Merge pull request #15153 from github/post-release-prep/codeql-cli-2.15.5

Post-release preparation for codeql-cli-2.15.5

cpp/downgrades/0a9eb01d3650642e013eb86be45d952289537f91/upgrade.properties

@@ -0,0 +1,3 @@
+description: Expose whether a function was prototyped or not
+compatibility: backwards
+function_prototyped.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.12.2
+
+No user-facing changes.
+
+## 0.12.1
+
+### New Features
+
+* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.
+
 ## 0.12.0
 
 ### Breaking Changes

cpp/ql/lib/change-notes/released/0.12.1.md

@@ -0,0 +1,5 @@
+## 0.12.1
+
+### New Features
+
+* Added an `isPrototyped` predicate to `Function` that holds when the function has a prototype.

cpp/ql/lib/change-notes/released/0.12.2.md

@@ -0,0 +1,3 @@
+## 0.12.2
+
+No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.12.0
+lastReleaseVersion: 0.12.2

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.12.1-dev
+version: 0.12.3-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -112,6 +112,16 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
    */
   predicate isDeleted() { function_deleted(underlyingElement(this)) }
 
+  /**
+   * Holds if this function has a prototyped interface.
+   *
+   * Functions generally have a prototyped interface, unless they are
+   * K&R-style functions either without any forward function declaration,
+   * or with all the forward declarations omitting the parameters of the
+   * function.
+   */
+  predicate isPrototyped() { function_prototyped(underlyingElement(this)) }
+
   /**
    * Holds if this function is explicitly defaulted with the `= default`
    * specifier.

cpp/ql/lib/semmle/code/cpp/ir/implementation/internal/TOperand.qll

@@ -23,9 +23,8 @@ private module Internal {
   newtype TOperand =
     // RAW
     TRegisterOperand(TRawInstruction useInstr, RegisterOperandTag tag, TRawInstruction defInstr) {
-      defInstr = RawConstruction::getRegisterOperandDefinition(useInstr, tag) and
-      not RawConstruction::isInCycle(useInstr) and
-      strictcount(RawConstruction::getRegisterOperandDefinition(useInstr, tag)) = 1
+      defInstr = unique( | | RawConstruction::getRegisterOperandDefinition(useInstr, tag)) and
+      not RawConstruction::isInCycle(useInstr)
     } or
     // Placeholder for Phi and Chi operands in stages that don't have the corresponding instructions
     TNoOperand() { none() } or

cpp/ql/lib/semmle/code/cpp/models/implementations/StdContainer.qll

@@ -123,7 +123,7 @@ private class StdSequenceContainerData extends TaintFunction {
 /**
  * The standard container functions `push_back` and `push_front`.
  */
-private class StdSequenceContainerPush extends TaintFunction {
+class StdSequenceContainerPush extends MemberFunction {
   StdSequenceContainerPush() {
     this.getClassAndName("push_back") instanceof Vector or
     this.getClassAndName(["push_back", "push_front"]) instanceof Deque or
@@ -131,6 +131,17 @@ private class StdSequenceContainerPush extends TaintFunction {
     this.getClassAndName(["push_back", "push_front"]) instanceof List
   }
 
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceContainerPushModel extends StdSequenceContainerPush, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to qualifier
     input.isParameterDeref(0) and
@@ -160,7 +171,7 @@ private class StdSequenceContainerFrontBack extends TaintFunction {
 /**
  * The standard container functions `insert` and `insert_after`.
  */
-private class StdSequenceContainerInsert extends TaintFunction {
+class StdSequenceContainerInsert extends MemberFunction {
   StdSequenceContainerInsert() {
     this.getClassAndName("insert") instanceof Deque or
     this.getClassAndName("insert") instanceof List or
@@ -181,7 +192,9 @@ private class StdSequenceContainerInsert extends TaintFunction {
    * Gets the index of a parameter to this function that is an iterator.
    */
   int getAnIteratorParameterIndex() { this.getParameter(result).getType() instanceof Iterator }
+}
 
+private class StdSequenceContainerInsertModel extends StdSequenceContainerInsert, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from parameter to container itself (qualifier) and return value
     (
@@ -253,11 +266,28 @@ private class StdSequenceContainerAt extends TaintFunction {
 }
 
 /**
- * The standard vector `emplace` function.
+ * The standard `emplace` function.
  */
-class StdVectorEmplace extends TaintFunction {
-  StdVectorEmplace() { this.getClassAndName("emplace") instanceof Vector }
+class StdSequenceEmplace extends MemberFunction {
+  StdSequenceEmplace() {
+    this.getClassAndName("emplace") instanceof Vector
+    or
+    this.getClassAndName("emplace") instanceof List
+    or
+    this.getClassAndName("emplace") instanceof Deque
+  }
 
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceEmplaceModel extends StdSequenceEmplace, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter except the position iterator to qualifier and return value
     // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -269,12 +299,36 @@ class StdVectorEmplace extends TaintFunction {
   }
 }
 
+/**
+ * The standard vector `emplace` function.
+ */
+class StdVectorEmplace extends StdSequenceEmplace {
+  StdVectorEmplace() { this.getDeclaringType() instanceof Vector }
+}
+
 /**
  * The standard vector `emplace_back` function.
  */
-class StdVectorEmplaceBack extends TaintFunction {
-  StdVectorEmplaceBack() { this.getClassAndName("emplace_back") instanceof Vector }
+class StdSequenceEmplaceBack extends MemberFunction {
+  StdSequenceEmplaceBack() {
+    this.getClassAndName("emplace_back") instanceof Vector
+    or
+    this.getClassAndName("emplace_back") instanceof List
+    or
+    this.getClassAndName("emplace_back") instanceof Deque
+  }
 
+  /**
+   * Gets the index of a parameter to this function that is a reference to the
+   * value type of the container.
+   */
+  int getAValueTypeParameterIndex() {
+    this.getParameter(result).getUnspecifiedType().(ReferenceType).getBaseType() =
+      this.getDeclaringType().getTemplateArgument(0).(Type).getUnspecifiedType() // i.e. the `T` of this `std::vector<T>`
+  }
+}
+
+private class StdSequenceEmplaceBackModel extends StdSequenceEmplaceBack, TaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from any parameter to qualifier
     // (here we assume taint flow from any constructor parameter to the constructed object)
@@ -282,3 +336,10 @@ class StdVectorEmplaceBack extends TaintFunction {
     output.isQualifierObject()
   }
 }
+
+/**
+ * The standard vector `emplace_back` function.
+ */
+class StdVectorEmplaceBack extends StdSequenceEmplaceBack {
+  StdVectorEmplaceBack() { this.getDeclaringType() instanceof Vector }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/StdString.qll

@@ -99,9 +99,11 @@ private class StdStringConstructor extends Constructor, StdStringTaintFunction {
 /**
  * The `std::string` function `c_str`.
  */
-private class StdStringCStr extends StdStringTaintFunction {
+class StdStringCStr extends MemberFunction {
   StdStringCStr() { this.getClassAndName("c_str") instanceof StdBasicString }
+}
 
+private class StdStringCStrModel extends StdStringCStr, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and
@@ -112,9 +114,11 @@ private class StdStringCStr extends StdStringTaintFunction {
 /**
  * The `std::string` function `data`.
  */
-private class StdStringData extends StdStringTaintFunction {
+class StdStringData extends MemberFunction {
   StdStringData() { this.getClassAndName("data") instanceof StdBasicString }
+}
 
+private class StdStringDataModel extends StdStringData, StdStringTaintFunction {
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     // flow from string itself (qualifier) to return value
     input.isQualifierObject() and

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -405,6 +405,8 @@ function_deleted(unique int id: @function ref);
 
 function_defaulted(unique int id: @function ref);
 
+function_prototyped(unique int id: @function ref)
+
 member_function_this_type(
     unique int id: @function ref,
     int this_type: @type ref

cpp/ql/lib/upgrades/8cba93a44180e0d50a80a660950800d822b981fc/upgrade.properties

@@ -0,0 +1,2 @@
+description: Expose whether a function was prototyped or not
+compatibility: partial

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 0.9.1
+
+No user-facing changes.
+
+## 0.9.0
+
+### Breaking Changes
+
+* The `cpp/tainted-format-string-through-global` query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from `cpp/tainted-format-string`.
+
+### New Queries
+
+* Added a new query, `cpp/use-of-string-after-lifetime-ends`, to detect calls to `c_str` on strings that will be destroyed immediately.
+
 ## 0.8.3
 
 ### Minor Analysis Improvements

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.qhelp

@@ -0,0 +1,44 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>Calling <code>c_str</code> on a <code>std::string</code> object returns a pointer to the underlying character array.
+When the <code>std::string</code> object is destroyed, the pointer returned by <code>c_str</code> is no
+longer valid. If the pointer is used after the <code>std::string</code> object is destroyed, then the behavior is undefined.
+</p>
+</overview>
+
+<recommendation>
+<p>
+Ensure that the pointer returned by <code>c_str</code> does not outlive the underlying <code>std::string</code> object.
+</p>
+</recommendation>
+
+<example>
+<p>
+The following example concatenates two <code>std::string</code> objects, and then converts the resulting string to a
+C string using <code>c_str</code> so that it can be passed to the <code>work</code> function.
+
+However, the underlying <code>std::string</code> object that represents the concatenated string is destroyed as soon as the call
+to <code>c_str</code> returns. This means that <code>work</code> is given a pointer to invalid memory.
+</p>
+
+<sample src="UseOfStringAfterLifetimeEndsBad.cpp" />
+
+<p>
+The following example fixes the above code by ensuring that the pointer returned by the call to <code>c_str</code> does
+not outlive the underlying <code>std::string</code> objects. This ensures that the pointer passed to <code>work</code>
+points to valid memory.
+</p>
+
+<sample src="UseOfStringAfterLifetimeEndsGood.cpp" />
+
+</example>
+<references>
+
+<li><a href="https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM50-CPP.+Do+not+access+freed+memory">MEM50-CPP. Do not access freed memory</a>.</li>
+
+</references>
+</qhelp>

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql

@@ -0,0 +1,100 @@
+/**
+ * @name Use of string after lifetime ends
+ * @description If the value of a call to 'c_str' outlives the underlying object it may lead to unexpected behavior.
+ * @kind problem
+ * @precision high
+ * @id cpp/use-of-string-after-lifetime-ends
+ * @problem.severity warning
+ * @security-severity 8.8
+ * @tags reliability
+ *       security
+ *       external/cwe/cwe-416
+ *       external/cwe/cwe-664
+ */
+
+import cpp
+import semmle.code.cpp.models.implementations.StdString
+import semmle.code.cpp.models.implementations.StdContainer
+
+/**
+ * Holds if `e` will be consumed by its parent as a glvalue and does not have
+ * an lvalue-to-rvalue conversion. This means that it will be materialized into
+ * a temporary object.
+ */
+predicate isTemporary(Expr e) {
+  e instanceof TemporaryObjectExpr
+  or
+  e.isPRValueCategory() and
+  e.getUnspecifiedType() instanceof Class and
+  not e.hasLValueToRValueConversion()
+}
+
+/** Holds if `e` is written to a container. */
+predicate isStoredInContainer(Expr e) {
+  exists(StdSequenceContainerInsert insert, Call call, int index |
+    call = insert.getACallToThisFunction() and
+    index = insert.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceContainerPush push, Call call, int index |
+    call = push.getACallToThisFunction() and
+    index = push.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceEmplace emplace, Call call, int index |
+    call = emplace.getACallToThisFunction() and
+    index = emplace.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+  or
+  exists(StdSequenceEmplaceBack emplaceBack, Call call, int index |
+    call = emplaceBack.getACallToThisFunction() and
+    index = emplaceBack.getAValueTypeParameterIndex() and
+    call.getArgument(index) = e
+  )
+}
+
+/**
+ * Holds if the value of `e` outlives the enclosing full expression. For
+ * example, because the value is stored in a local variable.
+ */
+predicate outlivesFullExpr(Expr e) {
+  any(Assignment assign).getRValue() = e
+  or
+  any(Variable v).getInitializer().getExpr() = e
+  or
+  any(ReturnStmt ret).getExpr() = e
+  or
+  exists(ConditionalExpr cond |
+    outlivesFullExpr(cond) and
+    [cond.getThen(), cond.getElse()] = e
+  )
+  or
+  exists(BinaryOperation bin |
+    outlivesFullExpr(bin) and
+    bin.getAnOperand() = e
+  )
+  or
+  exists(ClassAggregateLiteral aggr |
+    outlivesFullExpr(aggr) and
+    aggr.getAFieldExpr(_) = e
+  )
+  or
+  exists(ArrayAggregateLiteral aggr |
+    outlivesFullExpr(aggr) and
+    aggr.getAnElementExpr(_) = e
+  )
+  or
+  isStoredInContainer(e)
+}
+
+from Call c
+where
+  outlivesFullExpr(c) and
+  not c.isFromUninstantiatedTemplate(_) and
+  (c.getTarget() instanceof StdStringCStr or c.getTarget() instanceof StdStringData) and
+  isTemporary(c.getQualifier().getFullyConverted())
+select c,
+  "The underlying string object is destroyed after the call to '" + c.getTarget() + "' returns."

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEndsBad.cpp

@@ -0,0 +1,9 @@
+#include <string>
+void work(const char*);
+
+// BAD: the concatenated string is deallocated when `c_str` returns. So `work`
+// is given a pointer to invalid memory.
+void work_with_combined_string_bad(std::string s1, std::string s2) {
+  const char* combined_string = (s1 + s2).c_str();
+  work(combined_string);
+}

cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEndsGood.cpp

@@ -0,0 +1,9 @@
+#include <string>
+void work(const char*);
+
+// GOOD: the concatenated string outlives the call to `work`. So the pointer
+// obtainted from `c_str` is valid.
+void work_with_combined_string_good(std::string s1, std::string s2) {
+  auto combined_string = s1 + s2;
+  work(combined_string.c_str());
+}

cpp/ql/src/change-notes/released/0.9.0.md

@@ -1,4 +1,9 @@
----
-category: breaking
----
+## 0.9.0
+
+### Breaking Changes
+
 * The `cpp/tainted-format-string-through-global` query has been deleted. This does not lead to a loss of relevant alerts, as the query duplicated a subset of the alerts from `cpp/tainted-format-string`.
+
+### New Queries
+
+* Added a new query, `cpp/use-of-string-after-lifetime-ends`, to detect calls to `c_str` on strings that will be destroyed immediately.

cpp/ql/src/change-notes/released/0.9.1.md

@@ -0,0 +1,3 @@
+## 0.9.1
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.3
+lastReleaseVersion: 0.9.1

cpp/ql/src/experimental/Security/CWE/CWE-416/UseAfterExpiredLifetime.ql

@@ -12,7 +12,6 @@
  */
 
 import cpp
-import semmle.code.cpp.dataflow.DataFlow
 import semmle.code.cpp.controlflow.Nullness
 
 class StarOperator extends Operator {

cpp/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql

@@ -9,7 +9,6 @@
  */
 
 import cpp
-import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow
 import experimental.cryptography.Concepts
 
 from HashAlgorithm alg, Expr confSink, string msg

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.8.4-dev
+version: 0.9.2-dev
 groups:
   - cpp
   - queries

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.expected

@@ -0,0 +1,12 @@
+| test.cpp:165:34:165:38 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:166:39:166:43 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:167:44:167:48 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:169:29:169:33 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:178:37:178:41 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:181:39:181:43 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:183:37:183:41 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |
+| test.cpp:187:34:187:37 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:188:39:188:42 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:189:44:189:47 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:191:29:191:32 | call to data | The underlying string object is destroyed after the call to 'data' returns. |
+| test.cpp:193:31:193:35 | call to c_str | The underlying string object is destroyed after the call to 'c_str' returns. |

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/UseOfStringAfterLifetimeEnds.qlref

@@ -0,0 +1,2 @@
+
+Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql

cpp/ql/test/query-tests/Security/CWE/CWE-416/semmle/tests/UseOfStringAfterLifetimeEnds/test.cpp

@@ -0,0 +1,219 @@
+typedef unsigned long size_t;
+
+namespace std {
+  template<class T> struct remove_reference { typedef T type; };
+
+  template<class T> struct remove_reference<T &> { typedef T type; };
+
+  template<class T> struct remove_reference<T &&> { typedef T type; };
+
+  template<class T> using remove_reference_t = typename remove_reference<T>::type;
+
+  template< class T > std::remove_reference_t<T>&& move( T&& t );
+}
+
+// --- iterator ---
+
+namespace std {
+  template<class T> struct remove_const { typedef T type; };
+
+  template<class T> struct remove_const<const T> { typedef T type; };
+
+  // `remove_const_t<T>` removes any `const` specifier from `T`
+  template<class T> using remove_const_t = typename remove_const<T>::type;
+
+  struct ptrdiff_t;
+
+  template<class I> struct iterator_traits;
+
+  template <class Category,
+        class value_type,
+        class difference_type = ptrdiff_t,
+        class pointer_type = value_type*,
+        class reference_type = value_type&>
+  struct iterator {
+    typedef Category iterator_category;
+
+    iterator();
+    iterator(iterator<Category, remove_const_t<value_type> > const &other); // non-const -> const conversion constructor
+
+    iterator &operator++();
+    iterator operator++(int);
+    iterator &operator--();
+    iterator operator--(int);
+    bool operator==(iterator other) const;
+    bool operator!=(iterator other) const;
+    reference_type operator*() const;
+    pointer_type operator->() const;
+    iterator operator+(int);
+    iterator operator-(int);
+    iterator &operator+=(int);
+    iterator &operator-=(int);
+    int operator-(iterator);
+    reference_type operator[](int);
+  };
+
+  struct input_iterator_tag {};
+  struct forward_iterator_tag : public input_iterator_tag {};
+  struct bidirectional_iterator_tag : public forward_iterator_tag {};
+  struct random_access_iterator_tag : public bidirectional_iterator_tag {};
+}
+
+// --- string ---
+
+namespace std
+{
+  template<class charT> struct char_traits;
+
+  typedef size_t streamsize;
+
+  template <class T> class allocator {
+  public:
+    allocator() throw();
+    typedef size_t size_type;
+  };
+
+  template<class charT, class traits = char_traits<charT>, class Allocator = allocator<charT> >
+  class basic_string {
+  public:
+    using value_type = charT;
+    using reference = value_type&;
+    using const_reference = const value_type&;
+    typedef typename Allocator::size_type size_type;
+    static const size_type npos = -1;
+
+    explicit basic_string(const Allocator& a = Allocator());
+    basic_string(const charT* s, const Allocator& a = Allocator());
+    template<class InputIterator> basic_string(InputIterator begin, InputIterator end, const Allocator& a = Allocator());
+
+    const charT* c_str() const;
+    charT* data() noexcept;
+    size_t length() const;
+
+    typedef std::iterator<random_access_iterator_tag, charT> iterator;
+    typedef std::iterator<random_access_iterator_tag, const charT> const_iterator;
+
+    iterator begin();
+    iterator end();
+    const_iterator begin() const;
+    const_iterator end() const;
+    const_iterator cbegin() const;
+    const_iterator cend() const;
+
+    const_reference operator[](size_type pos) const;
+    reference operator[](size_type pos);
+    const_reference at(size_type n) const;
+    reference at(size_type n);
+    basic_string& insert(size_type pos, const basic_string& str);
+    basic_string& insert(size_type pos, size_type n, charT c);
+    basic_string& insert(size_type pos, const charT* s);
+    iterator insert(const_iterator p, size_type n, charT c);
+    template<class InputIterator> iterator insert(const_iterator p, InputIterator first, InputIterator last); 
+    basic_string& replace(size_type pos1, size_type n1, const basic_string& str);
+    basic_string& replace(size_type pos1, size_type n1, size_type n2, charT c);
+  };
+
+  template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const basic_string<charT, traits, Allocator>& rhs);
+  template<class charT, class traits, class Allocator> basic_string<charT, traits, Allocator> operator+(const basic_string<charT, traits, Allocator>& lhs, const charT* rhs);
+
+  typedef basic_string<char> string;
+}
+
+// --- vector ---
+
+namespace std {
+  template<class T, class Allocator = allocator<T>>
+  class vector { 
+  public:
+    using value_type = T;
+    using reference = value_type&;
+    using const_reference = const value_type&; 
+    using size_type = unsigned int;
+    using iterator = std::iterator<random_access_iterator_tag, T>;
+    using const_iterator = std::iterator<random_access_iterator_tag, const T>;
+
+    vector() noexcept(noexcept(Allocator()));
+    explicit vector(const Allocator&) noexcept;
+    explicit vector(size_type n, const Allocator& = Allocator());
+    vector(size_type n, const T& value, const Allocator& = Allocator());
+    template<class InputIterator, class IteratorCategory = typename InputIterator::iterator_category> vector(InputIterator first, InputIterator last, const Allocator& = Allocator());
+    ~vector();
+
+    void push_back(const T& x);
+    void push_back(T&& x);
+
+    iterator insert(const_iterator position, const T& x);
+    iterator insert(const_iterator position, T&& x);
+    iterator insert(const_iterator position, size_type n, const T& x);
+    template<class InputIterator> iterator insert(const_iterator position, InputIterator first, InputIterator last);
+
+    template <class... Args> iterator emplace (const_iterator position, Args&&... args);
+    template <class... Args> void emplace_back (Args&&... args);
+  };
+}
+
+struct S {
+  const char* s;
+};
+
+void call_by_value(S);
+void call_by_cref(const S&);
+
+void call(const char*);
+
+const char* test1(bool b1, bool b2) {
+  auto s1 = std::string("hello").c_str(); // BAD
+  auto s2 = b1 ? std::string("hello").c_str() : ""; // BAD
+  auto s3 = b2 ? "" : std::string("hello").c_str(); // BAD
+  const char* s4;
+  s4 = std::string("hello").c_str(); // BAD
+
+  call(std::string("hello").c_str()); // GOOD
+  call(b1 ? std::string("hello").c_str() : ""); // GOOD
+  call(b1 ? (b2 ? "" : std::string("hello").c_str()) : ""); // GOOD
+  call_by_value({ std::string("hello").c_str() }); // GOOD
+  call_by_cref({ std::string("hello").c_str() }); // GOOD
+
+  std::vector<const char*> v1;
+  v1.push_back(std::string("hello").c_str()); // BAD
+
+  std::vector<S> v2;
+  v2.push_back({ std::string("hello").c_str() }); // BAD
+
+  S s5[] = { { std::string("hello").c_str() } }; // BAD
+
+  char c = std::string("hello").c_str()[0]; // GOOD
+
+  auto s6 = std::string("hello").data(); // BAD
+  auto s7 = b1 ? std::string("hello").data() : ""; // BAD
+  auto s8 = b2 ? "" : std::string("hello").data(); // BAD
+  char* s9;
+  s9 = std::string("hello").data(); // BAD
+
+  return std::string("hello").c_str(); // BAD
+}
+
+void test2(bool b1, bool b2) {
+  std::string s("hello");
+  auto s1 = s.c_str(); // GOOD
+  auto s2 = b1 ? s.c_str() : ""; // GOOD
+  auto s3 = b2 ? "" : s.c_str(); // GOOD
+  const char* s4;
+  s4 = s.c_str(); // GOOD
+
+  std::string& sRef = s;
+
+  auto s5 = sRef.c_str(); // GOOD
+  auto s6 = b1 ? sRef.c_str() : ""; // GOOD
+  auto s7 = b2 ? "" : sRef.c_str(); // GOOD
+  const char* s8;
+  s8 = sRef.c_str(); // GOOD
+
+  std::string&& sRefRef = std::string("hello");
+
+  auto s9 = sRefRef.c_str(); // GOOD
+  auto s10 = b1 ? sRefRef.c_str() : ""; // GOOD
+  auto s11 = b2 ? "" : sRefRef.c_str(); // GOOD
+  const char* s12;
+  s12 = sRefRef.c_str(); // GOOD
+}

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/AssemblyCache.cs

@@ -1,5 +1,4 @@
-using System;
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.IO;
 using System.Linq;
 
@@ -20,7 +19,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// assembly cache.
         /// </param>
         /// <param name="progressMonitor">Callback for progress.</param>
-        public AssemblyCache(IEnumerable<string> paths, ProgressMonitor progressMonitor)
+        public AssemblyCache(IEnumerable<string> paths, IEnumerable<string> frameworkPaths, ProgressMonitor progressMonitor)
         {
             foreach (var path in paths)
             {
@@ -40,7 +39,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     progressMonitor.LogInfo("AssemblyCache: Path not found: " + path);
                 }
             }
-            IndexReferences();
+            IndexReferences(frameworkPaths);
         }
 
         /// <summary>
@@ -57,13 +56,11 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private static readonly Version emptyVersion = new Version(0, 0, 0, 0);
-
         /// <summary>
         /// Indexes all DLLs we have located.
         /// Because this is a potentially time-consuming operation, it is put into a separate stage.
         /// </summary>
-        private void IndexReferences()
+        private void IndexReferences(IEnumerable<string> frameworkPaths)
         {
             // Read all of the files
             foreach (var filename in pendingDllsToIndex)
@@ -71,13 +68,9 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 IndexReference(filename);
             }
 
-            // Index "assemblyInfo" by version string
-            // The OrderBy is used to ensure that we by default select the highest version number.
             foreach (var info in assemblyInfoByFileName.Values
                 .OrderBy(info => info.Name)
-                .ThenBy(info => info.NetCoreVersion ?? emptyVersion)
-                .ThenBy(info => info.Version ?? emptyVersion)
-                .ThenBy(info => info.Filename))
+                .OrderAssemblyInfosByPreference(frameworkPaths))
             {
                 foreach (var index in info.IndexStrings)
                 {

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/AssemblyCacheExtensions.cs

@@ -0,0 +1,29 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+
+namespace Semmle.Extraction.CSharp.DependencyFetching
+{
+    internal static class AssemblyCacheExtensions
+    {
+        private static readonly Version emptyVersion = new Version(0, 0, 0, 0);
+
+        /// <summary>
+        /// This method orders AssemblyInfos by version numbers (.net core version first, then assembly version). Finally, it orders by filename to make the order deterministic.
+        /// </summary>
+        public static IOrderedEnumerable<AssemblyInfo> OrderAssemblyInfosByPreference(this IEnumerable<AssemblyInfo> assemblies, IEnumerable<string> frameworkPaths)
+        {
+            // prefer framework assemblies over others
+            int initialOrdering(AssemblyInfo info) => frameworkPaths.Any(framework => info.Filename.StartsWith(framework, StringComparison.OrdinalIgnoreCase)) ? 1 : 0;
+
+            var ordered = assemblies is IOrderedEnumerable<AssemblyInfo> o
+                ? o.ThenBy(initialOrdering)
+                : assemblies.OrderBy(initialOrdering);
+
+            return ordered
+                .ThenBy(info => info.NetCoreVersion ?? emptyVersion)
+                .ThenBy(info => info.Version ?? emptyVersion)
+                .ThenBy(info => info.Filename);
+        }
+    }
+}

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs

@@ -128,16 +128,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 DownloadMissingPackages(allNonBinaryFiles, dllPaths);
             }
 
+            var frameworkLocations = new HashSet<string>();
+
             // Find DLLs in the .Net / Asp.Net Framework
             // This block needs to come after the nuget restore, because the nuget restore might fetch the .NET Core/Framework reference assemblies.
             if (options.ScanNetFrameworkDlls)
             {
-                AddNetFrameworkDlls(dllPaths);
-                AddAspNetCoreFrameworkDlls(dllPaths);
-                AddMicrosoftWindowsDesktopDlls(dllPaths);
+                AddNetFrameworkDlls(dllPaths, frameworkLocations);
+                AddAspNetCoreFrameworkDlls(dllPaths, frameworkLocations);
+                AddMicrosoftWindowsDesktopDlls(dllPaths, frameworkLocations);
             }
 
-            assemblyCache = new AssemblyCache(dllPaths, progressMonitor);
+            assemblyCache = new AssemblyCache(dllPaths, frameworkLocations, progressMonitor);
             AnalyseSolutions(solutions);
 
             foreach (var filename in assemblyCache.AllAssemblies.Select(a => a.Filename))
@@ -146,7 +148,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
 
             RemoveNugetAnalyzerReferences();
-            ResolveConflicts();
+            ResolveConflicts(frameworkLocations);
 
             // Output the findings
             foreach (var r in usedReferences.Keys.OrderBy(r => r))
@@ -228,7 +230,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private void AddNetFrameworkDlls(ISet<string> dllPaths)
+        private void AddNetFrameworkDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
         {
             // Multiple dotnet framework packages could be present.
             // The order of the packages is important, we're adding the first one that is present in the nuget cache.
@@ -241,6 +243,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             if (frameworkPath.Path is not null)
             {
                 dllPaths.Add(frameworkPath.Path);
+                frameworkLocations.Add(frameworkPath.Path);
                 progressMonitor.LogInfo($"Found .NET Core/Framework DLLs in NuGet packages at {frameworkPath.Path}. Not adding installation directory.");
 
                 for (var i = frameworkPath.Index + 1; i < packagesInPrioOrder.Length; i++)
@@ -270,6 +273,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
             progressMonitor.LogInfo($".NET runtime location selected: {runtimeLocation}");
             dllPaths.Add(runtimeLocation);
+            frameworkLocations.Add(runtimeLocation);
         }
 
         private void RemoveNugetPackageReference(string packagePrefix, ISet<string> dllPaths)
@@ -294,7 +298,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private void AddAspNetCoreFrameworkDlls(ISet<string> dllPaths)
+        private void AddAspNetCoreFrameworkDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
         {
             if (!fileContent.IsNewProjectStructureUsed || !fileContent.UseAspNetCoreDlls)
             {
@@ -306,20 +310,25 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             {
                 progressMonitor.LogInfo($"Found ASP.NET Core in NuGet packages. Not adding installation directory.");
                 dllPaths.Add(aspNetCorePackage);
+                frameworkLocations.Add(aspNetCorePackage);
+                return;
             }
-            else if (Runtime.AspNetCoreRuntime is string aspNetCoreRuntime)
+
+            if (Runtime.AspNetCoreRuntime is string aspNetCoreRuntime)
             {
                 progressMonitor.LogInfo($"ASP.NET runtime location selected: {aspNetCoreRuntime}");
                 dllPaths.Add(aspNetCoreRuntime);
+                frameworkLocations.Add(aspNetCoreRuntime);
             }
         }
 
-        private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths)
+        private void AddMicrosoftWindowsDesktopDlls(ISet<string> dllPaths, ISet<string> frameworkLocations)
         {
             if (GetPackageDirectory(FrameworkPackageNames.WindowsDesktopFramework) is string windowsDesktopApp)
             {
                 progressMonitor.LogInfo($"Found Windows Desktop App in NuGet packages.");
                 dllPaths.Add(windowsDesktopApp);
+                frameworkLocations.Add(windowsDesktopApp);
             }
         }
 
@@ -345,12 +354,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
             return new DirectoryInfo(packageDirectory.DirInfo.FullName)
                 .EnumerateDirectories("*", new EnumerationOptions { MatchCasing = MatchCasing.CaseInsensitive, RecurseSubdirectories = false })
-                .Select(d => d.FullName);
+                .Select(d => d.Name);
         }
 
         private void LogAllUnusedPackages(DependencyContainer dependencies) =>
             GetAllPackageDirectories()
                 .Where(package => !dependencies.Packages.Contains(package))
+                .Order()
                 .ForEach(package => progressMonitor.LogInfo($"Unused package: {package}"));
 
         private void GenerateSourceFileFromImplicitUsings()
@@ -472,7 +482,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// If the same assembly name is duplicated with different versions,
         /// resolve to the higher version number.
         /// </summary>
-        private void ResolveConflicts()
+        private void ResolveConflicts(IEnumerable<string> frameworkPaths)
         {
             var sortedReferences = new List<AssemblyInfo>();
             foreach (var usedReference in usedReferences)
@@ -488,11 +498,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 }
             }
 
-            var emptyVersion = new Version(0, 0);
             sortedReferences = sortedReferences
-                .OrderBy(r => r.NetCoreVersion ?? emptyVersion)
-                .ThenBy(r => r.Version ?? emptyVersion)
-                .ThenBy(r => r.Filename)
+                .OrderAssemblyInfosByPreference(frameworkPaths)
                 .ToList();
 
             var finalAssemblyList = new Dictionary<string, AssemblyInfo>();

csharp/extractor/Semmle.Extraction.CSharp.StubGenerator/StubVisitor.cs

@@ -41,6 +41,7 @@ internal sealed class StubVisitor : SymbolVisitor
             (
                 t1 is INamedTypeSymbol named1 &&
                 t2 is INamedTypeSymbol named2 &&
+                (!SymbolEqualityComparer.Default.Equals(named1, named1.ConstructedFrom) || !SymbolEqualityComparer.Default.Equals(named2, named2.ConstructedFrom)) &&
                 EqualsModuloTupleElementNames(named1.ConstructedFrom, named2.ConstructedFrom) &&
                 named1.TypeArguments.Length == named2.TypeArguments.Length &&
                 named1.TypeArguments.Zip(named2.TypeArguments).All(p => EqualsModuloTupleElementNames(p.First, p.Second))

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 1.7.5
+
+No user-facing changes.
+
+## 1.7.4
+
+No user-facing changes.
+
 ## 1.7.3
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.4.md

@@ -0,0 +1,3 @@
+## 1.7.4
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.5.md

@@ -0,0 +1,3 @@
+## 1.7.5
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.3
+lastReleaseVersion: 1.7.5

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.4-dev
+version: 1.7.6-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 1.7.5
+
+No user-facing changes.
+
+## 1.7.4
+
+No user-facing changes.
+
 ## 1.7.3
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.4.md

@@ -0,0 +1,3 @@
+## 1.7.4
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.5.md

@@ -0,0 +1,3 @@
+## 1.7.5
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.3
+lastReleaseVersion: 1.7.5

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.4-dev
+version: 1.7.6-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/all-platforms/cshtml/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/cshtml_standalone/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/diag_dotnet_incompatible/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/diag_missing_project_files/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/diag_missing_xamarin_sdk/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/diag_recursive_generics/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_build/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_no_args_inject/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_pack/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_publish/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/dotnet_run/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/all-platforms/standalone/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/dotnet_test/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/dotnet_test_mstest/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/inherit-env-vars/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/standalone_dependencies_nuget/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/integration-tests/posix-only/warn_as_error/global.json

@@ -0,0 +1,5 @@
+{
+    "sdk": {
+        "version": "7.0.102"
+    }
+}

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,11 @@
+## 0.8.5
+
+No user-facing changes.
+
+## 0.8.4
+
+No user-facing changes.
+
 ## 0.8.3
 
 ### Minor Analysis Improvements

csharp/ql/lib/change-notes/released/0.8.4.md

@@ -0,0 +1,3 @@
+## 0.8.4
+
+No user-facing changes.

csharp/ql/lib/change-notes/released/0.8.5.md

@@ -0,0 +1,3 @@
+## 0.8.5
+
+No user-facing changes.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.3
+lastReleaseVersion: 0.8.5

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.8.4-dev
+version: 0.8.6-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/Callable.qll

@@ -105,7 +105,10 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
    * then both `{ return 0; }` and `{ return 1; }` are statement bodies of
    * `N.C.M()`.
    */
-  final BlockStmt getStatementBody() { result = this.getAChildStmt() }
+  final BlockStmt getStatementBody() {
+    result = getStatementBody(this) and
+    not this.getFile().isStub()
+  }
 
   /**
    * DEPRECATED: Use `getStatementBody` instead.
@@ -143,8 +146,8 @@ class Callable extends DotNet::Callable, Parameterizable, ExprOrStmtParent, @cal
    * then both `0` and `1` are expression bodies of `N.C.M()`.
    */
   final Expr getExpressionBody() {
-    result = this.getAChildExpr() and
-    not result = this.(Constructor).getInitializer()
+    result = getExpressionBody(this) and
+    not this.getFile().isStub()
   }
 
   /** Holds if this callable has an expression body. */

csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll

@@ -53,6 +53,20 @@ class TopLevelExprParent extends Element, @top_level_expr_parent {
 
 private predicate hasNoSourceLocation(Element e) { not e.getALocation() instanceof SourceLocation }
 
+/** INTERNAL: Do not use. */
+Expr getExpressionBody(Callable c) {
+  result = c.getAChildExpr() and
+  not result = c.(Constructor).getInitializer()
+}
+
+/** INTERNAL: Do not use. */
+BlockStmt getStatementBody(Callable c) { result = c.getAChildStmt() }
+
+private ControlFlowElement getBody(Callable c) {
+  result = getExpressionBody(c) or
+  result = getStatementBody(c)
+}
+
 cached
 private module Cached {
   cached
@@ -161,20 +175,20 @@ private module Cached {
 
   private predicate parent(ControlFlowElement child, ExprOrStmtParent parent) {
     child = getAChild(parent) and
-    not child = any(Callable c).getBody()
+    not child = getBody(_)
   }
 
   /** Holds if the enclosing body of `cfe` is `body`. */
   cached
   predicate enclosingBody(ControlFlowElement cfe, ControlFlowElement body) {
-    body = any(Callable c).getBody() and
+    body = getBody(_) and
     parent*(enclosingStart(cfe), body)
   }
 
   /** Holds if the enclosing callable of `cfe` is `c`. */
   cached
   predicate enclosingCallable(ControlFlowElement cfe, Callable c) {
-    enclosingBody(cfe, c.getBody())
+    enclosingBody(cfe, getBody(c))
     or
     parent*(enclosingStart(cfe), c.(Constructor).getInitializer())
   }

csharp/ql/lib/semmle/code/csharp/File.qll

@@ -54,14 +54,14 @@ class File extends Container, Impl::File {
 
   /** Holds if this file is a QL test stub file. */
   pragma[noinline]
-  private predicate isStub() {
+  predicate isStub() {
     this.extractedQlTest() and
     this.getAbsolutePath().matches("%resources/stubs/%")
   }
 
   /** Holds if this file contains source code. */
   final predicate fromSource() {
-    this.getExtension() = "cs" and
+    this.getExtension() = ["cs", "cshtml"] and
     not this.isStub()
   }
 

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll

@@ -13,11 +13,14 @@ private import semmle.code.csharp.commons.Compilation
 /** An element that defines a new CFG scope. */
 class CfgScope extends Element, @top_level_exprorstmt_parent {
   CfgScope() {
-    this instanceof Callable
-    or
-    // For now, static initializer values have their own scope. Eventually, they
-    // should be treated like instance initializers.
-    this.(Assignable).(Modifiable).isStatic()
+    this.getFile().fromSource() and
+    (
+      this instanceof Callable
+      or
+      // For now, static initializer values have their own scope. Eventually, they
+      // should be treated like instance initializers.
+      this.(Assignable).(Modifiable).isStatic()
+    )
   }
 }
 

csharp/ql/lib/semmle/code/csharp/dataflow/FlowSummary.qll

@@ -168,7 +168,8 @@ private SummaryComponent delegateSelf() {
 
 private predicate mayInvokeCallback(Callable c, int n) {
   c.getParameter(n).getType() instanceof SystemLinqExpressions::DelegateExtType and
-  not c.fromSource()
+  not c.hasBody() and
+  (if c instanceof Accessor then not c.fromSource() else any())
 }
 
 private class SummarizedCallableWithCallback extends SummarizedCallable {

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowDispatch.qll

@@ -81,9 +81,9 @@ newtype TReturnKind =
  */
 class DataFlowSummarizedCallable instanceof FlowSummary::SummarizedCallable {
   DataFlowSummarizedCallable() {
-    not this.fromSource()
+    not this.hasBody()
     or
-    this.fromSource() and not this.applyGeneratedModel()
+    this.hasBody() and not this.applyGeneratedModel()
   }
 
   string toString() { result = super.toString() }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/SsaImpl.qll

@@ -310,7 +310,12 @@ private module CallGraph {
       c = any(DelegateCall dc | e = dc.getExpr()) and
       libraryDelegateCall = false
       or
-      c.getTarget().fromLibrary() and
+      exists(Callable target |
+        target = c.getTarget() and
+        not target.hasBody()
+      |
+        if target instanceof Accessor then not target.fromSource() else any()
+      ) and
       e = c.getAnArgument() and
       e.getType() instanceof SystemLinqExpressions::DelegateExtType and
       libraryDelegateCall = true

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.8.5
+
+No user-facing changes.
+
+## 0.8.4
+
+### Minor Analysis Improvements
+
+* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.
+
 ## 0.8.3
 
 ### Minor Analysis Improvements

csharp/ql/src/Security Features/CWE-639/InsecureDirectObjectReference.ql

@@ -8,7 +8,7 @@
  * @precision medium
  * @id cs/web/insecure-direct-object-reference
  * @tags security
- *       external/cwe-639
+ *       external/cwe/cwe-639
  */
 
 import csharp

csharp/ql/src/change-notes/released/0.8.4.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.
+## 0.8.4
+
+### Minor Analysis Improvements
+
+* Modelled additional flow steps to track flow from a `View` call in an MVC controller to the corresponding Razor View (`.cshtml`) file, which may result in additional results for queries such as `cs/web/xss`.

csharp/ql/src/change-notes/released/0.8.5.md

@@ -0,0 +1,3 @@
+## 0.8.5
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.8.3
+lastReleaseVersion: 0.8.5

csharp/ql/src/experimental/Security Features/CWE-759/HashWithoutSalt.ql

@@ -6,7 +6,7 @@
  * @id cs/hash-without-salt
  * @tags security
  *       experimental
- *       external/cwe-759
+ *       external/cwe/cwe-759
  */
 
 import csharp

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.8.4-dev
+version: 0.8.6-dev
 groups:
   - csharp
   - queries

csharp/ql/src/utils/modeleditor/AccessPathSuggestions.qll

@@ -1,112 +0,0 @@
-/** Provides classes and predicates related to handling access path suggestions for the VS Code extension. */
-
-private import csharp
-private import semmle.code.csharp.commons.Collections as Collections
-private import FrameworkModeEndpointsQuery
-private import ModelEditor
-
-/** A collection type */
-abstract private class CollectionType extends RefType {
-  abstract Type getElementType();
-}
-
-private class ArrayCollectionType extends CollectionType, ArrayType {
-  override Type getElementType() { result = this.(ArrayType).getElementType() }
-}
-
-private class GenericCollectionType extends CollectionType, ConstructedType,
-  Collections::CollectionType
-{
-  GenericCollectionType() {
-    // Only include collections with a single type argument, which we expect to be lists.
-    count(int i | exists(this.getTypeArgument(i))) = 1
-  }
-
-  override Type getElementType() { result = this.getTypeArgument(0) }
-}
-
-private predicate nestedPathBase(
-  Endpoint endpoint, Element element, string value, string details, string defType,
-  boolean isInputOnly, boolean isOutputOnly
-) {
-  endpoint.getReturnType() = element and
-  isInputOnly = false and
-  isOutputOnly = true and
-  value = "ReturnValue" and
-  details = element.toString() and
-  defType = "return"
-  or
-  exists(Parameter parameter |
-    endpoint.getAParameter() = parameter and parameter.getType() = element
-  |
-    value = "Argument[" + parameter.getPosition() + "]" and
-    details = parameter.getType().toString() + " " + parameter.getName() and
-    isInputOnly = false and
-    isOutputOnly = false and
-    defType = "parameter"
-  )
-  or
-  endpoint.getDeclaringType() = element and
-  isInputOnly = false and
-  isOutputOnly = false and
-  value = "Argument[this]" and
-  details = element.toString() and
-  defType = "class"
-}
-
-private predicate nestedPathRec(
-  Endpoint endpoint, Element element, string value, string details, string defType,
-  boolean isInputOnly, boolean isOutputOnly, int pathLength
-) {
-  pathLength < 8 and
-  (
-    nestedPathBase(endpoint, element, value, details, defType, isInputOnly, isOutputOnly) and
-    pathLength = 1
-    or
-    exists(
-      Type prevType, string prevValue, string prevDetails, string prevDefType,
-      boolean prevIsInputOnly, boolean prevIsOutputOnly, int prevPathLength
-    |
-      nestedPathRec(endpoint, prevType, prevValue, prevDetails, prevDefType, prevIsInputOnly,
-        prevIsOutputOnly, prevPathLength) and
-      pathLength = prevPathLength + 1
-    |
-      element = prevType.(CollectionType).getElementType() and
-      value = prevValue + ".Element" and
-      details = element.toString() and
-      isInputOnly = prevIsInputOnly and
-      isOutputOnly = prevIsOutputOnly and
-      defType = "array"
-      or
-      element = prevType.(CollectionType).getElementType() and
-      (value = prevValue + ".WithoutElement" or value = prevValue + ".WithElement") and
-      details = element.toString() and
-      isInputOnly = true and
-      isOutputOnly = prevIsOutputOnly and
-      defType = "array"
-      or
-      element = prevType.(RefType).getAField() and
-      not element.(Field).isStatic() and
-      value = prevValue + ".Field[" + element.(Field).getFullyQualifiedName() + "]" and
-      details = element.(Field).getType().toString() + " " + element.(Field).getName() and
-      isInputOnly = false and
-      isOutputOnly = false and
-      defType = "field"
-      or
-      element = prevType.(RefType).getAProperty() and
-      not element.(Property).isStatic() and
-      value = prevValue + ".Property[" + element.(Property).getFullyQualifiedName() + "]" and
-      details = element.(Property).getType().toString() + " " + element.(Property).getName() and
-      isInputOnly = false and
-      isOutputOnly = false and
-      defType = "property"
-    )
-  )
-}
-
-predicate nestedPath(
-  Endpoint endpoint, Element element, string value, string details, string defType,
-  boolean isInputOnly, boolean isOutputOnly
-) {
-  nestedPathRec(endpoint, element, value, details, defType, isInputOnly, isOutputOnly, _)
-}

csharp/ql/src/utils/modeleditor/ApplicationModeAccessPathSuggestions.ql

@@ -1,45 +0,0 @@
-/**
- * @name Fetch suggestions for access paths of input and output parameters of a method (application mode)
- * @description A list of access paths for input and output parameters of a method. Excludes test and generated code.
- * @kind table
- * @id csharp/utils/modeleditor/application-mode-access-path-suggestions
- * @tags modeleditor access-path-suggestions application-mode
- */
-
-private import csharp
-private import AccessPathSuggestions
-private import ApplicationModeEndpointsQuery
-private import ModelEditor
-
-predicate suggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType, boolean isInputOnly, boolean isOutputOnly
-) {
-  exists(ExternalEndpoint endpoint, Element element |
-    nestedPath(endpoint, element, value, details, defType, isInputOnly, isOutputOnly)
-  |
-    exists(aUsage(endpoint)) and
-    namespace = endpoint.getNamespace() and
-    typeName = endpoint.getTypeName() and
-    methodName = endpoint.getName() and
-    methodParameters = endpoint.getParameterTypes()
-  )
-}
-
-predicate inputSuggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType
-) {
-  suggestions(namespace, typeName, methodName, methodParameters, value, details, defType, _, false)
-}
-
-predicate outputSuggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType
-) {
-  suggestions(namespace, typeName, methodName, methodParameters, value, details, defType, false, _)
-}
-
-query predicate input = inputSuggestions/7;
-
-query predicate output = outputSuggestions/7;

csharp/ql/src/utils/modeleditor/ApplicationModeEndpoints.ql

@@ -10,6 +10,8 @@ import csharp
 import ApplicationModeEndpointsQuery
 import ModelEditor
 
+private Call aUsage(ExternalEndpoint api) { result.getTarget().getUnboundDeclaration() = api }
+
 from ExternalEndpoint endpoint, boolean supported, Call usage, string type, string classification
 where
   supported = isSupported(endpoint) and

csharp/ql/src/utils/modeleditor/ApplicationModeEndpointsQuery.qll

@@ -6,8 +6,6 @@ private import semmle.code.csharp.dataflow.internal.TaintTrackingPrivate
 private import semmle.code.csharp.security.dataflow.flowsources.Remote
 private import ModelEditor
 
-Call aUsage(ExternalEndpoint api) { result.getTarget().getUnboundDeclaration() = api }
-
 /**
  * A class of effectively public callables in library code.
  */

csharp/ql/src/utils/modeleditor/FrameworkModeAccessPathSuggestions.ql

@@ -1,44 +0,0 @@
-/**
- * @name Fetch suggestions for access paths of input and output parameters of a method (framework mode)
- * @description A list of access paths for input and output parameters of a method. Excludes test and generated code.
- * @kind table
- * @id csharp/utils/modeleditor/framework-mode-access-path-suggestions
- * @tags modeleditor access-path-suggestions framework-mode
- */
-
-private import csharp
-private import AccessPathSuggestions
-private import FrameworkModeEndpointsQuery
-private import ModelEditor
-
-predicate suggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType, boolean isInputOnly, boolean isOutputOnly
-) {
-  exists(PublicEndpointFromSource endpoint, Element element |
-    nestedPath(endpoint, element, value, details, defType, isInputOnly, isOutputOnly)
-  |
-    namespace = endpoint.getNamespace() and
-    typeName = endpoint.getTypeName() and
-    methodName = endpoint.getName() and
-    methodParameters = endpoint.getParameterTypes()
-  )
-}
-
-predicate inputSuggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType
-) {
-  suggestions(namespace, typeName, methodName, methodParameters, value, details, defType, _, false)
-}
-
-predicate outputSuggestions(
-  string namespace, string typeName, string methodName, string methodParameters, string value,
-  string details, string defType
-) {
-  suggestions(namespace, typeName, methodName, methodParameters, value, details, defType, false, _)
-}
-
-query predicate input = inputSuggestions/7;
-
-query predicate output = outputSuggestions/7;

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs

@@ -185,16 +185,16 @@ namespace My.Qltest
         void M1()
         {
             var o = new object();
-            Sink(GeneratedFlow(o));
+            Sink(GeneratedFlow(o)); // no flow because the modelled method exists in source code
         }
 
         void M2()
         {
             var o1 = new object();
-            Sink(GeneratedFlowArgs(o1, null));
+            Sink(GeneratedFlowArgs(o1, null)); // no flow because the modelled method exists in source code
 
             var o2 = new object();
-            Sink(GeneratedFlowArgs(null, o2));
+            Sink(GeneratedFlowArgs(null, o2)); // no flow because the modelled method exists in source code
         }
 
         void M3()

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.expected

@@ -61,12 +61,6 @@ edges
 | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object |
 | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | ExternalFlow.cs:118:21:118:30 | call to method Reverse : null [element] : Object |
 | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | ExternalFlow.cs:120:18:120:21 | access to array element |
-| ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | ExternalFlow.cs:188:32:188:32 | access to local variable o : Object |
-| ExternalFlow.cs:188:32:188:32 | access to local variable o : Object | ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow |
-| ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object |
-| ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object | ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs |
-| ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object |
-| ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object | ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs |
 | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object |
 | ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs |
 | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | ExternalFlow.cs:232:21:232:21 | access to local variable h : HC |
@@ -151,15 +145,6 @@ nodes
 | ExternalFlow.cs:118:29:118:29 | access to local variable a : null [element] : Object | semmle.label | access to local variable a : null [element] : Object |
 | ExternalFlow.cs:120:18:120:18 | access to local variable b : null [element] : Object | semmle.label | access to local variable b : null [element] : Object |
 | ExternalFlow.cs:120:18:120:21 | access to array element | semmle.label | access to array element |
-| ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
-| ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | semmle.label | call to method GeneratedFlow |
-| ExternalFlow.cs:188:32:188:32 | access to local variable o : Object | semmle.label | access to local variable o : Object |
-| ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
-| ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
-| ExternalFlow.cs:194:36:194:37 | access to local variable o1 : Object | semmle.label | access to local variable o1 : Object |
-| ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
-| ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | semmle.label | call to method GeneratedFlowArgs |
-| ExternalFlow.cs:197:42:197:43 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
 | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | semmle.label | object creation of type Object : Object |
 | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | semmle.label | call to method MixedFlowArgs |
 | ExternalFlow.cs:206:38:206:39 | access to local variable o2 : Object | semmle.label | access to local variable o2 : Object |
@@ -189,8 +174,5 @@ subpaths
 | ExternalFlow.cs:104:18:104:25 | access to field Field | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | ExternalFlow.cs:104:18:104:25 | access to field Field | $@ | ExternalFlow.cs:98:24:98:35 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:112:18:112:25 | access to property MyProp | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | ExternalFlow.cs:112:18:112:25 | access to property MyProp | $@ | ExternalFlow.cs:111:24:111:35 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:120:18:120:21 | access to array element | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | ExternalFlow.cs:120:18:120:21 | access to array element | $@ | ExternalFlow.cs:117:36:117:47 | object creation of type Object : Object | object creation of type Object : Object |
-| ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | ExternalFlow.cs:188:18:188:33 | call to method GeneratedFlow | $@ | ExternalFlow.cs:187:21:187:32 | object creation of type Object : Object | object creation of type Object : Object |
-| ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | ExternalFlow.cs:194:18:194:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:193:22:193:33 | object creation of type Object : Object | object creation of type Object : Object |
-| ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | ExternalFlow.cs:197:18:197:44 | call to method GeneratedFlowArgs | $@ | ExternalFlow.cs:196:22:196:33 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | ExternalFlow.cs:206:18:206:40 | call to method MixedFlowArgs | $@ | ExternalFlow.cs:205:22:205:33 | object creation of type Object : Object | object creation of type Object : Object |
 | ExternalFlow.cs:233:18:233:18 | access to local variable o | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | ExternalFlow.cs:233:18:233:18 | access to local variable o | $@ | ExternalFlow.cs:231:21:231:28 | object creation of type HC : HC | object creation of type HC : HC |

csharp/ql/test/utils/modeleditor/ApplicationModeAccessPathSuggestions.expected

@@ -1,40 +0,0 @@
-input
-| System | Console | ReadLine | () | Argument[this] | Console | class |
-| System | Console | ReadLine | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| System | Console | ReadLine | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| System | Console | ReadLine | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| System | Console | Write | (System.Object) | Argument[0] | Object value | parameter |
-| System | Console | Write | (System.Object) | Argument[this] | Console | class |
-| System | Console | WriteLine | (System.Object) | Argument[0] | Object value | parameter |
-| System | Console | WriteLine | (System.Object) | Argument[this] | Console | class |
-| System | Console | WriteLine | (System.String) | Argument[0] | String value | parameter |
-| System | Console | WriteLine | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| System | Console | WriteLine | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| System | Console | WriteLine | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| System | Console | WriteLine | (System.String) | Argument[this] | Console | class |
-| System | Console | get_BackgroundColor | () | Argument[this] | Console | class |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | Argument[0] | ConsoleColor value | parameter |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | Argument[this] | Console | class |
-output
-| System | Console | ReadLine | () | Argument[this] | Console | class |
-| System | Console | ReadLine | () | ReturnValue | String | return |
-| System | Console | ReadLine | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| System | Console | ReadLine | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| System | Console | ReadLine | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| System | Console | Write | (System.Object) | Argument[0] | Object value | parameter |
-| System | Console | Write | (System.Object) | Argument[this] | Console | class |
-| System | Console | Write | (System.Object) | ReturnValue | Void | return |
-| System | Console | WriteLine | (System.Object) | Argument[0] | Object value | parameter |
-| System | Console | WriteLine | (System.Object) | Argument[this] | Console | class |
-| System | Console | WriteLine | (System.Object) | ReturnValue | Void | return |
-| System | Console | WriteLine | (System.String) | Argument[0] | String value | parameter |
-| System | Console | WriteLine | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| System | Console | WriteLine | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| System | Console | WriteLine | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| System | Console | WriteLine | (System.String) | Argument[this] | Console | class |
-| System | Console | WriteLine | (System.String) | ReturnValue | Void | return |
-| System | Console | get_BackgroundColor | () | Argument[this] | Console | class |
-| System | Console | get_BackgroundColor | () | ReturnValue | ConsoleColor | return |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | Argument[0] | ConsoleColor value | parameter |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | Argument[this] | Console | class |
-| System | Console | set_ForegroundColor | (System.ConsoleColor) | ReturnValue | Void | return |

csharp/ql/test/utils/modeleditor/ApplicationModeAccessPathSuggestions.qlref

@@ -1 +0,0 @@
-utils/modeleditor/ApplicationModeAccessPathSuggestions.ql

csharp/ql/test/utils/modeleditor/FrameworkModeAccessPathSuggestions.expected

@@ -1,202 +0,0 @@
-input
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0] | String value | parameter |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | Argument[0] | T arg | parameter |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | Argument[this] | PublicGenericClass`2 | class |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | Argument[0] | T2 arg | parameter |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | Argument[this] | PublicGenericClass`2 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | Argument[0] | T arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | Argument[0] | T2 arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0] | String value | parameter |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-output
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue | String | return |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | get_PublicProperty | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | neutralStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | protectedStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0] | String value | parameter |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | set_PublicProperty | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sinkStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue | String | return |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | sourceStuff | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | staticStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | stuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[this] | PublicClass | class |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicClass.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue | String | return |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicClass | summaryStuff | (System.String) | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | Argument[0] | T arg | parameter |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | Argument[this] | PublicGenericClass`2 | class |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff | (T) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | Argument[0] | T2 arg | parameter |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | Argument[this] | PublicGenericClass`2 | class |
-| GitHub.CodeQL | PublicGenericClass`2 | stuff2`1 | (T2) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | staticStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | Argument[0] | T arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff | (T) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | Argument[0] | T2 arg | parameter |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | Argument[this] | PublicGenericInterface`1 | class |
-| GitHub.CodeQL | PublicGenericInterface`1 | stuff2`1 | (T2) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue | String | return |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | get_PublicProperty | () | ReturnValue.Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0] | String value | parameter |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | set_PublicProperty | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | staticStuff | (System.String) | ReturnValue | Void | return |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0] | String arg | parameter |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Field[System.String._firstChar] | Char _firstChar | field |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Field[System.String._stringLength] | Int32 _stringLength | field |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[0].Property[System.String.Length] | Int32 Length | property |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[this] | PublicInterface | class |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | Argument[this].Property[GitHub.CodeQL.PublicInterface.PublicProperty] | String PublicProperty | property |
-| GitHub.CodeQL | PublicInterface | stuff | (System.String) | ReturnValue | Void | return |

csharp/ql/test/utils/modeleditor/FrameworkModeAccessPathSuggestions.qlref

@@ -1 +0,0 @@
-utils/modeleditor/FrameworkModeAccessPathSuggestions.ql

docs/codeql/codeql-for-visual-studio-code/using-the-codeql-model-editor.rst

@@ -18,7 +18,7 @@ When you open the model editor, it analyzes the currently selected CodeQL databa
 
 The model editor has two different modes:
 
-- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for the specific codebase.
+- Application mode (default view): The editor lists each external framework used by the selected CodeQL database. When you expand a framework, a list of all calls to and from the external API is shown with the options available to model dataflow through each call. This mode is most useful for improving the CodeQL results for a specific codebase.
 
 - Dependency mode: The editor identifies all of the publicly accessible APIs in the selected CodeQL database. This view guides you through modeling each public API that the codebase makes available. When you have finished modeling the entire API, you can save the model and use it to improve the CodeQL analysis for all codebases that use the dependency.
 
@@ -28,30 +28,45 @@ Displaying the CodeQL model editor
 #. Open your CodeQL workspace in VS Code, for example, the ``vscode-codeql-starter`` workspace.
    If you haven't updated the ``ql`` submodule for a while, update it from ``main`` to ensure that you have the queries used to gather data for the model editor.
 #. Open the CodeQL extension and select the CodeQL database that you want to model from the "Databases" section of the left side pane.
-#. Use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
-#. The CodeQL model editor will open in a new tab and run a series of telemetry queries to identify APIs in the code.
-#. When the queries are complete, the APIs that have been identified are shown in the editor.
+#. In the left side panel, expand the "CodeQL method modeling" section and click **Start modeling** to display the model editor. Alternatively, use the command palette to run the “CodeQL: Open Model Editor (Beta)” command.
+#. The CodeQL model editor runs a series of telemetry queries to identify APIs in the code and the editor is displayed in a new tab.
+#. When the telemetry queries are complete, the APIs that have been identified are shown in the editor.
+
+.. tip::
+
+   The "CodeQL method modeling" section is a view that you can move from the primary sidebar to the secondary sidebar, when you want more space while you are modeling calls or methods. If you close the view, you can reopen it from the "Open Views" option in the **View** menu.
 
 Modeling the calls your codebase makes to external APIs
 -------------------------------------------------------
 
-You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is usually when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
+You typically use this approach when you are looking at a specific codebase where you want to improve the precision of CodeQL results. This is useful when the codebase uses frameworks or libraries that are not supported by CodeQL and if the source code of the framework or library is not included in the analysis.
 
 #. Select the CodeQL database that you want to improve CodeQL coverage for.
 #. Display the CodeQL model editor. By default the editor runs in application mode, so the list of external APIs used by the selected codebase is shown.
 
    .. image:: ../images/codeql-for-visual-studio-code/model-application-mode.png
       :width: 800
-      :alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing three of the external frameworks used by the "sofa-jraft" codebase.
+      :alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing two of the external Java frameworks used by the "sofa-jraft" codebase.
 
 #. Click to expand an external API and view the list of calls from the codebase to the external dependency.
-#. Click **View** associated with an API call or method to show where it is used in your codebase.
 
    .. image:: ../images/codeql-for-visual-studio-code/model-application-mode-expanded.png
       :width: 800
       :alt: Screenshot of the "Application mode" view of the CodeQL model pack editor in Visual Studio Code showing the calls to the "rocksdbjni" framework ready for modeling. The "View" option for the first call is highlighted with a dark orange outline.
 
-#. When you have determined how to model the call or method, define the **Model type**.
+#. Click **View** associated with an API call or method to show where it is used in your codebase.
+
+   .. image:: ../images/codeql-for-visual-studio-code/model-application-mode-view-code.png
+      :width: 800
+      :alt: Screenshot of a file showing a place where your codebase calls the API is highlighted with a dark orange outline.
+
+#. The file containing the first call from your codebase to the API is opened and a "CodeQL methods usage" view is displayed in the VS Code Panel (where the "Problems" and "Terminal" views are usually displayed). The "CodeQL methods usage" view lists of all the calls from your code to the API, grouped by method. You can click through each use to decide how to model your use of the method.
+
+   .. image:: ../images/codeql-for-visual-studio-code/model-application-mode-view-list.png
+      :width: 800
+      :alt: Screenshot of the "CodeQL methods usage" view. The currently displayed call to an external method is highlighted blue.
+
+#. When you have determined how to model your use of the method, you can define the **Model type** in the "CodeQL method modeling" tab of the CodeQL extension. This change is automatically reflected in the main model editor.
 #. The remaining fields are updated with available options:
 
    - **Source**: choose the **Output** element to model.
@@ -59,9 +74,9 @@ You typically use this approach when you are looking at a specific codebase wher
    - **Flow summary**: choose the **Input** and **Output** elements to model.
 
 #. Define the **Kind** of dataflow for the model.
-#. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
+#. When you have finished modeling, display the main model editor and click **Save all** or **Save** (shown at the bottom right of each expanded list of methods). The percentage of methods modeled in the editor is updated.
 
-The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
+The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. For more information, see "`Using CodeQL model packs with code scanning <#using-codeql-model-packs-with-code-scanning>`__".
 
 The models are stored in a series of YAML data extension files, one for each external API. For example:
 
@@ -101,7 +116,7 @@ You typically use this method when you want to model a framework or library that
 #. Define the **Kind** of dataflow for the model.
 #. When you have finished modeling, click **Save all** or **Save** (shown at the bottom right of each expanded list of calls). The percentage of calls modeled in the editor is updated.
 
-The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL.
+The models are stored in your workspace at ``.github/codeql/extensions/<codeql-model-pack>``, where ``<codeql-model-pack>`` is the name of the CodeQL database that you selected. That is, the name of the repository, hyphen, the language analyzed by CodeQL. For more information, see "`Using CodeQL model packs with code scanning <#using-codeql-model-packs-with-code-scanning>`__".
 
 The models are stored in a series of YAML data extension files, one for each public method. For example:
 
@@ -114,10 +129,19 @@ The models are stored in a series of YAML data extension files, one for each pub
 
 The editor will create a separate model file for each package that you model.
 
-Testing CodeQL model packs
---------------------------
+Modeling methods with multiple potential flows
+----------------------------------------------
 
-You can test any CodeQL model packs you create in VS Code by toggling the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
+Some methods support more than one data flow. It is important to model all the data flows for a method, otherwise you cannot detect all the potential problems associated with using the method. First you model one data flow for the method, and then use the **+** button in the method row to specify a second data flow model.
+
+   .. image:: ../images/codeql-for-visual-studio-code/model-dependency-mode-plus.png
+      :width: 800
+      :alt: Screenshot of the "Dependency mode" view of the CodeQL model pack editor in Visual Studio Code showing one model for the ``com.alipay.sofa.jraft.option.BallotBoxOptions.getClosureQueue()`` method. The "+" button is outlined in dark orange. Click this button to create a second model for the method.
+
+Testing CodeQL model packs in VS Code
+-------------------------------------
+
+You can test any CodeQL model packs you create in VS Code by turning the "use model packs" setting on and off. This method works for both databases and for variant analysis repositories.
 
 - To run queries on a CodeQL database with any model packs that are stored within the ``.github/codeql/extensions`` directory of the workspace, update your ``settings.json`` file with: ``"codeQL.runningQueries.useExtensionPacks": "all",``
 - To run queries on a CodeQL database without using model packs, update your ``settings.json`` file with: ``"codeQL.runningQueries.useExtensionPacks": "none",``
@@ -136,4 +160,4 @@ For more information, see the following articles on the GitHub Docs site:
 
 - Default setup of code scanning: `Extending CodeQL coverage with CodeQL model packs in default setup <https://docs.github.com/en/code-security/code-scanning/managing-your-code-scanning-configuration/editing-your-configuration-of-default-setup#extending-codeql-coverage-with-codeql-model-packs-in-default-setup>`__
 - Advanced setup of code scanning: `Extending CodeQL coverage with CodeQL model packs <https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-codeql-model-packs>`__
-- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/code-scanning/using-codeql-code-scanning-with-your-existing-ci-system/configuring-codeql-cli-in-your-ci-system#using-model-packs-to-analyze-calls-to-custom-dependencies>`__
+- CodeQL CLI setup in external CI system: `Using model packs to analyze calls to custom dependencies <https://docs.github.com/en/code-security/codeql-cli/getting-started-with-the-codeql-cli/customizing-analysis-with-codeql-packs#using-model-packs-to-analyze-calls-to-custom-dependencies>`__

docs/codeql/codeql-language-guides/customizing-library-models-for-java-and-kotlin.rst

@@ -54,14 +54,14 @@ Data extensions use union semantics, which means that the tuples of all extensio
 Publish data extension files in a CodeQL model pack to share
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-You can group one or more data extention files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see "`Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack/>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
+You can group one or more data extension files into a CodeQL model pack and publish it to the GitHub Container Registry. This makes it easy for anyone to download the model pack and use it to extend their analysis. For more information, see `Creating a CodeQL model pack <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/creating-and-working-with-codeql-packs#creating-a-codeql-model-pack>`__ and `Publishing and using CodeQL packs <https://docs.github.com/en/code-security/codeql-cli/using-the-advanced-functionality-of-the-codeql-cli/publishing-and-using-codeql-packs/>`__ in the CodeQL CLI documentation.
 
 Extensible predicates used to create custom models in Java and Kotlin
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 The CodeQL library for Java and Kotlin analysis exposes the following extensible predicates:
 
-- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data.
+- ``sourceModel(package, type, subtypes, name, signature, ext, output, kind, provenance)``. This is used to model sources of potentially tainted data. The ``kind`` of the sources defined using this predicate determine which threat model they are associated with. Different threat models can be used to customize the sources used in an analysis. For more information, see ":ref:`Threat models <threat-models>`."
 - ``sinkModel(package, type, subtypes, name, signature, ext, input, kind, provenance)``. This is used to model sinks where tainted data maybe used in a way that makes the code vulnerable.
 - ``summaryModel(package, type, subtypes, name, signature, ext, input, output, kind, provenance)``. This is used to model flow through elements.
 - ``neutralModel(package, type, name, signature, kind, provenance)``. This is similar to a summary model but used to model the flow of values that have only a minor impact on the dataflow analysis.
@@ -151,7 +151,7 @@ The sixth value should be left empty and is out of scope for this documentation.
 The remaining values are used to define the ``access path``, the ``kind``, and the ``provenance`` (origin) of the source.
 
 - The seventh value ``ReturnValue`` is the access path to the return of the method, which means that it is the return value that should be considered a source of tainted input.
-- The eighth value ``remote`` is the kind of the source. The source kind is used to define the queries where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources.
+- The eighth value ``remote`` is the kind of the source. The source kind is used to define the threat model where the source is in scope. ``remote`` applies to many of the security related queries as it means a remote source of untrusted data. As an example the SQL injection query uses ``remote`` sources. For more information, see ":ref:`Threat models <threat-models>`."
 - The ninth value ``manual`` is the provenance of the source, which is used to identify the origin of the source.
 
 Example: Add flow through the ``concat`` method
@@ -291,3 +291,19 @@ The first four values identify the callable (in this case a method) to be modele
 - The fourth value ``()`` is the method input type signature.
 - The fifth value ``summary`` is the kind of the neutral.
 - The sixth value ``manual`` is the provenance of the neutral.
+
+.. _threat-models:
+
+Threat models
+-------------
+
+.. include:: ../reusables/beta-note-threat-models-java.rst
+
+A threat model is a named class of dataflow sources that can be enabled or disabled independently. Threat models allow you to control the set of dataflow sources that you want to consider unsafe. For example, one codebase may only consider remote HTTP requests to be tainted, whereas another may also consider data from local files to be unsafe. You can use threat models to ensure that the relevant taint sources are used in a CodeQL analysis.
+
+The ``kind`` property of the ``sourceModel`` determines which threat model a source is associated with. There are two main categories:
+
+- ``remote`` which represents requests and responses from the network. 
+- ``local`` which represents data from local files (``file``), command-line arguments (``commandargs``), database reads (``database``), and environment variables(``environment``).
+ 
+When running a CodeQL analysis, the ``remote`` threat model is included by default. You can optionally include other threat models as appropriate when using the CodeQL CLI and in GitHub code scanning. For more information, see `Analyzing your code with CodeQL queries <https://docs.github.com/code-security/codeql-cli/getting-started-with-the-codeql-cli/analyzing-your-code-with-codeql-queries#including-model-packs-to-add-potential-sources-of-tainted-data>`__ and `Customizing your advanced setup for code scanning <https://docs.github.com/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning#extending-codeql-coverage-with-threat-models>`__.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.0.rst

@@ -0,0 +1,178 @@
+.. _codeql-cli-2.10.0:
+
+==========================
+CodeQL 2.10.0 (2022-06-27)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.0 runs a total of 339 security queries when configured with the Default suite (covering 142 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 4 security queries have been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The :code:`--format=stats` option of :code:`codeql generate log-summary` has been renamed to :code:`--format=overall`. It now produces a richer JSON object that, in addition to the previous statistics about the run (which can be found in the :code:`stats` property) also records the most expensive predicates in the evaluation run.
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   The :code:`codeql resolve ml-model` command now requires one or more query specifications as command line arguments in order to determine the set of starting packs from which to initiate the resolution process. The command will locate all ML models in any qlpack that is a transitive dependency of any of the starting packs. Also, the output of the command has been expanded to include for each model the containing package's name, version, and path.
+    
+*   The :code:`buildMetadata` inside of compiled CodeQL packs no longer contains a :code:`creationTime` property. This was removed in order to ensure that the content of a CodeQL pack is identical when it is re-compiled.
+    
+*   The :code:`codeql pack download` command, when used with the :code:`--dir` option,
+    now downloads requested packs in directories corresponding to their version numbers. Previously,
+    :code:`codeql pack download --dir ./somewhere codeql/java-queries@0.1.2` would download the pack into the :code:`./somewhere/codeql/java-queries` directory. Now, it will download the pack into the
+    :code:`./somewhere/codeql/java-queries/0.1.2` directory. This allows you to download multiple versions of the same pack using a single command.
+
+Bug Fixes
+~~~~~~~~~
+
+*   Fixed a bug where :code:`codeql pack download`, when used with the :code:`--dir` option, would not download a pack that is in the global package cache.
+    
+*   Fixed a bug where some versions of a CodeQL package could not be downloaded if there are more than 100 versions of this package in the package registry.
+    
+*   Fixed a bug where the :code:`--also-match` option for :code:`codeql resolve files` and :code:`codeql database index-files` does not work with relative paths.
+    
+*   Fixed a bug that caused :code:`codeql query decompile` to ignore the
+    :code:`--output` option when producing bytecode output (:code:`--kind=bytecode`),
+    writing only to :code:`stdout`.
+
+New Features
+~~~~~~~~~~~~
+
+*   You can now include diagnostic messages in the summary produced by the :code:`--print-diagnostics-summary` option of the
+    :code:`codeql database interpret-results` and :code:`codeql database analyze` commands by running these commands at high verbosity levels.
+
+Query Packs
+-----------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   Improved library modeling for the query "Request without certificate validation" (:code:`py/request-without-cert-validation`), so it now also covers :code:`httpx`, :code:`aiohttp.client`, and :code:`urllib3`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The syntax of the (source|sink|summary)model CSV format has been changed slightly for Java and C#. A new column called :code:`provenance` has been introduced, where the allowed values are :code:`manual` and :code:`generated`. The value used to indicate whether a model as been written by hand (:code:`manual`) or create by the CSV model generator (:code:`generated`).
+*   All auto implemented public properties with public getters and setters on ASP.NET Core remote flow sources are now also considered to be tainted.
+
+Java
+""""
+
+*   The query :code:`java/log-injection` now reports problems at the source (user-controlled data) instead of at the ultimate logging call. This was changed because user functions that wrap the ultimate logging call could result in most alerts being reported in an uninformative location.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`js/resource-exhaustion` query no longer treats the 3-argument version of :code:`Buffer.from` as a sink,
+    since it does not allocate a new buffer.
+
+Python
+""""""
+
+*   The query "Use of a broken or weak cryptographic algorithm" (:code:`py/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
+
+Ruby
+""""
+
+*   The query "Use of a broken or weak cryptographic algorithm" (:code:`rb/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
+
+New Queries
+~~~~~~~~~~~
+
+Ruby
+""""
+
+*   Added a new query, :code:`rb/improper-memoization`. The query finds cases where the parameter of a memoization method is not used in the memoization key.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+C#
+""
+
+*   The :code:`kind` query metadata was changed to :code:`diagnostic` on :code:`cs/compilation-error`, :code:`cs/compilation-message`, :code:`cs/extraction-error`, and :code:`cs/extraction-message`.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`UserType.getADeclarationEntry()` now yields all forward declarations when the user type is a :code:`class`, :code:`struct`, or :code:`union`.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Added support for TypeScript 4.7.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added a flow step for :code:`String.valueOf` calls on tainted :code:`android.text.Editable` objects.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   All new ECMAScript 2022 features are now supported.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+C#
+""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Golang
+""""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Java
+""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Python
+""""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.
+
+Ruby
+""""
+
+*   The :code:`BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new :code:`BarrierGuard` parameterized module.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.1.rst

@@ -0,0 +1,132 @@
+.. _codeql-cli-2.10.1:
+
+==========================
+CodeQL 2.10.1 (2022-07-19)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.1 runs a total of 340 security queries when configured with the Default suite (covering 143 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+New Features
+~~~~~~~~~~~~
+
+*   Improved error message from :code:`codeql database analyze` when a query is missing :code:`@id` or :code:`@kind` query metadata.
+
+Query Packs
+-----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/cpp-all` package.
+
+C#
+""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/csharp-all` package.
+
+Java
+""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/java-all` package.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/javascript-all` package.
+
+Python
+""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/python-all` package.
+
+Ruby
+""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/ruby-all` package.
+
+New Queries
+~~~~~~~~~~~
+
+Java
+""""
+
+*   A new query "Improper verification of intent by broadcast receiver" (:code:`java/improper-intent-verification`) has been added.
+    This query finds instances of Android :code:`BroadcastReceiver`\ s that don't verify the action string of received intents when registered to receive system intents.
+
+Language Libraries
+------------------
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   :code:`AnalysedExpr::isNullCheck` and :code:`AnalysedExpr::isValidCheck` have been updated to handle variable accesses on the left-hand side of the C++ logical "and", and variable declarations in conditions.
+
+Java
+""""
+
+*   Added data-flow models for :code:`java.util.Properties`. Additional results may be found where relevant data is stored in and then retrieved from a :code:`Properties` instance.
+*   Added :code:`Modifier.isInline()`.
+*   Removed Kotlin-specific database and QL structures for loops and :code:`break`\ /\ :code:`continue` statements. The Kotlin extractor was changed to reuse the Java structures for these constructs.
+*   Added additional flow sources for uses of external storage on Android.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The :code:`chownr` library is now modeled as a sink for the :code:`js/path-injection` query.
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+*   The :code:`gray-matter` library is now modeled as a sink for the :code:`js/code-injection` query.
+
+Python
+""""""
+
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+
+Ruby
+""""
+
+*   Fixed a bug causing every expression in the database to be considered a system-command execution sink when calls to any of the following methods exist:
+
+    *   The :code:`spawn`, :code:`fspawn`, :code:`popen4`, :code:`pspawn`, :code:`system`, :code:`_pspawn` methods and the backtick operator from the :code:`POSIX::spawn` gem.
+    *   The :code:`execute_command`, :code:`rake`, :code:`rails_command`, and :code:`git` methods in :code:`Rails::Generation::Actions`.
+    
+*   Improved modeling of sensitive data sources, so common words like :code:`certain` and :code:`secretary` are no longer considered a certificate and a secret (respectively).
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   The documentation of API graphs (the :code:`API` module) has been expanded, and some of the members predicates of :code:`API::Node` have been renamed as follows:
+
+    *   :code:`getAnImmediateUse` -> :code:`asSource`
+    *   :code:`getARhs` -> :code:`asSink`
+    *   :code:`getAUse` -> :code:`getAValueReachableFromSource`
+    *   :code:`getAValueReachingRhs` -> :code:`getAValueReachingSink`
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   Added an :code:`ErrorType` class. An instance of this class will be used if an extractor is unable to extract a type, or if an up/downgrade script is unable to provide a type.

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.10.2.rst

@@ -0,0 +1,105 @@
+.. _codeql-cli-2.10.2:
+
+==========================
+CodeQL 2.10.2 (2022-08-02)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/code-scanning/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.10.2 runs a total of 341 security queries when configured with the Default suite (covering 144 CWE). The Extended suite enables an additional 104 queries (covering 30 more CWE). 1 security query has been added with this release.
+
+CodeQL CLI
+----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+*   The option :code:`--compiler-spec` to :code:`codeql database create` (and
+    :code:`codeql database trace-command`) no longer works. It is replaced by
+    :code:`--extra-tracing-config`, which accepts a tracer configuration file in the new, Lua-based tracer configuration format instead. See
+    :code:`tools/tracer/base.lua` for the precise API available. If you need help help porting your existing compiler specification files, please file a public issue in https://github.com/github/codeql-cli-binaries,
+    or open a private ticket with GitHub support and request an escalation to engineering.
+
+Potentially Breaking Changes
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+*   Versions of the CodeQL extension for Visual Studio Code released before February 2021 may not work correctly with this CLI, in particular if database upgrades are necessary. We recommend keeping your VS Code extension up-to-date.
+
+Deprecations
+~~~~~~~~~~~~
+
+*   The experimental :code:`codeql resolve ml-models` command has been deprecated. Advanced users calling this command should use the new
+    :code:`codeql resolve extensions` command instead.
+
+New Features
+~~~~~~~~~~~~
+
+*   The :code:`codeql github upload-results` command now supports a :code:`--merge` option. If this option is provided, the command will accept the paths to multiple SARIF files, and will merge those files before uploading them as a single analysis. This option is recommended *only* for backwards compatibility with old analyses produced by the CodeQL Runner, which combined the results for multiple languages into a single analysis.
+
+Query Packs
+-----------
+
+Breaking Changes
+~~~~~~~~~~~~~~~~
+
+Python
+""""""
+
+*   Contextual queries and the query libraries they depend on have been moved to the :code:`codeql/python-all` package.
+
+New Queries
+~~~~~~~~~~~
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   A new query "Case-sensitive middleware path" (:code:`js/case-sensitive-middleware-path`) has been added.
+    It highlights middleware routes that can be bypassed due to having a case-sensitive regular expression path.
+
+Ruby
+""""
+
+*   Added a new experimental query, :code:`rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.
+*   Added a new experimental query, :code:`rb/weak-params`, to detect cases when the rails strong parameters pattern isn't followed and values flow into persistent store writes.
+
+Language Libraries
+------------------
+
+Bug Fixes
+~~~~~~~~~
+
+C/C++
+"""""
+
+*   Under certain circumstances a variable declaration that is not also a definition could be associated with a :code:`Variable` that did not have the definition as a :code:`VariableDeclarationEntry`. This is now fixed, and a unique :code:`Variable` will exist that has both the declaration and the definition as a :code:`VariableDeclarationEntry`.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Java
+""""
+
+*   The JUnit5 version of :code:`AssertNotNull` is now recognized, which removes related false positives in the nullness queries.
+*   Added data flow models for :code:`java.util.Scanner`.
+
+Ruby
+""""
+
+*   Calls to :code:`Arel.sql` are now recognised as propagating taint from their argument.
+*   Calls to :code:`ActiveRecord::Relation#annotate` are now recognized as :code:`SqlExecution`\ s so that it will be considered as a sink for queries like rb/sql-injection.
+
+New Features
+~~~~~~~~~~~~
+
+Java
+""""
+
+*   The QL predicate :code:`Expr::getUnderlyingExpr` has been added. It can be used to look through casts and not-null expressions and obtain the underlying expression to which they apply.