess and
+    not e instanceof TypeAccessPatternExpr
+    or
+    not e.getFile().fromSource()
+  }
+
+  private AstNode getExprChild0(Expr e, int i) {
+    not e instanceof NameOfExpr and
+    not e instanceof AnonymousFunctionExpr and
+    not skipControlFlow(result) and
+    result = e.getChild(i)
+  }
+
+  private AstNode getStmtChild0(Stmt s, int i) {
+    not s instanceof FixedStmt and
+    not s instanceof UsingBlockStmt and
+    result = s.getChild(i)
+    or
+    s =
+      any(FixedStmt fs |
+        result = fs.getVariableDeclExpr(i)
+        or
+        result = fs.getBody() and
+        i = max(int j | exists(fs.getVariableDeclExpr(j))) + 1
+      )
+    or
+    s =
+      any(UsingBlockStmt us |
+        result = us.getExpr() and
+        i = 0
+        or
+        result = us.getVariableDeclExpr(i)
+        or
+        result = us.getBody() and
+        i = max([1, count(us.getVariableDeclExpr(_))])
+      )
+  }
+
+  AstNode getChild(AstNode n, int index) {
+    result = getStmtChild0(n, index)
+    or
+    result = getExprChild0(n, index)
+  }
+
+  private AstNode getParent(AstNode n) { n = getChild(result, _) }
+
+  Callable getEnclosingCallable(AstNode node) {
+    result = node.(ControlFlowElement).getEnclosingCallable()
+    or
+    result.(ObjectInitMethod).initializes(getParent*(node))
+    or
+    Initializers::staticMemberInitializer(result, getParent*(node))
+    or
+    result = node.(Parameter).getCallable()
+    or
+    not skipControlFlow(node) and
+    getParent*(node) = any(Parameter p | result = p.getCallable()).getDefaultValue()
+  }
+
+  class Callable extends CS::Callable {
+    Callable() { this.isUnboundDeclaration() }
+  }
+
+  AstNode callableGetBody(Callable c) {
+    not skipControlFlow(result) and
+    result = c.getBody()
+  }
+
+  final private class ParameterFinal = CS::Parameter;
+
+  class Parameter extends ParameterFinal {
+    Expr getDefaultValue() {
+      // Avoid combinatorial explosions for callables with multiple bodies
+      result = unique( | | super.getDefaultValue())
+    }
+  }
+
+  Parameter callableGetParameter(Callable c, int i) {
+    not skipControlFlow(result) and
+    result = c.getParameter(i)
+  }
+
+  class Stmt = CS::Stmt;
+
+  class Expr = CS::Expr;
+
+  class BlockStmt = CS::BlockStmt;
+
+  class ExprStmt = CS::ExprStmt;
+
+  class IfStmt = CS::IfStmt;
+
+  class LoopStmt = CS::LoopStmt;
+
+  class WhileStmt = CS::WhileStmt;
+
+  class DoStmt = CS::DoStmt;
+
+  final private class FinalForStmt = CS::ForStmt;
+
+  class ForStmt extends FinalForStmt {
+    Expr getInit(int index) { result = this.getInitializer(index) }
+  }
+
+  final private class FinalForeachStmt = CS::ForeachStmt;
+
+  class ForeachStmt extends FinalForeachStmt {
+    Expr getVariable() {
+      result = this.getVariableDeclExpr() or result = this.getVariableDeclTuple()
+    }
+
+    Expr getCollection() { result = this.getIterableExpr() }
+  }
+
+  class BreakStmt = CS::BreakStmt;
+
+  class ContinueStmt = CS::ContinueStmt;
+
+  class GotoStmt = CS::GotoStmt;
+
+  class ReturnStmt = CS::ReturnStmt;
+
+  class Throw = CS::ThrowElement;
+
+  final private class FinalTryStmt = CS::TryStmt;
+
+  class TryStmt extends FinalTryStmt {
+    Stmt getBody() { result = this.getBlock() }
+
+    CatchClause getCatch(int index) { result = this.getCatchClause(index) }
+
+    Stmt getFinally() { result = super.getFinally() }
+  }
+
+  final private class FinalCatchClause = CS::CatchClause;
+
+  class CatchClause extends FinalCatchClause {
+    AstNode getVariable() { result = this.(CS::SpecificCatchClause).getVariableDeclExpr() }
+
+    Expr getCondition() { result = this.getFilterClause() }
+
+    Stmt getBody() { result = this.getBlock() }
+  }
+
+  final private class FinalSwitch = CS::Switch;
+
+  class Switch extends FinalSwitch {
+    Case getCase(int index) { result = super.getCase(index) }
+
+    Stmt getStmt(int index) { result = this.(CS::SwitchStmt).getStmt(index) }
+  }
+
+  final private class FinalCase = CS::Case;
+
+  class Case extends FinalCase {
+    AstNode getPattern(int index) { result = this.getPattern() and index = 0 }
+
+    Expr getGuard() { result = this.getCondition() }
+
+    AstNode getBody() { result = super.getBody() }
+  }
+
+  class DefaultCase extends Case instanceof CS::DefaultCase { }
+
+  class ConditionalExpr = CS::ConditionalExpr;
+
+  class BinaryExpr = CS::BinaryOperation;
+
+  class LogicalAndExpr = CS::LogicalAndExpr;
+
+  class LogicalOrExpr = CS::LogicalOrExpr;
+
+  class NullCoalescingExpr = CS::NullCoalescingExpr;
+
+  class UnaryExpr = CS::UnaryOperation;
+
+  class LogicalNotExpr = CS::LogicalNotExpr;
+
+  class Assignment = CS::Assignment;
+
+  class AssignExpr = CS::AssignExpr;
+
+  class CompoundAssignment = CS::AssignOperation;
+
+  class AssignLogicalAndExpr extends CompoundAssignment {
+    AssignLogicalAndExpr() { none() }
+  }
+
+  class AssignLogicalOrExpr extends CompoundAssignment {
+    AssignLogicalOrExpr() { none() }
+  }
+
+  class AssignNullCoalescingExpr = CS::AssignCoalesceExpr;
+
+  final private class FinalBoolLiteral = CS::BoolLiteral;
+
+  class BooleanLiteral extends FinalBoolLiteral {
+    boolean getValue() { result = this.getBoolValue() }
+  }
+
+  final private class FinalIsExpr = CS::IsExpr;
+
+  class PatternMatchExpr extends FinalIsExpr {
+    AstNode getPattern() { result = super.getPattern() }
+  }
+}

csharp/ql/lib/semmle/code/csharp/dataflow/Nullness.qll

@@ -67,8 +67,8 @@ class AlwaysNullExpr extends Expr {
     exists(AlwaysNullExpr e1, AlwaysNullExpr e2 | G::Internal::nullValueImpliedBinary(e1, e2, this))
     or
     this =
-      any(Ssa::Definition def |
-        forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nullDef(u))
+      any(SsaDefinition def |
+        forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nullDef(u))
       ).getARead()
     or
     exists(Callable target |
@@ -80,9 +80,7 @@ class AlwaysNullExpr extends Expr {
 }
 
 /** Holds if SSA definition `def` is always `null`. */
-private predicate nullDef(Ssa::ExplicitDefinition def) {
-  def.getADefinition().getSource() instanceof AlwaysNullExpr
-}
+private predicate nullDef(SsaExplicitWrite def) { def.getValue() instanceof AlwaysNullExpr }
 
 /** An expression that is never `null`. */
 class NonNullExpr extends Expr {
@@ -94,8 +92,8 @@ class NonNullExpr extends Expr {
     this instanceof G::NullGuardedExpr
     or
     this =
-      any(Ssa::Definition def |
-        forex(Ssa::Definition u | u = def.getAnUltimateDefinition() | nonNullDef(u))
+      any(SsaDefinition def |
+        forex(SsaDefinition u | u = def.getAnUltimateDefinition() | nonNullDef(u))
       ).getARead()
     or
     exists(Callable target |
@@ -108,10 +106,10 @@ class NonNullExpr extends Expr {
 }
 
 /** Holds if SSA definition `def` is never `null`. */
-private predicate nonNullDef(Ssa::ExplicitDefinition def) {
-  def.getADefinition().getSource() instanceof NonNullExpr
+private predicate nonNullDef(SsaExplicitWrite def) {
+  def.getValue() instanceof NonNullExpr
   or
-  exists(AssignableDefinition ad | ad = def.getADefinition() |
+  exists(AssignableDefinition ad | ad = def.getDefinition() |
     ad instanceof AssignableDefinitions::PatternDefinition
     or
     ad =
@@ -124,13 +122,11 @@ private predicate nonNullDef(Ssa::ExplicitDefinition def) {
 }
 
 /**
- * Holds if `node` is a dereference `d` of SSA definition `def`.
+ * Holds if `d` is a dereference of SSA definition `def`.
  */
-private predicate dereferenceAt(ControlFlowNode node, Ssa::Definition def, Dereference d) {
-  d = def.getAReadAtNode(node)
-}
+private predicate dereferenceAt(SsaDefinition def, Dereference d) { d = def.getARead() }
 
-private predicate isMaybeNullArgument(Ssa::ImplicitParameterDefinition def, MaybeNullExpr arg) {
+private predicate isMaybeNullArgument(SsaParameterInit def, MaybeNullExpr arg) {
   exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p |
     p = def.getParameter()
   |
@@ -181,18 +177,8 @@ private predicate hasMultipleParamsArguments(Call c) {
   )
 }
 
-private predicate isNullDefaultArgument(Ssa::ImplicitParameterDefinition def, AlwaysNullExpr arg) {
-  exists(AssignableDefinitions::ImplicitParameterDefinition pdef, Parameter p |
-    p = def.getParameter()
-  |
-    p = pdef.getParameter().getUnboundDeclaration() and
-    arg = p.getDefaultValue() and
-    not arg.getEnclosingCallable().getEnclosingCallable*() instanceof TestMethod
-  )
-}
-
 /** Holds if `def` is an SSA definition that may be `null`. */
-private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string msg, Element reason) {
+private predicate defMaybeNull(SsaDefinition def, ControlFlowNode node, string msg, Element reason) {
   not nonNullDef(def) and
   (
     // A variable compared to `null` might be `null`
@@ -200,10 +186,10 @@ private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string
       de.guardSuggestsMaybeNull(reason) and
       msg = "as suggested by $@ null check" and
       node = def.getControlFlowNode() and
-      not de = any(Ssa::PhiNode phi).getARead() and
+      not de = any(SsaPhiDefinition phi).getARead() and
       // Don't use a check as reason if there is a `null` assignment
       // or argument
-      not def.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof MaybeNullExpr and
+      not def.(SsaExplicitWrite).getValue() instanceof MaybeNullExpr and
       not isMaybeNullArgument(def, _)
     )
     or
@@ -216,37 +202,33 @@ private predicate defMaybeNull(Ssa::Definition def, ControlFlowNode node, string
       else msg = "because of $@ potential null argument"
     )
     or
-    isNullDefaultArgument(def, reason) and
-    node = def.getControlFlowNode() and
-    msg = "because the parameter has a null default value"
-    or
     // If the source of a variable is `null` then the variable may be `null`
-    exists(AssignableDefinition adef | adef = def.(Ssa::ExplicitDefinition).getADefinition() |
+    exists(AssignableDefinition adef | adef = def.(SsaExplicitWrite).getDefinition() |
       adef.getSource() = maybeNullExpr(node.asExpr()) and
       reason = adef.getExpr() and
       msg = "because of $@ assignment"
     )
     or
     // A variable of nullable type may be null
-    exists(Dereference d | dereferenceAt(_, def, d) |
+    exists(Dereference d | dereferenceAt(def, d) |
       node = def.getControlFlowNode() and
       d.hasNullableType() and
-      not def instanceof Ssa::PhiNode and
+      not def instanceof SsaPhiDefinition and
       reason = def.getSourceVariable().getAssignable() and
       msg = "because it has a nullable type"
     )
   )
 }
 
-private Ssa::Definition getAPseudoInput(Ssa::Definition def) {
-  result = def.(Ssa::PhiNode).getAnInput()
+private SsaDefinition getAPseudoInput(SsaDefinition def) {
+  result = def.(SsaPhiDefinition).getAnInput()
 }
 
 // `def.getAnUltimateDefinition()` includes inputs into uncertain
 // definitions, but we only want inputs into pseudo nodes
-private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) {
+private SsaDefinition getAnUltimateDefinition(SsaDefinition def) {
   result = getAPseudoInput*(def) and
-  not result instanceof Ssa::PhiNode
+  not result instanceof SsaPhiDefinition
 }
 
 /**
@@ -254,8 +236,8 @@ private Ssa::Definition getAnUltimateDefinition(Ssa::Definition def) {
  * through an intermediate dereference that always throws a null reference
  * exception.
  */
-private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) {
-  exists(def.getAFirstReadAtNode(cfn))
+private predicate defReaches(SsaDefinition def, ControlFlowNode cfn) {
+  Ssa::ssaGetAFirstUse(def).getControlFlowNode() = cfn
   or
   exists(ControlFlowNode mid | defReaches(def, mid) |
     SsaImpl::adjacentReadPairSameVar(_, mid, cfn) and
@@ -264,11 +246,12 @@ private predicate defReaches(Ssa::Definition def, ControlFlowNode cfn) {
 }
 
 private module NullnessConfig implements ControlFlowReachability::ConfigSig {
-  predicate source(ControlFlowNode node, Ssa::Definition def) { defMaybeNull(def, node, _, _) }
+  predicate source(ControlFlowNode node, SsaDefinition def) { defMaybeNull(def, node, _, _) }
 
-  predicate sink(ControlFlowNode node, Ssa::Definition def) {
+  predicate sink(ControlFlowNode node, SsaDefinition def) {
     exists(Dereference d |
-      dereferenceAt(node, def, d) and
+      dereferenceAt(def, d) and
+      node = d.getControlFlowNode() and
       not d instanceof NonNullExpr
     )
   }
@@ -281,11 +264,12 @@ private module NullnessConfig implements ControlFlowReachability::ConfigSig {
 private module NullnessFlow = ControlFlowReachability::Flow<NullnessConfig>;
 
 predicate maybeNullDeref(Dereference d, Ssa::SourceVariable v, string msg, Element reason) {
-  exists(Ssa::Definition origin, Ssa::Definition ssa, ControlFlowNode src, ControlFlowNode sink |
+  exists(SsaDefinition origin, SsaDefinition ssa, ControlFlowNode src, ControlFlowNode sink |
     defMaybeNull(origin, src, msg, reason) and
     NullnessFlow::flow(src, origin, sink, ssa) and
     ssa.getSourceVariable() = v and
-    dereferenceAt(sink, ssa, d) and
+    dereferenceAt(ssa, d) and
+    sink = d.getControlFlowNode() and
     not d.isAlwaysNull(v)
   )
 }
@@ -336,10 +320,7 @@ class Dereference extends G::DereferenceableExpr {
         not p.getAnnotatedType().isNullableRefType()
         or
         p.fromSource() and
-        exists(
-          Ssa::ImplicitParameterDefinition def,
-          AssignableDefinitions::ImplicitParameterDefinition pdef
-        |
+        exists(SsaParameterInit def, AssignableDefinitions::ImplicitParameterDefinition pdef |
           p = def.getParameter()
         |
           p.getUnboundDeclaration() = pdef.getParameter() and
@@ -349,9 +330,9 @@ class Dereference extends G::DereferenceableExpr {
     )
   }
 
-  private predicate isAlwaysNull0(Ssa::Definition def) {
-    forall(Ssa::Definition input | input = getAnUltimateDefinition(def) |
-      input.(Ssa::ExplicitDefinition).getADefinition().getSource() instanceof AlwaysNullExpr
+  private predicate isAlwaysNull0(SsaDefinition def) {
+    forall(SsaDefinition input | input = getAnUltimateDefinition(def) |
+      input.(SsaExplicitWrite).getValue() instanceof AlwaysNullExpr
     ) and
     not nonNullDef(def) and
     this = def.getARead() and
@@ -367,7 +348,7 @@ class Dereference extends G::DereferenceableExpr {
     // Exclude fields and properties, as they may not have an accurate SSA representation
     v.getAssignable() instanceof LocalScopeVariable and
     (
-      forex(Ssa::Definition def0 | this = def0.getARead() | this.isAlwaysNull0(def0))
+      forex(SsaDefinition def0 | this = def0.getARead() | this.isAlwaysNull0(def0))
       or
       exists(G::GuardValue nv |
         this.(G::GuardedExpr).mustHaveValue(nv) and

csharp/ql/lib/semmle/code/csharp/dataflow/SSA.qll

@@ -3,13 +3,14 @@
  */
 
 import csharp
+private import internal.SsaImpl as SsaImpl
+import SsaImpl::Ssa_
 
 /**
  * Provides classes for working with static single assignment (SSA) form.
  */
 module Ssa {
-  private import internal.SsaImpl as SsaImpl
-  private import semmle.code.csharp.internal.Location
+  import SsaImpl::Ssa_
 
   pragma[nomagic]
   private predicate assignableDefinitionLocalScopeVariable(
@@ -19,15 +20,6 @@ module Ssa {
     ad.getEnclosingCallable() = c
   }
 
-  pragma[nomagic]
-  private predicate localScopeSourceVariable(
-    SourceVariables::LocalScopeSourceVariable sv, LocalScopeVariable v, Callable c1, Callable c2
-  ) {
-    sv.getAssignable() = v and
-    sv.getEnclosingCallable() = c1 and
-    v.getCallable() = c2
-  }
-
   /**
    * A variable that can be SSA converted.
    *
@@ -54,7 +46,7 @@ module Ssa {
       not exists(result.getTargetAccess()) and
       exists(LocalScopeVariable v, Callable c |
         assignableDefinitionLocalScopeVariable(result, v, c) and
-        localScopeSourceVariable(this, v, c, _)
+        SsaImpl::localScopeSourceVariable(this, v, c, _)
       )
     }
 
@@ -82,7 +74,7 @@ module Ssa {
      * Gets an SSA definition that has this variable as its underlying
      * source variable.
      */
-    Definition getAnSsaDefinition() { result.getSourceVariable() = this }
+    SsaDefinition getAnSsaDefinition() { result.getSourceVariable() = this }
   }
 
   /** Provides different types of `SourceVariable`s. */
@@ -158,11 +150,49 @@ module Ssa {
   }
 
   /**
+   * Gets a read of the source variable underlying the SSA definition `def`
+   * that can be reached from `def` without passing through any
+   * other SSA definition or read. Example:
+   *
+   * ```csharp
+   * int Field;
+   *
+   * void SetField(int i) {
+   *   this.Field = i;
+   *   Use(this.Field);
+   *   if (i > 0)
+   *     this.Field = i - 1;
+   *   else if (i < 0)
+   *     SetField(1);
+   *   Use(this.Field);
+   *   Use(this.Field);
+   * }
+   * ```
+   *
+   * - The read of `i` on line 4 can be reached from the explicit SSA
+   *   definition (wrapping an implicit entry definition) on line 3.
+   * - The reads of `i` on lines 6 and 7 are not the first reads of any SSA
+   *   definition.
+   * - The read of `this.Field` on line 5 can be reached from the explicit SSA
+   *   definition on line 4.
+   * - The read of `this.Field` on line 10 can be reached from the phi node
+   *   between lines 9 and 10.
+   * - The read of `this.Field` on line 11 is not the first read of any SSA
+   *   definition.
+   *
+   * Subsequent reads can be found by following the steps defined by
+   * `AssignableRead.getANextRead()`.
+   */
+  AssignableRead ssaGetAFirstUse(SsaDefinition def) { SsaImpl::firstReadSameVar(def, result) }
+
+  /**
+   * DEPRECATED: Use `SsaDefinition` instead.
+   *
    * A static single assignment (SSA) definition. Either an explicit variable
    * definition (`ExplicitDefinition`), an implicit variable definition
    * (`ImplicitDefinition`), or a phi node (`PhiNode`).
    */
-  class Definition extends SsaImpl::Definition {
+  deprecated class Definition extends SsaImpl::Definition {
     /** Gets the control flow node of this SSA definition. */
     final ControlFlowNode getControlFlowNode() {
       exists(BasicBlock bb, int i | this.definesAt(_, bb, i) | result = bb.getNode(0.maximum(i)))
@@ -203,9 +233,11 @@ module Ssa {
      * - The reads of `this.Field` on lines 10 and 11 can be reached from the phi
      *   node between lines 9 and 10.
      */
-    final AssignableRead getARead() { result = this.getAReadAtNode(_) }
+    final AssignableRead getARead() { result = SsaImpl::getAReadAtNode(this, _) }
 
     /**
+     * DEPRECATED: Use `getARead()` instead.
+     *
      * Gets a read of the source variable underlying this SSA definition at
      * control flow node `cfn` that can be reached from this SSA definition
      * without passing through any other SSA definitions. Example:
@@ -232,11 +264,13 @@ module Ssa {
      * - The reads of `this.Field` on lines 10 and 11 can be reached from the phi
      *   node between lines 9 and 10.
      */
-    final AssignableRead getAReadAtNode(ControlFlowNode cfn) {
+    deprecated final AssignableRead getAReadAtNode(ControlFlowNode cfn) {
       result = SsaImpl::getAReadAtNode(this, cfn)
     }
 
     /**
+     * DEPRECATED: Use `ssaGetAFirstUse` instead.
+     *
      * Gets a read of the source variable underlying this SSA definition that
      * can be reached from this SSA definition without passing through any
      * other SSA definition or read. Example:
@@ -270,9 +304,11 @@ module Ssa {
      * Subsequent reads can be found by following the steps defined by
      * `AssignableRead.getANextRead()`.
      */
-    final AssignableRead getAFirstRead() { result = this.getAFirstReadAtNode(_) }
+    deprecated final AssignableRead getAFirstRead() { result = this.getAFirstReadAtNode(_) }
 
     /**
+     * DEPRECATED: Use `ssaGetAFirstUse` instead.
+     *
      * Gets a read of the source variable underlying this SSA definition at
      * control flow node `cfn` that can be reached from this SSA definition
      * without passing through any other SSA definition or read. Example:
@@ -306,8 +342,8 @@ module Ssa {
      * Subsequent reads can be found by following the steps defined by
      * `AssignableRead.getANextRead()`.
      */
-    final AssignableRead getAFirstReadAtNode(ControlFlowNode cfn) {
-      SsaImpl::firstReadSameVar(this, cfn) and
+    deprecated final AssignableRead getAFirstReadAtNode(ControlFlowNode cfn) {
+      SsaImpl::firstReadSameVar(this, result) and
       result.getControlFlowNode() = cfn
     }
 
@@ -316,8 +352,8 @@ module Ssa {
      * includes inputs to phi nodes and the prior definitions of uncertain writes.
      */
     private Definition getAPhiInputOrPriorDefinition() {
-      result = this.(PhiNode).getAnInput() or
-      result = this.(UncertainDefinition).getPriorDefinition()
+      result = this.(SsaPhiDefinition).getAnInput() or
+      result = this.(SsaUncertainWrite).getPriorDefinition()
     }
 
     /**
@@ -351,7 +387,7 @@ module Ssa {
      */
     final Definition getAnUltimateDefinition() {
       result = this.getAPhiInputOrPriorDefinition*() and
-      not result instanceof PhiNode
+      not result instanceof SsaPhiDefinition
     }
 
     /**
@@ -363,37 +399,46 @@ module Ssa {
       result.(ControlFlowElement).getControlFlowNode() = this.getControlFlowNode()
     }
 
-    /** Gets the callable to which this SSA definition belongs. */
-    final Callable getEnclosingCallable() {
+    /**
+     * DEPRECATED: Use `getSourceVariable().getEnclosingCallable()` instead.
+     *
+     * Gets the callable to which this SSA definition belongs.
+     */
+    deprecated final Callable getEnclosingCallable() {
       result = this.getSourceVariable().getEnclosingCallable()
     }
 
     /**
+     * DEPRECATED.
+     *
      * Holds if this SSA definition assigns to `out`/`ref` parameter `p`, and the
      * parameter may remain unchanged throughout the rest of the enclosing callable.
      */
-    final predicate isLiveOutRefParameterDefinition(Parameter p) {
+    deprecated final predicate isLiveOutRefParameterDefinition(Parameter p) {
       SsaImpl::isLiveOutRefParameterDefinition(this, p)
     }
-
-    /** Gets the location of this SSA definition. */
-    override Location getLocation() { none() }
   }
 
   /**
+   * DEPRECATED: Use `SsaExplicitWrite` instead.
+   *
    * An SSA definition that corresponds to an explicit assignable definition.
    */
-  class ExplicitDefinition extends Definition, SsaImpl::WriteDefinition {
+  deprecated class ExplicitDefinition extends Definition, SsaImpl::WriteDefinition {
     AssignableDefinition ad;
 
     ExplicitDefinition() { SsaImpl::explicitDefinition(this, _, ad) }
 
     /**
+     * DEPRECATED: Use `SsaExplicitWrite.getDefinition()` instead.
+     *
      * Gets an underlying assignable definition. The result is always unique,
      * except for pathological `out`/`ref` assignments like `M(out x, out x)`,
      * where there may be more than one underlying definition.
      */
-    final AssignableDefinition getADefinition() { result = SsaImpl::getADefinition(this) }
+    deprecated final AssignableDefinition getADefinition() {
+      result = SsaImpl::getADefinition(this)
+    }
 
     /**
      * DEPRECATED.
@@ -454,20 +499,18 @@ module Ssa {
     }
 
     override Element getElement() { result = ad.getElement() }
-
-    override string toString() { result = "SSA def(" + this.getSourceVariable() + ")" }
-
-    override Location getLocation() { result = ad.getLocation() }
   }
 
   /**
+   * DEPRECATED: Use `SsaParameterInit` or `SsaImplicitWrite` instead.
+   *
    * An SSA definition that does not correspond to an explicit variable definition.
    * Either an implicit initialization of a variable at the beginning of a callable
    * (`ImplicitEntryDefinition`), an implicit definition via a call
    * (`ImplicitCallDefinition`), or an implicit definition where the qualifier is
    * updated (`ImplicitQualifierDefinition`).
    */
-  class ImplicitDefinition extends Definition, SsaImpl::WriteDefinition {
+  deprecated class ImplicitDefinition extends Definition, SsaImpl::WriteDefinition {
     ImplicitDefinition() {
       exists(BasicBlock bb, SourceVariable v, int i | this.definesAt(v, bb, i) |
         SsaImpl::implicitEntryDefinition(bb, v) and
@@ -481,11 +524,13 @@ module Ssa {
   }
 
   /**
+   * DEPRECATED: Use `SsaParameterInit` or `SsaImplicitEntryDefinition` instead.
+   *
    * An SSA definition representing the implicit initialization of a variable
-   * at the beginning of a callable. Either a parameter, a local scope variable
-   * captured by the callable, or a field or property accessed inside the callable.
+   * at the beginning of a callable. Either a local scope variable captured by
+   * the callable or a field or property accessed inside the callable.
    */
-  class ImplicitEntryDefinition extends ImplicitDefinition {
+  deprecated class ImplicitEntryDefinition extends ImplicitDefinition {
     ImplicitEntryDefinition() {
       exists(BasicBlock bb, SourceVariable v |
         this.definesAt(v, bb, -1) and
@@ -497,69 +542,40 @@ module Ssa {
     final Callable getCallable() { result = this.getBasicBlock().getEnclosingCallable() }
 
     override Element getElement() { result = this.getCallable() }
-
-    override string toString() {
-      if this.getSourceVariable().getAssignable() instanceof LocalScopeVariable
-      then result = "SSA capture def(" + this.getSourceVariable() + ")"
-      else result = "SSA entry def(" + this.getSourceVariable() + ")"
-    }
-
-    override Location getLocation() { result = this.getCallable().getLocation() }
-  }
-
-  private module NearestLocationInput implements NearestLocationInputSig {
-    class C = ImplicitParameterDefinition;
-
-    predicate relevantLocations(ImplicitParameterDefinition def, Location l1, Location l2) {
-      not def.getBasicBlock() instanceof EntryBasicBlock and
-      l1 = def.getParameter().getALocation() and
-      l2 = def.getBasicBlock().getLocation()
-    }
-  }
-
-  pragma[nomagic]
-  private predicate implicitEntryDef(ImplicitEntryDefinition def, SourceVariable v, Callable c) {
-    v = def.getSourceVariable() and
-    c = def.getCallable()
   }
 
   /**
-   * An SSA definition representing the implicit initialization of a parameter
-   * at the beginning of a callable.
+   * DEPRECATED: Use `SsaParameterInit` instead.
    */
-  class ImplicitParameterDefinition extends ImplicitEntryDefinition {
+  deprecated final class ImplicitParameterDefinition = SsaImpl::ParameterDefinitionImpl;
+
+  deprecated private class ExplicitParameterDefinition extends ExplicitDefinition,
+    SsaImpl::ParameterDefinitionImpl
+  {
     private Parameter p;
+    override AssignableDefinitions::ImplicitParameterDefinition ad;
 
-    ImplicitParameterDefinition() {
-      exists(SourceVariable sv, Callable c |
-        implicitEntryDef(this, sv, c) and
-        localScopeSourceVariable(sv, p, _, c)
-      )
+    ExplicitParameterDefinition() { p = ad.getParameter() }
+
+    override Parameter getParameter() { result = p }
+
+    override string toString() { result = SsaImpl::ParameterDefinitionImpl.super.toString() }
+  }
+
+  /** An SSA definition in a closure that captures a variable. */
+  class SsaCapturedDefinition extends SsaImplicitEntryDefinition {
+    SsaCapturedDefinition() {
+      this.getSourceVariable().getAssignable() instanceof LocalScopeVariable
     }
 
-    /** Gets the parameter that this entry definition represents. */
-    Parameter getParameter() { result = p }
-
-    override Element getElement() { result = this.getParameter() }
-
-    override string toString() {
-      result = "SSA param(" + pragma[only_bind_out](this.getParameter()) + ")"
-    }
-
-    override Location getLocation() {
-      not NearestLocation<NearestLocationInput>::nearestLocation(this, _, _) and
-      result = p.getLocation()
-      or
-      // multi-bodied method: use matching parameter location
-      NearestLocation<NearestLocationInput>::nearestLocation(this, result, _)
-    }
+    override string toString() { result = "SSA capture def(" + this.getSourceVariable() + ")" }
   }
 
   /**
    * An SSA definition representing the potential definition of a variable
    * via a call.
    */
-  class ImplicitCallDefinition extends ImplicitDefinition {
+  class ImplicitCallDefinition extends SsaImplicitWrite {
     private Call c;
 
     ImplicitCallDefinition() {
@@ -586,18 +602,17 @@ module Ssa {
     }
 
     override string toString() { result = "SSA call def(" + this.getSourceVariable() + ")" }
-
-    override Location getLocation() { result = this.getCall().getLocation() }
   }
 
   /**
    * An SSA definition representing the potential definition of a variable
    * via an SSA definition for the qualifier.
    */
-  class ImplicitQualifierDefinition extends ImplicitDefinition, SsaImpl::WriteDefinition {
-    private Definition q;
+  class ImplicitQualifierDefinition extends SsaImplicitWrite {
+    private SsaDefinition q;
 
     ImplicitQualifierDefinition() {
+      not this instanceof SsaImplicitEntryDefinition and
       exists(BasicBlock bb, int i, SourceVariables::QualifiedFieldOrPropSourceVariable v |
         this.definesAt(v, bb, i)
       |
@@ -607,19 +622,19 @@ module Ssa {
     }
 
     /** Gets the SSA definition for the qualifier. */
-    final Definition getQualifierDefinition() { result = q }
+    final SsaDefinition getQualifierDefinition() { result = q }
 
     override string toString() { result = "SSA qualifier def(" + this.getSourceVariable() + ")" }
-
-    override Location getLocation() { result = this.getQualifierDefinition().getLocation() }
   }
 
   /**
+   * DEPRECATED: Use `SsaPhiDefinition` instead.
+   *
    * An SSA phi node, that is, a pseudo definition for a variable at a point
    * in the flow graph where otherwise two or more definitions for the variable
    * would be visible.
    */
-  class PhiNode extends Definition, SsaImpl::PhiNode {
+  deprecated class PhiNode extends Definition, SsaImpl::PhiNode {
     /**
      * Gets an input of this phi node. Example:
      *
@@ -648,27 +663,17 @@ module Ssa {
     predicate hasInputFromBlock(Definition inp, BasicBlock bb) {
       inp = SsaImpl::phiHasInputFromBlock(this, bb)
     }
-
-    override string toString() { result = "SSA phi(" + this.getSourceVariable() + ")" }
-
-    /*
-     * The location of a phi node is the same as the location of the first node
-     * in the basic block in which it is defined.
-     *
-     * Strictly speaking, the node is *before* the first node, but such a location
-     * does not exist in the source program.
-     */
-
-    override Location getLocation() { result = this.getBasicBlock().getFirstNode().getLocation() }
   }
 
   /**
+   * DEPRECATED: Use `SsaUncertainWrite` instead.
+   *
    * An SSA definition that represents an uncertain update of the underlying
    * assignable. Either an explicit update that is uncertain (`ref` assignments
    * need not be certain), an implicit non-local update via a call, or an
    * uncertain update of the qualifier.
    */
-  class UncertainDefinition extends Definition, SsaImpl::UncertainWriteDefinition {
+  deprecated class UncertainDefinition extends Definition, SsaImpl::UncertainWriteDefinition {
     /**
      * Gets the immediately preceding definition. Since this update is uncertain,
      * the value from the preceding definition might still be valid.

csharp/ql/lib/semmle/code/csharp/dataflow/internal/BaseSSA.qll

@@ -1,9 +1,20 @@
-import csharp
+private import csharp as CS
 
 /**
  * Provides a simple SSA implementation for local scope variables.
  */
 module BaseSsa {
+  private import BaseSsaImpl
+
+  class SimpleLocalScopeVariable = BaseSsaImpl::SimpleLocalScopeVariable;
+
+  module Ssa = SsaImpl::MakeSsa<SsaInput>;
+
+  import Ssa
+}
+
+private module BaseSsaImpl {
+  private import CS
   private import AssignableDefinitions
   private import codeql.ssa.Ssa as SsaImplCommon
 
@@ -13,7 +24,7 @@ module BaseSsa {
     predicate ref() { any() }
 
     cached
-    predicate backref() { (exists(any(SsaDefinition def).getARead()) implies any()) }
+    predicate backref() { (exists(any(BaseSsa::SsaDefinition def).getARead()) implies any()) }
   }
 
   /**
@@ -112,11 +123,9 @@ module BaseSsa {
     }
   }
 
-  private module SsaImpl = SsaImplCommon::Make<Location, Cfg, SsaImplInput>;
-
-  private module SsaInput implements SsaImpl::SsaInputSig {
-    private import csharp as CS
+  module SsaImpl = SsaImplCommon::Make<Location, Cfg, SsaImplInput>;
 
+  module SsaInput implements SsaImpl::SsaInputSig {
     class Expr = CS::Expr;
 
     class Parameter = CS::Parameter;
@@ -139,8 +148,4 @@ module BaseSsa {
       w.isParameterInit(v)
     }
   }
-
-  module Ssa = SsaImpl::MakeSsa<SsaInput>;
-
-  import Ssa
 }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -175,6 +175,18 @@ private module ThisFlow {
     result = strictcount(int primaryParamPos | primaryConstructorThisAccess(_, bb, primaryParamPos))
   }
 
+  private module BodyNearestLocationInput implements NearestLocationInputSig {
+    class C = ControlFlowElement;
+
+    predicate relevantLocations(ControlFlowElement body, Location l1, Location l2) {
+      exists(DataFlowCallable c |
+        any(InstanceParameterNode p).isParameterOf(c, _) and
+        body = c.asCallable(l1).getBody() and
+        l2 = body.getLocation()
+      )
+    }
+  }
+
   private predicate thisAccess(Node n, BasicBlock bb, int i) {
     thisAccess(n, bb.getNode(i))
     or
@@ -183,21 +195,29 @@ private module ThisFlow {
       i = ppos - numberOfPrimaryConstructorParameters(bb)
     )
     or
-    exists(DataFlowCallable c, EntryBasicBlock entry |
-      n.(InstanceParameterNode).isParameterOf(c, _) and
-      exists(ControlFlowNode succ |
-        succ = c.getAControlFlowNode() and
-        succ = entry.getFirstNode().getASuccessor() and
+    exists(Callable c, InstanceParameterNode p, Location l |
+      p = n and
+      c = p.getCallable(l) and
+      (
         // In case `c` has multiple bodies, we want each body to gets its own implicit
-        // entry definition. In case `c` doesn't have multiple bodies, the line below
-        // is simply the same as `bb = entry`, because `entry.getFirstNode().getASuccessor()`
-        // will be in the entry block.
-        bb = succ.getBasicBlock()
-      |
-        i = -1 - numberOfPrimaryConstructorParameters(bb)
+        // entry definition.
+        exists(ControlFlowElement body |
+          body = c.getBody() and
+          bb.getANode().isBefore(body) and
+          NearestLocation<BodyNearestLocationInput>::nearestLocation(body, l, _)
+        )
         or
-        not exists(numberOfPrimaryConstructorParameters(bb)) and i = -1
+        not c.hasBody() and
+        exists(EntryBasicBlock entry, ControlFlowNode succ |
+          succ = p.getEnclosingCallableImpl().getAControlFlowNode() and
+          succ = entry.getFirstNode().getASuccessor() and
+          bb = succ.getBasicBlock()
+        )
       )
+    |
+      i = -1 - numberOfPrimaryConstructorParameters(bb)
+      or
+      not exists(numberOfPrimaryConstructorParameters(bb)) and i = -1
     )
   }
 
@@ -250,10 +270,10 @@ module VariableCapture {
   private predicate closureFlowStep(ControlFlowNodes::ExprNode e1, ControlFlowNodes::ExprNode e2) {
     e1.getExpr() = LocalFlow::getALastEvalNode(e2.getExpr())
     or
-    exists(Ssa::Definition def, AssignableDefinition adef |
+    exists(SsaDefinition def, AssignableDefinition adef |
       LocalFlow::defAssigns(adef, _, _, e1) and
-      def.getAnUltimateDefinition().(Ssa::ExplicitDefinition).getADefinition() = adef and
-      exists(def.getAReadAtNode(e2))
+      def.getAnUltimateDefinition().(SsaExplicitWrite).getDefinition() = adef and
+      def.getARead().getControlFlowNode() = e2
     )
   }
 
@@ -580,8 +600,8 @@ module LocalFlow {
     or
     ThisFlow::adjacentThisRefs(nodeFrom.(PostUpdateNode).getPreUpdateNode(), nodeTo)
     or
-    exists(AssignableDefinition def, ControlFlowNode cfn, Ssa::ExplicitDefinition ssaDef |
-      ssaDef.getADefinition() = def and
+    exists(AssignableDefinition def, ControlFlowNode cfn, SsaExplicitWrite ssaDef |
+      ssaDef.getDefinition() = def and
       ssaDef.getControlFlowNode() = cfn and
       nodeFrom = TAssignableDefinitionNode(def, cfn) and
       nodeTo.(SsaDefinitionNode).getDefinition() = ssaDef
@@ -918,8 +938,6 @@ private Gvn::GvnType getANonTypeParameterSubTypeRestricted(RelevantGvnType t) {
 
 /** A callable with an implicit `this` parameter. */
 private class InstanceCallable extends Callable {
-  private Location l;
-
   InstanceCallable() {
     not this.(Modifiable).isStatic() and
     // local functions and delegate capture `this` and should therefore
@@ -927,8 +945,6 @@ private class InstanceCallable extends Callable {
     not this instanceof LocalFunction and
     not this instanceof AnonymousFunctionExpr
   }
-
-  Location getARelevantLocation() { result = l }
 }
 
 /**
@@ -1019,8 +1035,7 @@ private module Cached {
     } or
     TInstanceParameterNode(InstanceCallable c, Location l) {
       c = any(DataFlowCallable dfc).asCallable(l) and
-      c instanceof CallableUsedInSource and
-      l = c.getARelevantLocation()
+      c instanceof CallableUsedInSource
     } or
     TDelegateSelfReferenceNode(Callable c) { lambdaCreationExpr(_, c) } or
     TLocalFunctionCreationNode(ControlFlowNodes::ElementNode cfn, Boolean isPostUpdate) {
@@ -1229,7 +1244,7 @@ class SsaNode extends NodeImpl, TSsaNode {
 class SsaDefinitionNode extends SsaNode {
   override SsaImpl::DataFlowIntegration::SsaDefinitionNode node;
 
-  Ssa::Definition getDefinition() { result = node.getDefinition() }
+  SsaDefinition getDefinition() { result = node.getDefinition() }
 
   override ControlFlowNode getControlFlowNodeImpl() {
     result = this.getDefinition().getControlFlowNode()
@@ -1287,12 +1302,6 @@ private module NearestLocationInputParamAfterCallable implements NearestLocation
 }
 
 private module ParameterNodes {
-  pragma[nomagic]
-  private predicate ssaParamDef(Ssa::ImplicitParameterDefinition ssaDef, Parameter p, Location l) {
-    p = ssaDef.getParameter() and
-    l = ssaDef.getLocation()
-  }
-
   private module NearestLocationInputParamBeforeCallable implements NearestLocationInputSig {
     class C = Parameter;
 
@@ -1343,11 +1352,9 @@ private module ParameterNodes {
     }
 
     /** Gets the SSA definition corresponding to this parameter, if any. */
-    Ssa::ImplicitParameterDefinition getSsaDefinition() {
-      exists(Parameter p, Location l |
-        l = this.getParameterLocation(p) and
-        ssaParamDef(result, p, l)
-      )
+    SsaParameterInit getSsaDefinition() {
+      result.getParameter() = parameter and
+      result.getBasicBlock() = callable.getABasicBlock()
     }
 
     override predicate isParameterOf(DataFlowCallable c, ParameterPosition pos) {
@@ -1423,7 +1430,7 @@ private module ParameterNodes {
   }
 
   /** An implicit entry definition for a captured variable. */
-  class SsaCapturedEntryDefinition extends Ssa::ImplicitEntryDefinition {
+  deprecated class SsaCapturedEntryDefinition extends Ssa::ImplicitEntryDefinition {
     private LocalScopeVariable v;
 
     SsaCapturedEntryDefinition() { this.getSourceVariable().getAssignable() = v }
@@ -1598,7 +1605,7 @@ private module ReturnNodes {
 
     OutRefReturnNode() {
       exists(Parameter p |
-        this.getDefinition().isLiveOutRefParameterDefinition(p) and
+        SsaImpl::isLiveOutRefParameterDefinition(this.getDefinition(), p) and
         kind.getPosition() = p.getPosition()
       |
         p.isOut() and kind instanceof OutReturnKind
@@ -2001,12 +2008,9 @@ private class FieldOrPropertyRead extends FieldOrPropertyAccess, AssignableRead
    * SSA updates.
    */
   predicate hasNonlocalValue() {
-    exists(Ssa::Definition def, Ssa::ImplicitDefinition idef |
+    exists(SsaDefinition def |
       def.getARead() = this and
-      idef = def.getAnUltimateDefinition()
-    |
-      idef instanceof Ssa::ImplicitEntryDefinition or
-      idef instanceof Ssa::ImplicitCallDefinition
+      def.getAnUltimateDefinition() instanceof SsaImplicitWrite
     )
   }
 }
@@ -2205,12 +2209,11 @@ private predicate readContentStep(Node node1, Content c, Node node2) {
   c instanceof ElementContent
   or
   exists(
-    ForeachStmt fs, Ssa::ExplicitDefinition def,
-    AssignableDefinitions::LocalVariableDefinition defTo
+    ForeachStmt fs, SsaExplicitWrite def, AssignableDefinitions::LocalVariableDefinition defTo
   |
     node1.asExpr() = fs.getIterableExpr() and
     defTo.getDeclaration() = fs.getVariableDeclExpr() and
-    def.getADefinition() = defTo and
+    def.getDefinition() = defTo and
     node2.(SsaDefinitionNode).getDefinition() = def and
     c instanceof ElementContent
   )

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -7,8 +7,9 @@ private import codeql.ssa.Ssa as SsaImplCommon
 private import AssignableDefinitions
 private import semmle.code.csharp.controlflow.Guards as Guards
 private import semmle.code.csharp.dataflow.internal.BaseSSA
+private import semmle.code.csharp.internal.Location
 
-private module SsaInput implements SsaImplCommon::InputSig<Location, BasicBlock> {
+private module SsaImplInput implements SsaImplCommon::InputSig<Location, BasicBlock> {
   class SourceVariable = Ssa::SourceVariable;
 
   /**
@@ -40,15 +41,52 @@ private module SsaInput implements SsaImplCommon::InputSig<Location, BasicBlock>
   }
 }
 
-import SsaImplCommon::Make<Location, Cfg, SsaInput> as Impl
+import SsaImplCommon::Make<Location, Cfg, SsaImplInput> as Impl
+
+private module SsaInput implements Impl::SsaInputSig {
+  private import csharp as CS
+
+  class Expr = CS::Expr;
+
+  class Parameter = CS::Parameter;
+
+  class VariableWrite extends AssignableDefinition {
+    Expr asExpr() { result = this.getExpr() }
+
+    Expr getValue() { result = this.getSource() }
+
+    predicate isParameterInit(Parameter p) { this.(ImplicitParameterDefinition).getParameter() = p }
+  }
+
+  predicate explicitWrite(VariableWrite w, BasicBlock bb, int i, SsaImplInput::SourceVariable v) {
+    exists(AssignableDefinition ad | variableDefinition(bb, i, v, ad) |
+      w = ad or
+      w = getASameOutRefDefAfter(v, ad)
+    )
+    or
+    exists(Parameter p |
+      implicitEntryDefinition(bb, v) and
+      i = -1 and
+      p = v.getAssignable() and
+      pragma[only_bind_out](p.getCallable()) = pragma[only_bind_out](v.getEnclosingCallable()) and
+      w.isParameterInit(p)
+    )
+  }
+}
+
+module Ssa_ = Impl::MakeSsa<SsaInput>;
 
 class Definition = Impl::Definition;
 
-class WriteDefinition = Impl::WriteDefinition;
+private class SsaDefinitionToStringProxy extends Definition {
+  override string toString() { result = this.(SsaDefinition).toString() }
+}
 
-class UncertainWriteDefinition = Impl::UncertainWriteDefinition;
+deprecated class WriteDefinition = Impl::WriteDefinition;
 
-class PhiNode = Impl::PhiNode;
+deprecated class UncertainWriteDefinition = Impl::UncertainWriteDefinition;
+
+deprecated class PhiNode = Impl::PhiNode;
 
 module Consistency = Impl::Consistency;
 
@@ -126,7 +164,6 @@ private module SourceVariableImpl {
    */
   predicate variableDefinition(BasicBlock bb, int i, Ssa::SourceVariable v, AssignableDefinition ad) {
     ad = v.getADefinition() and
-    ad.getExpr().getControlFlowNode() = bb.getNode(i) and
     // In cases like `(x, x) = (0, 1)`, we discard the first (dead) definition of `x`
     not exists(TupleAssignmentDefinition first, TupleAssignmentDefinition second | first = ad |
       second.getAssignment() = first.getAssignment() and
@@ -136,7 +173,13 @@ private module SourceVariableImpl {
     // In cases like `M(out x, out x)`, there is no inherent evaluation order, so we
     // collapse the two definitions of `x`, using the first access as the representative,
     // and expose both definitions in `ExplicitDefinition.getADefinition()`
-    not ad = getASameOutRefDefAfter(v, _)
+    not ad = getASameOutRefDefAfter(v, _) and
+    (
+      ad.getExpr().getControlFlowNode() = bb.getNode(i)
+      or
+      ad.(AssignableDefinitions::ImplicitParameterDefinition).getParameter().getControlFlowNode() =
+        bb.getNode(i)
+    )
   }
 
   /**
@@ -243,6 +286,15 @@ private module SourceVariableImpl {
 private import SourceVariableImpl
 private import Ssa::SourceVariables
 
+pragma[nomagic]
+predicate localScopeSourceVariable(
+  Ssa::SourceVariables::LocalScopeSourceVariable sv, LocalScopeVariable v, Callable c1, Callable c2
+) {
+  sv.getAssignable() = v and
+  sv.getEnclosingCallable() = c1 and
+  v.getCallable() = c2
+}
+
 private module CallGraph {
   private import semmle.code.csharp.dispatch.Dispatch
 
@@ -753,34 +805,26 @@ private module Cached {
 
   cached
   predicate implicitEntryDefinition(BasicBlock bb, Ssa::SourceVariable v) {
-    exists(EntryBasicBlock entry, Callable c |
-      c = entry.getEnclosingCallable() and
-      // In case `c` has multiple bodies, we want each body to get its own implicit
-      // entry definition. In case `c` doesn't have multiple bodies, the line below
-      // is simply the same as `bb = entry`, because `entry.getFirstNode().getASuccessor()`
-      // will be in the entry block.
-      bb = entry.getFirstNode().getASuccessor().getBasicBlock() and
-      c = v.getEnclosingCallable()
-    |
-      // Captured variable
-      exists(LocalScopeVariable lsv |
-        v = any(LocalScopeSourceVariable lv | lsv = lv.getAssignable())
-      |
-        lsv.getCallable() != c
+    exists(Callable c | c = v.getEnclosingCallable() |
+      c = bb.(EntryBasicBlock).getEnclosingCallable() and
+      (
+        // Captured variable
+        exists(LocalScopeVariable lsv |
+          v = any(LocalScopeSourceVariable lv | lsv = lv.getAssignable())
+        |
+          lsv.getCallable() != c
+        )
+        or
+        // Each tracked field and property has an implicit entry definition
+        v instanceof PlainFieldOrPropSourceVariable
       )
       or
-      // Each tracked field and property has an implicit entry definition
-      v instanceof PlainFieldOrPropSourceVariable
-      or
-      v.getAssignable() instanceof Parameter
-    )
-  }
-
-  cached
-  AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) {
-    exists(Ssa::SourceVariable v, AssignableDefinition ad | explicitDefinition(def, v, ad) |
-      result = ad or
-      result = getASameOutRefDefAfter(v, ad)
+      // In case `c` has multiple bodies, we want each body to get its own set of
+      // parameter definitions, so we add special writes to the start of the basic
+      // blocks containing the bodies
+      strictcount(c.getBody()) > 1 and
+      v.getAssignable() instanceof Parameter and
+      bb.getANode().isBefore(c.getBody())
     )
   }
 
@@ -800,7 +844,7 @@ private module Cached {
   predicate variableWriteQualifier(
     BasicBlock bb, int i, QualifiedFieldOrPropSourceVariable v, boolean certain
   ) {
-    SsaInput::variableWrite(bb, i, v.getQualifier(), certain) and
+    SsaImplInput::variableWrite(bb, i, v.getQualifier(), certain) and
     // Eliminate corner case where a call definition can overlap with a
     // qualifier definition: if method `M` updates field `F`, then a call
     // to `M` is both an update of `x.M` and `x.M.M`, so the former call
@@ -809,41 +853,15 @@ private module Cached {
     not updatesNamedFieldOrProp(bb, i, _, v, _)
   }
 
-  cached
-  predicate explicitDefinition(WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad) {
-    exists(BasicBlock bb, int i |
-      def.definesAt(v, bb, i) and
-      variableDefinition(bb, i, v, ad)
-    )
-  }
-
-  cached
-  predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) {
-    Impl::ssaDefReachesEndOfBlock(bb, def, _)
-  }
-
-  cached
-  Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) {
-    Impl::phiHasInputFromBlock(phi, result, bb)
-  }
-
-  cached
-  AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) {
-    exists(Ssa::SourceVariable v, BasicBlock bb, int i |
-      Impl::ssaDefReachesRead(v, def, bb, i) and
-      variableReadActual(bb, i, v) and
-      cfn = bb.getNode(i) and
-      result.getControlFlowNode() = cfn
-    )
-  }
-
   /**
-   * Holds if the value defined at SSA definition `def` can reach a read at `cfn`,
+   * Holds if the value defined at SSA definition `def` can reach a read `read`,
    * without passing through any other read.
    */
   cached
-  predicate firstReadSameVar(Definition def, ControlFlowNode cfn) {
-    exists(BasicBlock bb, int i | Impl::firstUse(def, bb, i, true) and cfn = bb.getNode(i))
+  predicate firstReadSameVar(Definition def, AssignableRead read) {
+    exists(BasicBlock bb, int i |
+      Impl::firstUse(def, bb, i, true) and read.getControlFlowNode() = bb.getNode(i)
+    )
   }
 
   /**
@@ -861,15 +879,14 @@ private module Cached {
     )
   }
 
+  /**
+   * Holds if the SSA definition `def` assigns to `out`/`ref` parameter `p`, and the
+   * parameter may remain unchanged throughout the rest of the enclosing callable.
+   */
   cached
-  Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
-    Impl::uncertainWriteDefinitionInput(def, result)
-  }
-
-  cached
-  predicate isLiveOutRefParameterDefinition(Ssa::Definition def, Parameter p) {
+  predicate isLiveOutRefParameterDefinition(SsaDefinition def, Parameter p) {
     p.isOutOrRef() and
-    exists(Ssa::SourceVariable v, Ssa::Definition def0, BasicBlock bb, int i |
+    exists(Ssa::SourceVariable v, SsaDefinition def0, BasicBlock bb, int i |
       v = def.getSourceVariable() and
       p = v.getAssignable() and
       def = def0.getAnUltimateDefinition() and
@@ -951,6 +968,43 @@ private module Cached {
 
 import Cached
 
+deprecated AssignableDefinition getADefinition(Ssa::ExplicitDefinition def) {
+  exists(Ssa::SourceVariable v, AssignableDefinition ad | explicitDefinition(def, v, ad) |
+    result = ad or
+    result = getASameOutRefDefAfter(v, ad)
+  )
+}
+
+deprecated predicate explicitDefinition(
+  WriteDefinition def, Ssa::SourceVariable v, AssignableDefinition ad
+) {
+  exists(BasicBlock bb, int i |
+    def.definesAt(v, bb, i) and
+    variableDefinition(bb, i, v, ad)
+  )
+}
+
+deprecated predicate isLiveAtEndOfBlock(Definition def, BasicBlock bb) {
+  Impl::ssaDefReachesEndOfBlock(bb, def, _)
+}
+
+deprecated Definition phiHasInputFromBlock(Ssa::PhiNode phi, BasicBlock bb) {
+  Impl::phiHasInputFromBlock(phi, result, bb)
+}
+
+deprecated AssignableRead getAReadAtNode(Definition def, ControlFlowNode cfn) {
+  exists(Ssa::SourceVariable v, BasicBlock bb, int i |
+    Impl::ssaDefReachesRead(v, def, bb, i) and
+    variableReadActual(bb, i, v) and
+    cfn = bb.getNode(i) and
+    result.getControlFlowNode() = cfn
+  )
+}
+
+deprecated Definition uncertainWriteDefinitionInput(UncertainWriteDefinition def) {
+  Impl::uncertainWriteDefinitionInput(def, result)
+}
+
 private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInputSig {
   private import codeql.util.Boolean
 
@@ -958,20 +1012,20 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
     predicate hasCfgNode(BasicBlock bb, int i) { this = bb.getNode(i) }
   }
 
-  Expr getARead(Definition def) { exists(getAReadAtNode(def, result)) }
+  Expr getARead(Definition def) { def.(SsaDefinition).getARead().getControlFlowNode() = result }
 
-  predicate ssaDefHasSource(WriteDefinition def) {
+  predicate ssaDefHasSource(Impl::WriteDefinition def) {
     // exclude flow directly from RHS to SSA definition, as we instead want to
     // go from RHS to matching assignable definition, and from there to SSA definition
-    def instanceof Ssa::ImplicitParameterDefinition
+    def instanceof SsaParameterInit
   }
 
   /**
-   * Allows for flow into uncertain defintions that are not call definitions,
+   * Allows for flow into uncertain definitions that are not call definitions,
    * as we, conservatively, consider such definitions to be certain.
    */
-  predicate allowFlowIntoUncertainDef(UncertainWriteDefinition def) {
-    def instanceof Ssa::ExplicitDefinition
+  predicate allowFlowIntoUncertainDef(Impl::UncertainWriteDefinition def) {
+    def instanceof SsaExplicitWrite
     or
     def =
       any(Ssa::ImplicitQualifierDefinition qdef |
@@ -995,3 +1049,58 @@ private module DataFlowIntegrationInput implements Impl::DataFlowIntegrationInpu
 }
 
 private module DataFlowIntegrationImpl = Impl::DataFlowIntegration<DataFlowIntegrationInput>;
+
+deprecated private module MultiBodyNearestLocationInput implements NearestLocationInputSig {
+  class C = MultiBodyParameterDefinition;
+
+  predicate relevantLocations(MultiBodyParameterDefinition def, Location l1, Location l2) {
+    exists(Callable c, ControlFlowNode n |
+      l1 = def.getParameter().getALocation() and
+      n = def.getBasicBlock().getANode() and
+      n.isBefore(c.getBody()) and
+      l2 = n.getLocation()
+    )
+  }
+}
+
+pragma[nomagic]
+deprecated private predicate implicitEntryDef(
+  Ssa::ImplicitEntryDefinition def, Ssa::SourceVariable v, Callable c
+) {
+  v = def.getSourceVariable() and
+  c = def.getCallable()
+}
+
+/**
+ * An SSA definition representing the implicit initialization of a parameter
+ * at the beginning of a callable.
+ */
+abstract deprecated class ParameterDefinitionImpl extends Ssa::Definition {
+  /** Gets the parameter that this definition represents. */
+  abstract Parameter getParameter();
+
+  override string toString() {
+    result = "SSA param(" + pragma[only_bind_out](this.getParameter()) + ")"
+  }
+}
+
+deprecated class MultiBodyParameterDefinition extends ParameterDefinitionImpl,
+  Ssa::ImplicitEntryDefinition
+{
+  private Parameter p;
+
+  MultiBodyParameterDefinition() {
+    exists(Ssa::SourceVariable sv, Callable c |
+      implicitEntryDef(this, sv, c) and
+      localScopeSourceVariable(sv, p, _, c)
+    )
+  }
+
+  override Parameter getParameter() { result = p }
+
+  override string toString() { result = ParameterDefinitionImpl.super.toString() }
+
+  override Location getLocation() {
+    NearestLocation<MultiBodyNearestLocationInput>::nearestLocation(this, result, _)
+  }
+}