Post-release preparation for codeql-cli-2.15.4

Release change notes for 2.15.4

cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/upgrade.properties

@@ -0,0 +1,3 @@
+description: Expose whether a function was prototyped or not
+compatibility: backwards
+function_prototyped.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.12.1
+
+### New Features
+
+* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
+
 ## 0.12.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/released/0.12.1.md

@@ -0,0 +1,5 @@
+## 0.12.1
+
+### New Features
+
+* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.0
+lastReleaseVersion: 0.12.1

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.1-dev
+version: 0.12.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -112,6 +112,16 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   predicate isDeleted() { function_deleted(underlyingElement(this)) }
 
+  /**
+   * Holds if this function has a prototyped interface.
+   *
+   * Functions generally have a prototyped interface, unless they are
+   * K&R-style functions either without any forward function declaration,
+   * or with all the forward declarations omitting the parameters of the
+   * function.
+   */
+  predicate isPrototyped() { function_prototyped(underlyingElement(this)) }
+
   /**
    * Holds if this function is explicitly defaulted with the `= default`
    * specifier.

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll

@@ -23,9 +23,8 @@ private module Internal {
   newtype TOperand =
     // RAW
     TRegisterOperand(TRawInstruction useInstr, RegisterOperandTag tag, TRawInstruction defInstr) {
-      defInstr = RawConstruction::getRegisterOperandDefinition(useInstr, tag) and
-      not RawConstruction::isInCycle(useInstr) and
-      strictcount(RawConstruction::getRegisterOperandDefinition(useInstr, tag)) = 1
+      defInstr = unique( | | RawConstruction::getRegisterOperandDefinition(useInstr, tag)) and
+      not RawConstruction::isInCycle(useInstr)
     } or
     // Placeholder for Phi and Chi operands in stages that don't have the corresponding instructions
     TNoOperand() { none() } or

cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -123,7 +123,7 @@ private class StdSequenceContainerData extends TaintFunction {
 /**
  * The standard container functions `push_back` and `push_front`.
  */
-private class StdSequenceContainerPush extends TaintFunction {
+class StdSequenceContainerPush extends MemberFunction {
   StdSequenceContainerPush() {
     this.getClassAndName("push_back") instanceof Vector or
     this.getClassAndName(["push_back", "push_front"]) instanceof Deque or
@@ -131,6 +131,17 @@ private class StdSequenceContainerPush extends TaintFunction {
     this.getClassAndName(["push_back", "push_front"]) instanceof List
   }
 
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceContainerPushModel extends StdSequenceContainerPush, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to qualifier
     input.isParameterDeref(0) and
@@ -160,7 +171,7 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
 /**
  * The standard container functions `insert` and `insert_after`.
  */
-private class StdSequenceContainerInsert extends TaintFunction {
+class StdSequenceContainerInsert extends MemberFunction {
   StdSequenceContainerInsert() {
     this.getClassAndName("insert") instanceof Deque or
     this.getClassAndName("insert") instanceof List or
@@ -181,7 +192,9 @@ private class StdSequenceContainerInsert extends TaintFunction {
    * Gets the index of a parameter to this function that is an iterator.
    */
   int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
+}
 
+private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to container itself (qualifier) and return value
     (
@@ -253,11 +266,28 @@ private class StdSequenceContainerAt extends TaintFunction {
 }
 
 /**
- * The standard vector `emplace` function.
+ * The standard `emplace` function.
  */
-class StdVectorEmplace extends TaintFunction {
-  StdVectorEmplace() { this.getClassAndName("emplace") instanceof Vector }
+class StdSequenceEmplace extends MemberFunction {
+  StdSequenceEmplace() {
+    this.getClassAndName("emplace") instanceof Vector
+    or
+    this.getClassAndName("emplace") instanceof List
+    or
+    this.getClassAndName("emplace") instanceof Deque
+  }
 
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
     // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -269,12 +299,36 @@ class StdVectorEmplace extends TaintFunction {
   }
 }
 
+/**
+ * The standard vector `emplace` function.
+ */
+class StdVectorEmplace extends StdSequenceEmplace {
+  StdVectorEmplace() { this.getDeclaringType() instanceof Vector }
+}
+
 /**
  * The standard vector `emplace_back` function.
  */
-class StdVectorEmplaceBack extends TaintFunction {
-  StdVectorEmplaceBack() { this.getClassAndName("emplace_back") instanceof Vector }
+class StdSequenceEmplaceBack extends MemberFunction {
+  StdSequenceEmplaceBack() {
+    this.getClassAndName("emplace_back") instanceof Vector
+    or
+    this.getClassAndName("emplace_back") instanceof List
+    or
+    this.getClassAndName("emplace_back") instanceof Deque
+  }
 
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier
     // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -282,3 +336,10 @@ class StdVectorEmplaceBack extends TaintFunction {
     output.isQualifierObject()
   }
 }
+
+/**
+ * The standard vector `emplace_back` function.
+ */
+class StdVectorEmplaceBack extends StdSequenceEmplaceBack {
+  StdVectorEmplaceBack() { this.getDeclaringType() instanceof Vector }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

@@ -99,9 +99,11 @@ private class StdStringConstructor extends Constructor, StdStringTaintFunction {
 /**
  * The `std::string` function `c_str`.
  */
-private class StdStringCStr extends StdStringTaintFunction {
+class StdStringCStr extends MemberFunction {
   StdStringCStr() { this.getClassAndName("c_str") instanceof StdBasicString }
+}
 
+private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and
@@ -112,9 +114,11 @@ private class StdStringCStr extends StdStringTaintFunction {
 /**
  * The `std::string` function `data`.
  */
-private class StdStringData extends StdStringTaintFunction {
+class StdStringData extends MemberFunction {
   StdStringData() { this.getClassAndName("data") instanceof StdBasicString }
+}
 
+private class StdStringDataModel extends StdStringData, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -405,6 +405,8 @@ function_deleted(unique int id: @function ref);
 
 function_defaulted(unique int id: @function ref);
 
+function_prototyped(unique int id: @function ref)
+
 member_function_this_type(
     unique int id: @function ref,
     int this_type: @type ref

cpp/ql/lib/upgrades/8cba93a44180e0d50a80a660950800d822b981fc/upgrade.properties

@@ -0,0 +1,2 @@
+description: Expose whether a function was prototyped or not
+compatibility: partial

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.9.0
+
+### Breaking Changes
+
+* The `cpp/tainted-format-string-through-global` query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from `cpp/tainted-format-string`.
+
+### New Queries
+
+* Added a new query, `cpp/use-of-string-after-lifetime-ends`, to detect calls to `c_str` on strings that will be destroyed immediately.
+
 ## 0.8.3
 
 ### Minor Analysis Improvements

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Calling <code>c_str</code> on a <code>std::string</code> object returns a pointer to the underlying character array.
+When the <code>std::string</code> object is destroyed, the pointer returned by <code>c_str</code> is no
+longer valid. If the pointer is used after the <code>std::string</code> object is destroyed, then the behavior is undefined.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Ensure that the pointer returned by <code>c_str</code> does not outlive the underlying <code>std::string</code> object.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example concatenates two <code>std::string</code> objects, and then converts the resulting string to a
+C string using <code>c_str</code> so that it can be passed to the <code>work</code> function.
+
+However, the underlying <code>std::string</code> object that represents the concatenated string is destroyed as soon as the call
+to <code>c_str</code> returns. This means that <code>work</code> is given a pointer to invalid memory.
+</p>
+
+<sample src="UseOfStringAfterLifetimeEndsBad.cpp" />
+
+<p>
+The following example fixes the above code by ensuring that the pointer returned by the call to <code>c_str</code> does
+not outlive the underlying <code>std::string</code> objects. This ensures that the pointer passed to <code>work</code>
+points to valid memory.
+</p>
+
+<sample src="UseOfStringAfterLifetimeEndsGood.cpp" />
+
+</example>
+<references>
+
+<li><a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory">MEM50-CPP. Do not access freed memory</a>.</li>
+
+</references>
+</qhelp>

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql

@@ -0,0 +1,100 @@
+/**
+ * @name Use of string after lifetime ends
+ * @description If the value of a call to 'c_str' outlives the underlying object it may lead to unexpected behavior.
+ * @kind problem
+ * @precision high
+ * @id cpp/use-of-string-after-lifetime-ends
+ * @problem.severity warning
+ * @security-severity 8.8
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-416
+ *       external/cwe/cwe-664
+ */
+
+import cpp
+import semmle.code.cpp.models.implementations.StdString
+import semmle.code.cpp.models.implementations.StdContainer
+
+/**
+ * Holds if `e` will be consumed by its parent as a glvalue and does not have
+ * an lvalue-to-rvalue conversion. This means that it will be materialized into
+ * a temporary object.
+ */
+predicate isTemporary(Expr e) {
+  e instanceof TemporaryObjectExpr
+  or
+  e.isPRValueCategory() and
+  e.getUnspecifiedType() instanceof Class and
+  not e.hasLValueToRValueConversion()
+}
+
+/** Holds if `e` is written to a container. */
+predicate isStoredInContainer(Expr e) {
+  exists(StdSequenceContainerInsert insert, Call call, int index |
+    call = insert.getACallToThisFunction() and
+    index = insert.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceContainerPush push, Call call, int index |
+    call = push.getACallToThisFunction() and
+    index = push.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceEmplace emplace, Call call, int index |
+    call = emplace.getACallToThisFunction() and
+    index = emplace.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceEmplaceBack emplaceBack, Call call, int index |
+    call = emplaceBack.getACallToThisFunction() and
+    index = emplaceBack.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+}
+
+/**
+ * Holds if the value of `e` outlives the enclosing full expression. For
+ * example, because the value is stored in a local variable.
+ */
+predicate outlivesFullExpr(Expr e) {
+  any(Assignment assign).getRValue() = e
+  or
+  any(Variable v).getInitializer().getExpr() = e
+  or
+  any(ReturnStmt ret).getExpr() = e
+  or
+  exists(ConditionalExpr cond |
+    outlivesFullExpr(cond) and
+    [cond.getThen(), cond.getElse()] = e
+  )
+  or
+  exists(BinaryOperation bin |
+    outlivesFullExpr(bin) and
+    bin.getAnOperand() = e
+  )
+  or
+  exists(ClassAggregateLiteral aggr |
+    outlivesFullExpr(aggr) and
+    aggr.getAFieldExpr(_) = e
+  )
+  or
+  exists(ArrayAggregateLiteral aggr |
+    outlivesFullExpr(aggr) and
+    aggr.getAnElementExpr(_) = e
+  )
+  or
+  isStoredInContainer(e)
+}
+
+from Call c
+where
+  outlivesFullExpr(c) and
+  not c.isFromUninstantiatedTemplate(_) and
+  (c.getTarget() instanceof StdStringCStr or c.getTarget() instanceof StdStringData) and
+  isTemporary(c.getQualifier().getFullyConverted())
+select c,
+  "The underlying string object is destroyed after the call to '" + c.getTarget() + "' returns."

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEndsBad.cpp

@@ -0,0 +1,9 @@
+#include <string>
+void work(const char*);
+
+// BAD: the concatenated string is deallocated when `c_str` returns. So `work`
+// is given a pointer to invalid memory.
+void work_with_combined_string_bad(std::string s1, std::string s2) {
+  const char* combined_string = (s1 + s2).c_str();
+  work(combined_string);
+}

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEndsGood.cpp

@@ -0,0 +1,9 @@
+#include <string>
+void work(const char*);
+
+// GOOD: the concatenated string outlives the call to `work`. So the pointer
+// obtainted from `c_str` is valid.
+void work_with_combined_string_good(std::string s1, std::string s2) {
+  auto combined_string = s1 + s2;
+  work(combined_string.c_str());
+}

cpp/ql/src/change-notes/released/0.9.0.md

@@ -1,4 +1,9 @@
----
-category: breaking
----
+## 0.9.0
+
+### Breaking Changes
+
 * The `cpp/tainted-format-string-through-global` query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from `cpp/tainted-format-string`.
+
+### New Queries
+
+* Added a new query, `cpp/use-of-string-after-lifetime-ends`, to detect calls to `c_str` on strings that will be destroyed immediately.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.3
+lastReleaseVersion: 0.9.0

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql

@@ -12,7 +12,6 @@
  */
 
 import cpp
-import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.controlflow.Nullness
 
 class StarOperator extends Operator {

cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql

@@ -9,7 +9,6 @@
  */
 
 import cpp
-import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow
 import experimental.cryptography.Concepts
 
 from HashAlgorithm alg, Expr confSink, string msg

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.8.4-dev
+version: 0.9.1-dev
 groups:
   - cpp
   - queries

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.expected

@@ -0,0 +1,12 @@
+| test.cpp:165:34:165:38 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:166:39:166:43 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:167:44:167:48 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:169:29:169:33 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:178:37:178:41 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:181:39:181:43 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:183:37:183:41 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:187:34:187:37 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:188:39:188:42 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:189:44:189:47 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:191:29:191:32 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:193:31:193:35 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref

@@ -0,0 +1,2 @@
+
+Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp

@@ -0,0 +1,219 @@
+typedef unsigned long size_t;
+
+namespace std {
+  template<class T> struct remove_reference { typedef T type; };
+
+  template<class T> struct remove_reference<T &> { typedef T type; };
+
+  template<class T> struct remove_reference<T &&> { typedef T type; };
+
+  template<class T> using remove_reference_t = typename remove_reference<T>::type;
+
+  template< class T > std::remove_reference_t<T>&& move( T&& t );
+}
+
+// --- iterator ---
+
+namespace std {
+  template<class T> struct remove_const { typedef T type; };
+
+  template<class T> struct remove_const<const T> { typedef T type; };
+
+  // `remove_const_t<T>` removes any `const` specifier from `T`
+  template<class T> using remove_const_t = typename remove_const<T>::type;
+
+  struct ptrdiff_t;
+
+  template<class I> struct iterator_traits;
+
+  template <class Category,
+        class value_type,
+        class difference_type = ptrdiff_t,
+        class pointer_type = value_type*,
+        class reference_type = value_type&>
+  struct iterator {
+    typedef Category iterator_category;
+
+    iterator();
+    iterator(iterator<Category, remove_const_t<value_type> > const &other); // non-const -> const conversion constructor
+
+    iterator &operator++();
+    iterator operator++(int);
+    iterator &operator--();
+    iterator operator--(int);
+    bool operator==(iterator other) const;
+    bool operator!=(iterator other) const;
+    reference_type operator*() const;
+    pointer_type operator->() const;
+    iterator operator+(int);
+    iterator operator-(int);
+    iterator &operator+=(int);
+    iterator &operator-=(int);
+    int operator-(iterator);
+    reference_type operator[](int);
+  };
+
+  struct input_iterator_tag {};
+  struct forward_iterator_tag : public input_iterator_tag {};
+  struct bidirectional_iterator_tag : public forward_iterator_tag {};
+  struct random_access_iterator_tag : public bidirectional_iterator_tag {};
+}
+
+// --- string ---
+
+namespace std
+{
+  template<class charT> struct char_traits;
+
+  typedef size_t streamsize;
+
+  template <class T> class allocator {
+  public:
+    allocator() throw();
+    typedef size_t size_type;
+  };
+
+  template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
+  class basic_string {
+  public:
+    using value_type = charT;
+    using reference = value_type&;
+    using const_reference = const value_type&;
+    typedef typename Allocator::size_type size_type;
+    static const size_type npos = -1;
+
+    explicit basic_string(const Allocator& a = Allocator());
+    basic_string(const charT* s, const Allocator& a = Allocator());
+    template<class InputIterator> basic_string(InputIterator begin, InputIterator end, const Allocator& a = Allocator());
+
+    const charT* c_str() const;
+    charT* data() noexcept;
+    size_t length() const;
+
+    typedef std::iterator<random_access_iterator_tag, charT> iterator;
+    typedef std::iterator<random_access_iterator_tag, const charT> const_iterator;
+
+    iterator begin();
+    iterator end();
+    const_iterator begin() const;
+    const_iterator end() const;
+    const_iterator cbegin() const;
+    const_iterator cend() const;
+
+    const_reference operator[](size_type pos) const;
+    reference operator[](size_type pos);
+    const_reference at(size_type n) const;
+    reference at(size_type n);
+    basic_string& insert(size_type pos, const basic_string& str);
+    basic_string& insert(size_type pos, size_type n, charT c);
+    basic_string& insert(size_type pos, const charT* s);
+    iterator insert(const_iterator p, size_type n, charT c);
+    template<class InputIterator> iterator insert(const_iterator p, InputIterator first, InputIterator last); 
+    basic_string& replace(size_type pos1, size_type n1, const basic_string& str);
+    basic_string& replace(size_type pos1, size_type n1, size_type n2, charT c);
+  };
+
+  template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);
+  template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const charT* rhs);
+
+  typedef basic_string<char> string;
+}
+
+// --- vector ---
+
+namespace std {
+  template<class T, class Allocator = allocator<T>>
+  class vector { 
+  public:
+    using value_type = T;
+    using reference = value_type&;
+    using const_reference = const value_type&; 
+    using size_type = unsigned int;
+    using iterator = std::iterator<random_access_iterator_tag, T>;
+    using const_iterator = std::iterator<random_access_iterator_tag, const T>;
+
+    vector() noexcept(noexcept(Allocator()));
+    explicit vector(const Allocator&) noexcept;
+    explicit vector(size_type n, const Allocator& = Allocator());
+    vector(size_type n, const T& value, const Allocator& = Allocator());
+    template<class InputIterator, class IteratorCategory = typename InputIterator::iterator_category> vector(InputIterator first, InputIterator last, const Allocator& = Allocator());
+    ~vector();
+
+    void push_back(const T& x);
+    void push_back(T&& x);
+
+    iterator insert(const_iterator position, const T& x);
+    iterator insert(const_iterator position, T&& x);
+    iterator insert(const_iterator position, size_type n, const T& x);
+    template<class InputIterator> iterator insert(const_iterator position, InputIterator first, InputIterator last);
+
+    template <class... Args> iterator emplace (const_iterator position, Args&&... args);
+    template <class... Args> void emplace_back (Args&&... args);
+  };
+}
+
+struct S {
+  const char* s;
+};
+
+void call_by_value(S);
+void call_by_cref(const S&);
+
+void call(const char*);
+
+const char* test1(bool b1, bool b2) {
+  auto s1 = std::string("hello").c_str(); // BAD
+  auto s2 = b1 ? std::string("hello").c_str() : ""; // BAD
+  auto s3 = b2 ? "" : std::string("hello").c_str(); // BAD
+  const char* s4;
+  s4 = std::string("hello").c_str(); // BAD
+
+  call(std::string("hello").c_str()); // GOOD
+  call(b1 ? std::string("hello").c_str() : ""); // GOOD
+  call(b1 ? (b2 ? "" : std::string("hello").c_str()) : ""); // GOOD
+  call_by_value({ std::string("hello").c_str() }); // GOOD
+  call_by_cref({ std::string("hello").c_str() }); // GOOD
+
+  std::vector<const char*> v1;
+  v1.push_back(std::string("hello").c_str()); // BAD
+
+  std::vector<S> v2;
+  v2.push_back({ std::string("hello").c_str() }); // BAD
+
+  S s5[] = { { std::string("hello").c_str() } }; // BAD
+
+  char c = std::string("hello").c_str()[0]; // GOOD
+
+  auto s6 = std::string("hello").data(); // BAD
+  auto s7 = b1 ? std::string("hello").data() : ""; // BAD
+  auto s8 = b2 ? "" : std::string("hello").data(); // BAD
+  char* s9;
+  s9 = std::string("hello").data(); // BAD
+
+  return std::string("hello").c_str(); // BAD
+}
+
+void test2(bool b1, bool b2) {
+  std::string s("hello");
+  auto s1 = s.c_str(); // GOOD
+  auto s2 = b1 ? s.c_str() : ""; // GOOD
+  auto s3 = b2 ? "" : s.c_str(); // GOOD
+  const char* s4;
+  s4 = s.c_str(); // GOOD
+
+  std::string& sRef = s;
+
+  auto s5 = sRef.c_str(); // GOOD
+  auto s6 = b1 ? sRef.c_str() : ""; // GOOD
+  auto s7 = b2 ? "" : sRef.c_str(); // GOOD
+  const char* s8;
+  s8 = sRef.c_str(); // GOOD
+
+  std::string&& sRefRef = std::string("hello");
+
+  auto s9 = sRefRef.c_str(); // GOOD
+  auto s10 = b1 ? sRefRef.c_str() : ""; // GOOD
+  auto s11 = b2 ? "" : sRefRef.c_str(); // GOOD
+  const char* s12;
+  s12 = sRefRef.c_str(); // GOOD
+}

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/AssemblyCache.cs

@@ -1,5 +1,4 @@
-using System;
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 
@@ -20,7 +19,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// assembly cache.
         /// </param>
         /// <param name="progressMonitor">Callback for progress.</param>
-        public AssemblyCache(IEnumerable<string> paths, ProgressMonitor progressMonitor)
+        public AssemblyCache(IEnumerable<string> paths, IEnumerable<string> frameworkPaths, ProgressMonitor progressMonitor)
         {
             foreach (var path in paths)
             {
@@ -40,7 +39,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     progressMonitor.LogInfo("AssemblyCache: Path not found: " + path);
                 }
             }
-            IndexReferences();
+            IndexReferences(frameworkPaths);
         }
 
         /// <summary>
@@ -57,13 +56,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private static readonly Version emptyVersion = new Version(0, 0, 0, 0);
-
         /// <summary>
         /// Indexes all DLLs we have located.
         /// Because this is a potentially time-consuming operation, it is put into a separate stage.
         /// </summary>
-        private void IndexReferences()
+        private void IndexReferences(IEnumerable<string> frameworkPaths)
         {
             // Read all of the files
             foreach (var filename in pendingDllsToIndex)
@@ -71,13 +68,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 IndexReference(filename);
             }
 
-            // Index "assemblyInfo" by version string
-            // The OrderBy is used to ensure that we by default select the highest version number.
             foreach (var info in assemblyInfoByFileName.Values
                 .OrderBy(info => info.Name)
-                .ThenBy(info => info.NetCoreVersion ?? emptyVersion)
-                .ThenBy(info => info.Version ?? emptyVersion)
-                .ThenBy(info => info.Filename))
+                .OrderAssemblyInfosByPreference(frameworkPaths))
             {
                 foreach (var index in info.IndexStrings)
                 {

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/AssemblyCacheExtensions.cs

@@ -0,0 +1,29 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace Semmle.Extraction.CSharp.DependencyFetching
+{
+    internal static class AssemblyCacheExtensions
+    {
+        private static readonly Version emptyVersion = new Version(0, 0, 0, 0);
+
+        /// <summary>
+        /// This method orders AssemblyInfos by version numbers (.net core version first, then assembly version). Finally, it orders by filename to make the order deterministic.
+        /// </summary>
+        public static IOrderedEnumerable<AssemblyInfo> OrderAssemblyInfosByPreference(this IEnumerable<AssemblyInfo> assemblies, IEnumerable<string> frameworkPaths)
+        {
+            // prefer framework assemblies over others
+            int initialOrdering(AssemblyInfo info) => frameworkPaths.Any(framework => info.Filename.StartsWith(framework, StringComparison.OrdinalIgnoreCase)) ? 1 : 0;
+
+            var ordered = assemblies is IOrderedEnumerable<AssemblyInfo> o
+                ? o.ThenBy(initialOrdering)
+                : assemblies.OrderBy(initialOrdering);
+
+            return ordered
+                .ThenBy(info => info.NetCoreVersion ?? emptyVersion)
+                .ThenBy(info => info.Version ?? emptyVersion)
+                .ThenBy(info => info.Filename);
+        }
+    }
+}

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs

@@ -128,16 +128,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 DownloadMissingPackages(allNonBinaryFiles, dllPaths);
             }
 
+            var frameworkLocations = new HashSet<string>();
+
             // Find DLLs in the .Net / Asp.Net Framework
             // This block needs to come after the nuget restore, because the nuget restore might fetch the .NET Core/Framework reference assemblies.
             if (options.ScanNetFrameworkDlls)
             {
-                AddNetFrameworkDlls(dllPaths);
-                AddAspNetCoreFrameworkDlls(dllPaths);
-                AddMicrosoftWindowsDesktopDlls(dllPaths);
+                AddNetFrameworkDlls(dllPaths, frameworkLocations);
+                AddAspNetCoreFrameworkDlls(dllPaths, frameworkLocations);
+                AddMicrosoftWindowsDesktopDlls(dllPaths, frameworkLocations);
             }
 
-            assemblyCache = new AssemblyCache(dllPaths, progressMonitor);
+            assemblyCache = new AssemblyCache(dllPaths, frameworkLocations, progressMonitor);
             AnalyseSolutions(solutions);
 
             foreach (var filename in assemblyCache.AllAssemblies.Select(a => a.Filename))
@@ -146,7 +148,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
 
             RemoveNugetAnalyzerReferences();
-            ResolveConflicts();
+            ResolveConflicts(frameworkLocations);
 
             // Output the findings
             foreach (var r in usedReferences.Keys.OrderBy(r => r))
@@ -228,7 +230,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private void AddNetFrameworkDlls(ISet<string> dllPaths)
+        private void AddNetFrameworkDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
         {
             // Multiple dotnet framework packages could be present.
             // The order of the packages is important, we're adding the first one that is present in the nuget cache.
@@ -241,6 +243,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             if (frameworkPath.Path is not null)
             {
                 dllPaths.Add(frameworkPath.Path);
+                frameworkLocations.Add(frameworkPath.Path);
                 progressMonitor.LogInfo($"Found .NET Core/Framework DLLs in NuGet packages at {frameworkPath.Path}. Not adding installation directory.");
 
                 for (var i = frameworkPath.Index + 1; i < packagesInPrioOrder.Length; i++)
@@ -270,6 +273,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
             progressMonitor.LogInfo($".NET runtime location selected: {runtimeLocation}");
             dllPaths.Add(runtimeLocation);
+            frameworkLocations.Add(runtimeLocation);
         }
 
         private void RemoveNugetPackageReference(string packagePrefix, ISet<string> dllPaths)
@@ -294,7 +298,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private void AddAspNetCoreFrameworkDlls(ISet<string> dllPaths)
+        private void AddAspNetCoreFrameworkDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
         {
             if (!fileContent.IsNewProjectStructureUsed || !fileContent.UseAspNetCoreDlls)
             {
@@ -306,20 +310,25 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             {
                 progressMonitor.LogInfo($"Found ASP.NET Core in NuGet packages. Not adding installation directory.");
                 dllPaths.Add(aspNetCorePackage);
+                frameworkLocations.Add(aspNetCorePackage);
+                return;
             }
-            else if (Runtime.AspNetCoreRuntime is string aspNetCoreRuntime)
+
+            if (Runtime.AspNetCoreRuntime is string aspNetCoreRuntime)
             {
                 progressMonitor.LogInfo($"ASP.NET runtime location selected: {aspNetCoreRuntime}");
                 dllPaths.Add(aspNetCoreRuntime);
+                frameworkLocations.Add(aspNetCoreRuntime);
             }
         }
 
-        private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths)
+        private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
         {
             if (GetPackageDirectory(FrameworkPackageNames.WindowsDesktopFramework) is string windowsDesktopApp)
             {
                 progressMonitor.LogInfo($"Found Windows Desktop App in NuGet packages.");
                 dllPaths.Add(windowsDesktopApp);
+                frameworkLocations.Add(windowsDesktopApp);
             }
         }
 
@@ -345,12 +354,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
             return new DirectoryInfo(packageDirectory.DirInfo.FullName)
                 .EnumerateDirectories("*", new EnumerationOptions { MatchCasing = MatchCasing.CaseInsensitive, RecurseSubdirectories = false })
-                .Select(d => d.FullName);
+                .Select(d => d.Name);
         }
 
         private void LogAllUnusedPackages(DependencyContainer dependencies) =>
             GetAllPackageDirectories()
                 .Where(package => !dependencies.Packages.Contains(package))
+                .Order()
                 .ForEach(package => progressMonitor.LogInfo($"Unused package: {package}"));
 
         private void GenerateSourceFileFromImplicitUsings()
@@ -472,7 +482,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// If the same assembly name is duplicated with different versions,
         /// resolve to the higher version number.
         /// </summary>
-        private void ResolveConflicts()
+        private void ResolveConflicts(IEnumerable<string> frameworkPaths)
         {
             var sortedReferences = new List<AssemblyInfo>();
             foreach (var usedReference in usedReferences)
@@ -488,11 +498,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 }
             }
 
-            var emptyVersion = new Version(0, 0);
             sortedReferences = sortedReferences
-                .OrderBy(r => r.NetCoreVersion ?? emptyVersion)
-                .ThenBy(r => r.Version ?? emptyVersion)
-                .ThenBy(r => r.Filename)
+                .OrderAssemblyInfosByPreference(frameworkPaths)
                 .ToList();
 
             var finalAssemblyList = new Dictionary<string, AssemblyInfo>();

csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/StubVisitor.cs

@@ -41,6 +41,7 @@ internal sealed class StubVisitor : SymbolVisitor
             (
                 t1 is INamedTypeSymbol named1 &&
                 t2 is INamedTypeSymbol named2 &&
+                (!SymbolEqualityComparer.Default.Equals(named1, named1.ConstructedFrom) || !SymbolEqualityComparer.Default.Equals(named2, named2.ConstructedFrom)) &&
                 EqualsModuloTupleElementNames(named1.ConstructedFrom, named2.ConstructedFrom) &&
                 named1.TypeArguments.Length == named2.TypeArguments.Length &&
                 named1.TypeArguments.Zip(named2.TypeArguments).All(p => EqualsModuloTupleElementNames(p.First, p.Second))

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.4
+
+No user-facing changes.
+
 ## 1.7.3
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.4.md

@@ -0,0 +1,3 @@
+## 1.7.4
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.3
+lastReleaseVersion: 1.7.4

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.4-dev
+version: 1.7.5-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.4
+
+No user-facing changes.
+
 ## 1.7.3
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.4.md

@@ -0,0 +1,3 @@
+## 1.7.4
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.3
+lastReleaseVersion: 1.7.4

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.4-dev
+version: 1.7.5-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/all-platforms/cshtml/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/cshtml_standalone/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/diag_dotnet_incompatible/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/diag_missing_project_files/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/diag_missing_xamarin_sdk/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/diag_recursive_generics/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_build/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_no_args_inject/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_pack/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_publish/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_run/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/standalone/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/dotnet_test/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/dotnet_test_mstest/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/inherit-env-vars/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/warn_as_error/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 0.8.4
+
+No user-facing changes.
+
 ## 0.8.3
 
 ### Minor Analysis Improvements

csharp/ql/lib/change-notes/released/0.8.4.md

@@ -0,0 +1,3 @@
+## 0.8.4
+
+No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.3
+lastReleaseVersion: 0.8.4

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.8.4-dev
+version: 0.8.5-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/Callable.qll

@@ -105,7 +105,10 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
    * then both `{ return 0; }` and `{ return 1; }` are statement bodies of
    * `N.C.M()`.
    */
-  final BlockStmt getStatementBody() { result = this.getAChildStmt() }
+  final BlockStmt getStatementBody() {
+    result = getStatementBody(this) and
+    not this.getFile().isStub()
+  }
 
   /**
    * DEPRECATED: Use `getStatementBody` instead.
@@ -143,8 +146,8 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
    * then both `0` and `1` are expression bodies of `N.C.M()`.
    */
   final Expr getExpressionBody() {
-    result = this.getAChildExpr() and
-    not result = this.(Constructor).getInitializer()
+    result = getExpressionBody(this) and
+    not this.getFile().isStub()
   }
 
   /** Holds if this callable has an expression body. */

csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll

@@ -53,6 +53,20 @@ class TopLevelExprParent extends Element, @top_level_expr_parent {
 
 private predicate hasNoSourceLocation(Element e) { not e.getALocation() instanceof SourceLocation }
 
+/** INTERNAL: Do not use. */
+Expr getExpressionBody(Callable c) {
+  result = c.getAChildExpr() and
+  not result = c.(Constructor).getInitializer()
+}
+
+/** INTERNAL: Do not use. */
+BlockStmt getStatementBody(Callable c) { result = c.getAChildStmt() }
+
+private ControlFlowElement getBody(Callable c) {
+  result = getExpressionBody(c) or
+  result = getStatementBody(c)
+}
+
 cached
 private module Cached {
   cached
@@ -161,20 +175,20 @@ private module Cached {
 
   private predicate parent(ControlFlowElement child, ExprOrStmtParent parent) {
     child = getAChild(parent) and
-    not child = any(Callable c).getBody()
+    not child = getBody(_)
   }
 
   /** Holds if the enclosing body of `cfe` is `body`. */
   cached
   predicate enclosingBody(ControlFlowElement cfe, ControlFlowElement body) {
-    body = any(Callable c).getBody() and
+    body = getBody(_) and
     parent*(enclosingStart(cfe), body)
   }
 
   /** Holds if the enclosing callable of `cfe` is `c`. */
   cached
   predicate enclosingCallable(ControlFlowElement cfe, Callable c) {
-    enclosingBody(cfe, c.getBody())
+    enclosingBody(cfe, getBody(c))
     or
     parent*(enclosingStart(cfe), c.(Constructor).getInitializer())
   }

csharp/ql/lib/semmle/code/csharp/File.qll

@@ -54,14 +54,14 @@ class File extends Container, Impl::File {
 
   /** Holds if this file is a QL test stub file. */
   pragma[noinline]
-  private predicate isStub() {
+  predicate isStub() {
     this.extractedQlTest() and
     this.getAbsolutePath().matches("%resources/stubs/%")
   }
 
   /** Holds if this file contains source code. */
   final predicate fromSource() {
-    this.getExtension() = "cs" and
+    this.getExtension() = ["cs", "cshtml"] and
     not this.isStub()
   }
 

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll

@@ -13,11 +13,14 @@ private import semmle.code.csharp.commons.Compilation
 /** An element that defines a new CFG scope. */
 class CfgScope extends Element, @top_level_exprorstmt_parent {
   CfgScope() {
-    this instanceof Callable
-    or
-    // For now, static initializer values have their own scope. Eventually, they
-    // should be treated like instance initializers.
-    this.(Assignable).(Modifiable).isStatic()
+    this.getFile().fromSource() and
+    (
+      this instanceof Callable
+      or
+      // For now, static initializer values have their own scope. Eventually, they
+      // should be treated like instance initializers.
+      this.(Assignable).(Modifiable).isStatic()
+    )
   }
 }
 

csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll

@@ -168,7 +168,8 @@ private SummaryComponent delegateSelf() {
 
 private predicate mayInvokeCallback(Callable c, int n) {
   c.getParameter(n).getType() instanceof SystemLinqExpressions::DelegateExtType and
-  not c.fromSource()
+  not c.hasBody() and
+  (if c instanceof Accessor then not c.fromSource() else any())
 }
 
 private class SummarizedCallableWithCallback extends SummarizedCallable {

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -81,9 +81,9 @@ newtype TReturnKind =
  */
 class DataFlowSummarizedCallable instanceof FlowSummary::SummarizedCallable {
   DataFlowSummarizedCallable() {
-    not this.fromSource()
+    not this.hasBody()
     or
-    this.fromSource() and not this.applyGeneratedModel()
+    this.hasBody() and not this.applyGeneratedModel()
   }
 
   string toString() { result = super.toString() }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -310,7 +310,12 @@ private module CallGraph {
       c = any(DelegateCall dc | e = dc.getExpr()) and
       libraryDelegateCall = false
       or
-      c.getTarget().fromLibrary() and
+      exists(Callable target |
+        target = c.getTarget() and
+        not target.hasBody()
+      |
+        if target instanceof Accessor then not target.fromSource() else any()
+      ) and
       e = c.getAnArgument() and
       e.getType() instanceof SystemLinqExpressions::DelegateExtType and
       libraryDelegateCall = true

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.8.4
+
+### Minor Analysis Improvements
+
+* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.
+
 ## 0.8.3
 
 ### Minor Analysis Improvements

csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql

@@ -8,7 +8,7 @@
  * @precision medium
  * @id cs/web/insecure-direct-object-reference
  * @tags security
- *       external/cwe-639
+ *       external/cwe/cwe-639
  */
 
 import csharp

csharp/ql/src/change-notes/released/0.8.4.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.
+## 0.8.4
+
+### Minor Analysis Improvements
+
+* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.3
+lastReleaseVersion: 0.8.4

csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql

@@ -6,7 +6,7 @@
  * @id cs/hash-without-salt
  * @tags security
  *       experimental
- *       external/cwe-759
+ *       external/cwe/cwe-759
  */
 
 import csharp

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.8.4-dev
+version: 0.8.5-dev
 groups:
   - csharp
   - queries

csharp/ql/src/utils/modeleditor/AccessPathSuggestions.qll

@@ -1,112 +0,0 @@
-/** Provides classes and predicates related to handling access path suggestions for the VS Code extension. */
-
-private import csharp
-private import semmle.code.csharp.commons.Collections as Collections
-private import FrameworkModeEndpointsQuery
-private import ModelEditor
-
-/** A collection type */
-abstract private class CollectionType extends RefType {
-  abstract Type getElementType();
-}
-
-private class ArrayCollectionType extends CollectionType, ArrayType {
-  override Type getElementType() { result = this.(ArrayType).getElementType() }
-}
-
-private class GenericCollectionType extends CollectionType, ConstructedType,
-  Collections::CollectionType
-{
-  GenericCollectionType() {
-    // Only include collections with a single type argument, which we expect to be lists.
-    count(int i | exists(this.getTypeArgument(i))) = 1
-  }
-
-  override Type getElementType() { result = this.getTypeArgument(0) }
-}
-
-private predicate nestedPathBase(
-  Endpoint endpoint, Element element, string value, string details, string defType,
-  boolean isInputOnly, boolean isOutputOnly
-) {
-  endpoint.getReturnType() = element and
-  isInputOnly = false and
-  isOutputOnly = true and
-  value = "ReturnValue" and
-  details = element.toString() and
-  defType = "return"
-  or
-  exists(Parameter parameter |
-    endpoint.getAParameter() = parameter and parameter.getType() = element
-  |
-    value = "Argument[" + parameter.getPosition() + "]" and
-    details = parameter.getType().toString() + " " + parameter.getName() and
-    isInputOnly = false and
-    isOutputOnly = false and
-    defType = "parameter"
-  )
-  or
-  endpoint.getDeclaringType() = element and
-  isInputOnly = false and
-  isOutputOnly = false and
-  value = "Argument[this]" and
-  details = element.toString() and
-  defType = "class"
-}
-
-private predicate nestedPathRec(
-  Endpoint endpoint, Element element, string value, string details, string defType,
-  boolean isInputOnly, boolean isOutputOnly, int pathLength
-) {
-  pathLength < 8 and
-  (
-    nestedPathBase(endpoint, element, value, details, defType, isInputOnly, isOutputOnly) and
-    pathLength = 1
-    or
-    exists(
-      Type prevType, string prevValue, string prevDetails, string prevDefType,
-      boolean prevIsInputOnly, boolean prevIsOutputOnly, int prevPathLength
-    |
-      nestedPathRec(endpoint, prevType, prevValue, prevDetails, prevDefType, prevIsInputOnly,
-        prevIsOutputOnly, prevPathLength) and
-      pathLength = prevPathLength + 1
-    |
-      element = prevType.(CollectionType).getElementType() and
-      value = prevValue + ".Element" and
-      details = element.toString() and
-      isInputOnly = prevIsInputOnly and
-      isOutputOnly = prevIsOutputOnly and
-      defType = "array"
-      or
-      element = prevType.(CollectionType).getElementType() and
-      (value = prevValue + ".WithoutElement" or value = prevValue + ".WithElement") and
-      details = element.toString() and
-      isInputOnly = true and
-      isOutputOnly = prevIsOutputOnly and
-      defType = "array"
-      or
-      element = prevType.(RefType).getAField() and
-      not element.(Field).isStatic() and
-      value = prevValue + ".Field[" + element.(Field).getFullyQualifiedName() + "]" and
-      details = element.(Field).getType().toString() + " " + element.(Field).getName() and
-      isInputOnly = false and
-      isOutputOnly = false and
-      defType = "field"
-      or
-      element = prevType.(RefType).getAProperty() and
-      not element.(Property).isStatic() and
-      value = prevValue + ".Property[" + element.(Property).getFullyQualifiedName() + "]" and
-      details = element.(Property).getType().toString() + " " + element.(Property).getName() and
-      isInputOnly = false and
-      isOutputOnly = false and
-      defType = "property"
-    )
-  )
-}
-
-predicate nestedPath(
-  Endpoint endpoint, Element element, string value, string details, string defType,
-  boolean isInputOnly, boolean isOutputOnly
-) {
-  nestedPathRec(endpoint, element, value, details, defType, isInputOnly, isOutputOnly, _)
-}

csharp/ql/src/utils/modeleditor/ApplicationModeAccessPathSuggestions.ql

@@ -1,45 +0,0 @@
-/**
- * @name Fetch suggestions for access paths of input and output parameters of a method (application mode)
- * @description A list of access paths for input and output parameters of a method. Excludes test and generated code.
- * @kind table
- * @id csharp/utils/modeleditor/application-mode-access-path-suggestions
- * @tags modeleditor access-path-suggestions application-mode
- */
-
-private import csharp
-private import AccessPathSuggestions
-private import ApplicationModeEndpointsQuery
-private import ModelEditor
-
-predicate suggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType, boolean isInputOnly, boolean isOutputOnly
-) {
-  exists(ExternalEndpoint endpoint, Element element |
-    nestedPath(endpoint, element, value, details, defType, isInputOnly, isOutputOnly)
-  |
-    exists(aUsage(endpoint)) and
-    namespace = endpoint.getNamespace() and
-    typeName = endpoint.getTypeName() and
-    methodName = endpoint.getName() and
-    methodParameters = endpoint.getParameterTypes()
-  )
-}
-
-predicate inputSuggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType
-) {
-  suggestions(namespace, typeName, methodName, methodParameters, value, details, defType, _, false)
-}
-
-predicate outputSuggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType
-) {
-  suggestions(namespace, typeName, methodName, methodParameters, value, details, defType, false, _)
-}
-
-query predicate input = inputSuggestions/7;
-
-query predicate output = outputSuggestions/7;

csharp/ql/src/utils/modeleditor/ApplicationModeEndpoints.ql

@@ -10,6 +10,8 @@ import csharp
 import ApplicationModeEndpointsQuery
 import ModelEditor
 
+private Call aUsage(ExternalEndpoint api) { result.getTarget().getUnboundDeclaration() = api }
+
 from ExternalEndpoint endpoint, boolean supported, Call usage, string type, string classification
 where
   supported = isSupported(endpoint) and

csharp/ql/src/utils/modeleditor/ApplicationModeEndpointsQuery.qll

@@ -6,8 +6,6 @@ private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import ModelEditor
 
-Call aUsage(ExternalEndpoint api) { result.getTarget().getUnboundDeclaration() = api }
-
 /**
  * A class of effectively public callables in library code.
  */

csharp/ql/src/utils/modeleditor/FrameworkModeAccessPathSuggestions.ql

@@ -1,44 +0,0 @@
-/**
- * @name Fetch suggestions for access paths of input and output parameters of a method (framework mode)
- * @description A list of access paths for input and output parameters of a method. Excludes test and generated code.
- * @kind table
- * @id csharp/utils/modeleditor/framework-mode-access-path-suggestions
- * @tags modeleditor access-path-suggestions framework-mode
- */
-
-private import csharp
-private import AccessPathSuggestions
-private import FrameworkModeEndpointsQuery
-private import ModelEditor
-
-predicate suggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType, boolean isInputOnly, boolean isOutputOnly
-) {
-  exists(PublicEndpointFromSource endpoint, Element element |
-    nestedPath(endpoint, element, value, details, defType, isInputOnly, isOutputOnly)
-  |
-    namespace = endpoint.getNamespace() and
-    typeName = endpoint.getTypeName() and
-    methodName = endpoint.getName() and
-    methodParameters = endpoint.getParameterTypes()
-  )
-}
-
-predicate inputSuggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType
-) {
-  suggestions(namespace, typeName, methodName, methodParameters, value, details, defType, _, false)
-}
-
-predicate outputSuggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType
-) {
-  suggestions(namespace, typeName, methodName, methodParameters, value, details, defType, false, _)
-}
-
-query predicate input = inputSuggestions/7;
-
-query predicate output = outputSuggestions/7;

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs

@@ -185,16 +185,16 @@ namespace My.Qltest
         void M1()
         {
             var o = new object();
-            Sink(GeneratedFlow(o));
+            Sink(GeneratedFlow(o)); // no flow because the modelled method exists in source code
         }
 
         void M2()
         {
             var o1 = new object();
-            Sink(GeneratedFlowArgs(o1, null));
+            Sink(GeneratedFlowArgs(o1, null)); // no flow because the modelled method exists in source code
 
             var o2 = new object();
-            Sink(GeneratedFlowArgs(null, o2));
+            Sink(GeneratedFlowArgs(null, o2)); // no flow because the modelled method exists in source code
         }
 
         void M3()

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected

@@ -61,12 +61,6 @@ edges
 | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object |
 | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object |
 | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | ExternalFlow.cs:120:18:120:21 | access to array element |
-| ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | ExternalFlow.cs:188:32:188:32 | access to local variable o : Object |
-| ExternalFlow.cs:188:32:188:32 | access to local variable o : Object | ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow |
-| ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object |
-| ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object | ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs |
-| ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object |
-| ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object | ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs |
 | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object |
 | ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs |
 | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | ExternalFlow.cs:232:21:232:21 | access to local variable h : HC |
@@ -151,15 +145,6 @@ nodes
 | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | semmle.label | access to local variable a : null [element] : Object |
 | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | semmle.label | access to local variable b : null [element] : Object |
 | ExternalFlow.cs:120:18:120:21 | access to array element | semmle.label | access to array element |
-| ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
-| ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | semmle.label | call to method GeneratedFlow |
-| ExternalFlow.cs:188:32:188:32 | access to local variable o : Object | semmle.label | access to local variable o : Object |
-| ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
-| ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
-| ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
-| ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
-| ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
-| ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
 | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | semmle.label | call to method MixedFlowArgs |
 | ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
@@ -189,8 +174,5 @@ subpaths
 | ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:120:18:120:21 | access to array element | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:120:18:120:21 | access to array element | $@ | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | object creation of type Object : Object |
-| ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | $@ | ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | object creation of type Object : Object |
-| ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | object creation of type Object : Object |
-| ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | $@ | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:233:18:233:18 | access to local variable o | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | ExternalFlow.cs:233:18:233:18 | access to local variable o | $@ | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | object creation of type HC : HC |

csharp/ql/test/utils/modeleditor/ApplicationModeAccessPathSuggestions.expected

@@ -1,40 +0,0 @@
-input
-| System | Console | ReadLine | () | Argument[this] | Console | class |
-| System | Console | ReadLine | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| System | Console | ReadLine | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| System | Console | ReadLine | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| System | Console | Write | (System.Object) | Argument[0] | Object value | parameter |
-| System | Console | Write | (System.Object) | Argument[this] | Console | class |
-| System | Console | WriteLine | (System.Object) | Argument[0] | Object value | parameter |
-| System | Console | WriteLine | (System.Object) | Argument[this] | Console | class |
-| System | Console | WriteLine | (System.String) | Argument[0] | String value | parameter |
-| System | Console | WriteLine | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| System | Console | WriteLine | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| System | Console | WriteLine | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| System | Console | WriteLine | (System.String) | Argument[this] | Console | class |
-| System | Console | get_BackgroundColor | () | Argument[this] | Console | class |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | Argument[0] | ConsoleColor value | parameter |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | Argument[this] | Console | class |
-output
-| System | Console | ReadLine | () | Argument[this] | Console | class |
-| System | Console | ReadLine | () | ReturnValue | String | return |
-| System | Console | ReadLine | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| System | Console | ReadLine | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| System | Console | ReadLine | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| System | Console | Write | (System.Object) | Argument[0] | Object value | parameter |
-| System | Console | Write | (System.Object) | Argument[this] | Console | class |
-| System | Console | Write | (System.Object) | ReturnValue | Void | return |
-| System | Console | WriteLine | (System.Object) | Argument[0] | Object value | parameter |
-| System | Console | WriteLine | (System.Object) | Argument[this] | Console | class |
-| System | Console | WriteLine | (System.Object) | ReturnValue | Void | return |
-| System | Console | WriteLine | (System.String) | Argument[0] | String value | parameter |
-| System | Console | WriteLine | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| System | Console | WriteLine | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| System | Console | WriteLine | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| System | Console | WriteLine | (System.String) | Argument[this] | Console | class |
-| System | Console | WriteLine | (System.String) | ReturnValue | Void | return |
-| System | Console | get_BackgroundColor | () | Argument[this] | Console | class |
-| System | Console | get_BackgroundColor | () | ReturnValue | ConsoleColor | return |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | Argument[0] | ConsoleColor value | parameter |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | Argument[this] | Console | class |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | ReturnValue | Void | return |

csharp/ql/test/utils/modeleditor/ApplicationModeAccessPathSuggestions.qlref

@@ -1 +0,0 @@
-utils/modeleditor/ApplicationModeAccessPathSuggestions.ql

csharp/ql/test/utils/modeleditor/FrameworkModeAccessPathSuggestions.expected

@@ -1,202 +0,0 @@
-input
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0] | String value | parameter |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | Argument[0] | T arg | parameter |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | Argument[this] | PublicGenericClass`2 | class |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | Argument[0] | T2 arg | parameter |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | Argument[this] | PublicGenericClass`2 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | Argument[0] | T arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | Argument[0] | T2 arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0] | String value | parameter |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-output
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue | String | return |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0] | String value | parameter |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue | String | return |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue | String | return |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | Argument[0] | T arg | parameter |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | Argument[this] | PublicGenericClass`2 | class |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | Argument[0] | T2 arg | parameter |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | Argument[this] | PublicGenericClass`2 | class |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | Argument[0] | T arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | Argument[0] | T2 arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue | String | return |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0] | String value | parameter |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | ReturnValue | Void | return |

csharp/ql/test/utils/modeleditor/FrameworkModeAccessPathSuggestions.qlref

@@ -1 +0,0 @@
-utils/modeleditor/FrameworkModeAccessPathSuggestions.ql

docs/codeql/codeql-for-visual-studio-code/using-the-codeql-model-editor.rst

@@ -18,7 +18,7 @@ When you open the model editor, it analyzes the currently selected CodeQL databa
 
 The model editor has two different modes:
 
-- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for the specific codebase.
+- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for a specific codebase.
 
 - Dependency mode: The editor identifies all of the publicly accessible APIs in the selected CodeQL database. This view guides you through modeling each public API that the codebase makes available. When you have finished modeling the entire API, you can save the model and use it to improve the CodeQL analysis for all codebases that use the dependency.
 
@@ -28,30 +28,45 @@ Displaying the CodeQL model editor
 #. Open your CodeQL workspace in VS Code, for example, the ``vscode-codeql-starter`` workspace.
    If you haven't updated the ``ql`` submodule for a while, update it from ``main`` to ensure that you have the queries used to gather data for the model editor.
 #. Open the CodeQL extension and select the CodeQL database that you want to model from the "Databases" section of the left side pane.
-#. Use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
-#. The CodeQL model editor will open in a new tab and run a series of telemetry queries to identify APIs in the code.
-#. When the queries are complete, the APIs that have been identified are shown in the editor.
+#. In the left side panel, expand the "CodeQL method modeling" section and click **Start modeling** to display the model editor. Alternatively, use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
+#. The CodeQL model editor runs a series of telemetry queries to identify APIs in the code and the editor is displayed in a new tab.
+#. When the telemetry queries are complete, the APIs that have been identified are shown in the editor.
+
+.. tip::
+
+   The "CodeQL method modeling" section is a view that you can move from the primary sidebar to the secondary sidebar, when you want more space while you are modeling calls or methods. If you close the view, you can reopen it from the "Open Views" option in the **View** menu.
 
 Modeling the calls your codebase makes to external APIs
 -------------------------------------------------------
 
-You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is usually when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
+You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is useful when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
 
 #. Select the CodeQL database that you want to improve CodeQL coverage for.
 #. Display the CodeQL model editor. By default the editor runs in application mode, so the list of external APIs used by the selected codebase is shown.
 
    .. image:: ../images/codeql-for-visual-studio-code/model-application-mode.png
       :width: 800
-      :alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing three of the external frameworks used by the "sofa-jraft" codebase.
+      :alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing two of the external Java frameworks used by the "sofa-jraft" codebase.
 
 #. Click to expand an external API and view the list of calls from the codebase to the external dependency.
-#. Click **View** associated with an API call or method to show where it is used in your codebase.
 
    .. image:: ../images/codeql-for-visual-studio-code/model-application-mode-expanded.png
       :width: 800
       :alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing the calls to the "rocksdbjni" framework ready for modeling. The "View" option for the first call is highlighted with a dark orange outline.
 
-#. When you have determined how to model the call or method, define the **Model type**.
+#. Click **View** associated with an API call or method to show where it is used in your codebase.
+
+   .. image:: ../images/codeql-for-visual-studio-code/model-application-mode-view-code.png
+      :width: 800
+      :alt: Screenshot of a file showing a place where your codebase calls the API is highlighted with a dark orange outline.
+
+#. The file containing the first call from your codebase to the API is opened and a "CodeQL methods usage" view is displayed in the VS Code Panel (where the "Problems" and "Terminal" views are usually displayed). The "CodeQL methods usage" view lists of all the calls from your code to the API, grouped by method. You can click through each use to decide how to model your use of the method.
+
+   .. image:: ../images/codeql-for-visual-studio-code/model-application-mode-view-list.png
+      :width: 800
+      :alt: Screenshot of the "CodeQL methods usage" view. The currently displayed call to an external method is highlighted blue.
+
+#. When you have determined how to model your use of the method, you can define the **Model type** in the "CodeQL method modeling" tab of the CodeQL extension. This change is automatically reflected in the main model editor.
 #. The remaining fields are updated with available options:
 
    - **Source**: choose the **Output** element to model.
@@ -59,9 +74,9 @@ You typically use this approach when you are looking at a specific codebase wher
    - **Flow summary**: choose the **Input** and **Output** elements to model.
 
 #. Define the **Kind** of dataflow for the model.
-#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
+#. When you have finished modeling, display the main model editor and click **Save all** or **Save** (shown at the bottom right of each expanded list of methods). The percentage of methods modeled in the editor is updated.
 
-The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
+The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. For more information, see "`Using CodeQL model packs with code scanning <#using-codeql-model-packs-with-code-scanning>`__".
 
 The models are stored in a series of YAML data extension files, one for each external API. For example:
 
@@ -101,7 +116,7 @@ You typically use this method when you want to model a framework or library that
 #. Define the **Kind** of dataflow for the model.
 #. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
 
-The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
+The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. For more information, see "`Using CodeQL model packs with code scanning <#using-codeql-model-packs-with-code-scanning>`__".
 
 The models are stored in a series of YAML data extension files, one for each public method. For example:
 
@@ -114,10 +129,19 @@ The models are stored in a series of YAML data extension files, one for each pub
 
 The editor will create a separate model file for each package that you model.
 
-Testing CodeQL model packs
---------------------------
+Modeling methods with multiple potential flows
+----------------------------------------------
 
-You can test any CodeQL model packs you create in VS Code by toggling the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
+Some methods support more than one data flow. It is important to model all the data flows for a method, otherwise you cannot detect all the potential problems associated with using the method. First you model one data flow for the method, and then use the **+** button in the method row to specify a second data flow model.
+
+   .. image:: ../images/codeql-for-visual-studio-code/model-dependency-mode-plus.png
+      :width: 800
+      :alt: Screenshot of the "Dependency mode" view of the CodeQL model pack editor in Visual Studio Code showing one model for the ``com.alipay.sofa.jraft.option.BallotBoxOptions.getClosureQueue()`` method. The "+" button is outlined in dark orange. Click this button to create a second model for the method.
+
+Testing CodeQL model packs in VS Code
+-------------------------------------
+
+You can test any CodeQL model packs you create in VS Code by turning the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
 
 - To run queries on a CodeQL database with any model packs that are stored within the ``.github/codeql/extensions`` directory of the workspace, update your ``settings.json`` file with: ``"codeQL.runningQueries.useExtensionPacks": "all",``
 - To run queries on a CodeQL database without using model packs, update your ``settings.json`` file with: ``"codeQL.runningQueries.useExtensionPacks": "none",``
@@ -136,4 +160,4 @@ For more information, see the following articles on the GitHub Docs site:
 
 - Default setup of code scanning: `Extending CodeQL coverage with CodeQL model packs in default setup <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup>`__
 - Advanced setup of code scanning: `Extending CodeQL coverage with CodeQL model packs <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs>`__
-- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#using-model-packs-to-analyze-calls-to-custom-dependencies>`__
+- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#using-model-packs-to-analyze-calls-to-custom-dependencies>`__

docs/codeql/codeql-language-guides/customizing-library-models-for-java-and-kotlin.rst

@@ -54,14 +54,14 @@ Data extensions use union semantics, which means that the tuples of all extensio
 Publish data extension files in a CodeQL model pack to share
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-You can group one or more data extention files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see "`Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack/>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
+You can group one or more data extension files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see `Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
 
 Extensible predicates used to create custom models in Java and Kotlin
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The CodeQL library for Java and Kotlin analysis exposes the following extensible predicates:
 
-- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data.
+- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data. The ``kind`` of the sources defined using this predicate determine which threat model they are associated with. Different threat models can be used to customize the sources used in an analysis. For more information, see ":ref:`Threat models <threat-models>`."
 - ``sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)``. This is used to model sinks where tainted data maybe used in a way that makes the code vulnerable.
 - ``summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)``. This is used to model flow through elements.
 - ``neutralModel(package, type, name, signature, kind, provenance)``. This is similar to a summary model but used to model the flow of values that have only a minor impact on the dataflow analysis.
@@ -151,7 +151,7 @@ The sixth value should be left empty and is out of scope for this documentation.
 The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the source.
 
 - The seventh value ``ReturnValue`` is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
-- The eighth value ``remote`` is the kind of the source. The source kind is used to define the queries where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources.
+- The eighth value ``remote`` is the kind of the source. The source kind is used to define the threat model where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources. For more information, see ":ref:`Threat models <threat-models>`."
 - The ninth value ``manual`` is the provenance of the source, which is used to identify the origin of the source.
 
 Example: Add flow through the ``concat`` method
@@ -291,3 +291,19 @@ The first four values identify the callable (in this case a method) to be modele
 - The fourth value ``()`` is the method input type signature.
 - The fifth value ``summary`` is the kind of the neutral.
 - The sixth value ``manual`` is the provenance of the neutral.
+
+.. _threat-models:
+
+Threat models
+-------------
+
+.. include:: ../reusables/beta-note-threat-models-java.rst
+
+A threat model is a named class of dataflow sources that can be enabled or disabled independently. Threat models allow you to control the set of dataflow sources that you want to consider unsafe. For example, one codebase may only consider remote HTTP requests to be tainted, whereas another may also consider data from local files to be unsafe. You can use threat models to ensure that the relevant taint sources are used in a CodeQL analysis.
+
+The ``kind`` property of the ``sourceModel`` determines which threat model a source is associated with. There are two main categories:
+
+- ``remote`` which represents requests and responses from the network. 
+- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), and environment variables(``environment``).
+ 
+When running a CodeQL analysis, the ``remote`` threat model is included by default. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries <https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>`__ and `Customizing your advanced setup for code scanning <https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.0.rst

@@ -0,0 +1,178 @@
+.. _codeql-cli-2.10.0:
+
+==========================
+CodeQL 2.10.0 (2022-06-27)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.0 runs a total of 339 security queries when configured with the Default suite (covering 142 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 4 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The :code:`--format=stats` option of :code:`codeql generate log-summary` has been renamed to :code:`--format=overall`. It now produces a richer JSON object that, in addition to the previous statistics about the run (which can be found in the :code:`stats` property) also records the most expensive predicates in the evaluation run.
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The :code:`codeql resolve ml-model` command now requires one or more query specifications as command line arguments in order to determine the set of starting packs from which to initiate the resolution process. The command will locate all ML models in any qlpack that is a transitive dependency of any of the starting packs. Also, the output of the command has been expanded to include for each model the containing package's name, version, and path.
+    
+*   The :code:`buildMetadata` inside of compiled CodeQL packs no longer contains a :code:`creationTime` property. This was removed in order to ensure that the content of a CodeQL pack is identical when it is re-compiled.
+    
+*   The :code:`codeql pack download` command, when used with the :code:`--dir` option,
+    now downloads requested packs in directories corresponding to their version numbers. Previously,
+    :code:`codeql pack download --dir ./somewhere codeql/java-queries@0.1.2` would download the pack into the :code:`./somewhere/codeql/java-queries` directory. Now, it will download the pack into the
+    :code:`./somewhere/codeql/java-queries/0.1.2` directory. This allows you to download multiple versions of the same pack using a single command.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug where :code:`codeql pack download`, when used with the :code:`--dir` option, would not download a pack that is in the global package cache.
+    
+*   Fixed a bug where some versions of a CodeQL package could not be downloaded if there are more than 100 versions of this package in the package registry.
+    
+*   Fixed a bug where the :code:`--also-match` option for :code:`codeql resolve files` and :code:`codeql database index-files` does not work with relative paths.
+    
+*   Fixed a bug that caused :code:`codeql query decompile` to ignore the
+    :code:`--output` option when producing bytecode output (:code:`--kind=bytecode`),
+    writing only to :code:`stdout`.
+
+New Features
+~~~~~~~~~~~~
+
+*   You can now include diagnostic messages in the summary produced by the :code:`--print-diagnostics-summary` option of the
+    :code:`codeql database interpret-results` and :code:`codeql database analyze` commands by running these commands at high verbosity levels.
+
+Query Packs
+-----------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   Improved library modeling for the query "Request without certificate validation" (:code:`py/request-without-cert-validation`), so it now also covers :code:`httpx`, :code:`aiohttp.client`, and :code:`urllib3`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called :code:`provenance` has been introduced, where the allowed values are :code:`manual` and :code:`generated`. The value used to indicate whether a model as been written by hand (:code:`manual`) or create by the CSV model generator (:code:`generated`).
+*   All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
+
+Java
+""""
+
+*   The query :code:`java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`js/resource-exhaustion` query no longer treats the 3-argument version of :code:`Buffer.from` as a sink,
+    since it does not allocate a new buffer.
+
+Python
+""""""
+
+*   The query "Use of a broken or weak cryptographic algorithm" (:code:`py/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
+
+Ruby
+""""
+
+*   The query "Use of a broken or weak cryptographic algorithm" (:code:`rb/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
+
+New Queries
+~~~~~~~~~~~
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/improper-memoization`. The query finds cases where the parameter of a memoization method is not used in the memoization key.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The :code:`kind` query metadata was changed to :code:`diagnostic` on :code:`cs/compilation-error`, :code:`cs/compilation-message`, :code:`cs/extraction-error`, and :code:`cs/extraction-message`.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a :code:`class`, :code:`struct`, or :code:`union`.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 4.7.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a flow step for :code:`String.valueOf` calls on tainted :code:`android.text.Editable` objects.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   All new ECMAScript 2022 features are now supported.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+C#
+""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Golang
+""""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Java
+""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Python
+""""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Ruby
+""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.1.rst

@@ -0,0 +1,132 @@
+.. _codeql-cli-2.10.1:
+
+==========================
+CodeQL 2.10.1 (2022-07-19)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.1 runs a total of 340 security queries when configured with the Default suite (covering 143 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   Improved error message from :code:`codeql database analyze` when a query is missing :code:`@id` or :code:`@kind` query metadata.
+
+Query Packs
+-----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/cpp-all` package.
+
+C#
+""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/csharp-all` package.
+
+Java
+""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/java-all` package.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/javascript-all` package.
+
+Python
+""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/python-all` package.
+
+Ruby
+""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/ruby-all` package.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   A new query "Improper verification of intent by broadcast receiver" (:code:`java/improper-intent-verification`) has been added.
+    This query finds instances of Android :code:`BroadcastReceiver`\ s that don't verify the action string of received intents when registered to receive system intents.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`AnalysedExpr::isNullCheck` and :code:`AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
+
+Java
+""""
+
+*   Added data-flow models for :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
+*   Added :code:`Modifier.isInline()`.
+*   Removed Kotlin-specific database and QL structures for loops and :code:`break`\ /\ :code:`continue` statements. The Kotlin extractor was changed to reuse the Java structures for these constructs.
+*   Added additional flow sources for uses of external storage on Android.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`chownr` library is now modeled as a sink for the :code:`js/path-injection` query.
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+*   The :code:`gray-matter` library is now modeled as a sink for the :code:`js/code-injection` query.
+
+Python
+""""""
+
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+
+Ruby
+""""
+
+*   Fixed a bug causing every expression in the database to be considered a system-command execution sink when calls to any of the following methods exist:
+
+    *   The :code:`spawn`, :code:`fspawn`, :code:`popen4`, :code:`pspawn`, :code:`system`, :code:`_pspawn` methods and the backtick operator from the :code:`POSIX::spawn` gem.
+    *   The :code:`execute_command`, :code:`rake`, :code:`rails_command`, and :code:`git` methods in :code:`Rails::Generation::Actions`.
+    
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   The documentation of API graphs (the :code:`API` module) has been expanded, and some of the members predicates of :code:`API::Node` have been renamed as follows:
+
+    *   :code:`getAnImmediateUse` -> :code:`asSource`
+    *   :code:`getARhs` -> :code:`asSink`
+    *   :code:`getAUse` -> :code:`getAValueReachableFromSource`
+    *   :code:`getAValueReachingRhs` -> :code:`getAValueReachingSink`
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added an :code:`ErrorType` class. An instance of this class will be used if an extractor is unable to extract a type, or if an up/downgrade script is unable to provide a type.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.2.rst

@@ -0,0 +1,105 @@
+.. _codeql-cli-2.10.2:
+
+==========================
+CodeQL 2.10.2 (2022-08-02)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.2 runs a total of 341 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The option :code:`--compiler-spec` to :code:`codeql database create` (and
+    :code:`codeql database trace-command`) no longer works. It is replaced by
+    :code:`--extra-tracing-config`, which accepts a tracer configuration file in the new, Lua-based tracer configuration format instead. See
+    :code:`tools/tracer/base.lua` for the precise API available. If you need help help porting your existing compiler specification files, please file a public issue in https://github.com/github/codeql-cli-binaries,
+    or open a private ticket with GitHub support and request an escalation to engineering.
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   Versions of the CodeQL extension for Visual Studio Code released before February 2021 may not work correctly with this CLI, in particular if database upgrades are necessary. We recommend keeping your VS Code extension up-to-date.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The experimental :code:`codeql resolve ml-models` command has been deprecated. Advanced users calling this command should use the new
+    :code:`codeql resolve extensions` command instead.
+
+New Features
+~~~~~~~~~~~~
+
+*   The :code:`codeql github upload-results` command now supports a :code:`--merge` option. If this option is provided, the command will accept the paths to multiple SARIF files, and will merge those files before uploading them as a single analysis. This option is recommended *only* for backwards compatibility with old analyses produced by the CodeQL Runner, which combined the results for multiple languages into a single analysis.
+
+Query Packs
+-----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/python-all` package.
+
+New Queries
+~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   A new query "Case-sensitive middleware path" (:code:`js/case-sensitive-middleware-path`) has been added.
+    It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path.
+
+Ruby
+""""
+
+*   Added a new experimental query, :code:`rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.
+*   Added a new experimental query, :code:`rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   Under certain circumstances a variable declaration that is not also a definition could be associated with a :code:`Variable` that did not have the definition as a :code:`VariableDeclarationEntry`. This is now fixed, and a unique :code:`Variable` will exist that has both the declaration and the definition as a :code:`VariableDeclarationEntry`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The JUnit5 version of :code:`AssertNotNull` is now recognized, which removes related false positives in the nullness queries.
+*   Added data flow models for :code:`java.util.Scanner`.
+
+Ruby
+""""
+
+*   Calls to :code:`Arel.sql` are now recognised as propagating taint from their argument.
+*   Calls to :code:`ActiveRecord::Relation#annotate` are now recognized as :code:`SqlExecution`\ s so that it will be considered as a sink for queries like rb/sql-injection.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   The QL predicate :code:`Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.3.rst

@@ -0,0 +1,111 @@
+.. _codeql-cli-2.10.3:
+
+==========================
+CodeQL 2.10.3 (2022-08-15)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.3 runs a total of 342 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   When called with :code:`--start-tracing`, the :code:`codeql database init` command now accepts extractor options for the indirect tracing environment via
+    :code:`--extractor-option`. Users should continue to specify extractor options for direct tracing environments by passing them to
+    :code:`codeql database trace-command` invocations.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.
+
+Query Packs
+-----------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The query :code:`java/sensitive-log` has been improved to no longer report results that are effectively duplicates due to one source flowing to another source.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The query :code:`cpp/bad-strncpy-size` now covers more :code:`strncpy`\ -like functions than before, including :code:`strxfrm`(:code:`_l`), :code:`wcsxfrm`(:code:`_l`), and :code:`stpncpy`. Users of this query may see an increase in results.
+
+Golang
+""""""
+
+*   The query :code:`go/path-injection` no longer considers user-controlled numeric or boolean-typed data as potentially dangerous.
+
+Java
+""""
+
+*   The query :code:`java/path-injection` now recognises vulnerable APIs defined using the :code:`SinkModelCsv` class with the :code:`create-file` type. Out of the box this includes Apache Commons-IO functions, as well as any user-defined sinks.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   A new query "Android :code:`WebView` that accepts all certificates" (:code:`java/improper-webview-certificate-validation`) has been added. This query finds implementations of :code:`WebViewClient`\ s that accept all certificates in the case of an SSL error.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The IR dataflow library now includes flow through global variables. This enables new findings in many scenarios.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Improved analysis of the Android class :code:`AsyncTask` so that data can properly flow through its methods according to the life-cycle steps described here: https://developer.android.com/reference/android/os/AsyncTask#the-4-steps.
+*   Added a data-flow model for the :code:`setProperty` method of :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
+
+Python
+""""""
+
+*   Change :code:`.getASubclass()` on :code:`API::Node` so it allows to follow subclasses even if the class has a class decorator.
+
+Ruby
+""""
+
+*   Calls to methods generated by ActiveRecord associations are now recognised as instantiations of ActiveRecord objects. This increases the sensitivity of queries such as :code:`rb/sql-injection` and :code:`rb/stored-xss`.
+*   Calls to :code:`ActiveRecord::Base.create` and :code:`ActiveRecord::Base.update` are now recognised as write accesses.
+*   Arguments to :code:`Mime::Type#match?` and :code:`Mime::Type#=~` are now recognised as regular expression sources.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a predicate :code:`getValueConstant` to :code:`AttributeArgument` that yields the argument value as an :code:`Expr` when the value is a constant expression.
+*   A new class predicate :code:`MustFlowConfiguration::allowInterproceduralFlow` has been added to the :code:`semmle.code.cpp.ir.dataflow.MustFlow` library. The new predicate can be overridden to disable interprocedural flow.
+*   Added subclasses of :code:`BuiltInOperations` for :code:`__builtin_bit_cast`, :code:`__builtin_shuffle`, :code:`__has_unique_object_representations`, :code:`__is_aggregate`, and :code:`__is_assignable`.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.4.rst

@@ -0,0 +1,216 @@
+.. _codeql-cli-2.10.4:
+
+==========================
+CodeQL 2.10.4 (2022-08-31)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.4 runs a total of 352 security queries when configured with the Default suite (covering 146 CWE). The Extended suite enables an additional 106 queries (covering 30 more CWE). 12 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+There are no user-facing CLI changes in this release.
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The "Cleartext storage of sensitive information in buffer" (:code:`cpp/cleartext-storage-buffer`) query has been improved to produce fewer false positives.
+
+C#
+""
+
+*   Parameters of delegates passed to routing endpoint calls like :code:`MapGet` in ASP.NET Core are now considered remote flow sources.
+*   The query :code:`cs/unsafe-deserialization-untrusted-input` is not reporting on all calls of :code:`JsonConvert.DeserializeObject` any longer, it only covers cases that explicitly use unsafe serialization settings.
+*   Added better support for the SQLite framework in the SQL injection query.
+*   File streams are now considered stored flow sources. For example, reading query elements from a file can lead to a Second Order SQL injection alert.
+
+Java
+""""
+
+*   The query :code:`java/static-initialization-vector` no longer requires a :code:`Cipher` object to be initialized with :code:`ENCRYPT_MODE` to be considered a valid sink. Also, several new sanitizers were added.
+*   Improved sanitizers for :code:`java/sensitive-log`, which removes some false positives and improves performance a bit.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new query, :code:`java/android/implicitly-exported-component`, to detect if components are implicitly exported in the Android manifest.
+*   A new query "Use of RSA algorithm without OAEP" (:code:`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.
+*   Added a new query, :code:`java/android/debuggable-attribute-enabled`, to detect if the :code:`android:debuggable` attribute is enabled in the Android manifest.
+*   The query "Using a static initialization vector for encryption" (:code:`java/static-initialization-vector`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @artem-smotrakov <https://github.com/github/codeql/pull/6357>`__.
+*   A new query :code:`java/partial-path-traversal` finds partial path traversal vulnerabilities resulting from incorrectly using
+    :code:`String#startsWith` to compare canonical paths.
+*   Added a new query, :code:`java/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
+    too many characters.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added a new query, :code:`py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
+    too many characters.
+
+Python
+""""""
+
+*   Added a new query, :code:`py/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
+    too many characters.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/log-injection`, to detect cases where a malicious user may be able to forge log entries.
+*   Added a new query, :code:`rb/incomplete-multi-character-sanitization`. The query finds string transformations that do not replace all occurrences of a multi-character substring.
+*   Added a new query, :code:`rb/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match
+    too many characters.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The queries :code:`java/redos` and :code:`java/polynomial-redos` now have a tag for CWE-1333.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed that top-level :code:`for await` statements would produce a syntax error. These statements are now parsed correctly.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
+C#
+""
+
+*   All deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
+Golang
+""""""
+
+*   Go 1.19 is now supported, including adding new taint propagation steps for new standard-library functions introduced in this release.
+*   Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+*   Fixed data-flow to captured variable references.
+*   We now assume that if a channel-typed field is only referred to twice in the user codebase, once in a send operation and once in a receive, then data flows from the send to the receive statement. This enables finding some cross-goroutine flow.
+
+Java
+""""
+
+*   Added new flow steps for the classes :code:`java.nio.file.Path` and :code:`java.nio.file.Paths`.
+*   The class :code:`AndroidFragment` now also models the Android Jetpack version of the :code:`Fragment` class (:code:`androidx.fragment.app.Fragment`).
+*   Java 19 builds can now be extracted. There are no non-preview new language features in this release, so the only user-visible change is that the CodeQL extractor will now correctly trace compilations using the JDK 19 release of :code:`javac`.
+*   Classes and methods that are seen with several different paths during the extraction process (for example, packaged into different JAR files) now report an arbitrarily selected location via their :code:`getLocation` and :code:`hasLocationInfo` predicates, rather than reporting all of them. This may lead to reduced alert duplication.
+*   The query :code:`java/hardcoded-credential-api-call` now recognises methods that consume usernames, passwords and keys from the JSch, Ganymed, Apache SSHD, sshj, Trilead SSH-2, Apache FTPClient and MongoDB projects.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
+Python
+""""""
+
+*   Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+
+Ruby
+""""
+
+*   Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
+*   Calls to :code:`render` in Rails controllers and views are now recognized as HTTP response bodies.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+C#
+""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Java
+""""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+*   The utility files previously in the :code:`semmle.code.java.security.performance` package have been moved to the :code:`semmle.code.java.security.regexp` package.
+    
+    The previous files still exist as deprecated aliases.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+*   The utility files previously in the :code:`semmle.javascript.security.performance` package have been moved to the :code:`semmle.javascript.security.regexp` package.
+    
+    The previous files still exist as deprecated aliases.
+
+Python
+""""""
+
+*   Many classes/predicates/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+*   The utility files previously in the :code:`semmle.python.security.performance` package have been moved to the :code:`semmle.python.security.regexp` package.
+    
+    The previous files still exist as deprecated aliases.
+
+Ruby
+""""
+
+*   The utility files previously in the :code:`codeql.ruby.security.performance` package have been moved to the :code:`codeql.ruby.security.regexp` package.
+    
+    The previous files still exist as deprecated aliases.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added support for getting the link targets of global and namespace variables.
+*   Added a :code:`BlockAssignExpr` class, which models a :code:`memcpy`\ -like operation used in compiler generated copy/move constructors and assignment operations.
+
+Java
+""""
+
+*   Added a new predicate, :code:`requiresPermissions`, in the :code:`AndroidComponentXmlElement` and :code:`AndroidApplicationXmlElement` classes to detect if the element has explicitly set a value for its :code:`android:permission` attribute.
+*   Added a new predicate, :code:`hasAnIntentFilterElement`, in the :code:`AndroidComponentXmlElement` class to detect if a component contains an intent filter element.
+*   Added a new predicate, :code:`hasExportedAttribute`, in the :code:`AndroidComponentXmlElement` class to detect if a component has an :code:`android:exported` attribute.
+*   Added a new class, :code:`AndroidCategoryXmlElement`, to represent a category element in an Android manifest file.
+*   Added a new predicate, :code:`getACategoryElement`, in the :code:`AndroidIntentFilterXmlElement` class to get a category element of an intent filter.
+*   Added a new predicate, :code:`isInBuildDirectory`, in the :code:`AndroidManifestXmlFile` class. This predicate detects if the manifest file is located in a build directory.
+*   Added a new predicate, :code:`isDebuggable`, in the :code:`AndroidApplicationXmlElement` class. This predicate detects if the application element has its :code:`android:debuggable` attribute enabled.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.5.rst

@@ -0,0 +1,20 @@
+.. _codeql-cli-2.10.5:
+
+==========================
+CodeQL 2.10.5 (2022-09-13)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   You can now define which registries should be used for downloading and publishing CodeQL packs on a per-workspace basis by creating a :code:`codeql-workspace.yml` file and adding a :code:`registries` block. For more infomation, see `About CodeQL Workspaces <https://codeql.github.com/docs/codeql-cli/about-codeql-workspaces/>`__.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.0.rst

@@ -0,0 +1,365 @@
+.. _codeql-cli-2.11.0:
+
+==========================
+CodeQL 2.11.0 (2022-09-28)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.11.0 runs a total of 353 security queries when configured with the Default suite (covering 148 CWE). The Extended suite enables an additional 109 queries (covering 30 more CWE). 4 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The CodeQL CLI now uses Python 3 to extract both Python 2 and Python 3 databases. Correspondingly, support for using Python 2 to extract Python databases is now deprecated. Starting with version 2.11.3, you will need to install Python 3 to extract Python databases.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is bundled with the CodeQL CLI has been updated to version 17.0.4.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Fixed a bug in the :code:`js/type-confusion-through-parameter-tampering` query that would cause it to ignore sanitizers in branching conditions. The query should now report fewer false positives.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Modernizations from "Cleartext storage of sensitive information in buffer" (:code:`cpp/cleartext-storage-buffer`) have been ported to the "Cleartext storage of sensitive information in file" (:code:`cpp/cleartext-storage-file`), "Cleartext transmission of sensitive information" (:code:`cpp/cleartext-transmission`) and "Cleartext storage of sensitive information in an SQLite database" (:code:`cpp/cleartext-storage-database`) queries. These changes may result in more correct results and fewer false positive results from these queries.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+C#
+""
+
+*   A new extractor option has been introduced for disabling CIL extraction. Either pass :code:`-Ocil=false` to the :code:`codeql` CLI or set the environment variable :code:`CODEQL_EXTRACTOR_CSHARP_OPTION_CIL=false`.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+Golang
+""""""
+
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+Java
+""""
+
+*   The Java extractor now populates the :code:`Method` relating to a :code:`MethodAccess` consistently for calls using an explicit and implicit :code:`this` qualifier. Previously if the method :code:`foo` was inherited from a specialised generic type :code:`ParentType<String>`, then an explicit call :code:`this.foo()` would yield a :code:`MethodAccess` whose :code:`getMethod()` accessor returned the bound method :code:`ParentType<String>.foo`, whereas an implicitly-qualified :code:`foo()` :code:`MethodAccess`\ 's :code:`getMethod()` would return the unbound method :code:`ParentType.foo`. Now both scenarios produce a bound method. This means that all data-flow queries may return more results where a relevant path transits a call to such an implicitly-qualified call to a member method with a bound generic type, while queries that inspect the result of :code:`MethodAccess.getMethod()` may need to tolerate bound generic methods in more circumstances. The queries :code:`java/iterator-remove-failure`, :code:`java/non-static-nested-class`, :code:`java/internal-representation-exposure`, :code:`java/subtle-inherited-call` and :code:`java/deprecated-call` have been amended to properly handle calls to bound generic methods, and in some instances may now produce more results in the explicit-\ :code:`this` case as well.
+*   Added taint model for arguments of :code:`java.net.URI` constructors to the queries :code:`java/path-injection` and :code:`java/path-injection-local`.
+*   Added new sinks related to Android's :code:`AlarmManager` to the query :code:`java/android/implicit-pendingintents`.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Improved how the JavaScript parser handles ambiguities between plain JavaScript and dialects such as Flow and E4X that use the same file extension. The parser now prefers plain JavaScript if possible, falling back to dialects only if the source code can not be parsed as plain JavaScript. Previously, there were rare cases where parsing would fail because the parser would erroneously attempt to parse dialect-specific syntax in a regular JavaScript file.
+*   The :code:`js/regexp/always-matches` query will no longer report an empty regular expression as always matching, as this is often the intended behavior.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+Python
+""""""
+
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+Ruby
+""""
+
+*   The :code:`rb/unsafe-deserialization` query now includes alerts for user-controlled data passed to :code:`Hash.from_trusted_xml`, since that method can deserialize YAML embedded in the XML, which in turn can result in deserialization of arbitrary objects.
+*   The alert message of many queries have been changed to make the message consistent with other languages.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a new medium-precision query, :code:`cpp/missing-check-scanf`, which detects :code:`scanf` output variables that are used without a proper return-value check to see that they were actually written. A variation of this query was originally contributed as an `experimental query by @ihsinme <https://github.com/github/codeql/pull/8246>`__.
+
+Java
+""""
+
+*   The query "Server-side template injection" (:code:`java/server-side-template-injection`) has been promoted from experimental to the main query pack. This query was originally `submitted as an experimental query by @porcupineyhairs <https://github.com/github/codeql/pull/5935>`__.
+*   Added a new query, :code:`java/android/backup-enabled`, to detect if Android applications allow backups.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/hardcoded-data-interpreted-as-code`, to detect cases where hardcoded data is executed as code, a technique associated with backdoors.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+Golang
+""""""
+
+*   Added the :code:`security-severity` tag and CWE tag to the :code:`go/insecure-hostkeycallback` query.
+
+Java
+""""
+
+*   Removed the :code:`@security-severity` tag from several queries not in the :code:`Security/` folder that also had missing :code:`security` tags.
+
+Python
+""""""
+
+*   Added the :code:`security-severity` tag the :code:`py/redos`, :code:`py/polynomial-redos`, and :code:`py/regex-injection` queries.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+C#
+""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Java
+""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Python
+""""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Ruby
+""""
+
+*   Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The :code:`Member.getQualifiedName()` predicate result now includes the qualified name of the declaring type.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Many library models have been rewritten to use dataflow nodes instead of the AST.
+    The types of some classes have been changed, and these changes may break existing code.
+    Other classes and predicates have been renamed, in these cases the old name is still available as a deprecated feature.
+*   The basetype of the following list of classes has changed from an expression to a dataflow node, and thus code using these classes might break.
+    The fix to these breakages is usually to use :code:`asExpr()` to get an expression from a dataflow node, or to use :code:`.flow()` to get a dataflow node from an expression.
+
+    *   DOM.qll#WebStorageWrite
+    *   CryptoLibraries.qll#CryptographicOperation
+    *   Express.qll#Express::RequestBodyAccess
+    *   HTTP.qll#HTTP::ResponseBody
+    *   HTTP.qll#HTTP::CookieDefinition
+    *   HTTP.qll#HTTP::ServerDefinition
+    *   HTTP.qll#HTTP::RouteSetup
+    *   NoSQL.qll#NoSql::Query
+    *   SQL.qll#SQL::SqlString
+    *   SQL.qll#SQL::SqlSanitizer
+    *   HTTP.qll#ResponseBody
+    *   HTTP.qll#CookieDefinition
+    *   HTTP.qll#ServerDefinition
+    *   HTTP.qll#RouteSetup
+    *   HTTP.qll#HTTP::RedirectInvocation
+    *   HTTP.qll#RedirectInvocation
+    *   Express.qll#Express::RouterDefinition
+    *   AngularJSCore.qll#LinkFunction
+    *   Connect.qll#Connect::StandardRouteHandler
+    *   CryptoLibraries.qll#CryptographicKeyCredentialsExpr
+    *   AWS.qll#AWS::Credentials
+    *   Azure.qll#Azure::Credentials
+    *   Connect.qll#Connect::Credentials
+    *   DigitalOcean.qll#DigitalOcean::Credentials
+    *   Express.qll#Express::Credentials
+    *   NodeJSLib.qll#NodeJSLib::Credentials
+    *   PkgCloud.qll#PkgCloud::Credentials
+    *   Request.qll#Request::Credentials
+    *   ServiceDefinitions.qll#InjectableFunctionServiceRequest
+    *   SensitiveActions.qll#SensitiveVariableAccess
+    *   SensitiveActions.qll#CleartextPasswordExpr
+    *   Connect.qll#Connect::ServerDefinition
+    *   Restify.qll#Restify::ServerDefinition
+    *   Connect.qll#Connect::RouteSetup
+    *   Express.qll#Express::RouteSetup
+    *   Fastify.qll#Fastify::RouteSetup
+    *   Hapi.qll#Hapi::RouteSetup
+    *   Koa.qll#Koa::RouteSetup
+    *   Restify.qll#Restify::RouteSetup
+    *   NodeJSLib.qll#NodeJSLib::RouteSetup
+    *   Express.qll#Express::StandardRouteHandler
+    *   Express.qll#Express::SetCookie
+    *   Hapi.qll#Hapi::RouteHandler
+    *   HTTP.qll#HTTP::Servers::StandardHeaderDefinition
+    *   HTTP.qll#Servers::StandardHeaderDefinition
+    *   Hapi.qll#Hapi::ServerDefinition
+    *   Koa.qll#Koa::AppDefinition
+    *   SensitiveActions.qll#SensitiveCall
+
+Ruby
+""""
+
+*   :code:`import ruby` no longer brings the standard Ruby AST library into scope; it instead brings a module :code:`Ast` into scope, which must be imported. Alternatively, it is also possible to import :code:`codeql.ruby.AST`.
+*   Changed the :code:`HTTP::Client::Request` concept from using :code:`MethodCall` as base class, to using :code:`DataFlow::Node` as base class. Any class that extends :code:`HTTP::Client::Request::Range` must be changed, but if you only use the member predicates of :code:`HTTP::Client::Request`, no changes are required.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The virtual dispatch relation used in data flow now favors summary models over source code for dispatch to interface methods from :code:`java.util` unless there is evidence that a specific source implementation is reachable. This should provide increased precision for any projects that include, for example, custom :code:`List` or :code:`Map` implementations.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 4.8.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added new sinks to the query :code:`java/android/implicit-pendingintents` to take into account the classes :code:`androidx.core.app.NotificationManagerCompat` and :code:`androidx.core.app.AlarmManagerCompat`.
+*   Added new flow steps for :code:`androidx.core.app.NotificationCompat` and its inner classes.
+*   Added flow sinks, sources and summaries for the Kotlin standard library.
+*   Added flow summary for :code:`org.springframework.data.repository.CrudRepository.save()`.
+*   Added new flow steps for the following Android classes:
+
+    *   :code:`android.content.ContentResolver`
+    *   :code:`android.content.ContentProviderClient`
+    *   :code:`android.content.ContentProviderOperation`
+    *   :code:`android.content.ContentProviderOperation$Builder`
+    *   :code:`android.content.ContentProviderResult`
+    *   :code:`android.database.Cursor`
+    
+*   Added taint flow models for the :code:`java.lang.String.(charAt|getBytes)` methods.
+*   Improved taint flow models for the :code:`java.lang.String.(replace|replaceFirst|replaceAll)` methods. Additional results may be found where users do not properly sanitize their inputs.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   A model for the :code:`mermaid` library has been added. XSS queries can now detect flow through the :code:`render` method of the :code:`mermaid` library.
+
+Python
+""""""
+
+*   Changed :code:`CallNode.getArgByName` such that it has results for keyword arguments given after a dictionary unpacking argument, as the :code:`bar=2` argument in :code:`func(foo=1, **kwargs, bar=2)`.
+*   :code:`getStarArg` member-predicate on :code:`Call` and :code:`CallNode` has been changed for calls that have multiple :code:`*args` arguments (for example :code:`func(42, *my_args, *other_args)`): Instead of producing no results, it will always have a result for the *first* such :code:`*args` argument.
+*   Reads of global/non-local variables (without annotations) inside functions defined on classes now works properly in the case where the class had an attribute defined with the same name as the non-local variable.
+
+Ruby
+""""
+
+*   Uses of :code:`ActionView::FileSystemResolver` are now recognized as filesystem accesses.
+*   Accesses of ActiveResource models are now recognized as HTTP requests.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+C#
+""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Golang
+""""""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Java
+""""
+
+*   The predicate :code:`Annotation.getAValue()` has been deprecated because it might lead to obtaining the value of the wrong annotation element by accident. :code:`getValue(string)` (or one of the value type specific predicates) should be used to explicitly specify the name of the annotation element.
+*   The predicate :code:`Annotation.getAValue(string)` has been renamed to :code:`getAnArrayValue(string)`.
+*   The predicate :code:`SuppressWarningsAnnotation.getASuppressedWarningLiteral()` has been deprecated because it unnecessarily restricts the result type; :code:`getASuppressedWarning()` should be used instead.
+*   The predicates :code:`TargetAnnotation.getATargetExpression()` and :code:`RetentionAnnotation.getRetentionPolicyExpression()` have been deprecated because getting the enum constant read expression is rarely useful, instead the corresponding predicates for getting the name of the referenced enum constants should be used.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Python
+""""""
+
+*   Some unused predicates in :code:`SsaDefinitions.qll`, :code:`TObject.qll`, :code:`protocols.qll`, and the :code:`pointsto/` folder have been deprecated.
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+Ruby
+""""
+
+*   Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide.
+    The old name still exists as a deprecated alias.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added subclasses of :code:`BuiltInOperations` for :code:`__is_same`, :code:`__is_function`, :code:`__is_layout_compatible`, :code:`__is_pointer_interconvertible_base_of`, :code:`__is_array`, :code:`__array_rank`, :code:`__array_extent`, :code:`__is_arithmetic`, :code:`__is_complete_type`, :code:`__is_compound`, :code:`__is_const`, :code:`__is_floating_point`, :code:`__is_fundamental`, :code:`__is_integral`, :code:`__is_lvalue_reference`, :code:`__is_member_function_pointer`, :code:`__is_member_object_pointer`, :code:`__is_member_pointer`, :code:`__is_object`, :code:`__is_pointer`, :code:`__is_reference`, :code:`__is_rvalue_reference`, :code:`__is_scalar`, :code:`__is_signed`, :code:`__is_unsigned`, :code:`__is_void`, and :code:`__is_volatile`.
+
+Java
+""""
+
+*   Added a new predicate, :code:`allowsBackup`, in the :code:`AndroidApplicationXmlElement` class. This predicate detects if the application element does not disable the :code:`android:allowBackup` attribute.
+*   The predicates of the CodeQL class :code:`Annotation` have been improved:
+
+    *   Convenience value type specific predicates have been added, such as :code:`getEnumConstantValue(string)` or :code:`getStringValue(string)`.
+    *   Convenience predicates for elements with array values have been added, such as :code:`getAnEnumConstantArrayValue(string)`. While the behavior of the existing predicates has not changed, usage of them should be reviewed (or replaced with the newly added predicate) to make sure they work correctly for elements with array values.
+    *   Some internal CodeQL usage of the :code:`Annotation` predicates has been adjusted and corrected; this might affect the results of some queries.
+    
+*   New predicates have been added to the CodeQL class :code:`Annotatable` to support getting declared and associated annotations. As part of that, :code:`hasAnnotation()` has been changed to also consider inherited annotations, to be consistent with :code:`hasAnnotation(string, string)` and :code:`getAnAnnotation()`. The newly added predicate :code:`hasDeclaredAnnotation()` can be used as replacement for the old functionality.
+*   New predicates have been added to the CodeQL class :code:`AnnotationType` to simplify getting information about usage of JDK meta-annotations, such as :code:`@Retention`.
+
+Shared Libraries
+----------------
+
+Initial Release
+~~~~~~~~~~~~~~~
+
+Static Single Assignment (SSA)
+""""""""""""""""""""""""""""""
+
+*   Initial release. Extracted common SSA code into a library pack to share code between languages.
+
+Database of Common Typographical Errors
+"""""""""""""""""""""""""""""""""""""""
+
+*   Initial release. Share the database of common typographical errors between languages.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.1.rst

@@ -0,0 +1,145 @@
+.. _codeql-cli-2.11.1:
+
+==========================
+CodeQL 2.11.1 (2022-10-11)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.11.1 runs a total of 354 security queries when configured with the Default suite (covering 148 CWE). The Extended suite enables an additional 109 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   Pack installation using the CodeQL Packaging beta will now fail if a compatible version cannot be found. This replaces the previous behavior where :code:`codeql pack download` and related commands would instead install the latest version of the pack in this situation.
+
+Bug Fixes
+~~~~~~~~~
+
+*   It is no longer an error to call :code:`codeql pack create <path>` with a :code:`<path>` option pointing to a file name. The CLI will walk up the directory tree and run the command in the first directory containing the :code:`qlpack.yml` or :code:`codeql-pack.yml` file.
+*   Fixed a concurrency error observed when using :code:`codeql database import` or
+    :code:`codeql database finalize` with multiple threads and multiple additional databases on a C++ codebase.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The :code:`--[no-]count-lines` option to :code:`codeql database create` and related commands is now deprecated and will be removed in a future release of the CodeQL CLI (earliest 2.12.0). It is replaced by
+    :code:`--[no-]calculate-baseline` to reflect the additional baseline information that is now captured as of this release.
+
+New Features
+~~~~~~~~~~~~
+
+*   Subcommands that compile QL accept a new :code:`--no-release-compatibility` option. It does nothing for now, but in the future it will be used to control a trade-off between query performance and compatibility with older/newer releases of the QL evaluator.
+*   :code:`codeql database analyze` and related commands now support absolute paths containing the :code:`@` or :code:`:` characters when specifying which queries to run. To reference a query file, directory, or suite whose path contains a literal :code:`@` or :code:`:`, prefix the query specifier with :code:`path:`, for example:
+
+    ..  code-block:: shell
+    
+            codeql database analyze --format=sarif-latest --output=results <db> path:C:/Users/ci/workspace@2/security/query.ql
+
+Query Packs
+-----------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
+C#
+""
+
+*   The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+
+Java
+""""
+
+*   The alert message of many queries have been changed to better follow the style guide and make the message consistent with other languages.
+*   :code:`PathSanitizer.qll` has been promoted from experimental to the main query pack. This sanitizer was originally `submitted as part of an experimental query by @luchua-bc <https://github.com/github/codeql/pull/7286>`__.
+*   The queries :code:`java/path-injection`, :code:`java/path-injection-local` and :code:`java/zipslip` now use the sanitizers provided by :code:`PathSanitizer.qll`.
+
+Ruby
+""""
+
+*   The :code:`rb/xxe` query has been updated to add the following sinks for XML external entity expansion:
+
+    #.  Calls to parse XML using :code:`LibXML` when its :code:`default_substitute_entities` option is enabled.
+    #.  Uses of the Rails methods :code:`ActiveSupport::XmlMini.parse`, :code:`Hash.from_xml`, and :code:`Hash.from_trusted_xml` when :code:`ActiveSupport::XmlMini` is configured to use :code:`LibXML` as its backend, and its :code:`default_substitute_entities` option is enabled.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new query, :code:`java/android/webview-debugging-enabled`, to detect instances of WebView debugging being enabled in production builds.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   :code:`DateTime` expressions are now considered simple type sanitizers. This affects a wide range of security queries.
+*   ASP.NET Core controller definition has been made more precise. The amount of introduced taint sources or eliminated false positives should be low though, since the most common pattern is to derive all user defined ASP.NET Core controllers from the standard Controller class, which is not affected.
+
+Golang
+""""""
+
+*   Added support for :code:`BeegoInput.RequestBody` as a source of untrusted data.
+
+Java
+""""
+
+*   Added external flow sources for the intents received in exported Android services.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Several of the SQL and NoSQL library models have improved, leading to more results for the :code:`js/sql-injection` query,
+    and in some cases the :code:`js/missing-rate-limiting` query.
+
+Python
+""""""
+
+*   Added the ability to refer to subscript operations in the API graph. It is now possible to write :code:`response().getMember("cookies").getASubscript()` to find code like :code:`resp.cookies["key"]` (assuming :code:`response` returns an API node for response objects).
+*   Added modeling of creating Flask responses with :code:`flask.jsonify`.
+
+Ruby
+""""
+
+*   The following classes have been moved from :code:`codeql.ruby.frameworks.ActionController` to :code:`codeql.ruby.frameworks.Rails`\ :
+
+    *   :code:`ParamsCall`, now accessed as :code:`Rails::ParamsCall`.
+    *   :code:`CookieCall`, now accessed as :code:`Rails::CookieCall`.
+    
+*   The following classes have been moved from :code:`codeql.ruby.frameworks.ActionView` to :code:`codeql.ruby.frameworks.Rails`\ :
+
+    *   :code:`HtmlSafeCall`, now accessed as :code:`Rails::HtmlSafeCall`.
+    *   :code:`HtmlEscapeCall`, now accessed as :code:`Rails::HtmlEscapeCall`.
+    *   :code:`RenderCall`, now accessed as :code:`Rails::RenderCall`.
+    *   :code:`RenderToCall`, now accessed as :code:`Rails::RenderToCall`.
+    
+*   Subclasses of :code:`ActionController::Metal` are now recognised as controllers.
+*   :code:`ActionController::DataStreaming::send_file` is now recognized as a
+    :code:`FileSystemAccess`.
+*   Various XSS sinks in the ActionView library are now recognized.
+*   Calls to :code:`ActiveRecord::Base.create` are now recognized as model instantiations.
+*   Various code executions, command executions and HTTP requests in the ActiveStorage library are now recognized.
+*   :code:`MethodBase` now has two new predicates related to visibility: :code:`isPublic` and
+    :code:`isProtected`. These hold, respectively, if the method is public or protected.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.11.2.rst

@@ -0,0 +1,175 @@
+.. _codeql-cli-2.11.2:
+
+==========================
+CodeQL 2.11.2 (2022-10-25)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.11.2 runs a total of 357 security queries when configured with the Default suite (covering 150 CWE). The Extended suite enables an additional 111 queries (covering 31 more CWE). 5 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   Bundling and publishing a CodeQL pack will no longer include nested CodeQL packs. If you want to include a nested pack in your published pack,
+    then you must explicitly include it using the :code:`include` property in the top-level :code:`qlpack.yml` file.
+    
+    For example, if your package structure looks like this:
+
+    ..  code-block:: text
+    
+        qlpack.yml
+        nested-pack
+           ∟ qlpack.yml
+             query.ql
+        
+    then the contents of :code:`nested-pack` will not be included by default within the published package. To include :code:`nested-pack`, add an entry like this to the top level :code:`qlpack.yml` file:
+
+    ..  code-block:: yaml
+    
+        include:
+          - nested-pack/**
+
+Bug Fixes
+~~~~~~~~~
+
+*   Using the :code:`--codescanning-config=<file>` option in
+    :code:`codeql database init` will now correctly process the :code:`paths` and
+    :code:`pathsIgnore` properties of the configuration file in a way that is identical to the behavior of the :code:`codeql-action`. Previously, :code:`paths` or :code:`pathsIgnore` entries that end in :code:`/**` or start with :code:`/`  were incorrectly rejected by the CLI.
+    
+*   Fixed a bug where the :code:`--compilation-cache` option to
+    :code:`codeql pack publish` and :code:`codeql pack create` was being ignored when creating a query pack.  Now, the indicated cache is used when pre-compiling the queries in it.
+    
+*   Fixed a bug that would make the "Show DIL" command in the VSCode extension display nothing.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   Emit a detailed warning if package resolution fails, the legacy
+    :code:`--search-path` option is provided, *and* there is at least one referenced pack that does not use legacy package resolution.
+    In this case, :code:`--additional-packs` should be used to extend the search to additional directories, instead of :code:`--search-path`.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+Python
+""""""
+
+*   Fixed how :code:`flask.request` is modeled as a RemoteFlowSource, such that we show fewer duplicated alert messages for Code Scanning alerts. The import, such as :code:`from flask import request`, will now be shown as the first step in a path explanation.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The "Unterminated variadic call" (:code:`cpp/unterminated-variadic-call`) query has been tuned to produce fewer false positive results.
+*   Fixed false positives from the "Unused static function" (:code:`cpp/unused-static-function`) query in files that had errors during compilation.
+
+Golang
+""""""
+
+*   The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Removed some false positives from the :code:`js/file-system-race` query by requiring that the file-check dominates the file-access.
+*   Improved taint tracking through :code:`JSON.stringify` in cases where a tainted value is stored somewhere in the input object.
+
+Python
+""""""
+
+*   Added model of :code:`cx_Oracle`, :code:`oracledb`, :code:`phonenixdb` and :code:`pyodbc` PyPI packages as a SQL interface following PEP249, resulting in additional sinks for :code:`py/sql-injection`.
+*   Added model of :code:`executemany` calls on PEP-249 compliant database APIs, resulting in additional sinks for :code:`py/sql-injection`.
+*   Added model of :code:`pymssql` PyPI package as a SQL interface following PEP249, resulting in additional sinks for :code:`py/sql-injection`.
+*   The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
+
+Ruby
+""""
+
+*   HTTP response header and body writes via :code:`ActionDispatch::Response` are now recognized.
+*   The :code:`rb/path-injection` query now treats the :code:`file:` argument of the Rails :code:`render` method as a sink.
+*   The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
+
+New Queries
+~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a new medium-precision query, :code:`cpp/comma-before-misleading-indentation`, which detects instances of whitespace that have readability issues.
+
+Java
+""""
+
+*   Added a new query, :code:`java/android/incomplete-provider-permissions`, to detect if an Android ContentProvider is not protected with a correct set of permissions.
+*   A new query "Uncontrolled data used in content resolution" (:code:`java/androd/unsafe-content-uri-resolution`) has been added. This query finds paths from user-provided data to URI resolution operations in Android's :code:`ContentResolver` without previous validation or sanitization.
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/non-constant-kernel-open`, to detect uses of Kernel.open and related methods with non-constant values.
+*   Added a new query, :code:`rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP :code:`GET` request.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added support for common patterns involving :code:`Stream.collect` and common collectors like :code:`Collectors.toList()`.
+*   The class :code:`TypeVariable` now also extends :code:`Modifiable`.
+*   Added data flow steps for tainted Android intents that are sent to services and receivers.
+*   Improved the data flow step for tainted Android intents that are sent to activities so that more cases are covered.
+
+Python
+""""""
+
+*   Fixed labels in the API graph pertaining to definitions of subscripts. Previously, these were found by :code:`getMember` rather than :code:`getASubscript`.
+*   Added edges for indices of subscripts to the API graph. Now a subscripted API node will have an edge to the API node for the index expression. So if :code:`foo` is matched by API node :code:`A`, then :code:`"key"` in :code:`foo["key"]` will be matched by the API node :code:`A.getIndex()`. This can be used to track the origin of the index.
+*   Added member predicate :code:`getSubscriptAt(API::Node index)` to :code:`API::Node`. Like :code:`getASubscript()`, this will return an API node that matches a subscript of the node, but here it will be restricted to subscripts where the index matches the :code:`index` parameter.
+*   Added convenience predicate :code:`getSubscript("key")` to obtain a subscript at a specific index, when the index happens to be a statically known string.
+
+Ruby
+""""
+
+*   The hashing algorithms from :code:`Digest` and :code:`OpenSSL::Digest` are now recognized and can be flagged by the :code:`rb/weak-cryptographic-algorithm` query.
+*   More sources of remote input arising from methods on :code:`ActionDispatch::Request` are now recognized.
+*   The response value returned by the :code:`Faraday#run_request` method is now also considered a source of remote input.
+*   :code:`ActiveJob::Serializers.deserialize` is considered to be a code execution sink.
+*   Calls to :code:`params` in :code:`ActionMailer` classes are now treated as sources of remote user input.
+*   Taint flow through :code:`ActionController::Parameters` is tracked more accurately.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Deprecated :code:`ContextStartActivityMethod`. Use :code:`StartActivityMethod` instead.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a new predicate, :code:`hasIncompletePermissions`, in the :code:`AndroidProviderXmlElement` class. This predicate detects if a provider element does not provide both read and write permissions.