set compileForOverlayEval true everywhere

.bazelrc

@@ -37,6 +37,5 @@ build --java_language_version=17
 build --tool_java_language_version=17
 build --tool_java_runtime_version=remotejdk_17
 build --java_runtime_version=remotejdk_17
-build --@rules_python//python/config_settings:python_version=3.12
 
 try-import %workspace%/local.bazelrc

.bazelrc.internal

@@ -8,5 +8,3 @@ common --registry=https://bcr.bazel.build
 # its implementation packages without providing any code itself.
 # We either can depend on internal implementation details, or turn of strict deps.
 common --@rules_dotnet//dotnet/settings:strict_deps=false
-
-build --@rules_python//python/config_settings:python_version=3.12

.bazelversion

@@ -1 +1 @@
-8.1.1
+8.0.0

.github/workflows/build-ripunzip.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2019]
+        os: [ubuntu-20.04, macos-13, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/go-tests-rtjo.yml

@@ -1,22 +0,0 @@
-name: "Go: Run RTJO Tests"
-on:
-  pull_request:
-    types:
-      - labeled
-
-permissions:
-  contents: read
-
-jobs:
-  test-linux:
-    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
-    name: RTJO Test Linux (Ubuntu)
-    runs-on: ubuntu-latest-xl
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v4
-      - name: Run tests
-        uses: ./go/actions/test
-        with:
-          run-code-checks: true
-          dynamic-join-order-mode: all

.github/workflows/ruby-qltest-rtjo.yml

@@ -1,40 +0,0 @@
-name: "Ruby: Run RTJO Language Tests"
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - labeled
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-permissions:
-  contents: read
-
-jobs:
-  qltest-rtjo:
-    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
-    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-    steps:
-      - uses: actions/checkout@v4
-      - uses: ./.github/actions/fetch-codeql
-      - uses: ./ruby/actions/create-extractor-pack
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: ruby-qltest
-      - name: Run QL tests
-        run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}

.pre-commit-config.yaml

@@ -72,7 +72,7 @@ repos:
 
       - id: rust-codegen
         name: Run Rust checked in code generation
-        files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list|ast-generator/)
+        files: ^misc/codegen/|^rust/(prefix\.dbscheme|schema/|codegen/|.*/generated/|ql/lib/(rust\.dbscheme$|codeql/rust/elements)|\.generated.list)
         language: system
         entry: bazel run //rust/codegen -- --quiet
         pass_filenames: false

CODEOWNERS

@@ -14,9 +14,6 @@
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
-# Experimental CodeQL cryptography
-**/experimental/quantum/ @github/ps-codeql
-
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers

Cargo.lock

@@ -18,10 +18,13 @@ dependencies = [
 ]
 
 [[package]]
-name = "allocator-api2"
-version = "0.2.21"
+name = "always-assert"
+version = "0.2.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "683d7910e743518b0e34f1186f92494becacb047c7b6bf616c96772180fef923"
+checksum = "a1078fa1ce1e34b1872d8611ad921196d76bdd7027e949fbe31231abde201892"
+dependencies = [
+ "tracing",
+]
 
 [[package]]
 name = "android-tzdata"
@@ -90,9 +93,9 @@ dependencies = [
 
 [[package]]
 name = "anyhow"
-version = "1.0.97"
+version = "1.0.96"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dcfed56ad506cb2c684a14971b8861fdc3baaaae314b9e5f9bb532cbe3ba7a4f"
+checksum = "6b964d184e89d9b6b67dd2715bc8e74cf3107fb2b529990c90cf517326150bf4"
 
 [[package]]
 name = "argfile"
@@ -167,15 +170,6 @@ dependencies = [
  "cfg_aliases",
 ]
 
-[[package]]
-name = "boxcar"
-version = "0.2.11"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6740c6e2fc6360fa57c35214c7493826aee95993926092606f27c983b40837be"
-dependencies = [
- "loom",
-]
-
 [[package]]
 name = "bstr"
 version = "1.11.3"
@@ -259,9 +253,9 @@ checksum = "613afe47fcd5fac7ccf1db93babcb082c5994d996f20b8b159f2ad1658eb5724"
 
 [[package]]
 name = "chalk-derive"
-version = "0.100.0"
+version = "0.99.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ab2d131019373f0d0d1f2af0abd4f719739f6583c1b33965112455f643a910af"
+checksum = "572583d9b97f9d277e5c7607f8239a30e2e04d3ed3b47c87d1cb2152ae724073"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -271,9 +265,9 @@ dependencies = [
 
 [[package]]
 name = "chalk-ir"
-version = "0.100.0"
+version = "0.99.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4f114996bda14c0213f014a4ef31a7867dcf5f539a3900477fc6b20138e7a17b"
+checksum = "e60e0ef9c81dce1336a9ed3c76f08775f5b623151d96d85ba45f7b10de76d1c7"
 dependencies = [
  "bitflags 2.8.0",
  "chalk-derive",
@@ -281,9 +275,9 @@ dependencies = [
 
 [[package]]
 name = "chalk-recursive"
-version = "0.100.0"
+version = "0.99.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "551e956e031c09057c7b21f17d48d91de99c9b6b6e34bceaf5e7202d71021268"
+checksum = "5a06350d614e22b03a69b8105e3541614450a7ea48bc58ecc6c6bd92731a3995"
 dependencies = [
  "chalk-derive",
  "chalk-ir",
@@ -294,9 +288,9 @@ dependencies = [
 
 [[package]]
 name = "chalk-solve"
-version = "0.100.0"
+version = "0.99.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd7ca50181156ce649efe8e5dd00580f573651554e4dcd11afa4e2ac93f53324"
+checksum = "0e428761e9b55bee516bfe2457caed8b6d1b86353f92ae825bbe438a36ce91e8"
 dependencies = [
  "chalk-derive",
  "chalk-ir",
@@ -310,9 +304,9 @@ dependencies = [
 
 [[package]]
 name = "chrono"
-version = "0.4.40"
+version = "0.4.39"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1a7964611d71df112cb1730f2ee67324fcf4d0fc6606acbbe9bfe06df124637c"
+checksum = "7e36cc9d416881d2e24f9a963be5fb1cd90966419ac844274161d10488b3e825"
 dependencies = [
  "android-tzdata",
  "iana-time-zone",
@@ -320,14 +314,14 @@ dependencies = [
  "num-traits",
  "serde",
  "wasm-bindgen",
- "windows-link",
+ "windows-targets 0.52.6",
 ]
 
 [[package]]
 name = "clap"
-version = "4.5.32"
+version = "4.5.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6088f3ae8c3608d19260cd7445411865a485688711b78b5be70d78cd96136f83"
+checksum = "027bb0d98429ae334a8698531da7077bdf906419543a35a55c2cb1b66437d767"
 dependencies = [
  "clap_builder",
  "clap_derive",
@@ -335,9 +329,9 @@ dependencies = [
 
 [[package]]
 name = "clap_builder"
-version = "4.5.32"
+version = "4.5.31"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22a7ef7f676155edfb82daa97f99441f3ebf4a58d5e32f295a56259f1b6facc8"
+checksum = "5589e0cba072e0f3d23791efac0fd8627b49c829c196a492e88168e6a669d863"
 dependencies = [
  "anstream",
  "anstyle",
@@ -347,11 +341,11 @@ dependencies = [
 
 [[package]]
 name = "clap_derive"
-version = "4.5.32"
+version = "4.5.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "09176aae279615badda0765c0c0b3f6ed53f4709118af73cf4655d85d1530cd7"
+checksum = "bf4ced95c6f4a675af3da73304b9ac4ed991640c36374e4b46795c49e17cf1ed"
 dependencies = [
- "heck",
+ "heck 0.5.0",
  "proc-macro2",
  "quote",
  "syn",
@@ -511,15 +505,6 @@ dependencies = [
  "crossbeam-utils",
 ]
 
-[[package]]
-name = "crossbeam-queue"
-version = "0.3.12"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f58bbc28f91df819d0aa2a2c00cd19754769c2fad90579b3592b1c9ba7a3115"
-dependencies = [
- "crossbeam-utils",
-]
-
 [[package]]
 name = "crossbeam-utils"
 version = "0.8.21"
@@ -574,20 +559,6 @@ dependencies = [
  "parking_lot_core",
 ]
 
-[[package]]
-name = "dashmap"
-version = "6.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5041cc499144891f3790297212f32a74fb938e5136a14943f338ef9e0ae276cf"
-dependencies = [
- "cfg-if",
- "crossbeam-utils",
- "hashbrown 0.14.5",
- "lock_api",
- "once_cell",
- "parking_lot_core",
-]
-
 [[package]]
 name = "deranged"
 version = "0.3.11"
@@ -612,9 +583,9 @@ checksum = "92773504d58c093f6de2459af4af33faa518c13451eb8f2b5698ed3d36e7c813"
 
 [[package]]
 name = "either"
-version = "1.15.0"
+version = "1.14.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "48c757948c5ede0e46177b7add2e67155f70e33c07fea8284df6576da70b3719"
+checksum = "b7914353092ddf589ad78f25c5c1c21b7f80b0ff8621e7c814c3485b5306da9d"
 
 [[package]]
 name = "ena"
@@ -743,12 +714,6 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
-[[package]]
-name = "foldhash"
-version = "0.1.5"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d9c4f5dac5e15c24eb999c26181a6ca40b39fe946cbe4c263c7209467bc83af2"
-
 [[package]]
 name = "fs-err"
 version = "2.11.0"
@@ -773,19 +738,6 @@ version = "0.4.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7ab85b9b05e3978cc9a9cf8fea7f01b494e1a09ed3037e16ba39edc7a29eb61a"
 
-[[package]]
-name = "generator"
-version = "0.8.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cc6bd114ceda131d3b1d665eba35788690ad37f5916457286b32ab6fd3c438dd"
-dependencies = [
- "cfg-if",
- "libc",
- "log 0.4.25",
- "rustversion",
- "windows",
-]
-
 [[package]]
 name = "getrandom"
 version = "0.3.1"
@@ -834,20 +786,12 @@ name = "hashbrown"
 version = "0.15.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289"
-dependencies = [
- "allocator-api2",
- "equivalent",
- "foldhash",
-]
 
 [[package]]
-name = "hashlink"
-version = "0.10.0"
+name = "heck"
+version = "0.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7382cf6263419f2d8df38c55d7da83da5c18aef87fc7a7fc1fb1e344edfe14c1"
-dependencies = [
- "hashbrown 0.15.2",
-]
+checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
 
 [[package]]
 name = "heck"
@@ -887,7 +831,7 @@ dependencies = [
  "iana-time-zone-haiku",
  "js-sys",
  "wasm-bindgen",
- "windows-core 0.52.0",
+ "windows-core",
 ]
 
 [[package]]
@@ -1083,19 +1027,6 @@ version = "0.4.25"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "04cbf5b083de1c7e0222a7a51dbfdba1cbe1c6ab0b15e29fff3f6c077fd9cd9f"
 
-[[package]]
-name = "loom"
-version = "0.7.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "419e0dc8046cb947daa77eb95ae174acfbddb7673b4151f56d1eed8e93fbfaca"
-dependencies = [
- "cfg-if",
- "generator",
- "scoped-tls",
- "tracing",
- "tracing-subscriber",
-]
-
 [[package]]
 name = "lz4_flex"
 version = "0.11.3"
@@ -1340,12 +1271,6 @@ version = "0.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3b3cff922bd51709b605d9ead9aa71031d81447142d828eb4a6eba76fe619f9b"
 
-[[package]]
-name = "portable-atomic"
-version = "1.11.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "350e9b48cbc6b0e028b0473b114454c6316e57336ee184ceab6e53f72c178b3e"
-
 [[package]]
 name = "powerfmt"
 version = "0.2.0"
@@ -1363,9 +1288,9 @@ dependencies = [
 
 [[package]]
 name = "proc-macro2"
-version = "1.0.94"
+version = "1.0.93"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a31971752e70b8b2686d7e46ec17fb38dad4051d94024c88df49b667caea9c84"
+checksum = "60946a68e5f9d28b0dc1c21bb8a97ee7d018a8b322fa57838ba31cc878e22d99"
 dependencies = [
  "unicode-ident",
 ]
@@ -1385,18 +1310,18 @@ dependencies = [
 
 [[package]]
 name = "quote"
-version = "1.0.40"
+version = "1.0.38"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d"
+checksum = "0e4dccaaaf89514f546c693ddc140f729f958c247918a13380cccc6078391acc"
 dependencies = [
  "proc-macro2",
 ]
 
 [[package]]
 name = "ra-ap-rustc_abi"
-version = "0.100.0"
+version = "0.97.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1651b0f7e8c3eb7c27a88f39d277e69c32bfe58e3be174d286c1a24d6a7a4d8"
+checksum = "3829c3355d1681ffeaf1450ec71edcdace6820fe2e86469d8fc1ad45e2c96460"
 dependencies = [
  "bitflags 2.8.0",
  "ra-ap-rustc_hashes",
@@ -1406,18 +1331,18 @@ dependencies = [
 
 [[package]]
 name = "ra-ap-rustc_hashes"
-version = "0.100.0"
+version = "0.97.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bcd85e93dc0ea850bcfe7957a115957df799ccbc9eea488bdee5ec6780d212b"
+checksum = "1bd4d6d4c434bec08e02370a4f64a4985312097215a62e82d0f757f3a98e502e"
 dependencies = [
  "rustc-stable-hash",
 ]
 
 [[package]]
 name = "ra-ap-rustc_index"
-version = "0.100.0"
+version = "0.97.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "62b295fc0640cd9fe0ecab872ee4a17a96f90a3998ec9f0c4765e9b8415c12cc"
+checksum = "bad6fc4bd7522e31096e2de5b0351144fe0684b608791ee26c842bf2da1b19ae"
 dependencies = [
  "ra-ap-rustc_index_macros",
  "smallvec",
@@ -1425,9 +1350,9 @@ dependencies = [
 
 [[package]]
 name = "ra-ap-rustc_index_macros"
-version = "0.100.0"
+version = "0.97.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c675f4257023aa933882906f13802cae287e88cc39ab13cbb96809083db0c801"
+checksum = "cfb234e1f84b92be45276c3025bee18789e9bc95bec8789bec961e78edb01c52"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -1436,9 +1361,9 @@ dependencies = [
 
 [[package]]
 name = "ra-ap-rustc_lexer"
-version = "0.100.0"
+version = "0.97.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c8358702c2a510ea84ba5801ddc047d9ad9520902cfb0e6173277610cdce2c9c"
+checksum = "7a3a40bd11dc43d1cb110e730b80620cf8102f4cca8920a02b65954da0ed931f"
 dependencies = [
  "memchr",
  "unicode-properties",
@@ -1447,9 +1372,9 @@ dependencies = [
 
 [[package]]
 name = "ra-ap-rustc_parse_format"
-version = "0.100.0"
+version = "0.97.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b98f402011d46732c35c47bfd111dec0495747fef2ec900ddee7fe15d78449a7"
+checksum = "5feb877478994cb4c0c0c7a5116a352eefc0634aefc8636feb00a893fa5b7135"
 dependencies = [
  "ra-ap-rustc_index",
  "ra-ap-rustc_lexer",
@@ -1457,9 +1382,9 @@ dependencies = [
 
 [[package]]
 name = "ra-ap-rustc_pattern_analysis"
-version = "0.100.0"
+version = "0.97.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bef3ff73fa4653252ffe1d1e9177a446f49ef46d97140e4816b7ff2dad59ed53"
+checksum = "a76774d35934d464c4115908cde16f76a4f7e540fe1eea6b79336c556e37bdd3"
 dependencies = [
  "ra-ap-rustc_index",
  "rustc-hash 2.1.1",
@@ -1470,22 +1395,20 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_base_db"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4baa9734d254af14fd603528ad594650dea601b1764492bd39988da38598ae67"
+checksum = "5d8e4a327f1a8ace5afced54ebaa1a34f8cf0bb535a28aefb8300e8ea49a7d6e"
 dependencies = [
- "dashmap 5.5.3",
  "la-arena",
  "lz4_flex",
  "ra_ap_cfg",
  "ra_ap_intern",
- "ra_ap_query-group-macro",
+ "ra_ap_salsa",
  "ra_ap_span",
  "ra_ap_stdx",
  "ra_ap_syntax",
  "ra_ap_vfs",
  "rustc-hash 2.1.1",
- "salsa",
  "semver",
  "tracing",
  "triomphe",
@@ -1493,9 +1416,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_cfg"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0ef2ba45636c5e585040c0c4bee640737a6001b08309f1a25ca78cf04abfbf90"
+checksum = "4d974450788b1f90243c5f2231875ed4d7087444975c0190a1c2cb02c3ed465d"
 dependencies = [
  "ra_ap_intern",
  "ra_ap_tt",
@@ -1505,15 +1428,15 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_edition"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8955c1484d5e7274f755187788ba0d51eb149f870c69cdf0d87c3b7edea20ea0"
+checksum = "c3b1b961a84cb09a4e06e44d06b2e77bcf546d0c2623df9545ba9cc694880989"
 
 [[package]]
 name = "ra_ap_hir"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a51d7955beff2212701b149bea36d4cf2dc0f5cd129652c9bcf0cb5c0b021078"
+checksum = "ff0672e35a6cf12333cb6b9e3fd18aba4bc724fa7c7b24c3253df4730be1f9c3"
 dependencies = [
  "arrayvec",
  "either",
@@ -1537,14 +1460,14 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_hir_def"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5c97e617e4c585d24b3d4f668861452aedddfbe0262f4c53235dcea77e62f9b"
+checksum = "fde2fb9361257e31e73e63eb2d07445ea3fd4cd1e7bae7f45e7ba82bcfcde29a"
 dependencies = [
  "arrayvec",
  "bitflags 2.8.0",
  "cov-mark",
- "dashmap 5.5.3",
+ "dashmap",
  "drop_bomb",
  "either",
  "fst",
@@ -1560,14 +1483,12 @@ dependencies = [
  "ra_ap_hir_expand",
  "ra_ap_intern",
  "ra_ap_mbe",
- "ra_ap_query-group-macro",
  "ra_ap_span",
  "ra_ap_stdx",
  "ra_ap_syntax",
  "ra_ap_tt",
  "rustc-hash 2.1.1",
  "rustc_apfloat",
- "salsa",
  "smallvec",
  "text-size",
  "tracing",
@@ -1576,9 +1497,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_hir_expand"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "be57c0d7e3f2180dd8ea584b11447f34060eadc06f0f6d559e2a790f6e91b6c5"
+checksum = "1823b649710bf1829c894f774dfe66acb33a3e5bc7409ff7836cd19f6e09c250"
 dependencies = [
  "cov-mark",
  "either",
@@ -1590,14 +1511,12 @@ dependencies = [
  "ra_ap_intern",
  "ra_ap_mbe",
  "ra_ap_parser",
- "ra_ap_query-group-macro",
  "ra_ap_span",
  "ra_ap_stdx",
  "ra_ap_syntax",
  "ra_ap_syntax-bridge",
  "ra_ap_tt",
  "rustc-hash 2.1.1",
- "salsa",
  "smallvec",
  "tracing",
  "triomphe",
@@ -1605,9 +1524,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_hir_ty"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f260f35748f3035b46a8afcdebda7cb75d95c24750105fad86101d09a9d387c8"
+checksum = "72a591a02787bd2e938c25fceb1f831d0929b9c08726e6d831f85c4a9fba04b5"
 dependencies = [
  "arrayvec",
  "bitflags 2.8.0",
@@ -1616,7 +1535,6 @@ dependencies = [
  "chalk-recursive",
  "chalk-solve",
  "cov-mark",
- "dashmap 5.5.3",
  "either",
  "ena",
  "indexmap 2.7.0",
@@ -1625,19 +1543,18 @@ dependencies = [
  "nohash-hasher",
  "oorandom",
  "ra-ap-rustc_abi",
+ "ra-ap-rustc_hashes",
  "ra-ap-rustc_index",
  "ra-ap-rustc_pattern_analysis",
  "ra_ap_base_db",
  "ra_ap_hir_def",
  "ra_ap_hir_expand",
  "ra_ap_intern",
- "ra_ap_query-group-macro",
  "ra_ap_span",
  "ra_ap_stdx",
  "ra_ap_syntax",
  "rustc-hash 2.1.1",
  "rustc_apfloat",
- "salsa",
  "scoped-tls",
  "smallvec",
  "tracing",
@@ -1647,15 +1564,14 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_ide_db"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0426263be26e27cb55a3b9ef88b120511b66fe7d9b418a2473d6d5f3ac2fe0a6"
+checksum = "c74386061453edc3ebfd52141c7c3cde109a7427faff9792a303c3c09a762a01"
 dependencies = [
  "arrayvec",
  "bitflags 2.8.0",
  "cov-mark",
  "crossbeam-channel",
- "dashmap 5.5.3",
  "either",
  "fst",
  "indexmap 2.7.0",
@@ -1667,25 +1583,22 @@ dependencies = [
  "ra_ap_hir",
  "ra_ap_parser",
  "ra_ap_profile",
- "ra_ap_query-group-macro",
  "ra_ap_span",
  "ra_ap_stdx",
  "ra_ap_syntax",
- "ra_ap_vfs",
  "rayon",
  "rustc-hash 2.1.1",
- "salsa",
  "tracing",
  "triomphe",
 ]
 
 [[package]]
 name = "ra_ap_intern"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6ea8c9615b3b0688cf557e7310dbd9432f43860c8ea766d54f4416cbecf3571"
+checksum = "8239ffde688b558a4335f03d14fa42dcebb203f452367830554b18e17ff1c683"
 dependencies = [
- "dashmap 5.5.3",
+ "dashmap",
  "hashbrown 0.14.5",
  "rustc-hash 2.1.1",
  "triomphe",
@@ -1693,9 +1606,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_load-cargo"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "570907e16725c13a678bfd8050ce8839af2831da042a0878b75ee8c41b0f7b0c"
+checksum = "01dd50ca287042b06ca3cc62b60e6891bacee3886d39381d26f9f966e509b1c7"
 dependencies = [
  "anyhow",
  "crossbeam-channel",
@@ -1715,9 +1628,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_mbe"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e893fe03b04b30c9b5a339ac2bf39ce32ac9c05a8b50121b7d89ce658346e164"
+checksum = "c193592a0d1dcd315cf8c60f25d37a15c6b50c2b58bfbc6eac38b123e45c8c21"
 dependencies = [
  "arrayvec",
  "cov-mark",
@@ -1736,9 +1649,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_parser"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6fd9a264120968b14a66b6ba756cd7f99435385b5dbc2f0a611cf3a12221c385"
+checksum = "b380f96951dd56b8231eeb47884fea12c57b8515ac748eedd590b26cd156681c"
 dependencies = [
  "drop_bomb",
  "ra-ap-rustc_lexer",
@@ -1748,18 +1661,18 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_paths"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f47817351651e36b56ff3afc483b41600053c9cb7e67d945467c0abe93416032"
+checksum = "0801105582f532bc59a2b5714a30966c4cf9bd3e5b66f4161763c1d974d2c7d5"
 dependencies = [
  "camino",
 ]
 
 [[package]]
 name = "ra_ap_proc_macro_api"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d96da3b8b9f6b813a98f5357eef303905450741f47ba90adaab8a5371b748416"
+checksum = "da377b243e376b82819f875c1c6624125d27b682a740bd4cafc30b4f496d0ffa"
 dependencies = [
  "indexmap 2.7.0",
  "ra_ap_intern",
@@ -1776,9 +1689,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_profile"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "13637377287c84f88a628e40229d271ef0081c0d683956bd99a6c8278a4f8b14"
+checksum = "4d6d1391bee4f86e56385438a2dcb739cbb96bd0fbf49799a492332d57e6db62"
 dependencies = [
  "cfg-if",
  "libc",
@@ -1788,9 +1701,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_project_model"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "053c5207a638fc7a752c7a454bc952b28b0d02f0bf9f6d7ec785ec809579d8fa"
+checksum = "e8b1ac2712d5f6a20197b360890031e64b4ea097b511f50e2cb8ab1a0e24f577"
 dependencies = [
  "anyhow",
  "cargo_metadata",
@@ -1813,54 +1726,71 @@ dependencies = [
 ]
 
 [[package]]
-name = "ra_ap_query-group-macro"
-version = "0.0.270"
+name = "ra_ap_salsa"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0f1a38f07b442e47a234cbe2e8fd1b8a41ff0cc5123cb1cf994c5ce20edb5bd6"
+checksum = "bc3a0a272f50e2ab831452bd3f4e7f8a571ccf01282d76f4a078f661135ed0ce"
 dependencies = [
- "heck",
+ "indexmap 2.7.0",
+ "itertools 0.12.1",
+ "lock_api",
+ "oorandom",
+ "parking_lot",
+ "ra_ap_salsa-macros",
+ "rustc-hash 2.1.1",
+ "smallvec",
+ "tracing",
+ "triomphe",
+]
+
+[[package]]
+name = "ra_ap_salsa-macros"
+version = "0.0.266"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d5d59b47a54fd5468ce0dc03b146afd0932ae0f3d05a5c15ca78d29d5e85bc31"
+dependencies = [
+ "heck 0.4.1",
  "proc-macro2",
  "quote",
- "salsa",
  "syn",
 ]
 
 [[package]]
 name = "ra_ap_span"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8818680c6f7da3b32cb2bb0992940b24264b1aa90203aa94812e09ab34d362d1"
+checksum = "f10dbdd611d2546be7c400934007865e85bb37570566c715edb3aac76367a782"
 dependencies = [
  "hashbrown 0.14.5",
  "la-arena",
+ "ra_ap_salsa",
  "ra_ap_stdx",
  "ra_ap_syntax",
  "ra_ap_vfs",
  "rustc-hash 2.1.1",
- "salsa",
  "text-size",
 ]
 
 [[package]]
 name = "ra_ap_stdx"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1c10bee1b03fc48083862c13cf06bd3ed17760463ecce2734103a2f511e5ed4"
+checksum = "b7d5c58fcda9b35d61e23f334b2b11221abf53e7f5e4344fc7eb1de18b2cbf68"
 dependencies = [
+ "always-assert",
  "crossbeam-channel",
  "itertools 0.12.1",
  "jod-thread",
  "libc",
  "miow",
- "tracing",
  "windows-sys 0.59.0",
 ]
 
 [[package]]
 name = "ra_ap_syntax"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "92bc32f3946fc5fcbdc79e61b7e26a8c2a3a56f3ef6ab27c7d298a9e21a462f2"
+checksum = "75334f45a8095223823ef1d2789c085460b7b9368c63a6430d46f6f2b9bd5cb5"
 dependencies = [
  "cov-mark",
  "either",
@@ -1878,9 +1808,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_syntax-bridge"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a42052c44c98c122c37aac476260c8f19d8fec495edc9c05835307c9ae86194d"
+checksum = "b331a50f90ae587d230b1b55b3852ebf67ab740dec33c1a4b0900005037e77c2"
 dependencies = [
  "ra_ap_intern",
  "ra_ap_parser",
@@ -1894,9 +1824,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_toolchain"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75996e70b3a0c68cd5157ba01f018964c7c6a5d7b209047d449b393139d0b57f"
+checksum = "8d56e1b3a34eac0448e54afccf63a6b7699ef14a734b2f1b340246ccdd00c0d3"
 dependencies = [
  "camino",
  "home",
@@ -1904,9 +1834,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_tt"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0e4ee31e93bfabe83e6720b7469db88d7ad7ec5c59a1f011efec4aa1327ffc5c"
+checksum = "4b974b1211e0b1e17e44b1f256ca1b4a3734d4d98f43ba09ee0a8476fc3a5b83"
 dependencies = [
  "arrayvec",
  "ra-ap-rustc_lexer",
@@ -1917,9 +1847,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_vfs"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6aac1e277ac70bb073f40f8a3fc44e4b1bb9e4d4b1d0e0bd2f8269543560f80"
+checksum = "2b004e20f901dae213cb1673111a2b56fec4f0d1c4c894b62668a0f69ce25065"
 dependencies = [
  "crossbeam-channel",
  "fst",
@@ -1933,9 +1863,9 @@ dependencies = [
 
 [[package]]
 name = "ra_ap_vfs-notify"
-version = "0.0.270"
+version = "0.0.266"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cd95285146049621ee8f7a512c982a008bf036321fcc9b01a95c1ad7e6aeae57"
+checksum = "95f9e8df03407d76e044f99ef45fafd686d775508aa7d1ba836e9eca58b833a3"
 dependencies = [
  "crossbeam-channel",
  "notify",
@@ -2100,59 +2030,12 @@ dependencies = [
  "smallvec",
 ]
 
-[[package]]
-name = "rustversion"
-version = "1.0.20"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eded382c5f5f786b989652c49544c4877d9f015cc22e145a5ea8ea66c2921cd2"
-
 [[package]]
 name = "ryu"
 version = "1.0.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6ea1a2d0a644769cc99faa24c3ad26b379b786fe7c36fd3c546254801650e6dd"
 
-[[package]]
-name = "salsa"
-version = "0.19.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd55c6549513b2a42884dae31e3d4f4ac8a6cc51062e68e24d162133889f327c"
-dependencies = [
- "boxcar",
- "crossbeam-queue",
- "dashmap 6.1.0",
- "hashbrown 0.15.2",
- "hashlink",
- "indexmap 2.7.0",
- "parking_lot",
- "portable-atomic",
- "rayon",
- "rustc-hash 2.1.1",
- "salsa-macro-rules",
- "salsa-macros",
- "smallvec",
- "tracing",
-]
-
-[[package]]
-name = "salsa-macro-rules"
-version = "0.19.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2619b4b451beab0a7e4364ff1e6f31950e7e418888fd9bf2f28889671563166a"
-
-[[package]]
-name = "salsa-macros"
-version = "0.19.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4be57a99b3896e8d26850428a6874fb86849e2db874e1db3528e5cee4337d277"
-dependencies = [
- "heck",
- "proc-macro2",
- "quote",
- "syn",
- "synstructure",
-]
-
 [[package]]
 name = "same-file"
 version = "1.0.6"
@@ -2185,18 +2068,18 @@ dependencies = [
 
 [[package]]
 name = "serde"
-version = "1.0.219"
+version = "1.0.218"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5f0e2c6ed6606019b4e29e69dbaba95b11854410e5347d525002456dbbb786b6"
+checksum = "e8dfc9d19bdbf6d17e22319da49161d5d0108e4188e8b680aef6299eed22df60"
 dependencies = [
  "serde_derive",
 ]
 
 [[package]]
 name = "serde_derive"
-version = "1.0.219"
+version = "1.0.218"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "5b0276cf7f2c73365f7157c8123c21cd9a50fbbd844757af28ca1f5925fc2a00"
+checksum = "f09503e191f4e797cb8aac08e9a4a4695c5edf6a2e70e376d961ddd5c969f82b"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2205,9 +2088,9 @@ dependencies = [
 
 [[package]]
 name = "serde_json"
-version = "1.0.140"
+version = "1.0.139"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373"
+checksum = "44f86c3acccc9c65b153fe1b85a3be07fe5515274ec9f0653b4a0875731c72a6"
 dependencies = [
  "itoa",
  "memchr",
@@ -2318,9 +2201,9 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
 
 [[package]]
 name = "syn"
-version = "2.0.100"
+version = "2.0.98"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b09a44accad81e1ba1cd74a32461ba89dee89095ba17b32f5d03683b1b1fc2a0"
+checksum = "36147f1a48ae0ec2b5b3bc5b537d267457555a10dc06f3dbc8cb11ba3006d3b1"
 dependencies = [
  "proc-macro2",
  "quote",
@@ -2753,16 +2636,6 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
 
-[[package]]
-name = "windows"
-version = "0.58.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dd04d41d93c4992d421894c18c8b43496aa748dd4c081bac0dc93eb0489272b6"
-dependencies = [
- "windows-core 0.58.0",
- "windows-targets 0.52.6",
-]
-
 [[package]]
 name = "windows-core"
 version = "0.52.0"
@@ -2772,66 +2645,6 @@ dependencies = [
  "windows-targets 0.52.6",
 ]
 
-[[package]]
-name = "windows-core"
-version = "0.58.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6ba6d44ec8c2591c134257ce647b7ea6b20335bf6379a27dac5f1641fcf59f99"
-dependencies = [
- "windows-implement",
- "windows-interface",
- "windows-result",
- "windows-strings",
- "windows-targets 0.52.6",
-]
-
-[[package]]
-name = "windows-implement"
-version = "0.58.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "2bbd5b46c938e506ecbce286b6628a02171d56153ba733b6c741fc627ec9579b"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "windows-interface"
-version = "0.58.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "053c4c462dc91d3b1504c6fe5a726dd15e216ba718e84a0e46a88fbe5ded3515"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn",
-]
-
-[[package]]
-name = "windows-link"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "76840935b766e1b0a05c0066835fb9ec80071d4c09a16f6bd5f7e655e3c14c38"
-
-[[package]]
-name = "windows-result"
-version = "0.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1d1043d8214f791817bab27572aaa8af63732e11bf84aa21a45a78d6c317ae0e"
-dependencies = [
- "windows-targets 0.52.6",
-]
-
-[[package]]
-name = "windows-strings"
-version = "0.1.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4cd9b125c486025df0eabcb585e62173c6c9eddcec5d117d3b6e8c30e2ee4d10"
-dependencies = [
- "windows-result",
- "windows-targets 0.52.6",
-]
-
 [[package]]
 name = "windows-sys"
 version = "0.48.0"

MODULE.bazel

@@ -71,13 +71,13 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.97",
+    "vendor_ts__anyhow-1.0.96",
     "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.100.0",
-    "vendor_ts__chrono-0.4.40",
-    "vendor_ts__clap-4.5.32",
+    "vendor_ts__chalk-ir-0.99.0",
+    "vendor_ts__chrono-0.4.39",
+    "vendor_ts__clap-4.5.31",
     "vendor_ts__dunce-1.0.5",
-    "vendor_ts__either-1.15.0",
+    "vendor_ts__either-1.14.0",
     "vendor_ts__encoding-0.2.33",
     "vendor_ts__figment-0.10.19",
     "vendor_ts__flate2-1.1.0",
@@ -88,31 +88,31 @@ use_repo(
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
     "vendor_ts__num_cpus-1.16.0",
-    "vendor_ts__proc-macro2-1.0.94",
-    "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.270",
-    "vendor_ts__ra_ap_cfg-0.0.270",
-    "vendor_ts__ra_ap_hir-0.0.270",
-    "vendor_ts__ra_ap_hir_def-0.0.270",
-    "vendor_ts__ra_ap_hir_expand-0.0.270",
-    "vendor_ts__ra_ap_hir_ty-0.0.270",
-    "vendor_ts__ra_ap_ide_db-0.0.270",
-    "vendor_ts__ra_ap_intern-0.0.270",
-    "vendor_ts__ra_ap_load-cargo-0.0.270",
-    "vendor_ts__ra_ap_parser-0.0.270",
-    "vendor_ts__ra_ap_paths-0.0.270",
-    "vendor_ts__ra_ap_project_model-0.0.270",
-    "vendor_ts__ra_ap_span-0.0.270",
-    "vendor_ts__ra_ap_stdx-0.0.270",
-    "vendor_ts__ra_ap_syntax-0.0.270",
-    "vendor_ts__ra_ap_vfs-0.0.270",
+    "vendor_ts__proc-macro2-1.0.93",
+    "vendor_ts__quote-1.0.38",
+    "vendor_ts__ra_ap_base_db-0.0.266",
+    "vendor_ts__ra_ap_cfg-0.0.266",
+    "vendor_ts__ra_ap_hir-0.0.266",
+    "vendor_ts__ra_ap_hir_def-0.0.266",
+    "vendor_ts__ra_ap_hir_expand-0.0.266",
+    "vendor_ts__ra_ap_hir_ty-0.0.266",
+    "vendor_ts__ra_ap_ide_db-0.0.266",
+    "vendor_ts__ra_ap_intern-0.0.266",
+    "vendor_ts__ra_ap_load-cargo-0.0.266",
+    "vendor_ts__ra_ap_parser-0.0.266",
+    "vendor_ts__ra_ap_paths-0.0.266",
+    "vendor_ts__ra_ap_project_model-0.0.266",
+    "vendor_ts__ra_ap_span-0.0.266",
+    "vendor_ts__ra_ap_stdx-0.0.266",
+    "vendor_ts__ra_ap_syntax-0.0.266",
+    "vendor_ts__ra_ap_vfs-0.0.266",
     "vendor_ts__rand-0.9.0",
     "vendor_ts__rayon-1.10.0",
     "vendor_ts__regex-1.11.1",
-    "vendor_ts__serde-1.0.219",
-    "vendor_ts__serde_json-1.0.140",
+    "vendor_ts__serde-1.0.218",
+    "vendor_ts__serde_json-1.0.139",
     "vendor_ts__serde_with-3.12.0",
-    "vendor_ts__syn-2.0.100",
+    "vendor_ts__syn-2.0.98",
     "vendor_ts__toml-0.8.20",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
@@ -155,7 +155,7 @@ use_repo(csharp_main_extension, "paket.main")
 pip = use_extension("@rules_python//python/extensions:pip.bzl", "pip")
 pip.parse(
     hub_name = "codegen_deps",
-    python_version = "3.12",
+    python_version = "3.11",
     requirements_lock = "//misc/codegen:requirements_lock.txt",
 )
 use_repo(pip, "codegen_deps")

actions/extractor/tools/autobuild-impl.ps1

@@ -21,7 +21,7 @@ if (($null -ne $env:LGTM_INDEX_INCLUDE) -or ($null -ne $env:LGTM_INDEX_EXCLUDE)
 
 # Find the JavaScript extractor directory via `codeql resolve extractor`.
 $CodeQL = Join-Path $env:CODEQL_DIST 'codeql.exe'
-$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &"$CodeQL" resolve extractor --language javascript
+$env:CODEQL_EXTRACTOR_JAVASCRIPT_ROOT = &$CodeQL resolve extractor --language javascript
 if ($LASTEXITCODE -ne 0) {
     throw 'Failed to resolve JavaScript extractor.'
 }
@@ -40,7 +40,7 @@ $env:CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR = $env:CODEQL_EXTRACTOR_ACTI
 $env:CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR = $env:CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR
 $env:CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE = $env:CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE
 
-&"$JavaScriptAutoBuild"
+&$JavaScriptAutoBuild
 if ($LASTEXITCODE -ne 0) {
     throw "JavaScript autobuilder failed."
 }

actions/extractor/tools/autobuild.cmd

@@ -1,4 +1,3 @@
 @echo off
 rem All of the work is done in the PowerShell script
-echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
-powershell.exe -File "%~dp0autobuild-impl.ps1"
+powershell.exe %~dp0autobuild-impl.ps1

actions/extractor/tools/autobuild.sh

@@ -26,7 +26,7 @@ else
 fi
 
 # Find the JavaScript extractor directory via `codeql resolve extractor`.
-CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$("${CODEQL_DIST}/codeql" resolve extractor --language javascript)"
+CODEQL_EXTRACTOR_JAVASCRIPT_ROOT="$($CODEQL_DIST/codeql resolve extractor --language javascript)"
 export CODEQL_EXTRACTOR_JAVASCRIPT_ROOT
 
 echo "Found JavaScript extractor at '${CODEQL_EXTRACTOR_JAVASCRIPT_ROOT}'."
@@ -42,4 +42,4 @@ env CODEQL_EXTRACTOR_JAVASCRIPT_DIAGNOSTIC_DIR="${CODEQL_EXTRACTOR_ACTIONS_DIAGN
     CODEQL_EXTRACTOR_JAVASCRIPT_SOURCE_ARCHIVE_DIR="${CODEQL_EXTRACTOR_ACTIONS_SOURCE_ARCHIVE_DIR}" \
     CODEQL_EXTRACTOR_JAVASCRIPT_TRAP_DIR="${CODEQL_EXTRACTOR_ACTIONS_TRAP_DIR}" \
     CODEQL_EXTRACTOR_JAVASCRIPT_WIP_DATABASE="${CODEQL_EXTRACTOR_ACTIONS_WIP_DATABASE}" \
-    "${JAVASCRIPT_AUTO_BUILD}"
+    ${JAVASCRIPT_AUTO_BUILD}

actions/ql/integration-tests/filters-default/actions.expected

@@ -1,4 +0,0 @@
-| src/.github/action.yaml:1:1:11:32 | name: ' ... action' |
-| src/.github/actions/action-name/action.yml:1:1:11:32 | name: ' ... action' |
-| src/.github/workflows/workflow.yml:1:1:12:33 | name: A workflow |
-| src/action.yml:1:1:11:32 | name: ' ... action' |

actions/ql/integration-tests/filters-default/actions.ql

@@ -1,5 +0,0 @@
-import actions
-
-from AstNode n
-where n instanceof Workflow or n instanceof CompositeAction
-select n

actions/ql/integration-tests/filters-default/src/.github/action.yaml

@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-  using: "composite"
-  steps:
-    - name: Print
-      run: echo "Hello world"
-      shell: bash
-
-    - name: Checkout
-      uses: actions/checkout@v4

actions/ql/integration-tests/filters-default/src/.github/actions/action-name/action.yml

@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-  using: "composite"
-  steps:
-    - name: Print
-      run: echo "Hello world"
-      shell: bash
-
-    - name: Checkout
-      uses: actions/checkout@v4

actions/ql/integration-tests/filters-default/src/.github/unreachable-workflow.yml

@@ -1,12 +0,0 @@
-name: An unreachable workflow
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4

actions/ql/integration-tests/filters-default/src/.github/workflows/workflow.yml

@@ -1,12 +0,0 @@
-name: A workflow
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4

actions/ql/integration-tests/filters-default/src/action.yml

@@ -1,11 +0,0 @@
-name: 'A composite action'
-description: 'Do something'
-runs:
-  using: "composite"
-  steps:
-    - name: Print
-      run: echo "Hello world"
-      shell: bash
-
-    - name: Checkout
-      uses: actions/checkout@v4

actions/ql/integration-tests/filters-default/src/unreachable-workflow.yml

@@ -1,12 +0,0 @@
-name: An unreachable workflow
-on:
-  push:
-    branches:
-      - main
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4

actions/ql/integration-tests/filters-default/test.py

@@ -1,2 +0,0 @@
-def test(codeql, actions):
-    codeql.database.create(source_root="src")

actions/ql/lib/CHANGELOG.md

@@ -1,10 +1,3 @@
-## 0.4.6
-
-### Bug Fixes
-
-* The query `actions/code-injection/medium` now produces alerts for injection
-  vulnerabilities on `pull_request` events.
-
 ## 0.4.5
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.6.md

@@ -1,6 +0,0 @@
-## 0.4.6
-
-### Bug Fixes
-
-* The query `actions/code-injection/medium` now produces alerts for injection
-  vulnerabilities on `pull_request` events.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.4.5

actions/ql/lib/codeql/actions/config/Config.qll

@@ -154,13 +154,3 @@ predicate untrustedGitCommandDataModel(string cmd_regex, string flag) {
 predicate untrustedGhCommandDataModel(string cmd_regex, string flag) {
   Extensions::untrustedGhCommandDataModel(cmd_regex, flag)
 }
-
-/**
- * MaD models for permissions needed by actions
- * Fields:
- *    - action: action name, e.g. `actions/checkout`
- *    - permission: permission name, e.g. `contents: read`
- */
-predicate actionsPermissionsDataModel(string action, string permission) {
-  Extensions::actionsPermissionsDataModel(action, permission)
-}

actions/ql/lib/codeql/actions/config/ConfigExtensions.qll

@@ -77,14 +77,3 @@ extensible predicate untrustedGitCommandDataModel(string cmd_regex, string flag)
  * Holds for gh commands that may introduce untrusted data
  */
 extensible predicate untrustedGhCommandDataModel(string cmd_regex, string flag);
-
-/**
- * Holds if `action` needs `permission` to run.
- * - 'action' is the name of the action without any version information.
- *   E.g. for the action selector `actions/checkout@v2`, `action` is `actions/checkout`.
- * - `permission` is of the form `scope-name: read|write`, for example `contents: read`.
- * - see https://github.com/actions/checkout?tab=readme-ov-file#recommended-permissions
- *   for an example of recommended permissions.
- * - see https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token for documentation of token permissions.
- */
-extensible predicate actionsPermissionsDataModel(string action, string permission);

actions/ql/lib/ext/config/actions_permissions.yml

@@ -1,37 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/actions-all
-      extensible: actionsPermissionsDataModel
-    data:
-      - ["actions/checkout", "contents: read"]
-      - ["actions/setup-node", "contents: read"]
-      - ["actions/setup-python", "contents: read"]
-      - ["actions/setup-java", "contents: read"]
-      - ["actions/setup-go", "contents: read"]
-      - ["actions/setup-dotnet", "contents: read"]
-      - ["actions/labeler", "contents: read"]
-      - ["actions/labeler", "pull-requests: write"]
-      - ["actions/attest", "id-token: write"]
-      - ["actions/attest", "attestations: write"]
-      # No permissions needed for actions/add-to-project
-      - ["actions/dependency-review-action", "contents: read"]
-      - ["actions/attest-sbom", "id-token: write"]
-      - ["actions/attest-sbom", "attestations: write"]
-      - ["actions/stale", "contents: write"]
-      - ["actions/stale", "issues: write"]
-      - ["actions/stale", "pull-requests: write"]
-      - ["actions/attest-build-provenance", "id-token: write"]
-      - ["actions/attest-build-provenance", "attestations: write"]
-      - ["actions/jekyll-build-pages", "contents: read"]
-      - ["actions/jekyll-build-pages", "pages: write"]
-      - ["actions/jekyll-build-pages", "id-token: write"]
-      - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]      
-      - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]      
-      - ["actions/reusable-workflows", "actions: read"]
-      # TODO: Add permissions for actions/download-artifact
-      # TODO: Add permissions for actions/upload-artifact
-      # TODO: Add permissions for actions/cache
-
-      

actions/ql/lib/ext/config/context_event_map.yml

@@ -30,9 +30,6 @@ extensions:
       - ["pull_request_review_comment", "github.event.review"] 
       - ["pull_request_review_comment", "github.head_ref"] 
       - ["pull_request_review_comment", "github.event.changes"] 
-      - ["pull_request", "github.event.pull_request"] 
-      - ["pull_request", "github.head_ref"] 
-      - ["pull_request", "github.event.changes"] 
       - ["pull_request_target", "github.event.pull_request"] 
       - ["pull_request_target", "github.head_ref"] 
       - ["pull_request_target", "github.event.changes"] 

actions/ql/lib/ext/config/externally_triggereable_events.yml

@@ -12,7 +12,6 @@ extensions:
       - ["pull_request_comment"]
       - ["pull_request_review"]
       - ["pull_request_review_comment"]
-      - ["pull_request"]
       - ["pull_request_target"]
       - ["workflow_run"] # depending on branch filter
       - ["workflow_call"] # depending on caller

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.7-dev
+version: 0.4.6-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,11 +1,3 @@
-## 0.5.3
-
-### Bug Fixes
-
-* Fixed typos in the query and alert titles for the queries
-  `actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
-  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
-
 ## 0.5.2
 
 No user-facing changes.
@@ -15,10 +7,9 @@ No user-facing changes.
 ### Bug Fixes
 
 * The `actions/unversioned-immutable-action` query will no longer report any alerts, since the
-  Immutable Actions feature is not yet available for customer use. The query has also been moved
-  to the experimental folder and will not be used in code scanning unless it is explicitly added
-  to a code scanning configuration. Once the Immutable Actions feature is available, the query will
-  be updated to report alerts again.
+  Immutable Actions feature is not yet available for customer use. The query remains in the
+  default Code Scanning suites for use internal to GitHub. Once the Immutable Actions feature is
+  available, the query will be updated to report alerts again.
 
 ## 0.5.0
 

actions/ql/src/Security/CWE-1395/UseOfKnownVulnerableAction.ql

@@ -1,5 +1,5 @@
 /**
- * @name Use of a known vulnerable action
+ * @name Use of a known vulnerable action.
  * @description The workflow is using an action with known vulnerabilities.
  * @kind problem
  * @problem.severity error

actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql

@@ -14,19 +14,7 @@
 
 import actions
 
-Step stepInJob(Job job) { result = job.(LocalJob).getAStep() }
-
-string jobNeedsPermission(Job job) {
-  actionsPermissionsDataModel(stepInJob(job).(UsesStep).getCallee(), result)
-}
-
-/** Gets a suggestion for the minimal token permissions for `job`, as a JSON string. */
-string permissionsForJob(Job job) {
-  result =
-    "{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
-}
-
-from Job job, string permissions
+from Job job
 where
   not exists(job.getPermissions()) and
   not exists(job.getEnclosingWorkflow().getPermissions()) and
@@ -34,8 +22,5 @@ where
   exists(Event e |
     e = job.getATriggerEvent() and
     not e.getName() = "workflow_call"
-  ) and
-  permissions = permissionsForJob(job)
-select job,
-  "Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: "
-    + permissions
+  )
+select job, "Actions Job or Workflow does not set permissions"

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a privileged context
+ * @name Checkout of untrusted code in trusted context
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.

actions/ql/src/change-notes/2025-02-04-suggest-actions-permissions.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Alerts produced by the query `actions/missing-workflow-permissions` now include a minimal set of recommended permissions in the alert message, based on well-known actions seen within the workflow file.

actions/ql/src/change-notes/2025-03-13-environment-query-names.md

@@ -1,7 +1,6 @@
-## 0.5.3
-
-### Bug Fixes
-
+---
+category: fix
+---
 * Fixed typos in the query and alert titles for the queries
   `actions/envpath-injection/critical`, `actions/envpath-injection/medium`,
-  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.
+  `actions/envvar-injection/critical`, and `actions/envvar-injection/medium`.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.3
+lastReleaseVersion: 0.5.2

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.5.4-dev
+version: 0.5.3-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -400,7 +400,6 @@ nodes
 | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body |
 | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
-| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
@@ -630,7 +629,6 @@ nodes
 | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
 | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
 | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
-| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -400,7 +400,6 @@ nodes
 | .github/workflows/level0.yml:44:20:44:49 | github.event.issue.body | semmle.label | github.event.issue.body |
 | .github/workflows/level0.yml:69:35:69:66 | github.event.comment.body | semmle.label | github.event.comment.body |
 | .github/workflows/level1.yml:37:38:37:81 | github.event.workflow_run.head_branch | semmle.label | github.event.workflow_run.head_branch |
-| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:7:19:7:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 | .github/workflows/pull_request_review.yml:8:19:8:55 | github.event.pull_request.body | semmle.label | github.event.pull_request.body |
 | .github/workflows/pull_request_review.yml:9:19:9:61 | github.event.pull_request.head.label | semmle.label | github.event.pull_request.head.label |
@@ -630,7 +629,6 @@ nodes
 | .github/workflows/test19.yml:124:9:129:6 | Run Step: title3 [title] | semmle.label | Run Step: title3 [title] |
 | .github/workflows/test19.yml:125:14:128:50 | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n | semmle.label | TITLE=$(gh issue view "$ISSUE_NUMBER" --json title,author)\nTITLE=$(echo $TITLE \| jq -r '.title')\necho "title=$TITLE" >> "$GITHUB_OUTPUT"\n |
 | .github/workflows/test19.yml:129:21:129:52 | steps.title3.outputs.title | semmle.label | steps.title3.outputs.title |
-| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | semmle.label | github.event.pull_request.head.ref |
 | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
 | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
@@ -708,7 +706,6 @@ subpaths
 | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job2.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job2.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
 | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | .github/workflows/inter-job4.yml:22:9:26:6 | Uses Step: source | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job4.yml:44:20:44:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
 | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/inter-job5.yml:45:20:45:53 | needs.job1.outputs.job_output | ${{needs.job1.outputs.job_output}} |
-| .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/priv_pull_request.yml:14:21:14:57 | github.event.pull_request.body | ${{ github.event.pull_request.body }} |
 | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:7:19:7:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
 | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:8:19:8:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
 | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:9:19:9:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms6.yml

@@ -1,13 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v2
-    - uses: actions/jekyll-build-pages
-
-

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms7.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/add-to-project@v2

actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected

@@ -1,5 +1,3 @@
-| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
-| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
-| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
-| .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
-| .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
+| .github/workflows/perms1.yml:6:5:9:32 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms2.yml:6:5:10:2 | Job: build | Actions Job or Workflow does not set permissions |
+| .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions Job or Workflow does not set permissions |

config/sync-files.py

@@ -58,19 +58,7 @@ def file_checksum(filename):
     with open(filename, 'rb') as file_handle:
         return hashlib.sha1(file_handle.read()).hexdigest()
 
-def accept_prefix(line1, line2):
-    suffix = line2.removeprefix(line1)
-    return not suffix or suffix.lstrip().startswith("//")
-
-def equivalent_lines(lines1, lines2):
-    if len(lines1) != len(lines2):
-        return False
-    for line1, line2 in zip(lines1, lines2):
-        if not accept_prefix(line1, line2) and not accept_prefix(line2, line1):
-            return False
-    return True
-
-def check_group(group_name, files, master_file_picker, emit_error, accept_prefix):
+def check_group(group_name, files, master_file_picker, emit_error):
     extant_files = [f for f in files if path.isfile(f)]
     if len(extant_files) == 0:
         emit_error(__file__, 0, "No files found from group '" + group_name + "'.")
@@ -82,23 +70,11 @@ def check_group(group_name, files, master_file_picker, emit_error, accept_prefix
         return
 
     checksums = {file_checksum(f) for f in extant_files}
-    same_lengths = len(extant_files) == len(files)
-    if len(checksums) == 1 and same_lengths:
+
+    if len(checksums) == 1 and len(extant_files) == len(files):
         # All files are present and identical.
         return
 
-    # In this case we also consider files indentical, if
-    # (1) The group only containts two files.
-    # (2) The lines of one file are the same as the lines of another file
-    # modulo comments.
-    if accept_prefix and same_lengths and len(extant_files) == 2:
-        with open(extant_files[0], 'r') as f1:
-            file1_lines = [l.strip('\n\r') for l in f1.readlines()]
-        with open(extant_files[1], 'r') as f2:
-            file2_lines = [l.strip('\n\r') for l in f2.readlines()]
-        if equivalent_lines(file1_lines, file2_lines):
-            return
-
     master_file = master_file_picker(extant_files)
     if master_file is None:
         emit_error(__file__, 0,
@@ -163,10 +139,9 @@ def sync_identical_files(emit_error):
         raise Exception("Bad command line or file not found")
     chdir_repo_root()
     load_if_exists('.', 'config/identical-files.json')
-    for group_name, files in csharp_test_files().items():
-        check_group(group_name, files, master_file_picker, emit_error, True)
+    file_groups.update(csharp_test_files())
     for group_name, files in file_groups.items():
-        check_group(group_name, files, master_file_picker, emit_error, False)
+        check_group(group_name, files, master_file_picker, emit_error)
 
 def main():
     sync_identical_files(emit_local_error)

cpp/ql/lib/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 4.1.0
-
-### New Features
-
-* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
-
 ## 4.0.3
 
 No user-facing changes.

cpp/ql/lib/change-notes/2025-03-13-ascertaindef.md

@@ -1,5 +1,4 @@
-## 4.1.0
-
-### New Features
-
-* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.
+---
+category: feature
+---
+* Added `Node.asUncertainDefinition` and `Node.asCertainDefinition` to the `DataFlow::Node` class for querying whether a definition overwrites the entire destination buffer.

cpp/ql/lib/change-notes/2025-03-31-calling-convention.md

@@ -1,5 +0,0 @@
----
-category: feature
----
-* Calling conventions explicitly specified on function declarations (`__cdecl`, `__stdcall`, `__fastcall`, etc.)  are now represented as specifiers of those declarations.
-* A new class `CallingConventionSpecifier` extending the `Specifier` class was introduced, which represents explicitly specified calling conventions.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 4.1.0
+lastReleaseVersion: 4.0.3

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 4.1.1-dev
+version: 4.0.4-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Specifier.qll

@@ -97,18 +97,6 @@ class AccessSpecifier extends Specifier {
   override string getAPrimaryQlClass() { result = "AccessSpecifier" }
 }
 
-/**
- * A C/C++ calling convention specifier: `cdecl`, `fastcall`, `stdcall`, `thiscall`,
- * `vectorcall`, or `clrcall`.
- */
-class CallingConventionSpecifier extends Specifier {
-  CallingConventionSpecifier() {
-    this.hasName(["cdecl", "fastcall", "stdcall", "thiscall", "vectorcall", "clrcall"])
-  }
-
-  override string getAPrimaryQlClass() { result = "CallingConventionSpecifier" }
-}
-
 /**
  * An attribute introduced by GNU's `__attribute__((name))` syntax,
  * Microsoft's `__declspec(name)` syntax, Microsoft's `[name]` syntax, the

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowPrivate.qll

@@ -1834,47 +1834,7 @@ module IteratorFlow {
 
   private module IteratorSsa = SsaImpl::Make<Location, SsaInput>;
 
-  private module DataFlowIntegrationInput implements IteratorSsa::DataFlowIntegrationInputSig {
-    private import codeql.util.Void
-
-    class Expr extends Instruction {
-      Expr() {
-        exists(IRBlock bb, int i |
-          SsaInput::variableRead(bb, i, _, true) and
-          this = bb.getInstruction(i)
-        )
-      }
-
-      predicate hasCfgNode(SsaInput::BasicBlock bb, int i) { bb.getInstruction(i) = this }
-    }
-
-    predicate ssaDefHasSource(IteratorSsa::WriteDefinition def) { none() }
-
-    predicate allowFlowIntoUncertainDef(IteratorSsa::UncertainWriteDefinition def) { any() }
-
-    class Guard extends Void {
-      predicate controlsBranchEdge(
-        SsaInput::BasicBlock bb1, SsaInput::BasicBlock bb2, boolean branch
-      ) {
-        none()
-      }
-    }
-
-    predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
-      none()
-    }
-
-    predicate supportBarrierGuardsOnPhiEdges() { none() }
-  }
-
-  private module DataFlowIntegrationImpl =
-    IteratorSsa::DataFlowIntegration<DataFlowIntegrationInput>;
-
-  private class IteratorSynthNode extends DataFlowIntegrationImpl::SsaNode {
-    IteratorSynthNode() { not this.asDefinition() instanceof IteratorSsa::WriteDefinition }
-  }
-
-  private class Def extends IteratorSsa::Definition {
+  private class Def extends IteratorSsa::DefinitionExt {
     final override Location getLocation() { result = this.getImpl().getLocation() }
 
     /**
@@ -1882,7 +1842,7 @@ module IteratorFlow {
      * and is a definition (or use) of the variable `sv`.
      */
     predicate hasIndexInBlock(IRBlock block, int index, SourceVariable sv) {
-      super.definesAt(sv, block, index)
+      super.definesAt(sv, block, index, _)
     }
 
     private Ssa::DefImpl getImpl() {
@@ -1899,15 +1859,46 @@ module IteratorFlow {
     int getIndirectionIndex() { result = this.getImpl().getIndirectionIndex() }
   }
 
+  private class PhiNode extends IteratorSsa::DefinitionExt {
+    PhiNode() {
+      this instanceof IteratorSsa::PhiNode or
+      this instanceof IteratorSsa::PhiReadNode
+    }
+
+    SsaIteratorNode getNode() { result.getIteratorFlowNode() = this }
+  }
+
+  cached
+  private module IteratorSsaCached {
+    cached
+    predicate adjacentDefRead(IRBlock bb1, int i1, SourceVariable sv, IRBlock bb2, int i2) {
+      IteratorSsa::adjacentDefReadExt(_, sv, bb1, i1, bb2, i2)
+      or
+      exists(PhiNode phi |
+        IteratorSsa::lastRefRedefExt(_, sv, bb1, i1, phi) and
+        phi.definesAt(sv, bb2, i2, _)
+      )
+    }
+
+    cached
+    Node getAPriorDefinition(IteratorSsa::DefinitionExt next) {
+      exists(IRBlock bb, int i, SourceVariable sv, IteratorSsa::DefinitionExt def |
+        IteratorSsa::lastRefRedefExt(pragma[only_bind_into](def), pragma[only_bind_into](sv),
+          pragma[only_bind_into](bb), pragma[only_bind_into](i), next) and
+        nodeToDefOrUse(result, sv, bb, i, _)
+      )
+    }
+  }
+
   /** The set of nodes necessary for iterator flow. */
-  class IteratorFlowNode instanceof IteratorSynthNode {
+  class IteratorFlowNode instanceof PhiNode {
     /** Gets a textual representation of this node. */
     string toString() { result = super.toString() }
 
     /** Gets the type of this node. */
     DataFlowType getType() {
       exists(Ssa::SourceVariable sv |
-        super.getSourceVariable() = sv and
+        super.definesAt(sv, _, _, _) and
         result = sv.getType()
       )
     }
@@ -1919,33 +1910,60 @@ module IteratorFlow {
     Location getLocation() { result = super.getBasicBlock().getLocation() }
   }
 
-  private predicate defToNode(Node node, Def def) {
-    nodeHasOperand(node, def.getValue().asOperand(), def.getIndirectionIndex())
-    or
-    nodeHasInstruction(node, def.getValue().asInstruction(), def.getIndirectionIndex())
+  private import IteratorSsaCached
+
+  private predicate defToNode(Node node, Def def, boolean uncertain) {
+    (
+      nodeHasOperand(node, def.getValue().asOperand(), def.getIndirectionIndex())
+      or
+      nodeHasInstruction(node, def.getValue().asInstruction(), def.getIndirectionIndex())
+    ) and
+    uncertain = false
   }
 
-  bindingset[result, v]
-  pragma[inline_late]
-  private DataFlowIntegrationImpl::Node fromDfNode(Node n, SourceVariable v) {
-    result = n.(SsaIteratorNode).getIteratorFlowNode()
-    or
-    exists(Ssa::UseImpl use, IRBlock bb, int i |
-      result.(DataFlowIntegrationImpl::ExprNode).getExpr().hasCfgNode(bb, i) and
-      use.hasIndexInBlock(bb, i, v) and
-      use.getNode() = n
+  private predicate nodeToDefOrUse(
+    Node node, SourceVariable sv, IRBlock bb, int i, boolean uncertain
+  ) {
+    exists(Def def |
+      def.hasIndexInBlock(bb, i, sv) and
+      defToNode(node, def, uncertain)
     )
     or
-    defToNode(n, result.(DataFlowIntegrationImpl::SsaDefinitionNode).getDefinition())
+    useToNode(bb, i, sv, node) and
+    uncertain = false
+  }
+
+  private predicate useToNode(IRBlock bb, int i, SourceVariable sv, Node nodeTo) {
+    exists(PhiNode phi |
+      phi.definesAt(sv, bb, i, _) and
+      nodeTo = phi.getNode()
+    )
+    or
+    exists(Ssa::UseImpl use |
+      use.hasIndexInBlock(bb, i, sv) and
+      nodeTo = use.getNode()
+    )
   }
 
   /**
    * Holds if `nodeFrom` flows to `nodeTo` in a single step.
    */
   predicate localFlowStep(Node nodeFrom, Node nodeTo) {
-    exists(SourceVariable v |
-      nodeFrom != nodeTo and
-      DataFlowIntegrationImpl::localFlowStep(v, fromDfNode(nodeFrom, v), fromDfNode(nodeTo, v), _)
+    exists(
+      Node nFrom, SourceVariable sv, IRBlock bb1, int i1, IRBlock bb2, int i2, boolean uncertain
+    |
+      adjacentDefRead(bb1, i1, sv, bb2, i2) and
+      nodeToDefOrUse(nFrom, sv, bb1, i1, uncertain) and
+      useToNode(bb2, i2, sv, nodeTo)
+    |
+      if uncertain = true
+      then
+        nodeFrom =
+          [
+            nFrom,
+            getAPriorDefinition(any(IteratorSsa::DefinitionExt next | next.definesAt(sv, bb1, i1, _)))
+          ]
+      else nFrom = nodeFrom
     )
   }
 }

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaInternals.qll

@@ -956,6 +956,8 @@ class GlobalDef extends Definition {
 private module SsaImpl = SsaImplCommon::Make<Location, SsaInput>;
 
 private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationInputSig {
+  private import codeql.util.Void
+
   class Expr extends Instruction {
     Expr() {
       exists(IRBlock bb, int i |
@@ -975,7 +977,13 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
     )
   }
 
-  predicate ssaDefHasSource(SsaImpl::WriteDefinition def) { none() }
+  predicate ssaDefAssigns(SsaImpl::WriteDefinition def, Expr value) { none() }
+
+  class Parameter extends Void {
+    Location getLocation() { none() }
+  }
+
+  predicate ssaDefInitializesParam(SsaImpl::WriteDefinition def, Parameter p) { none() }
 
   predicate allowFlowIntoUncertainDef(SsaImpl::UncertainWriteDefinition def) { any() }
 
@@ -999,11 +1007,9 @@ private module DataFlowIntegrationInput implements SsaImpl::DataFlowIntegrationI
     }
   }
 
-  predicate guardDirectlyControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
+  predicate guardControlsBlock(Guard guard, SsaInput::BasicBlock bb, boolean branch) {
     guard.(IRGuards::IRGuardCondition).controls(bb, branch)
   }
-
-  predicate keepAllPhiInputBackEdges() { any() }
 }
 
 private module DataFlowIntegrationImpl = SsaImpl::DataFlowIntegration<DataFlowIntegrationInput>;
@@ -1069,7 +1075,7 @@ module BarrierGuard<guardChecksNodeSig/3 guardChecksNode> {
 
 bindingset[result, v]
 pragma[inline_late]
-private DataFlowIntegrationImpl::Node fromDfNode(Node n, SourceVariable v) {
+DataFlowIntegrationImpl::Node fromDfNode(Node n, SourceVariable v) {
   result = n.(SsaSynthNode).getSynthNode()
   or
   exists(UseImpl use, IRBlock bb, int i |

cpp/ql/src/CHANGELOG.md

@@ -1,10 +1,3 @@
-## 1.3.7
-
-### Minor Analysis Improvements
-
-* Fixed a bug in the models for Microsoft's Active Template Library (ATL).
-* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.
-
 ## 1.3.6
 
 No user-facing changes.

cpp/ql/src/Diagnostics/ExtractionWarnings.ql

@@ -14,5 +14,5 @@ where
   or
   warning instanceof ExtractionUnknownProblem
 select warning,
-  "Extraction failed in " + warning.getFile() + " with warning " +
-    warning.getProblemMessage().replaceAll("$", "$$"), warning.getSeverity()
+  "Extraction failed in " + warning.getFile() + " with warning " + warning.getProblemMessage(),
+  warning.getSeverity()

cpp/ql/src/Diagnostics/Internal/ExtractionErrors.ql

@@ -17,6 +17,5 @@ from ExtractionError error
 where
   error instanceof ExtractionUnknownError or
   exists(error.getFile().getRelativePath())
-select error,
-  "Extraction failed in " + error.getFile() + " with error " +
-    error.getErrorMessage().replaceAll("$", "$$"), error.getSeverity()
+select error, "Extraction failed in " + error.getFile() + " with error " + error.getErrorMessage(),
+  error.getSeverity()

cpp/ql/src/change-notes/2025-03-11-basic-int-types.md

@@ -1,6 +1,4 @@
-## 1.3.7
-
-### Minor Analysis Improvements
-
-* Fixed a bug in the models for Microsoft's Active Template Library (ATL).
-* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.
+---
+category: minorAnalysis
+---
+* The query "Use of basic integral type" (`cpp/jpl-c/basic-int-types`) no longer produces alerts for the standard fixed width integer types (`int8_t`, `uint8_t`, etc.), and the `_Bool` and `bool` types.

cpp/ql/src/change-notes/2025-03-14-mad-atl-fix.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed a bug in the models for Microsoft's Active Template Library (ATL).

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.7
+lastReleaseVersion: 1.3.6

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.3.8-dev
+version: 1.3.7-dev
 groups:
   - cpp
   - queries
@@ -11,3 +11,4 @@ suites: codeql-suites
 extractor: cpp
 defaultSuiteFile: codeql-suites/cpp-code-scanning.qls
 warnOnImplicitThis: true
+compileForOverlayEval: true

cpp/ql/test/library-tests/calling-convention/calling-convention.expected

@@ -1,7 +0,0 @@
-| test.cpp:4:21:4:35 | definition of thiscall_method | thiscall |
-| test.cpp:7:14:7:23 | definition of func_cdecl | cdecl |
-| test.cpp:9:16:9:27 | definition of func_stdcall | stdcall |
-| test.cpp:11:17:11:29 | definition of func_fastcall | fastcall |
-| test.cpp:13:20:13:34 | definition of func_vectorcall | vectorcall |
-| test.cpp:15:13:15:25 | definition of func_overload | cdecl |
-| test.cpp:16:15:16:27 | definition of func_overload | stdcall |

cpp/ql/test/library-tests/calling-convention/calling-convention.ql

@@ -1,5 +0,0 @@
-import cpp
-
-from FunctionDeclarationEntry func, CallingConventionSpecifier ccs
-where ccs.hasName(func.getASpecifier())
-select func, func.getASpecifier()

cpp/ql/test/library-tests/calling-convention/test.cpp

@@ -1,16 +0,0 @@
-// semmle-extractor-options: --microsoft
-
-struct call_conventions {
-    void __thiscall thiscall_method() {}
-};
-
-void __cdecl func_cdecl() {}
-
-void __stdcall func_stdcall() {}
-
-void __fastcall func_fastcall() {}
-
-void __vectorcall  func_vectorcall() {}
-
-int __cdecl func_overload() {}
-int __stdcall func_overload(int x) {}

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected

@@ -68,23 +68,31 @@
 | test.cpp:10:8:10:9 | t2 | test.cpp:11:7:11:8 | [input] SSA phi read(t2) |
 | test.cpp:10:8:10:9 | t2 | test.cpp:11:7:11:8 | [input] SSA phi(*t2) |
 | test.cpp:10:8:10:9 | t2 | test.cpp:13:10:13:11 | t2 |
-| test.cpp:11:7:11:8 | [input] SSA phi read(t2) | test.cpp:15:8:15:9 | t2 |
-| test.cpp:11:7:11:8 | [input] SSA phi(*t2) | test.cpp:15:8:15:9 | t2 |
+| test.cpp:11:7:11:8 | [input] SSA phi read(t2) | test.cpp:15:3:15:6 | SSA phi read(t2) |
+| test.cpp:11:7:11:8 | [input] SSA phi(*t2) | test.cpp:15:3:15:6 | SSA phi(*t2) |
 | test.cpp:11:7:11:8 | t1 | test.cpp:21:8:21:9 | t1 |
 | test.cpp:12:5:12:10 | ... = ... | test.cpp:13:10:13:11 | t2 |
 | test.cpp:12:10:12:10 | 0 | test.cpp:12:5:12:10 | ... = ... |
-| test.cpp:13:10:13:11 | t2 | test.cpp:15:8:15:9 | t2 |
-| test.cpp:13:10:13:11 | t2 | test.cpp:15:8:15:9 | t2 |
+| test.cpp:13:5:13:8 | [input] SSA phi read(t2) | test.cpp:15:3:15:6 | SSA phi read(t2) |
+| test.cpp:13:5:13:8 | [input] SSA phi(*t2) | test.cpp:15:3:15:6 | SSA phi(*t2) |
+| test.cpp:13:10:13:11 | t2 | test.cpp:13:5:13:8 | [input] SSA phi read(t2) |
+| test.cpp:13:10:13:11 | t2 | test.cpp:13:5:13:8 | [input] SSA phi(*t2) |
+| test.cpp:15:3:15:6 | SSA phi read(t2) | test.cpp:15:8:15:9 | t2 |
+| test.cpp:15:3:15:6 | SSA phi(*t2) | test.cpp:15:8:15:9 | t2 |
 | test.cpp:15:8:15:9 | t2 | test.cpp:23:15:23:16 | [input] SSA phi read(*t2) |
 | test.cpp:15:8:15:9 | t2 | test.cpp:23:15:23:16 | [input] SSA phi read(t2) |
 | test.cpp:17:3:17:8 | ... = ... | test.cpp:21:8:21:9 | t1 |
 | test.cpp:17:8:17:8 | 0 | test.cpp:17:3:17:8 | ... = ... |
-| test.cpp:21:8:21:9 | t1 | test.cpp:23:19:23:19 | SSA phi read(t1) |
-| test.cpp:21:8:21:9 | t1 | test.cpp:23:19:23:19 | SSA phi(*t1) |
+| test.cpp:21:8:21:9 | t1 | test.cpp:23:15:23:16 | [input] SSA phi read(t1) |
+| test.cpp:21:8:21:9 | t1 | test.cpp:23:15:23:16 | [input] SSA phi(*t1) |
 | test.cpp:23:15:23:16 | 0 | test.cpp:23:15:23:16 | 0 |
-| test.cpp:23:15:23:16 | 0 | test.cpp:23:19:23:19 | SSA phi(*i) |
+| test.cpp:23:15:23:16 | 0 | test.cpp:23:15:23:16 | [input] SSA phi(*i) |
 | test.cpp:23:15:23:16 | [input] SSA phi read(*t2) | test.cpp:23:19:23:19 | SSA phi read(*t2) |
+| test.cpp:23:15:23:16 | [input] SSA phi read(i) | test.cpp:23:19:23:19 | SSA phi read(i) |
+| test.cpp:23:15:23:16 | [input] SSA phi read(t1) | test.cpp:23:19:23:19 | SSA phi read(t1) |
 | test.cpp:23:15:23:16 | [input] SSA phi read(t2) | test.cpp:23:19:23:19 | SSA phi read(t2) |
+| test.cpp:23:15:23:16 | [input] SSA phi(*i) | test.cpp:23:19:23:19 | SSA phi(*i) |
+| test.cpp:23:15:23:16 | [input] SSA phi(*t1) | test.cpp:23:19:23:19 | SSA phi(*t1) |
 | test.cpp:23:19:23:19 | SSA phi read(*t2) | test.cpp:24:10:24:11 | t2 |
 | test.cpp:23:19:23:19 | SSA phi read(i) | test.cpp:23:19:23:19 | i |
 | test.cpp:23:19:23:19 | SSA phi read(t1) | test.cpp:23:23:23:24 | t1 |

cpp/ql/test/library-tests/preprocessor/preprocessor/pp.cpp

@@ -10,7 +10,7 @@
 // semmle-extractor-options: -I${testdir}/more_headers/ "-U SOME_SYM"
 #undef BAR
 #define SCARY(a,aa,aaah) /* we ignore a */ (aa /* but we take aa */) /* and we ignore aaa */
-#define LOG(fmt, ...)  printf("Warning: %s", fmt, __VA__ARGS__)
+#define LOG(fmt, ...)  printf("Warning: %s", fmt, __VA__ARGS__)  
 #include "pp.h"
 
 #if 0
@@ -59,7 +59,7 @@ public:
 	#else
 		#define IN_TEMPLATE
 	#endif
-
+	
 	static int val;
 };
 
@@ -71,128 +71,7 @@ templateClassContext<int> tcci;
 
 #define BAR
 
-#if defined(BAR) &&\
+#if defined(BAR) && \
   defined(BAR)
 #warning BAR defined
 #endif
-
-#if defined MACROTHREE/**hello*/ && /*world*/\
-/*hw*/ (defined(MACROONE)) /* macroone */
-#endif
-
-#if defined SIMPLE_COMMENT  //this comment \
-     (defined(SIMPLE_COMMENT)) spans over multiple lines
-#endif
-
-#if defined(FOO) &&\
-    defined(BAR)
-#define CONDITIONAL_MACRO_1 1
-#endif
-
-#if defined(FOO) && \
-    defined(BAR) && \
-    !defined(BAZ)
-#define CONDITIONAL_MACRO_2 2
-#endif
-
-#define FOO 8
-#define BAR 2
-#define BAZ 4
-#if ((FOO / BAR) \
-   == 4) && ((BAZ \
-   * QUX) \
-   > 10)
-#define CONDITIONAL_MACRO_3 3
-#endif
-
-// Testing \t spaced PreprocessorIf
-#if defined(FOO)	&&	\
-	defined(BAR)	&&	\
-	defined(BAZ)
-#define CONDITIONAL_MACRO_4 4
-#endif
-
-
-#if defined /* //test */ SIMPLE_COMMENT   //this comment \
-     (defined(SIMPLE_COMMENT)) spans over multiple lines
-#endif
-
-#warning foo \
-
-#warning foo \
-\
-/* a comment */
-
-#warning foo \
-\
-
-#warning foo \
-\
-// a comment
-
-
-#define FOO 8
-#define BAR 2
-#define BAZ 4
-#if ((FOO / BAR) \
-   == 4) && ((BAZ \
-    /** comment */ \
-   * QUX) \
-   /** comment */ \
-   > 10)
-#define CONDITIONAL_MACRO_3 3
-#endif
-
-#define X 1
-#define Y 2
-#if defined(X) && \
-    /*this is a comment*/ defined(Y) \
-    // another comment
-#endif
-
-#warning FOO\
-	 \
-	 \
-	 \
-BAR
-
-
-#warning foo \
-\
-/* comment */     \
-\
-
-
-#if/** */A/* ... */&&B
-#endif
-
-
-#if/** */  /**/    A
-#endif
-
-#if \
-\
-A && B
-#endif
-
-
-#ifdef /*
-
-
-
-*/ FOOBAR
-#warning a
-#else
-#warning b
-#endif
-
-
-#if /*
-
-//test
-
-*/ FOOBAR
-#endif
-
-#if/*...*//*...*/A
-#endif

cpp/ql/test/library-tests/preprocessor/preprocessor/preproc.expected

@@ -33,64 +33,17 @@
 | pp.cpp:0:0:0:0 | pp.cpp | 50 | 2 | 50 | 48 | Macro | MACRO_TEMPLATECLASSCONTEXT_REFERENCED | 5 |
 | pp.cpp:0:0:0:0 | pp.cpp | 54 | 3 | 54 | 39 | Macro | MACRO_TEMPLATEMETHODCONTEXT | 6 |
 | pp.cpp:0:0:0:0 | pp.cpp | 57 | 1 | 57 | 21 | PreprocessorIfdef | INSTANTIATION | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 59 | 1 | 59 | 6 | PreprocessorElse |  | N/A |
+| pp.cpp:0:0:0:0 | pp.cpp | 59 | 1 | 59 | 6 | PreprocessorElse | N/A | N/A |
 | pp.cpp:0:0:0:0 | pp.cpp | 60 | 3 | 60 | 21 | Macro | IN_TEMPLATE |  |
-| pp.cpp:0:0:0:0 | pp.cpp | 61 | 1 | 61 | 7 | PreprocessorEndif |  | N/A |
+| pp.cpp:0:0:0:0 | pp.cpp | 61 | 1 | 61 | 7 | PreprocessorEndif | N/A | N/A |
 | pp.cpp:0:0:0:0 | pp.cpp | 69 | 1 | 69 | 21 | Macro | INSTANTIATION |  |
 | pp.cpp:0:0:0:0 | pp.cpp | 72 | 1 | 72 | 11 | Macro | BAR |  |
-| pp.cpp:0:0:0:0 | pp.cpp | 74 | 1 | 75 | 14 | PreprocessorIf | defined(BAR) && defined(BAR) | N/A |
+| pp.cpp:0:0:0:0 | pp.cpp | 74 | 1 | 74 | 21 | PreprocessorIf | defined(BAR) && \\ | N/A |
 | pp.cpp:0:0:0:0 | pp.cpp | 76 | 1 | 76 | 20 | PreprocessorWarning | BAR defined | N/A |
 | pp.cpp:0:0:0:0 | pp.cpp | 77 | 1 | 77 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 79 | 1 | 80 | 26 | PreprocessorIf | defined MACROTHREE && (defined(MACROONE)) | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 81 | 1 | 81 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 83 | 1 | 83 | 26 | PreprocessorIf | defined SIMPLE_COMMENT | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 85 | 1 | 85 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 87 | 1 | 88 | 16 | PreprocessorIf | defined(FOO) && defined(BAR) | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 90 | 1 | 90 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 92 | 1 | 94 | 17 | PreprocessorIf | defined(FOO) && defined(BAR) && !defined(BAZ) | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 96 | 1 | 96 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 98 | 1 | 98 | 13 | Macro | FOO | 8 |
-| pp.cpp:0:0:0:0 | pp.cpp | 99 | 1 | 99 | 13 | Macro | BAR | 2 |
-| pp.cpp:0:0:0:0 | pp.cpp | 100 | 1 | 100 | 13 | Macro | BAZ | 4 |
-| pp.cpp:0:0:0:0 | pp.cpp | 101 | 1 | 104 | 8 | PreprocessorIf | ((FOO / BAR) == 4) && ((BAZ * QUX) > 10) | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 106 | 1 | 106 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 109 | 1 | 111 | 13 | PreprocessorIf | defined(FOO) && defined(BAR) && defined(BAZ) | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 112 | 1 | 112 | 29 | Macro | CONDITIONAL_MACRO_4 | 4 |
-| pp.cpp:0:0:0:0 | pp.cpp | 113 | 1 | 113 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 116 | 1 | 116 | 39 | PreprocessorIf | defined SIMPLE_COMMENT | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 118 | 1 | 118 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 120 | 1 | 120 | 12 | PreprocessorWarning | foo | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 122 | 1 | 122 | 12 | PreprocessorWarning | foo | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 126 | 1 | 126 | 12 | PreprocessorWarning | foo | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 129 | 1 | 129 | 12 | PreprocessorWarning | foo | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 134 | 1 | 134 | 13 | Macro | FOO | 8 |
-| pp.cpp:0:0:0:0 | pp.cpp | 135 | 1 | 135 | 13 | Macro | BAR | 2 |
-| pp.cpp:0:0:0:0 | pp.cpp | 136 | 1 | 136 | 13 | Macro | BAZ | 4 |
-| pp.cpp:0:0:0:0 | pp.cpp | 137 | 1 | 142 | 8 | PreprocessorIf | ((FOO / BAR) == 4) && ((BAZ * QUX) > 10) | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 144 | 1 | 144 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 146 | 1 | 146 | 11 | Macro | X | 1 |
-| pp.cpp:0:0:0:0 | pp.cpp | 147 | 1 | 147 | 11 | Macro | Y | 2 |
-| pp.cpp:0:0:0:0 | pp.cpp | 148 | 1 | 149 | 36 | PreprocessorIf | defined(X) && defined(Y) | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 151 | 1 | 151 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 153 | 1 | 157 | 3 | PreprocessorWarning | FOO BAR | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 160 | 1 | 160 | 12 | PreprocessorWarning | foo | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 166 | 1 | 166 | 22 | PreprocessorIf | A &&B | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 167 | 1 | 167 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 170 | 1 | 170 | 20 | PreprocessorIf | A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 171 | 1 | 171 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 173 | 1 | 175 | 6 | PreprocessorIf | A && B | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 176 | 1 | 176 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 179 | 1 | 183 | 9 | PreprocessorIfdef | FOOBAR | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 185 | 1 | 185 | 5 | PreprocessorElse | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 186 | 1 | 186 | 10 | PreprocessorWarning | b | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 187 | 1 | 187 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 190 | 1 | 194 | 9 | PreprocessorIf | FOOBAR | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 195 | 1 | 195 | 6 | PreprocessorEndif | N/A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 197 | 1 | 197 | 18 | PreprocessorIf | A | N/A |
-| pp.cpp:0:0:0:0 | pp.cpp | 198 | 1 | 198 | 6 | PreprocessorEndif | N/A | N/A |
 | pp.h:0:0:0:0 | pp.h | 1 | 1 | 1 | 12 | PreprocessorPragma | once | N/A |
 | pp.h:0:0:0:0 | pp.h | 2 | 1 | 2 | 29 | PreprocessorWarning | "This should happen" | N/A |
-| pp.h:0:0:0:0 | pp.h | 3 | 1 | 3 | 27 | PreprocessorLine | 33 "emerald_city.h" | N/A |
+| pp.h:0:0:0:0 | pp.h | 3 | 1 | 3 | 27 | PreprocessorLine | 33  "emerald_city.h" | N/A |
 | pp.h:0:0:0:0 | pp.h | 4 | 1 | 4 | 30 | PreprocessorPragma | byte_order(big_endian) | N/A |
 | pp.h:0:0:0:0 | pp.h | 5 | 1 | 5 | 33 | PreprocessorWarning | "Not in Kansas any more" | N/A |
 | pp.h:0:0:0:0 | pp.h | 7 | 1 | 11 | 8 | Macro | MULTILINE | world a long |

cpp/ql/test/library-tests/specifiers2/specifiers2.expected

@@ -27,7 +27,7 @@
 | Function | cpp20.cpp:62:8:62:8 | operator= | operator= | extern, inline, is_constexpr, public |
 | Function | cpp20.cpp:62:8:62:8 | operator= | operator= | extern, inline, is_constexpr, public |
 | Function | cpp20.cpp:64:5:64:21 | TestExplicitBool4 | TestExplicitBool4 | explicit, extern, public |
-| Function | file://:0:0:0:0 | TestExplicitBool | TestExplicitBool | explicit |
+| Function | file://:0:0:0:0 | TestExplicitBool | TestExplicitBool | explicit, has_trailing_return_type |
 | Function | file://:0:0:0:0 | operator delete | operator delete | extern |
 | Function | file://:0:0:0:0 | operator new | operator new | extern |
 | Function | specifiers2.c:11:6:11:6 | f | f | c_linkage, extern |
@@ -67,8 +67,6 @@
 | Function | specifiers2pp.cpp:63:19:63:34 | member_constexpr | member_constexpr | const, declared_constexpr, inline, is_constexpr, private |
 | Function | specifiers2pp.cpp:64:19:64:40 | member_const_constexpr | member_const_constexpr | const, declared_constexpr, inline, is_constexpr, private |
 | FunctionDeclarationEntry | cpp20.cpp:11:14:11:24 | declaration of TestExplict | TestExplict | explicit |
-| FunctionDeclarationEntry | cpp20.cpp:23:1:23:1 | declaration of TestExplicitBool | TestExplicitBool | has_trailing_return_type |
-| FunctionDeclarationEntry | cpp20.cpp:24:1:24:16 | definition of TestExplicitBool | TestExplicitBool | has_trailing_return_type |
 | FunctionDeclarationEntry | cpp20.cpp:40:23:40:23 | definition of TestExplicitBool2 | TestExplicitBool2 | explicit |
 | FunctionDeclarationEntry | cpp20.cpp:51:5:51:5 | definition of TestExplicitBool3 | TestExplicitBool3 | explicit |
 | FunctionDeclarationEntry | cpp20.cpp:51:5:51:21 | declaration of TestExplicitBool3 | TestExplicitBool3 | explicit |

cpp/ql/test/query-tests/Diagnostics/ExtractionErrors.expected

@@ -1,3 +1,2 @@
-| containserror.cpp:9:14:9:14 | Recoverable extraction error: 'x' has already been declared in the current scope | Extraction failed in containserror.cpp with error "containserror.cpp", line 9: error: "x" has already been declared in the current scope\n  \tconst char *x = "Foo2 $$@ bar2 $$@ baz2";\n  \t            ^\n\n | 2 |
 | doesnotcompile.cpp:4:2:4:2 | Recoverable extraction error: identifier 'This' is undefined | Extraction failed in doesnotcompile.cpp with error "doesnotcompile.cpp", line 4: error: identifier "This" is undefined\n  \tThis is not correct C/C++ code.\n  \t^\n\n | 2 |
 | doesnotcompile.cpp:4:10:4:10 | Recoverable extraction error: expected a ';' | Extraction failed in doesnotcompile.cpp with error "doesnotcompile.cpp", line 4: error: expected a ";"\n  \tThis is not correct C/C++ code.\n  \t        ^\n\n | 2 |

cpp/ql/test/query-tests/Diagnostics/ExtractionWarnings.expected

@@ -1,3 +1,2 @@
-| containserror.cpp:9:14:9:14 | Recoverable extraction error: 'x' has already been declared in the current scope | Extraction failed in containserror.cpp with warning "containserror.cpp", line 9: error: "x" has already been declared in the current scope\n  \tconst char *x = "Foo2 $$@ bar2 $$@ baz2";\n  \t            ^\n\n | 1 |
 | doesnotcompile.cpp:4:2:4:2 | Recoverable extraction error: identifier 'This' is undefined | Extraction failed in doesnotcompile.cpp with warning "doesnotcompile.cpp", line 4: error: identifier "This" is undefined\n  \tThis is not correct C/C++ code.\n  \t^\n\n | 1 |
 | doesnotcompile.cpp:4:10:4:10 | Recoverable extraction error: expected a ';' | Extraction failed in doesnotcompile.cpp with warning "doesnotcompile.cpp", line 4: error: expected a ";"\n  \tThis is not correct C/C++ code.\n  \t        ^\n\n | 1 |

cpp/ql/test/query-tests/Diagnostics/Info.expected

@@ -1,4 +1,4 @@
-| containserror.cpp:0:0:0:0 | containserror.cpp | containserror.cpp | ExtractionProblem (severity 1), fromSource, normalTermination |
+| containserror.cpp:0:0:0:0 | containserror.cpp | containserror.cpp | fromSource, normalTermination |
 | containswarning.cpp:0:0:0:0 | containswarning.cpp | containswarning.cpp | fromSource, normalTermination |
 | doesnotcompile.cpp:0:0:0:0 | doesnotcompile.cpp | doesnotcompile.cpp | ExtractionProblem (severity 1), fromSource, normalTermination |
 | file://:0:0:0:0 |  |  |  |

cpp/ql/test/query-tests/Diagnostics/containserror.cpp

@@ -3,8 +3,3 @@
 void containserror() {
 	#error An error!
 }
-
-void error_with_placeholder() {
-	const char *x = "Foo1 $@ bar1 $@ baz1";
-	const char *x = "Foo2 $@ bar2 $@ baz2";
-}

csharp/documentation/library-coverage/coverage.csv

@@ -8,20 +8,20 @@ ILLink.Shared,,,37,,,,,,,,,,,,,,,,,,,11,26
 ILLink.Tasks,,,5,,,,,,,,,,,,,,,,,,,4,1
 Internal.IL,,,54,,,,,,,,,,,,,,,,,,,28,26
 Internal.Pgo,,,9,,,,,,,,,,,,,,,,,,,2,7
-Internal.TypeSystem,,,342,,,,,,,,,,,,,,,,,,,205,137
+Internal.TypeSystem,,,345,,,,,,,,,,,,,,,,,,,205,140
 Microsoft.ApplicationBlocks.Data,28,,,,,,,,,,,,28,,,,,,,,,,
 Microsoft.AspNetCore.Components,2,4,2,,,,,,,2,,,,,,,,,4,,,1,1
 Microsoft.AspNetCore.Http,,,1,,,,,,,,,,,,,,,,,,,1,
 Microsoft.AspNetCore.Mvc,,,2,,,,,,,,,,,,,,,,,,,,2
 Microsoft.AspNetCore.WebUtilities,,,2,,,,,,,,,,,,,,,,,,,2,
 Microsoft.CSharp,,,2,,,,,,,,,,,,,,,,,,,2,
-Microsoft.Diagnostics.Tools.Pgo,,,21,,,,,,,,,,,,,,,,,,,,21
+Microsoft.Diagnostics.Tools.Pgo,,,23,,,,,,,,,,,,,,,,,,,,23
 Microsoft.DotNet.Build.Tasks,,,11,,,,,,,,,,,,,,,,,,,9,2
 Microsoft.DotNet.PlatformAbstractions,,,1,,,,,,,,,,,,,,,,,,,1,
 Microsoft.EntityFrameworkCore,6,,12,,,,,,,,,,6,,,,,,,,,,12
 Microsoft.Extensions.Caching.Distributed,,,3,,,,,,,,,,,,,,,,,,,,3
 Microsoft.Extensions.Caching.Memory,,,37,,,,,,,,,,,,,,,,,,,5,32
-Microsoft.Extensions.Configuration,,3,118,,,,,,,,,,,,,3,,,,,,41,77
+Microsoft.Extensions.Configuration,,3,123,,,,,,,,,,,,,3,,,,,,40,83
 Microsoft.Extensions.DependencyInjection,,,209,,,,,,,,,,,,,,,,,,,15,194
 Microsoft.Extensions.DependencyModel,,1,57,,,,,,,,,,,,,1,,,,,,13,44
 Microsoft.Extensions.Diagnostics.Metrics,,,14,,,,,,,,,,,,,,,,,,,1,13
@@ -31,16 +31,16 @@ Microsoft.Extensions.Hosting,,,61,,,,,,,,,,,,,,,,,,,29,32
 Microsoft.Extensions.Http,,,9,,,,,,,,,,,,,,,,,,,7,2
 Microsoft.Extensions.Logging,,,107,,,,,,,,,,,,,,,,,,,26,81
 Microsoft.Extensions.Options,,,174,,,,,,,,,,,,,,,,,,,48,126
-Microsoft.Extensions.Primitives,,,75,,,,,,,,,,,,,,,,,,,68,7
+Microsoft.Extensions.Primitives,,,76,,,,,,,,,,,,,,,,,,,67,9
 Microsoft.Interop,,,216,,,,,,,,,,,,,,,,,,,71,145
 Microsoft.JSInterop,2,,,,,,,,,,2,,,,,,,,,,,,
 Microsoft.NET.Build.Tasks,,,5,,,,,,,,,,,,,,,,,,,3,2
-Microsoft.VisualBasic,,,6,,,,,,,,,,,,,,,,,,,1,5
+Microsoft.VisualBasic,,,13,,,,,,,,,,,,,,,,,,,1,12
 Microsoft.Win32,,4,2,,,,,,,,,,,,,,,,,,4,,2
-Mono.Linker,,,278,,,,,,,,,,,,,,,,,,,130,148
+Mono.Linker,,,280,,,,,,,,,,,,,,,,,,,129,151
 MySql.Data.MySqlClient,48,,,,,,,,,,,,48,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,54,47,12111,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5993,6118
+System,54,47,12241,,6,5,5,,,4,1,,33,2,,6,15,17,4,3,,5941,6300
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,

csharp/documentation/library-coverage/coverage.rst

@@ -8,7 +8,7 @@ C# framework & library support
 
    Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
    `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,12111,54,5
-   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2252,152,4
-   Totals,,107,14370,400,9
+   System,"``System.*``, ``System``",47,12241,54,5
+   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2272,152,4
+   Totals,,107,14520,400,9
 

csharp/downgrades/66044cfa5bbf2ecfabd06ead25e91db2bdd79764/string_interpol_insert.ql

@@ -1,39 +0,0 @@
-class Expr extends @expr {
-  string toString() { none() }
-}
-
-class TypeOrRef extends @type_or_ref {
-  string toString() { none() }
-}
-
-class InterpolatedStringInsertExpr extends Expr, @interpolated_string_insert_expr { }
-
-private predicate remove_expr(Expr e) {
-  exists(InterpolatedStringInsertExpr ie |
-    e = ie
-    or
-    // Alignment
-    expr_parent(e, 1, ie)
-    or
-    // Format
-    expr_parent(e, 2, ie)
-  )
-}
-
-query predicate new_expressions(Expr e, int kind, TypeOrRef t) {
-  expressions(e, kind, t) and
-  // Remove the syntheetic intert expression and previously un-extracted children
-  not remove_expr(e)
-}
-
-query predicate new_expr_parent(Expr e, int child, Expr parent) {
-  expr_parent(e, child, parent) and
-  not remove_expr(e) and
-  not remove_expr(parent)
-  or
-  // Use the string interpolation as parent instead of the synthetic insert expression
-  exists(InterpolatedStringInsertExpr ie |
-    expr_parent(e, 0, ie) and
-    expr_parent(ie, child, parent)
-  )
-}

csharp/downgrades/66044cfa5bbf2ecfabd06ead25e91db2bdd79764/upgrade.properties

@@ -1,4 +0,0 @@
-description: Remove `interpolated_string_insert_expr` kind.
-compatibility: backwards
-expressions.rel: run string_interpol_insert.qlo new_expressions
-expr_parent.rel: run string_interpol_insert.qlo new_expr_parent

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependabotProxy.cs

@@ -1,22 +1,14 @@
 using System;
-using System.Collections.Generic;
+using System.Diagnostics;
 using System.IO;
 using System.Security.Cryptography.X509Certificates;
 using Semmle.Util;
 using Semmle.Util.Logging;
-using Newtonsoft.Json;
 
 namespace Semmle.Extraction.CSharp.DependencyFetching
 {
     public class DependabotProxy : IDisposable
     {
-        /// <summary>
-        /// Represents configurations for package registries.
-        /// </summary>
-        /// <param name="Type">The type of package registry.</param>
-        /// <param name="URL">The URL of the package registry.</param>
-        public record class RegistryConfig(string Type, string URL);
-
         private readonly string host;
         private readonly string port;
 
@@ -25,10 +17,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// </summary>
         internal string Address { get; }
         /// <summary>
-        /// The URLs of package registries that are configured for the proxy.
-        /// </summary>
-        internal HashSet<string> RegistryURLs { get; }
-        /// <summary>
         /// The path to the temporary file where the certificate is stored.
         /// </summary>
         internal string? CertificatePath { get; private set; }
@@ -79,39 +67,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 result.Certificate = X509Certificate2.CreateFromPem(cert);
             }
 
-            // Try to obtain the list of private registry URLs.
-            var registryURLs = Environment.GetEnvironmentVariable(EnvironmentVariableNames.ProxyURLs);
-
-            if (!string.IsNullOrWhiteSpace(registryURLs))
-            {
-                try
-                {
-                    // The value of the environment variable should be a JSON array of objects, such as:
-                    // [ { "type": "nuget_feed", "url": "https://nuget.pkg.github.com/org/index.json" } ]
-                    var array = JsonConvert.DeserializeObject<List<RegistryConfig>>(registryURLs);
-                    if (array is not null)
-                    {
-                        foreach (RegistryConfig config in array)
-                        {
-                            // The array contains all configured private registries, not just ones for C#.
-                            // We ignore the non-C# ones here.
-                            if (!config.Type.Equals("nuget_feed"))
-                            {
-                                logger.LogDebug($"Ignoring registry at '{config.URL}' since it is not of type 'nuget_feed'.");
-                                continue;
-                            }
-
-                            logger.LogInfo($"Found private registry at '{config.URL}'");
-                            result.RegistryURLs.Add(config.URL);
-                        }
-                    }
-                }
-                catch (JsonException ex)
-                {
-                    logger.LogError($"Unable to parse '{EnvironmentVariableNames.ProxyURLs}': {ex.Message}");
-                }
-            }
-
             return result;
         }
 
@@ -120,7 +75,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             this.host = host;
             this.port = port;
             this.Address = $"http://{this.host}:{this.port}";
-            this.RegistryURLs = new HashSet<string>();
         }
 
         public void Dispose()

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs

@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.IO;
 using System.Linq;
+
 using Newtonsoft.Json.Linq;
 
 using Semmle.Util;
@@ -76,11 +77,6 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 args += " /p:EnableWindowsTargeting=true";
             }
 
-            if (restoreSettings.ExtraArgs is not null)
-            {
-                args += $" {restoreSettings.ExtraArgs}";
-            }
-
             return args;
         }
 

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/EnvironmentVariableNames.cs

@@ -89,10 +89,5 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// Contains the certificate used by the Dependabot proxy.
         /// </summary>
         public const string ProxyCertificate = "CODEQL_PROXY_CA_CERTIFICATE";
-
-        /// <summary>
-        /// Contains the URLs of private nuget registries as a JSON array.
-        /// </summary>
-        public const string ProxyURLs = "CODEQL_PROXY_URLS";
     }
 }

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNet.cs

@@ -17,7 +17,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         IList<string> GetNugetFeedsFromFolder(string folderPath);
     }
 
-    public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? ExtraArgs = null, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false);
+    public record class RestoreSettings(string File, string PackageDirectory, bool ForceDotnetRefAssemblyFetching, string? PathToNugetConfig = null, bool ForceReevaluation = false, bool TargetWindows = false);
 
     public partial record class RestoreResult(bool Success, IList<string> Output)
     {

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs

@@ -103,11 +103,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             compilationInfoContainer.CompilationInfos.Add(("NuGet feed responsiveness checked", checkNugetFeedResponsiveness ? "1" : "0"));
 
             HashSet<string>? explicitFeeds = null;
-            HashSet<string>? allFeeds = null;
 
             try
             {
-                if (checkNugetFeedResponsiveness && !CheckFeeds(out explicitFeeds, out allFeeds))
+                if (checkNugetFeedResponsiveness && !CheckFeeds(out explicitFeeds))
                 {
                     // todo: we could also check the reachability of the inherited nuget feeds, but to use those in the fallback we would need to handle authentication too.
                     var unresponsiveMissingPackageLocation = DownloadMissingPackagesFromSpecificFeeds([], explicitFeeds);
@@ -157,7 +156,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
             var restoredProjects = RestoreSolutions(out var container);
             var projects = fileProvider.Projects.Except(restoredProjects);
-            RestoreProjects(projects, allFeeds, out var containers);
+            RestoreProjects(projects, out var containers);
 
             var dependencies = containers.Flatten(container);
 
@@ -261,33 +260,8 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// Populates dependencies with the relative paths to the assets files generated by the restore.
         /// </summary>
         /// <param name="projects">A list of paths to project files.</param>
-        private void RestoreProjects(IEnumerable<string> projects, HashSet<string>? configuredSources, out ConcurrentBag<DependencyContainer> dependencies)
+        private void RestoreProjects(IEnumerable<string> projects, out ConcurrentBag<DependencyContainer> dependencies)
         {
-            // Conservatively, we only set this to a non-null value if a Dependabot proxy is enabled.
-            // This ensures that we continue to get the old behaviour where feeds are taken from
-            // `nuget.config` files instead of the command-line arguments.
-            string? extraArgs = null;
-
-            if (this.dependabotProxy is not null)
-            {
-                // If the Dependabot proxy is configured, then our main goal is to make `dotnet` aware
-                // of the private registry feeds. However, since providing them as command-line arguments
-                // to `dotnet` ignores other feeds that may be configured, we also need to add the feeds
-                // we have discovered from analysing `nuget.config` files.
-                var sources = configuredSources ?? new();
-                this.dependabotProxy.RegistryURLs.ForEach(url => sources.Add(url));
-
-                // Add package sources. If any are present, they override all sources specified in
-                // the configuration file(s).
-                var feedArgs = new StringBuilder();
-                foreach (string source in sources)
-                {
-                    feedArgs.Append($" -s {source}");
-                }
-
-                extraArgs = feedArgs.ToString();
-            }
-
             var successCount = 0;
             var nugetSourceFailures = 0;
             ConcurrentBag<DependencyContainer> collectedDependencies = [];
@@ -302,7 +276,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 foreach (var project in projectGroup)
                 {
                     logger.LogInfo($"Restoring project {project}...");
-                    var res = dotnet.Restore(new(project, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, extraArgs, TargetWindows: isWindows));
+                    var res = dotnet.Restore(new(project, PackageDirectory.DirInfo.FullName, ForceDotnetRefAssemblyFetching: true, TargetWindows: isWindows));
                     assets.AddDependenciesRange(res.AssetsFilePaths);
                     lock (sync)
                     {
@@ -706,42 +680,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             return (timeoutMilliSeconds, tryCount);
         }
 
-        /// <summary>
-        /// Checks that we can connect to all Nuget feeds that are explicitly configured in configuration files
-        /// as well as any private package registry feeds that are configured.
-        /// </summary>
-        /// <param name="explicitFeeds">Outputs the set of explicit feeds.</param>
-        /// <param name="allFeeds">Outputs the set of all feeds (explicit and inherited).</param>
-        /// <returns>True if all feeds are reachable or false otherwise.</returns>
-        private bool CheckFeeds(out HashSet<string> explicitFeeds, out HashSet<string> allFeeds)
+        private bool CheckFeeds(out HashSet<string> explicitFeeds)
         {
-            (explicitFeeds, allFeeds) = GetAllFeeds();
-            HashSet<string> feedsToCheck = explicitFeeds;
-
-            // If private package registries are configured for C#, then check those
-            // in addition to the ones that are configured in `nuget.config` files.
-            this.dependabotProxy?.RegistryURLs.ForEach(url => feedsToCheck.Add(url));
-
-            var allFeedsReachable = this.CheckSpecifiedFeeds(feedsToCheck);
-
-            var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
-            if (inheritedFeeds.Count > 0)
-            {
-                logger.LogInfo($"Inherited Nuget feeds (not checked for reachability): {string.Join(", ", inheritedFeeds.OrderBy(f => f))}");
-                compilationInfoContainer.CompilationInfos.Add(("Inherited Nuget feed count", inheritedFeeds.Count.ToString()));
-            }
-
-            return allFeedsReachable;
-        }
-
-        /// <summary>
-        /// Checks that we can connect to the specified Nuget feeds.
-        /// </summary>
-        /// <param name="feeds">The set of package feeds to check.</param>
-        /// <returns>True if all feeds are reachable or false otherwise.</returns>
-        private bool CheckSpecifiedFeeds(HashSet<string> feeds)
-        {
-            logger.LogInfo("Checking that Nuget feeds are reachable...");
+            logger.LogInfo("Checking Nuget feeds...");
+            (explicitFeeds, var allFeeds) = GetAllFeeds();
 
             var excludedFeeds = EnvironmentVariables.GetURLs(EnvironmentVariableNames.ExcludedNugetFeedsFromResponsivenessCheck)
                 .ToHashSet();
@@ -753,7 +695,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
             var (initialTimeout, tryCount) = GetFeedRequestSettings(isFallback: false);
 
-            var allFeedsReachable = feeds.All(feed => excludedFeeds.Contains(feed) || IsFeedReachable(feed, initialTimeout, tryCount));
+            var allFeedsReachable = explicitFeeds.All(feed => excludedFeeds.Contains(feed) || IsFeedReachable(feed, initialTimeout, tryCount));
             if (!allFeedsReachable)
             {
                 logger.LogWarning("Found unreachable Nuget feed in C# analysis with build-mode 'none'. This may cause missing dependencies in the analysis.");
@@ -768,6 +710,14 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
             compilationInfoContainer.CompilationInfos.Add(("All Nuget feeds reachable", allFeedsReachable ? "1" : "0"));
 
+
+            var inheritedFeeds = allFeeds.Except(explicitFeeds).ToHashSet();
+            if (inheritedFeeds.Count > 0)
+            {
+                logger.LogInfo($"Inherited Nuget feeds (not checked for reachability): {string.Join(", ", inheritedFeeds.OrderBy(f => f))}");
+                compilationInfoContainer.CompilationInfos.Add(("Inherited Nuget feed count", inheritedFeeds.Count.ToString()));
+            }
+
             return allFeedsReachable;
         }
 
@@ -816,33 +766,23 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
 
             // todo: this could be improved.
-            HashSet<string>? allFeeds = null;
-
-            if (nugetConfigs.Count > 0)
-            {
-                // We don't have to get the feeds from each of the folders from below, it would be enought to check the folders that recursively contain the others.
-                allFeeds = nugetConfigs
-                    .Select(config =>
+            // We don't have to get the feeds from each of the folders from below, it would be enought to check the folders that recursively contain the others.
+            var allFeeds = nugetConfigs
+                .Select(config =>
+                {
+                    try
                     {
-                        try
-                        {
-                            return new FileInfo(config).Directory?.FullName;
-                        }
-                        catch (Exception exc)
-                        {
-                            logger.LogWarning($"Failed to get directory of '{config}': {exc}");
-                        }
-                        return null;
-                    })
-                    .Where(folder => folder != null)
-                    .SelectMany(folder => GetFeeds(() => dotnet.GetNugetFeedsFromFolder(folder!)))
-                    .ToHashSet();
-            }
-            else
-            {
-                // If we haven't found any `nuget.config` files, then obtain a list of feeds from the root source directory.
-                allFeeds = GetFeeds(() => dotnet.GetNugetFeedsFromFolder(this.fileProvider.SourceDir.FullName)).ToHashSet();
-            }
+                        return new FileInfo(config).Directory?.FullName;
+                    }
+                    catch (Exception exc)
+                    {
+                        logger.LogWarning($"Failed to get directory of '{config}': {exc}");
+                    }
+                    return null;
+                })
+                .Where(folder => folder != null)
+                .SelectMany(folder => GetFeeds(() => dotnet.GetNugetFeedsFromFolder(folder!)))
+                .ToHashSet();
 
             logger.LogInfo($"Found {allFeeds.Count} Nuget feeds (with inherited ones) in nuget.config files: {string.Join(", ", allFeeds.OrderBy(f => f))}");
 

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/SourceGenerators/DotnetSourceGeneratorWrapper/DotnetSourceGeneratorWrapper.cs

@@ -37,8 +37,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         {
             try
             {
-                var relativePathToCsProj = Path.GetRelativePath(sourceDir, csprojFile)
-                    .Replace('\\', '/'); // Ensure we're generating the same hash regardless of the OS
+                var relativePathToCsProj = Path.GetRelativePath(sourceDir, csprojFile);
                 var name = FileUtils.ComputeHash($"{relativePathToCsProj}\n{this.GetType().Name}");
                 using var tempDir = new TemporaryDirectory(Path.Join(FileUtils.GetTemporaryWorkingDirectory(out _), "source-generator"), "source generator temporary", logger);
                 var analyzerConfigPath = Path.Combine(tempDir.DirInfo.FullName, $"{name}.txt");

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -29,15 +29,6 @@ namespace Semmle.Extraction.CSharp
             symbol is null ? (AnnotatedTypeSymbol?)null : new AnnotatedTypeSymbol(symbol, NullableAnnotation.None);
     }
 
-    internal static class AnnotatedTypeSymbolExtensions
-    {
-        /// <summary>
-        /// Returns true if the type is a string type.
-        /// </summary>
-        public static bool IsStringType(this AnnotatedTypeSymbol? type) =>
-            type.HasValue && type.Value.Symbol?.SpecialType == SpecialType.System_String;
-    }
-
     internal static class SymbolExtensions
     {
         /// <summary>

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Binary.cs

@@ -18,7 +18,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         {
             // If this is a "+" expression we might need to wrap the child expressions
             // in ToString calls
-            return Kind == ExprKind.ADD && Type.IsStringType()
+            return Kind == ExprKind.ADD
                 ? ImplicitToString.Create(cx, node, this, child)
                 : Create(cx, node, this, child);
         }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ImplicitToString.cs

@@ -39,13 +39,16 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             Context.TrapWriter.Writer.expr_call(this, target);
         }
 
+        private static bool IsStringType(AnnotatedTypeSymbol? type) =>
+            type.HasValue && type.Value.Symbol?.SpecialType == SpecialType.System_String;
+
         /// <summary>
         /// Creates a new expression, adding a compiler generated `ToString` call if required.
         /// </summary>
-        public static Expression Create(Context cx, ExpressionSyntax node, IExpressionParentEntity parent, int child)
+        public static Expression Create(Context cx, ExpressionSyntax node, Expression parent, int child)
         {
             var info = new ExpressionNodeInfo(cx, node, parent, child);
-            return CreateFromNode(info.SetImplicitToString(!info.Type.IsStringType()));
+            return CreateFromNode(info.SetImplicitToString(IsStringType(parent.Type) && !IsStringType(info.Type)));
         }
 
         /// <summary>

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedString.cs

@@ -1,4 +1,5 @@
 using System.IO;
+using Microsoft.CodeAnalysis;
 using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.Kinds;
@@ -20,7 +21,15 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                 {
                     case SyntaxKind.Interpolation:
                         var interpolation = (InterpolationSyntax)c;
-                        new InterpolatedStringInsert(Context, interpolation, this, child++);
+                        var exp = interpolation.Expression;
+                        if (Context.GetTypeInfo(exp).Type is ITypeSymbol type && !type.ImplementsIFormattable())
+                        {
+                            ImplicitToString.Create(Context, exp, this, child++);
+                        }
+                        else
+                        {
+                            Create(Context, exp, this, child++);
+                        }
                         break;
                     case SyntaxKind.InterpolatedStringText:
                         // Create a string literal

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/InterpolatedStringInsert.cs

@@ -1,41 +0,0 @@
-using Microsoft.CodeAnalysis;
-using Microsoft.CodeAnalysis.CSharp.Syntax;
-using Semmle.Extraction.Kinds;
-
-namespace Semmle.Extraction.CSharp.Entities.Expressions
-{
-    internal class InterpolatedStringInsert : Expression
-    {
-        public InterpolatedStringInsert(Context cx, InterpolationSyntax syntax, Expression parent, int child) :
-            base(new ExpressionInfo(cx, null, cx.CreateLocation(syntax.GetLocation()), ExprKind.INTERPOLATED_STRING_INSERT, parent, child, isCompilerGenerated: false, null))
-        {
-            var exp = syntax.Expression;
-            if (parent.Type.IsStringType() &&
-                cx.GetTypeInfo(exp).Type is ITypeSymbol type &&
-                !type.ImplementsIFormattable())
-            {
-                ImplicitToString.Create(cx, exp, this, 0);
-            }
-            else
-            {
-                Create(cx, exp, this, 0);
-            }
-
-            // Hardcode the child number of the optional alignment clause to 1 and format clause to 2.
-            // This simplifies the logic in QL.
-            if (syntax.AlignmentClause?.Value is ExpressionSyntax alignment)
-            {
-                Create(cx, alignment, this, 1);
-            }
-
-            if (syntax.FormatClause is InterpolationFormatClauseSyntax format)
-            {
-                var f = format.FormatStringToken.ValueText;
-                var t = AnnotatedTypeSymbol.CreateNotAnnotated(cx.Compilation.GetSpecialType(SpecialType.System_String));
-                new Expression(new ExpressionInfo(cx, t, cx.CreateLocation(format.GetLocation()), ExprKind.UTF16_STRING_LITERAL, this, 2, isCompilerGenerated: false, f));
-            }
-
-        }
-    }
-
-}

csharp/extractor/Semmle.Extraction.CSharp/Kinds/ExprKind.cs

@@ -132,7 +132,6 @@ namespace Semmle.Extraction.Kinds
         UTF8_STRING_LITERAL = 135,
         COLLECTION = 136,
         SPREAD_ELEMENT = 137,
-        INTERPOLATED_STRING_INSERT = 138,
         DEFINE_SYMBOL = 999,
     }
 }

csharp/extractor/Semmle.Extraction.Tests/DotNet.cs

@@ -123,7 +123,7 @@ namespace Semmle.Extraction.Tests
             var dotnet = MakeDotnet(dotnetCliInvoker);
 
             // Execute
-            var res = dotnet.Restore(new("myproject.csproj", "mypackages", false, null, "myconfig.config"));
+            var res = dotnet.Restore(new("myproject.csproj", "mypackages", false, "myconfig.config"));
 
             // Verify
             var lastArgs = dotnetCliInvoker.GetLastArgs();
@@ -141,7 +141,7 @@ namespace Semmle.Extraction.Tests
             var dotnet = MakeDotnet(dotnetCliInvoker);
 
             // Execute
-            var res = dotnet.Restore(new("myproject.csproj", "mypackages", false, null, "myconfig.config", true));
+            var res = dotnet.Restore(new("myproject.csproj", "mypackages", false, "myconfig.config", true));
 
             // Verify
             var lastArgs = dotnetCliInvoker.GetLastArgs();

csharp/paket.dependencies

@@ -4,7 +4,7 @@ source https://api.nuget.org/v3/index.json
 # behave like nuget in choosing transitive dependency versions
 strategy: max
 
-nuget Basic.CompilerLog.Util 0.9.8
+nuget Basic.CompilerLog.Util
 nuget Mono.Posix.NETStandard
 nuget Newtonsoft.Json
 nuget xunit

csharp/paket.lock

@@ -3,12 +3,12 @@ STRATEGY: MAX
 RESTRICTION: == net9.0
 NUGET
   remote: https://api.nuget.org/v3/index.json
-    Basic.CompilerLog.Util (0.9.8)
+    Basic.CompilerLog.Util (0.9.4)
       MessagePack (>= 2.5.187)
-      Microsoft.CodeAnalysis (>= 4.12)
-      Microsoft.CodeAnalysis.CSharp (>= 4.12)
-      Microsoft.CodeAnalysis.VisualBasic (>= 4.12)
-      Microsoft.Extensions.ObjectPool (>= 9.0.2)
+      Microsoft.CodeAnalysis (>= 4.11)
+      Microsoft.CodeAnalysis.CSharp (>= 4.11)
+      Microsoft.CodeAnalysis.VisualBasic (>= 4.11)
+      Microsoft.Extensions.ObjectPool (>= 9.0)
       MSBuild.StructuredLogger (>= 2.2.243)
       System.Buffers (>= 4.6)
     Humanizer.Core (2.14.1)
@@ -96,7 +96,7 @@ NUGET
       System.Reflection.Metadata (>= 8.0)
       System.Threading.Channels (>= 7.0)
     Microsoft.CodeCoverage (17.12)
-    Microsoft.Extensions.ObjectPool (9.0.3)
+    Microsoft.Extensions.ObjectPool (9.0)
     Microsoft.NET.StringTools (17.12.6)
     Microsoft.NET.Test.Sdk (17.12)
       Microsoft.CodeCoverage (>= 17.12)

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.37
-
-No user-facing changes.
-
 ## 1.7.36
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.37.md

@@ -1,3 +0,0 @@
-## 1.7.37
-
-No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.37
+lastReleaseVersion: 1.7.36

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.38-dev
+version: 1.7.37-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,7 +1,3 @@
-## 1.7.37
-
-No user-facing changes.
-
 ## 1.7.36
 
 No user-facing changes.