hack: dummy change to trigger qlucie

Merge pull request #19246 from hvitved/rust/cache-tweaks
Merge pull request #19270 from github/felicitymay-patch-1
2026-05-25 00:27:09 +02:00 · 2025-05-15 21:31:32 +02:00 · 2025-04-10 19:02:25 +02:00 · 2025-04-10 15:10:14 +01:00 · 2025-04-10 15:09:43 +02:00 · 2025-04-10 14:41:32 +02:00
155 changed files with 2984 additions and 1059 deletions
--- a/.bazelversion
+++ b/.bazelversion
@@ -1 +1 @@
-8.0.0
+8.1.1
--- a/actions/extractor/tools/autobuild.cmd
+++ b/actions/extractor/tools/autobuild.cmd
@@ -1,3 +1,4 @@
@echo off
 rem All of the work is done in the PowerShell script
-powershell.exe "%~dp0autobuild-impl.ps1"
+echo "Running PowerShell script at '%~dp0autobuild-impl.ps1'"
+powershell.exe -File "%~dp0autobuild-impl.ps1"
--- a/actions/ql/integration-tests/all-platforms/filters-default/actions.expected
+++ b/actions/ql/integration-tests/all-platforms/filters-default/actions.expected
--- a/actions/ql/integration-tests/all-platforms/filters-default/actions.ql
+++ b/actions/ql/integration-tests/all-platforms/filters-default/actions.ql
--- a/actions/ql/integration-tests/all-platforms/filters-default/src/.github/action.yaml
+++ b/actions/ql/integration-tests/all-platforms/filters-default/src/.github/action.yaml
--- a/actions/ql/integration-tests/all-platforms/filters-default/src/.github/actions/action-name/action.yml
+++ b/actions/ql/integration-tests/all-platforms/filters-default/src/.github/actions/action-name/action.yml
--- a/actions/ql/integration-tests/all-platforms/filters-default/src/.github/unreachable-workflow.yml
+++ b/actions/ql/integration-tests/all-platforms/filters-default/src/.github/unreachable-workflow.yml
--- a/actions/ql/integration-tests/all-platforms/filters-default/src/.github/workflows/workflow.yml
+++ b/actions/ql/integration-tests/all-platforms/filters-default/src/.github/workflows/workflow.yml
--- a/actions/ql/integration-tests/all-platforms/filters-default/src/action.yml
+++ b/actions/ql/integration-tests/all-platforms/filters-default/src/action.yml
--- a/actions/ql/integration-tests/all-platforms/filters-default/src/unreachable-workflow.yml
+++ b/actions/ql/integration-tests/all-platforms/filters-default/src/unreachable-workflow.yml
--- a/actions/ql/integration-tests/all-platforms/filters-default/test.py
+++ b/actions/ql/integration-tests/all-platforms/filters-default/test.py
--- a/csharp/ql/integration-tests/all-platforms/diag_missing_project_files/test.py
+++ b/csharp/ql/integration-tests/all-platforms/diag_missing_project_files/test.py
@@ -1,2 +1,8 @@
+import pytest
+import runs_on
+
+
+# Skipping the test on macos-15, as we're running into trouble.
+@pytest.mark.only_if(not runs_on.macos_15)
 def test(codeql, csharp):
    codeql.database.create(_assert_failure=True)
--- a/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py
+++ b/csharp/ql/integration-tests/posix/standalone_dependencies_no_framework/test.py
@@ -3,8 +3,11 @@ import pytest
 import os


-# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
-@pytest.mark.only_if(runs_on.linux or (runs_on.macos and runs_on.x86_64))
+# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
+@pytest.mark.only_if(
+    runs_on.linux
+    or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
+)
 def test(codeql, csharp):
    os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_DOTNET_FRAMEWORK_REFERENCES"] = (
        "/non-existent-path"
--- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget
+++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget
@@ -3,8 +3,11 @@ import runs_on
 import pytest


-# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
-@pytest.mark.only_if(runs_on.linux or (runs_on.macos and runs_on.x86_64))
+# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
+@pytest.mark.only_if(
+    runs_on.linux
+    or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
+)
 def test(codeql, csharp):
    # making sure we're not doing any fallback restore:
    os.environ["CODEQL_EXTRACTOR_CSHARP_BUILDLESS_NUGET_FEEDS_CHECK_FALLBACK_TIMEOUT"] = "1"
--- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py
+++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget/test.py
@@ -2,7 +2,10 @@ import runs_on
 import pytest


-# Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
-@pytest.mark.only_if(runs_on.linux or (runs_on.macos and runs_on.x86_64))
+# Skipping the test on the ARM runners and macos-15, as we're running into trouble with Mono and nuget.
+@pytest.mark.only_if(
+    runs_on.linux
+    or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
+)
 def test(codeql, csharp):
    codeql.database.create(build_mode="none")
--- a/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py
+++ b/csharp/ql/integration-tests/posix/standalone_dependencies_nuget_no_sources/test.py
@@ -3,6 +3,9 @@ import pytest


 # Skipping the test on the ARM runners, as we're running into trouble with Mono and nuget.
-@pytest.mark.only_if(runs_on.linux or (runs_on.macos and runs_on.x86_64))
+@pytest.mark.only_if(
+    runs_on.linux
+    or (runs_on.macos and runs_on.x86_64 and not runs_on.macos_15)
+)
 def test(codeql, csharp):
    codeql.database.create(source_root="proj", build_mode="none")
--- a/docs/codeql/codeql-language-guides/codeql-for-actions.rst
+++ b/docs/codeql/codeql-language-guides/codeql-for-actions.rst
@@ -12,6 +12,6 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat
   codeql-library-for-actions
   customizing-library-models-for-actions

-  :doc:`CodeQL library for GitHub Actions <codeql-library-for-actions>`: When you're analyzing a Ruby program, you can make use of the large collection of classes in the CodeQL library for GitHub Actions.
+-  :doc:`CodeQL library for GitHub Actions <codeql-library-for-actions>`: When you're analyzing GitHub Actions code, you can make use of the large collection of classes in the CodeQL library for GitHub Actions.

 -  :doc:`Customizing library models for GitHub Actions <customizing-library-models-for-actions>`: You can model frameworks and libraries that your codebase depends on using data extensions and publish them as CodeQL model packs.
--- a/docs/codeql/codeql-language-guides/codeql-library-for-actions.rst
+++ b/docs/codeql/codeql-language-guides/codeql-library-for-actions.rst
@@ -95,7 +95,7 @@ to all AST classes:
   * - ``getAChildNode()``
     - Gets a child node of this node.
   * - ``getParentNode()``
-     - Gets the parent of this `AstNode`, if this node is not a root node.
+     - Gets the parent of this ``AstNode``, if this node is not a root node.
   * - ``getATriggerEvent()``
     - Gets an Actions trigger event that can start the enclosing Actions workflow, if any.
     
@@ -104,9 +104,9 @@ Workflows
 ~~~~~~~~~

 A workflow is a configurable automated process made up of one or more jobs,
-defined in a workflow YAML file in the `.github/workflows` directory of a GitHub repository.
+defined in a workflow YAML file in the ``.github/workflows`` directory of a GitHub repository.

-In the CodeQL AST library, a `Workflow` is an `AstNode` representing the mapping at the top level of an Actions YAML workflow file.
+In the CodeQL AST library, a ``Workflow`` is an ``AstNode`` representing the mapping at the top level of an Actions YAML workflow file.

 See the GitHub Actions documentation on `workflows <https://docs.github.com/en/actions/writing-workflows/about-workflows>`__ and `workflow syntax <https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions>`__ for more information.

@@ -116,16 +116,17 @@ See the GitHub Actions documentation on `workflows <https://docs.github.com/en/a
   * - CodeQL class
     - Description and selected predicates
   * - ``Workflow``
-     -  An Actions workflow, defined as a mapping at the top level of a workflow YAML file in `.github/workflows`. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions.
-        - `getAJob()` - Gets a job within the `jobs` mapping of this workflow.
-        - `getEnv()` - Gets an `env` mapping within this workflow declaring workflow-level environment variables, if any.
-        - `getJob(string jobId)` - Gets a job within the `jobs` mapping of this workflow with the given job ID.
-        - `getOn()` - Gets the `on` mapping defining the events that trigger this workflow.
-        - `getPermissions()` - Gets a `permissions` mapping within this workflow declaring workflow-level token permissions, if any.
-        - `getStrategy()` - Gets a `strategy` mapping for the jobs in this workflow, if any.
-        - `getName()` - Gets the name of this workflow, if defined within the workflow.
+     -  An Actions workflow, defined as a mapping at the top level of a workflow YAML file in ``.github/workflows``. See https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions.

-The following example lists all jobs in a workflow with the name declaration `name: test`:
+        - ``getAJob()`` - Gets a job within the ``jobs`` mapping of this workflow.
+        - ``getEnv()`` - Gets an ``env`` mapping within this workflow declaring workflow-level environment variables, if any.
+        - ``getJob(string jobId)`` - Gets a job within the ``jobs`` mapping of this workflow with the given job ID.
+        - ``getOn()`` - Gets the ``on`` mapping defining the events that trigger this workflow.
+        - ``getPermissions()`` - Gets a ``permissions`` mapping within this workflow declaring workflow-level token permissions, if any.
+        - ``getStrategy()`` - Gets a ``strategy`` mapping for the jobs in this workflow, if any.
+        - ``getName()`` - Gets the name of this workflow, if defined within the workflow.
+
+The following example lists all jobs in a workflow with the name declaration ``name: test``:

 .. code-block:: ql

--- a/docs/codeql/codeql-language-guides/customizing-library-models-for-actions.rst
+++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-actions.rst
@@ -1,6 +1,6 @@
 .. _customizing-library-models-for-actions:

-Customizing Library Models for GitHub Actions
+Customizing library models for GitHub Actions
 =============================================

 .. include:: ../reusables/beta-note-customizing-library-models.rst
--- a/docs/codeql/codeql-language-guides/customizing-library-models-for-ruby.rst
+++ b/docs/codeql/codeql-language-guides/customizing-library-models-for-ruby.rst
@@ -1,7 +1,7 @@
 .. _customizing-library-models-for-ruby:


-Customizing Library Models for Ruby
+Customizing library models for Ruby
 ===================================

 .. include:: ../reusables/beta-note-customizing-library-models.rst
--- a/docs/codeql/codeql-language-guides/index.rst
+++ b/docs/codeql/codeql-language-guides/index.rst
@@ -7,9 +7,9 @@ Experiment and learn how to write effective and efficient queries for CodeQL dat

 .. toctree::

-   codeql-for-actions
   codeql-for-cpp
   codeql-for-csharp
+   codeql-for-actions
   codeql-for-go
   codeql-for-java
   codeql-for-javascript
--- a/docs/codeql/query-help/index.rst
+++ b/docs/codeql/query-help/index.rst
@@ -29,9 +29,9 @@ For a full list of the CWEs covered by these queries, see ":doc:`CodeQL CWE cove
   :hidden:
   :titlesonly:

-   actions
   cpp
   csharp
+   actions
   go
   java
   javascript
--- a/docs/codeql/reusables/supported-frameworks.rst
+++ b/docs/codeql/reusables/supported-frameworks.rst
@@ -54,8 +54,8 @@ and the CodeQL library pack ``codeql/actions-all`` (`changelog <https://github.c
   :align: left

   Name, Category
-   `GitHub Actions workflow YAML files <https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions>`, Workflows
-   `GitHub Actions action metadata YAML files <https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions>`, Actions
+   `GitHub Actions workflow YAML files <https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions>`__, Workflows
+   `GitHub Actions action metadata YAML files <https://docs.github.com/en/actions/sharing-automations/creating-actions/metadata-syntax-for-github-actions>`__, Actions

 Go built-in support
 ================================
--- a/go/documentation/library-coverage/coverage.csv
+++ b/go/documentation/library-coverage/coverage.csv
@@ -56,7 +56,7 @@ github.com/gobuffalo/envy,,7,,,,,,,,,,,,,,,,,,,,7,,,,,
 github.com/gobwas/ws,,2,,,,,,,,,,,,,,,,,,,,,,2,,,
 github.com/gofiber/fiber,5,,,,,,,,4,,,,,,,,,1,,,,,,,,,
 github.com/gogf/gf-jwt,1,,,,1,,,,,,,,,,,,,,,,,,,,,,
-github.com/gogf/gf/database/gdb,51,,,,,,,,,,,,,,51,,,,,,,,,,,,
+github.com/gogf/gf/database/gdb,51,39,21,,,,,,,,,,,,51,,,,,,39,,,,,21,
 github.com/going/toolkit/xmlpath,2,,,,,,,,,,,,,,,,,,2,,,,,,,,
 github.com/golang-jwt/jwt,3,,11,,2,1,,,,,,,,,,,,,,,,,,,,11,
 github.com/golang/glog,90,,,,,,90,,,,,,,,,,,,,,,,,,,,
@@ -94,7 +94,7 @@ github.com/sendgrid/sendgrid-go/helpers/mail,,,1,,,,,,,,,,,,,,,,,,,,,,,1,
 github.com/sirupsen/logrus,145,,,,,,145,,,,,,,,,,,,,,,,,,,,
 github.com/spf13/afero,34,,,,,,,,34,,,,,,,,,,,,,,,,,,
 github.com/square/go-jose,3,,4,,2,1,,,,,,,,,,,,,,,,,,,,4,
-github.com/uptrace/bun,63,,,,,,,,,,,,,,63,,,,,,,,,,,,
+github.com/uptrace/bun,63,8,,,,,,,,,,,,,63,,,,,,8,,,,,,
 github.com/valyala/fasthttp,35,50,5,,,,,,8,,,,17,8,,2,,,,,,,,50,,5,
 go.mongodb.org/mongo-driver/mongo,14,11,5,,,,,14,,,,,,,,,,,,,11,,,,,5,
 go.uber.org/zap,33,,11,,,,33,,,,,,,,,,,,,,,,,,,11,
--- a/go/documentation/library-coverage/coverage.rst
+++ b/go/documentation/library-coverage/coverage.rst
@@ -8,7 +8,7 @@ Go framework & library support

   Framework / library,Package,Flow sources,Taint & value steps,Sinks (total)
   `Afero <https://github.com/spf13/afero>`_,``github.com/spf13/afero*``,,,34
-   `Bun <https://bun.uptrace.dev/>`_,``github.com/uptrace/bun*``,,,63
+   `Bun <https://bun.uptrace.dev/>`_,``github.com/uptrace/bun*``,8,,63
   `CleverGo <https://github.com/clevergo/clevergo>`_,"``clevergo.tech/clevergo*``, ``github.com/clevergo/clevergo*``",,,2
   `Couchbase official client(gocb) <https://github.com/couchbase/gocb>`_,"``github.com/couchbase/gocb*``, ``gopkg.in/couchbase/gocb*``",44,96,16
   `Couchbase unofficial client <http://www.github.com/couchbase/go-couchbase>`_,``github.com/couchbaselabs/gocb*``,22,48,8
@@ -22,7 +22,7 @@ Go framework & library support
   `Go kit <https://gokit.io/>`_,``github.com/go-kit/kit*``,,,1
   `Go-spew <https://github.com/davecgh/go-spew>`_,``github.com/davecgh/go-spew/spew*``,,,9
   `GoDotEnv <https://github.com/joho/godotenv>`_,``github.com/joho/godotenv*``,4,,
-   `GoFrame <https://goframe.org/en/>`_,``github.com/gogf/gf*``,,,51
+   `GoFrame <https://goframe.org/en/>`_,``github.com/gogf/gf*``,39,21,51
   `Gokogiri <https://github.com/moovweb/gokogiri>`_,"``github.com/jbowtie/gokogiri*``, ``github.com/moovweb/gokogiri*``",,,10
   `Iris <https://www.iris-go.com/>`_,``github.com/kataras/iris*``,,,14
   `Kubernetes <https://kubernetes.io/>`_,"``k8s.io/api*``, ``k8s.io/apimachinery*``",,57,
@@ -74,5 +74,5 @@ Go framework & library support
   `yaml <https://gopkg.in/yaml.v3>`_,``gopkg.in/yaml*``,,9,
   `zap <https://go.uber.org/zap>`_,``go.uber.org/zap*``,,11,33
   Others,``github.com/kanikanema/gorqlite``,8,2,24
-   Totals,,641,1048,1556
+   Totals,,688,1069,1556

--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -10,7 +10,7 @@ toolchain go1.24.0
 //    bazel mod tidy
 require (
 	golang.org/x/mod v0.24.0
-	golang.org/x/tools v0.31.0
+	golang.org/x/tools v0.32.0
 )

-require golang.org/x/sync v0.12.0 // indirect
+require golang.org/x/sync v0.13.0 // indirect
--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -2,7 +2,7 @@ github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
 golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
-golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
-golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
-golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
-golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
+golang.org/x/sync v0.13.0 h1:AauUjRAJ9OSnvULf/ARrrVywoJDy0YS2AwQ98I37610=
+golang.org/x/sync v0.13.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
--- a/go/extractor/toolchain/toolchain.go
+++ b/go/extractor/toolchain/toolchain.go
@@ -259,7 +259,7 @@ func GetPkgsInfo(patterns []string, includingDeps bool, extractTests bool, flags
 			break
 		}
 		if decErr != nil {
-			log.Printf("Error decoding output of go list -json: %s", err.Error())
+			log.Printf("Error decoding output of go list -json: %s", decErr.Error())
 			return nil, decErr
 		}
 		pkgAbsDir, err := filepath.Abs(pkgInfo.Dir)
--- a/go/ql/test/experimental/CWE-285/vendor/modules.txt
+++ b/go/ql/test/experimental/CWE-285/vendor/modules.txt
@@ -1,3 +1,3 @@
 # github.com/msteinert/pam v1.0.0
 ## explicit
-github.com/msteinert/pam
+github.com/msteinert/pam
--- a/go/ql/test/experimental/CWE-321-V2/vendor/modules.txt
+++ b/go/ql/test/experimental/CWE-321-V2/vendor/modules.txt
@@ -1,6 +1,6 @@
 # github.com/go-jose/go-jose/v3 v3.0.0
 ## explicit
-github.com/go-jose/go-jose/v3
+github.com/go-jose/go-jose/v3/jwt
 # github.com/golang-jwt/jwt/v5 v5.0.0
 ## explicit
 github.com/golang-jwt/jwt/v5
--- a/go/ql/test/experimental/CWE-522-DecompressionBombs/vendor/modules.txt
+++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/vendor/modules.txt
@@ -3,13 +3,20 @@
 github.com/DataDog/zstd
 # github.com/dsnet/compress v0.0.1
 ## explicit
-github.com/dsnet/compress
+github.com/dsnet/compress/bzip2
+github.com/dsnet/compress/flate
 # github.com/golang/snappy v0.0.4
 ## explicit
 github.com/golang/snappy
 # github.com/klauspost/compress v1.16.6
 ## explicit
-github.com/klauspost/compress
+github.com/klauspost/compress/zstd
+github.com/klauspost/compress/snappy
+github.com/klauspost/compress/s2
+github.com/klauspost/compress/zlib
+github.com/klauspost/compress/zip
+github.com/klauspost/compress/flate
+github.com/klauspost/compress/gzip
 # github.com/klauspost/pgzip v1.2.6
 ## explicit
 github.com/klauspost/pgzip
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go
@@ -7,8 +7,6 @@
 // Package glog is a stub of github.com/golang/glog, generated by depstubber.
 package glog

-import ()
-
 func Error(_ ...interface{}) {}

 func ErrorDepth(_ int, _ ...interface{}) {}
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go
@@ -7,8 +7,6 @@
 // Package klog is a stub of k8s.io/klog, generated by depstubber.
 package klog

-import ()
-
 func Error(_ ...interface{}) {}

 func ErrorDepth(_ int, _ ...interface{}) {}
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt
@@ -1,14 +1,9 @@
-# github.com/github/depstubber v0.0.0-20200916130315-f3217697abd4
-## explicit
 # github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 ## explicit
 github.com/golang/glog
 # github.com/sirupsen/logrus v1.7.0
 ## explicit
 github.com/sirupsen/logrus
-# golang.org/x/sys v0.0.0-20191026070338-33540a1f6037
-golang.org/x/sys/unix
-golang.org/x/sys/windows
 # k8s.io/klog v1.0.0
 ## explicit
 k8s.io/klog
--- a/go/ql/test/library-tests/semmle/go/frameworks/Beego/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Beego/vendor/modules.txt
@@ -1,6 +1,10 @@
 # github.com/astaxie/beego v1.12.3
 ## explicit
 github.com/astaxie/beego
+github.com/astaxie/beego/context
+github.com/astaxie/beego/logs
+github.com/astaxie/beego/utils
 # github.com/beego/beego/v2 v2.1.2
 ## explicit
-github.com/beego/beego/v2
+github.com/beego/beego/v2/server/web
+github.com/beego/beego/v2/server/web/context
--- a/go/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/ElazarlGoproxy/vendor/modules.txt
@@ -3,3 +3,4 @@
 github.com/elazarl/goproxy
 # github.com/github/depstubber v0.0.0-20201214172518-12c3da4b7c9d
 ## explicit
+github.com/github/depstubber
--- a/go/ql/test/library-tests/semmle/go/frameworks/Email/vendor/github.com/sendgrid/sendgrid-go/helpers/mail/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Email/vendor/github.com/sendgrid/sendgrid-go/helpers/mail/stub.go
@@ -7,8 +7,6 @@
 // Package mail is a stub of github.com/sendgrid/sendgrid-go/helpers/mail, generated by depstubber.
 package mail

-import ()
-
 type Asm struct {
 	GroupID         int
 	GroupsToDisplay []int
--- a/go/ql/test/library-tests/semmle/go/frameworks/Email/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Email/vendor/modules.txt
@@ -1,3 +1,3 @@
 # github.com/sendgrid/sendgrid-go v3.5.0+incompatible
 ## explicit
-github.com/sendgrid/sendgrid-go
+github.com/sendgrid/sendgrid-go/helpers/mail
--- a/go/ql/test/library-tests/semmle/go/frameworks/Gin/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Gin/vendor/modules.txt
@@ -1,3 +1,4 @@
 # github.com/gin-gonic/gin v1.6.2
 ## explicit
 github.com/gin-gonic/gin
+github.com/gin-gonic/gin/binding
--- a/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/GoMicro/vendor/modules.txt
@@ -1,6 +1,11 @@
 # go-micro.dev/v4 v4.10.2
 ## explicit
 go-micro.dev/v4
+go-micro.dev/v4/api
+go-micro.dev/v4/client
+go-micro.dev/v4/server
 # google.golang.org/protobuf v1.28.1
 ## explicit
-google.golang.org/protobuf
+google.golang.org/protobuf/proto
+google.golang.org/protobuf/reflect/protoreflect
+google.golang.org/protobuf/runtime/protoimpl
--- a/go/ql/test/library-tests/semmle/go/frameworks/Iris/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Iris/vendor/modules.txt
@@ -1,6 +1,6 @@
 # github.com/kataras/iris/v12 v12.2.5
 ## explicit
-github.com/kataras/iris/v12
+github.com/kataras/iris/v12/context
 # github.com/Shopify/goreferrer v0.0.0-20220729165902-8cddb4f5de06
 ## explicit
 github.com/Shopify/goreferrer
--- a/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/api/core/v1/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/api/core/v1/stub.go
@@ -7,8 +7,6 @@
 // Package core is a stub of k8s.io/api/core/v1, generated by depstubber.
 package core

-import ()
-
 type Secret struct {
 	TypeMeta   interface{}
 	ObjectMeta interface{}
--- a/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/apimachinery/pkg/runtime/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/k8s.io/apimachinery/pkg/runtime/stub.go
@@ -7,8 +7,6 @@
 // Package runtime is a stub of k8s.io/apimachinery/pkg/runtime, generated by depstubber.
 package runtime

-import ()
-
 type ProtobufMarshaller interface {
 	MarshalTo(_ []byte) (int, error)
 }
--- a/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApiCoreV1/vendor/modules.txt
@@ -1,6 +1,7 @@
 # k8s.io/api v0.20.0
 ## explicit
-k8s.io/api
+k8s.io/api/core/v1
+k8s.io/apimachinery/pkg/runtime
 # k8s.io/apimachinery v0.20.0
 ## explicit
-k8s.io/apimachinery
+k8s.io/apimachinery/pkg/runtime
--- a/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/vendor/k8s.io/apimachinery/pkg/runtime/schema/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/vendor/k8s.io/apimachinery/pkg/runtime/schema/stub.go
@@ -7,8 +7,6 @@
 // Package schema is a stub of k8s.io/apimachinery/pkg/runtime/schema, generated by depstubber.
 package schema

-import ()
-
 type GroupKind struct {
 	Group string
 	Kind  string
--- a/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/K8sIoApimachineryPkgRuntime/vendor/modules.txt
@@ -1,3 +1,5 @@
 # k8s.io/apimachinery v0.19.4
 ## explicit
-k8s.io/apimachinery
+k8s.io/apimachinery/pkg/conversion
+k8s.io/apimachinery/pkg/runtime
+k8s.io/apimachinery/pkg/runtime/schema
--- a/go/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/K8sIoClientGo/vendor/modules.txt
@@ -18,7 +18,7 @@ golang.org/x/oauth2
 golang.org/x/time
 # k8s.io/client-go v0.19.0
 ## explicit
-k8s.io/client-go
+k8s.io/client-go/kubernetes/typed/core/v1
 # k8s.io/utils v0.0.0-20201110183641-67b214c5f920
 ## explicit
 k8s.io/utils
--- a/go/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/NoSQL/vendor/modules.txt
@@ -1,6 +1,3 @@
-# go.mongodb.org/mongo-driver v1.3.2
-## explicit
-go.mongodb.org/mongo-driver
 # github.com/couchbase/gocb/v2 v2.2.0
 ## explicit
 github.com/couchbase/gocb/v2
@@ -10,6 +7,10 @@ github.com/google/uuid
 # github.com/opentracing/opentracing-go v1.2.0
 ## explicit
 github.com/opentracing/opentracing-go
+# go.mongodb.org/mongo-driver v1.3.2
+## explicit
+go.mongodb.org/mongo-driver/bson
+go.mongodb.org/mongo-driver/mongo
 # gopkg.in/couchbase/gocb.v1 v1.6.7
 ## explicit
 gopkg.in/couchbase/gocb.v1
--- a/go/ql/test/library-tests/semmle/go/frameworks/Revel/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Revel/vendor/modules.txt
@@ -3,7 +3,9 @@
 github.com/go-stack/stack
 # github.com/revel/modules v1.0.0
 ## explicit
-github.com/revel/modules
+github.com/revel/modules/orm/gorp/app/controllers
+github.com/revel/modules/static/app/controllers
 # github.com/revel/revel v1.0.0
 ## explicit
 github.com/revel/revel
+github.com/revel/revel/logger
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/gogf/vendor/modules.txt
@@ -1,6 +1,7 @@
 # github.com/gogf/gf v1.16.9
 ## explicit
-github.com/gogf/gf
+github.com/gogf/gf/database/gdb
+github.com/gogf/gf/frame/g
 # github.com/BurntSushi/toml v0.3.1
 ## explicit
 github.com/BurntSushi/toml
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/pg.go
@@ -1,7 +1,7 @@
 package main

 //go:generate depstubber -vendor github.com/go-pg/pg Conn,DB,Tx Q
-//go:generate depstubber -vendor github.com/go-pg/pg/orm Query Q
+//go:generate depstubber -vendor github.com/go-pg/pg/orm Query,Formatter Q
 //go:generate depstubber -vendor github.com/go-pg/pg/v9 Conn,DB,Tx Q

 import (
--- a/go/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/go-pg/pg/orm/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SQL/vendor/github.com/go-pg/pg/orm/stub.go
@@ -2,7 +2,7 @@
 // This is a simple stub for github.com/go-pg/pg/orm, strictly for use in testing.

 // See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/go-pg/pg/orm (exports: Query, Formatter; functions: Q)
+// Source: github.com/go-pg/pg/orm (exports: Query,Formatter; functions: Q)

 // Package orm is a stub of github.com/go-pg/pg/orm, generated by depstubber.
 package orm
@@ -94,6 +94,34 @@ func (_ *Field) Value(_ reflect.Value) reflect.Value {
 	return reflect.Value{}
 }

+type Formatter struct{}
+
+func (_ Formatter) Append(_ []byte, _ string, _ ...interface{}) []byte {
+	return nil
+}
+
+func (_ Formatter) AppendBytes(_ []byte, _ []byte, _ ...interface{}) []byte {
+	return nil
+}
+
+func (_ Formatter) FormatQuery(_ []byte, _ string, _ ...interface{}) []byte {
+	return nil
+}
+
+func (_ Formatter) Param(_ string) interface{} {
+	return nil
+}
+
+func (_ Formatter) String() string {
+	return ""
+}
+
+func (_ Formatter) WithParam(_ string, _ interface{}) Formatter {
+	return Formatter{}
+}
+
+func (_ *Formatter) SetParam(_ string, _ interface{}) {}
+
 type Method struct {
 	Index int
 }
@@ -491,18 +519,3 @@ type TableModel interface {
 	Table() *Table
 	Value() reflect.Value
 }
-
-type Formatter struct {
-}
-
-func (f Formatter) Append(dst []byte, src string, params ...interface{}) []byte {
-	return nil
-}
-
-func (f Formatter) AppendBytes(dst, src []byte, params ...interface{}) []byte {
-	return nil
-}
-
-func (f Formatter) FormatQuery(dst []byte, query string, params ...interface{}) []byte {
-	return nil
-}
--- a/go/ql/test/library-tests/semmle/go/frameworks/Spew/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Spew/vendor/modules.txt
@@ -1,6 +1,6 @@
 # github.com/davecgh/go-spew v1.1.1
 ## explicit
-github.com/davecgh/go-spew
+github.com/davecgh/go-spew/spew
 # github.com/github/depstubber v0.0.0-20200916130315-f3217697abd4
 ## explicit
 github.com/github/depstubber
--- a/go/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/github.com/codeskyblue/go-sh/stub.go
@@ -1,10 +1,11 @@
 // Code generated by depstubber. DO NOT EDIT.
 // This is a simple stub for github.com/codeskyblue/go-sh, strictly for use in testing.

+// See the LICENSE file for information about the licensing of the original library.
 // Source: github.com/codeskyblue/go-sh (exports: ; functions: Command,InteractiveSession)

-// Package go_sh is a stub of github.com/codeskyblue/go-sh, generated by depstubber.
-package go_sh
+// Package go_pkg is a stub of github.com/codeskyblue/go-sh, generated by depstubber.
+package go_pkg

 import (
 	io "io"
@@ -32,15 +33,11 @@ type Session struct {

 func (_ *Session) Alias(_ string, _ string, _ ...string) {}

-func (_ *Session) Call(_ string, _ ...interface{}) interface {
-	Error() string
-} {
+func (_ *Session) Call(_ string, _ ...interface{}) error {
 	return nil
 }

-func (_ *Session) CombinedOutput() ([]uint8, interface {
-	Error() string
-}) {
+func (_ *Session) CombinedOutput() ([]byte, error) {
 	return nil, nil
 }

@@ -50,15 +47,11 @@ func (_ *Session) Command(_ string, _ ...interface{}) *Session {

 func (_ *Session) Kill(_ os.Signal) {}

-func (_ *Session) Output() ([]uint8, interface {
-	Error() string
-}) {
+func (_ *Session) Output() ([]byte, error) {
 	return nil, nil
 }

-func (_ *Session) Run() interface {
-	Error() string
-} {
+func (_ *Session) Run() error {
 	return nil
 }

@@ -82,9 +75,7 @@ func (_ *Session) SetTimeout(_ time.Duration) *Session {
 	return nil
 }

-func (_ *Session) Start() interface {
-	Error() string
-} {
+func (_ *Session) Start() error {
 	return nil
 }

@@ -92,32 +83,22 @@ func (_ *Session) Test(_ string, _ string) bool {
 	return false
 }

-func (_ *Session) UnmarshalJSON(_ interface{}) interface {
-	Error() string
-} {
+func (_ *Session) UnmarshalJSON(_ interface{}) error {
 	return nil
 }

-func (_ *Session) UnmarshalXML(_ interface{}) interface {
-	Error() string
-} {
+func (_ *Session) UnmarshalXML(_ interface{}) error {
 	return nil
 }

-func (_ *Session) Wait() interface {
-	Error() string
-} {
+func (_ *Session) Wait() error {
 	return nil
 }

-func (_ *Session) WaitTimeout(_ time.Duration) interface {
-	Error() string
-} {
+func (_ *Session) WaitTimeout(_ time.Duration) error {
 	return nil
 }

-func (_ *Session) WriteStdout(_ string) interface {
-	Error() string
-} {
+func (_ *Session) WriteStdout(_ string) error {
 	return nil
 }
--- a/go/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/stub.go
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/golang.org/x/crypto/ssh/stub.go
@@ -1,6 +1,7 @@
 // Code generated by depstubber. DO NOT EDIT.
 // This is a simple stub for golang.org/x/crypto/ssh, strictly for use in testing.

+// See the LICENSE file for information about the licensing of the original library.
 // Source: golang.org/x/crypto/ssh (exports: Session; functions: )

 // Package ssh is a stub of golang.org/x/crypto/ssh, generated by depstubber.
@@ -16,102 +17,70 @@ type Session struct {
 	Stderr io.Writer
 }

-func (_ *Session) Close() interface {
-	Error() string
-} {
+func (_ *Session) Close() error {
 	return nil
 }

-func (_ *Session) CombinedOutput(_ string) ([]uint8, interface {
-	Error() string
-}) {
+func (_ *Session) CombinedOutput(_ string) ([]byte, error) {
 	return nil, nil
 }

-func (_ *Session) Output(_ string) ([]uint8, interface {
-	Error() string
-}) {
+func (_ *Session) Output(_ string) ([]byte, error) {
 	return nil, nil
 }

-func (_ *Session) RequestPty(_ string, _ int, _ int, _ TerminalModes) interface {
-	Error() string
-} {
+func (_ *Session) RequestPty(_ string, _ int, _ int, _ TerminalModes) error {
 	return nil
 }

-func (_ *Session) RequestSubsystem(_ string) interface {
-	Error() string
-} {
+func (_ *Session) RequestSubsystem(_ string) error {
 	return nil
 }

-func (_ *Session) Run(_ string) interface {
-	Error() string
-} {
+func (_ *Session) Run(_ string) error {
 	return nil
 }

-func (_ *Session) SendRequest(_ string, _ bool, _ []uint8) (bool, interface {
-	Error() string
-}) {
+func (_ *Session) SendRequest(_ string, _ bool, _ []byte) (bool, error) {
 	return false, nil
 }

-func (_ *Session) Setenv(_ string, _ string) interface {
-	Error() string
-} {
+func (_ *Session) Setenv(_ string, _ string) error {
 	return nil
 }

-func (_ *Session) Shell() interface {
-	Error() string
-} {
+func (_ *Session) Shell() error {
 	return nil
 }

-func (_ *Session) Signal(_ Signal) interface {
-	Error() string
-} {
+func (_ *Session) Signal(_ Signal) error {
 	return nil
 }

-func (_ *Session) Start(_ string) interface {
-	Error() string
-} {
+func (_ *Session) Start(_ string) error {
 	return nil
 }

-func (_ *Session) StderrPipe() (io.Reader, interface {
-	Error() string
-}) {
+func (_ *Session) StderrPipe() (io.Reader, error) {
 	return nil, nil
 }

-func (_ *Session) StdinPipe() (io.WriteCloser, interface {
-	Error() string
-}) {
+func (_ *Session) StdinPipe() (io.WriteCloser, error) {
 	return nil, nil
 }

-func (_ *Session) StdoutPipe() (io.Reader, interface {
-	Error() string
-}) {
+func (_ *Session) StdoutPipe() (io.Reader, error) {
 	return nil, nil
 }

-func (_ *Session) Wait() interface {
-	Error() string
-} {
+func (_ *Session) Wait() error {
 	return nil
 }

-func (_ *Session) WindowChange(_ int, _ int) interface {
-	Error() string
-} {
+func (_ *Session) WindowChange(_ int, _ int) error {
 	return nil
 }

 type Signal string

-type TerminalModes map[uint8]uint32
+type TerminalModes map[byte]uint32
--- a/go/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/SystemCommandExecutors/vendor/modules.txt
@@ -3,4 +3,4 @@
 github.com/codeskyblue/go-sh
 # golang.org/x/crypto v0.0.0-20200323165209-0ec3e9974c59
 ## explicit
-golang.org/x/crypto
+golang.org/x/crypto/ssh
--- a/go/ql/test/library-tests/semmle/go/frameworks/WebSocket/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/WebSocket/vendor/modules.txt
@@ -9,7 +9,7 @@ github.com/gorilla/websocket
 github.com/sacOO7/gowebsocket
 # golang.org/x/net v0.0.0-20200505041828-1ed23360d12c
 ## explicit
-golang.org/x/net
+golang.org/x/net/websocket
 # nhooyr.io/websocket v1.8.5
 ## explicit
 nhooyr.io/websocket
--- a/go/ql/test/library-tests/semmle/go/frameworks/Zap/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/frameworks/Zap/vendor/modules.txt
@@ -1,3 +1,4 @@
 # go.uber.org/zap v1.16.0
 ## explicit
 go.uber.org/zap
+go.uber.org/zap/zapcore
--- a/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-020/IncompleteHostnameRegexp/vendor/modules.txt
@@ -1,5 +1,3 @@
 # github.com/elazarl/goproxy v0.0.0-20201021153353-00ad82a08272
 ## explicit
 github.com/elazarl/goproxy
-# github.com/github/depstubber v0.0.0-20201214172518-12c3da4b7c9d
-## explicit
--- a/go/ql/test/query-tests/Security/CWE-079/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-079/vendor/modules.txt
@@ -6,7 +6,7 @@ github.com/gobwas/ws
 github.com/gorilla/websocket
 # golang.org/x/net v0.0.0-20200505041828-1ed23360d12c
 ## explicit
-golang.org/x/net
+golang.org/x/net/websocket
 # nhooyr.io/websocket v1.8.5
 ## explicit
 nhooyr.io/websocket
--- a/go/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go
+++ b/go/ql/test/query-tests/Security/CWE-089/vendor/go.mongodb.org/mongo-driver/bson/primitive/stub.go
@@ -7,8 +7,6 @@
 // Package primitive is a stub of go.mongodb.org/mongo-driver/bson/primitive, generated by depstubber.
 package primitive

-import ()
-
 type D []E

 func (_ D) Map() M {
--- a/go/ql/test/query-tests/Security/CWE-089/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-089/vendor/modules.txt
@@ -3,4 +3,6 @@
 github.com/Masterminds/squirrel
 # go.mongodb.org/mongo-driver v1.3.3
 ## explicit
-go.mongodb.org/mongo-driver
+go.mongodb.org/mongo-driver/bson
+go.mongodb.org/mongo-driver/mongo
+go.mongodb.org/mongo-driver/mongo/options
--- a/go/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/stub.go
+++ b/go/ql/test/query-tests/Security/CWE-312/vendor/github.com/golang/glog/stub.go
@@ -7,6 +7,4 @@
 // Package glog is a stub of github.com/golang/glog, generated by depstubber.
 package glog

-import ()
-
 func Info(_ ...interface{}) {}
--- a/go/ql/test/query-tests/Security/CWE-312/vendor/k8s.io/klog/stub.go
+++ b/go/ql/test/query-tests/Security/CWE-312/vendor/k8s.io/klog/stub.go
@@ -7,6 +7,4 @@
 // Package klog is a stub of k8s.io/klog, generated by depstubber.
 package klog

-import ()
-
 func Info(_ ...interface{}) {}
--- a/go/ql/test/query-tests/Security/CWE-312/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-312/vendor/modules.txt
@@ -9,7 +9,8 @@ github.com/sirupsen/logrus
 k8s.io/klog
 # github.com/golang/protobuf v1.4.2
 ## explicit
-github.com/golang/protobuf
+github.com/golang/protobuf/proto
 # google.golang.org/protobuf v1.23.0
 ## explicit
-google.golang.org/protobuf
+google.golang.org/protobuf/reflect/protoreflect
+google.golang.org/protobuf/runtime/protoimpl
--- a/go/ql/test/query-tests/Security/CWE-347/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-347/vendor/modules.txt
@@ -3,7 +3,7 @@
 github.com/gin-gonic/gin
 # github.com/go-jose/go-jose/v3 v3.0.0
 ## explicit
-github.com/go-jose/go-jose/v3
+github.com/go-jose/go-jose/v3/jwt
 # github.com/golang-jwt/jwt/v5 v5.0.0
 ## explicit
 github.com/golang-jwt/jwt/v5
--- a/go/ql/test/query-tests/Security/CWE-640/vendor/github.com/sendgrid/sendgrid-go/helpers/mail/stub.go
+++ b/go/ql/test/query-tests/Security/CWE-640/vendor/github.com/sendgrid/sendgrid-go/helpers/mail/stub.go
@@ -7,8 +7,6 @@
 // Package mail is a stub of github.com/sendgrid/sendgrid-go/helpers/mail, generated by depstubber.
 package mail

-import ()
-
 type Asm struct {
 	GroupID         int
 	GroupsToDisplay []int
--- a/go/ql/test/query-tests/Security/CWE-640/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-640/vendor/modules.txt
@@ -1,3 +1,3 @@
 # github.com/sendgrid/sendgrid-go v3.5.0+incompatible
 ## explicit
-github.com/sendgrid/sendgrid-go
+github.com/sendgrid/sendgrid-go/helpers/mail
--- a/go/ql/test/query-tests/Security/CWE-643/vendor/github.com/antchfx/htmlquery/stub.go
+++ b/go/ql/test/query-tests/Security/CWE-643/vendor/github.com/antchfx/htmlquery/stub.go
@@ -7,8 +7,6 @@
 // Package htmlquery is a stub of github.com/antchfx/htmlquery, generated by depstubber.
 package htmlquery

-import ()
-
 func Find(_ interface{}, _ string) []interface{} {
 	return nil
 }
--- a/go/ql/test/query-tests/Security/CWE-643/vendor/github.com/antchfx/jsonquery/stub.go
+++ b/go/ql/test/query-tests/Security/CWE-643/vendor/github.com/antchfx/jsonquery/stub.go
@@ -7,8 +7,6 @@
 // Package jsonquery is a stub of github.com/antchfx/jsonquery, generated by depstubber.
 package jsonquery

-import ()
-
 func Find(_ *Node, _ string) []*Node {
 	return nil
 }
--- a/go/ql/test/query-tests/Security/CWE-643/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-643/vendor/modules.txt
@@ -1,6 +1,7 @@
 # github.com/ChrisTrenkamp/goxpath v0.0.0-20190607011252-c5096ec8773d
 ## explicit
 github.com/ChrisTrenkamp/goxpath
+github.com/ChrisTrenkamp/goxpath/tree
 # github.com/antchfx/htmlquery v1.2.2
 ## explicit
 github.com/antchfx/htmlquery
@@ -18,10 +19,11 @@ github.com/antchfx/xpath
 github.com/go-xmlpath/xmlpath
 # github.com/jbowtie/gokogiri v0.0.0-20190301021639-37f655d3078f
 ## explicit
-github.com/jbowtie/gokogiri
+github.com/jbowtie/gokogiri/xml
+github.com/jbowtie/gokogiri/xpath
 # github.com/lestrrat-go/libxml2 v0.0.0-20231124114421-99c71026c2f5
 ## explicit
-github.com/lestrrat-go/libxml2
+github.com/lestrrat-go/libxml2/parser
 # github.com/santhosh-tekuri/xpathparser v1.0.0
 ## explicit
 github.com/santhosh-tekuri/xpathparser
--- a/go/ql/test/query-tests/Security/CWE-798/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-798/vendor/modules.txt
@@ -6,7 +6,7 @@ github.com/appleboy/gin-jwt/v2
 github.com/cristalhq/jwt/v3
 # github.com/go-kit/kit v0.12.0
 ## explicit
-github.com/go-kit/kit
+github.com/go-kit/kit/auth/jwt
 # github.com/gogf/gf-jwt/v2 v2.0.1
 ## explicit
 github.com/gogf/gf-jwt/v2
@@ -18,13 +18,13 @@ github.com/golang-jwt/jwt/v4
 github.com/iris-contrib/middleware/jwt
 # github.com/kataras/iris/v12 v12.2.0
 ## explicit
-github.com/kataras/iris/v12
+github.com/kataras/iris/v12/middleware/jwt
 # github.com/kataras/jwt v0.1.8
 ## explicit
 github.com/kataras/jwt
 # github.com/lestrrat/go-jwx v0.9.1
 ## explicit
-github.com/lestrrat/go-jwx
+github.com/lestrrat/go-jwx/jwk
 # github.com/square/go-jose/v3 v3.0.0-20200630053402-0a67ce9b0693
 ## explicit
 github.com/square/go-jose/v3
--- a/go/ql/test/query-tests/Security/CWE-918/vendor/modules.txt
+++ b/go/ql/test/query-tests/Security/CWE-918/vendor/modules.txt
@@ -9,7 +9,7 @@ github.com/gorilla/websocket
 github.com/sacOO7/gowebsocket
 # golang.org/x/net v0.0.0-20200421231249-e086a090c8fd
 ## explicit
-golang.org/x/net
+golang.org/x/net/websocket
 # nhooyr.io/websocket v1.8.5
 ## explicit
 nhooyr.io/websocket
--- a/go/ql/test/query-tests/filters/ClassifyFiles/vendor/github.com/onsi/ginkgo/stub.go
+++ b/go/ql/test/query-tests/filters/ClassifyFiles/vendor/github.com/onsi/ginkgo/stub.go
@@ -7,8 +7,6 @@
 // Package ginkgo is a stub of github.com/onsi/ginkgo, generated by depstubber.
 package ginkgo

-import ()
-
 func Fail(_ string, _ ...int) {}

 type GinkgoTestingT interface {
--- a/go/ql/test/query-tests/filters/ClassifyFiles/vendor/github.com/onsi/gomega/stub.go
+++ b/go/ql/test/query-tests/filters/ClassifyFiles/vendor/github.com/onsi/gomega/stub.go
@@ -7,6 +7,4 @@
 // Package gomega is a stub of github.com/onsi/gomega, generated by depstubber.
 package gomega

-import ()
-
 func RegisterFailHandler(_ interface{}) {}
--- a/java/ql/integration-tests/java/buildless-inherit-trust-store/test.py
+++ b/java/ql/integration-tests/java/buildless-inherit-trust-store/test.py
@@ -1,10 +1,16 @@
 import subprocess
 import os
+import runs_on


 def test(codeql, java, cwd):
    # This serves the "repo" directory on https://locahost:4443
-    repo_server_process = subprocess.Popen(["python3", "../server.py"], cwd="repo")
+    command = ["python3", "../server.py"]
+    if runs_on.github_actions and runs_on.posix:
+        # On GitHub Actions, we saw the server timing out while running in parallel with other tests
+        # we work around that by running it with higher permissions
+        command = ["sudo"] + command
+    repo_server_process = subprocess.Popen(command, cwd="repo")
    certspath = cwd / "jdk8_shipped_cacerts_plus_cert_pem"
    # If we override MAVEN_OPTS, we'll break cross-test maven isolation, so we need to append to it instead
    maven_opts = os.environ["MAVEN_OPTS"] + f" -Djavax.net.ssl.trustStore={certspath}"
--- a/java/ql/integration-tests/java/buildless-snapshot-repository/test.py
+++ b/java/ql/integration-tests/java/buildless-snapshot-repository/test.py
@@ -6,8 +6,9 @@ def test(codeql, java):
    # This serves the "repo" directory on http://localhost:9427
    command = ["python3", "-m", "http.server", "9427", "-b", "localhost"]
    if runs_on.github_actions and runs_on.posix:
-        # On GitHub Actions, we try to run the server with higher priority
-        command = ["sudo", "nice", "-n", "10"] + command
+        # On GitHub Actions, we saw the server timing out while running in parallel with other tests
+        # we work around that by running it with higher permissions
+        command = ["sudo"] + command
    repo_server_process = subprocess.Popen(
        command, cwd="repo"
    )
--- a/java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/diagnostics.expected
+++ b/java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/diagnostics.expected
@@ -1,10 +1,10 @@
 {
-  "markdownMessage": "Build tool(s) should have been able to provide a recommended classpath but the attempt failed. Extraction will continue, but external dependencies will be inferred from the Java package names used. Consider troubleshooting the build tool error or using a build mode other than 'none'.",
-  "severity": "note",
+  "markdownMessage": "Analyzed a Gradle project without the [Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html). This may use an incompatible version of Gradle.",
+  "severity": "warning",
  "source": {
    "extractorName": "java",
-    "id": "java/autobuilder/buildless/classpath-from-tool-failed",
-    "name": "Failed to extract dependency information from build tool tool Gradle"
+    "id": "java/autobuilder/guessed-gradle-version",
+    "name": "Required Gradle version not specified"
  },
  "visibility": {
    "cliSummaryTable": true,
@@ -13,12 +13,12 @@
  }
 }
 {
-  "markdownMessage": "Built a Gradle project without the [Gradle wrapper](https://docs.gradle.org/current/userguide/gradle_wrapper.html). This may use an incompatible version of Gradle.",
-  "severity": "warning",
+  "markdownMessage": "Build tool(s) should have been able to provide a recommended classpath but the attempt failed. Extraction will continue, but external dependencies will be inferred from the Java package names used. Consider troubleshooting the build tool error or using a build mode other than 'none'.",
+  "severity": "note",
  "source": {
    "extractorName": "java",
-    "id": "java/autobuilder/guessed-gradle-version",
-    "name": "Required Gradle version not specified"
+    "id": "java/autobuilder/buildless/classpath-from-tool-failed",
+    "name": "Failed to extract dependency information from build tool tool Gradle"
  },
  "visibility": {
    "cliSummaryTable": true,
--- a/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-code-quality.qls.expected
@@ -0,0 +1,11 @@
+ql/java/ql/src/Language Abuse/TypeVariableHidesType.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/java/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
+ql/java/ql/src/Likely Bugs/Comparison/IncomparableEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/InconsistentEqualsHashCode.ql
+ql/java/ql/src/Likely Bugs/Comparison/MissingInstanceofInEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/RefEqBoxed.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/SuspiciousDateFormat.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql
--- a/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-code-scanning.qls.expected
@@ -0,0 +1,79 @@
+ql/java/ql/src/Diagnostics/ExtractionErrors.ql
+ql/java/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeJava.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql
+ql/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+ql/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+ql/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
+ql/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+ql/java/ql/src/Security/CWE/CWE-079/XSS.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+ql/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
+ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
+ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
+ql/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
+ql/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
+ql/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+ql/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
+ql/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+ql/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+ql/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+ql/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+ql/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
+ql/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
+ql/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
+ql/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+ql/java/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+ql/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+ql/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+ql/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
+ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+ql/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+ql/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+ql/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
+ql/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
+ql/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
+ql/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
+ql/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/java/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/java/ql/src/Telemetry/ExtractorInformation.ql
+ql/java/ql/src/Telemetry/SupportedExternalApis.ql
+ql/java/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/java/ql/src/Telemetry/SupportedExternalSources.ql
+ql/java/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/java/ql/src/Telemetry/UnsupportedExternalAPIs.ql
--- a/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-security-and-quality.qls.expected
@@ -0,0 +1,243 @@
+ql/java/ql/src/Advisory/Declarations/MissingOverrideAnnotation.ql
+ql/java/ql/src/Advisory/Deprecated Code/AvoidDeprecatedCallableAccess.ql
+ql/java/ql/src/Advisory/Documentation/ImpossibleJavadocThrows.ql
+ql/java/ql/src/Advisory/Documentation/SpuriousJavadocParam.ql
+ql/java/ql/src/Compatibility/JDK9/JdkInternalAccess.ql
+ql/java/ql/src/Compatibility/JDK9/UnderscoreIdentifier.ql
+ql/java/ql/src/DeadCode/UselessParameter.ql
+ql/java/ql/src/Diagnostics/ExtractionErrors.ql
+ql/java/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+ql/java/ql/src/Language Abuse/ChainedInstanceof.ql
+ql/java/ql/src/Language Abuse/IterableIterator.ql
+ql/java/ql/src/Language Abuse/OverridePackagePrivate.ql
+ql/java/ql/src/Language Abuse/TypeVarExtendsFinalType.ql
+ql/java/ql/src/Language Abuse/TypeVariableHidesType.ql
+ql/java/ql/src/Language Abuse/UselessNullCheck.ql
+ql/java/ql/src/Language Abuse/UselessTypeTest.ql
+ql/java/ql/src/Language Abuse/WrappedIterator.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/BadAbsOfRandom.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/ConstantExpAppearsNonConstant.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/LShiftLargerThanTypeWidth.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/MultiplyRemainder.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/RandomUsedOnce.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/WhitespaceContradictsPrecedence.ql
+ql/java/ql/src/Likely Bugs/Cloning/MissingCallToSuperClone.ql
+ql/java/ql/src/Likely Bugs/Cloning/MissingMethodClone.ql
+ql/java/ql/src/Likely Bugs/Collections/ArrayIndexOutOfBounds.ql
+ql/java/ql/src/Likely Bugs/Collections/ContainsTypeMismatch.ql
+ql/java/ql/src/Likely Bugs/Collections/IteratorRemoveMayFail.ql
+ql/java/ql/src/Likely Bugs/Collections/ReadOnlyContainer.ql
+ql/java/ql/src/Likely Bugs/Collections/RemoveTypeMismatch.ql
+ql/java/ql/src/Likely Bugs/Collections/WriteOnlyContainer.ql
+ql/java/ql/src/Likely Bugs/Comparison/CompareIdenticalValues.ql
+ql/java/ql/src/Likely Bugs/Comparison/CovariantCompareTo.ql
+ql/java/ql/src/Likely Bugs/Comparison/CovariantEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/EqualsArray.ql
+ql/java/ql/src/Likely Bugs/Comparison/HashedButNoHash.ql
+ql/java/ql/src/Likely Bugs/Comparison/IncomparableEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/InconsistentCompareTo.ql
+ql/java/ql/src/Likely Bugs/Comparison/InconsistentEqualsHashCode.ql
+ql/java/ql/src/Likely Bugs/Comparison/MissingInstanceofInEquals.ql
+ql/java/ql/src/Likely Bugs/Comparison/RefEqBoxed.ql
+ql/java/ql/src/Likely Bugs/Comparison/StringComparison.ql
+ql/java/ql/src/Likely Bugs/Comparison/UselessComparisonTest.ql
+ql/java/ql/src/Likely Bugs/Comparison/WrongNanComparison.ql
+ql/java/ql/src/Likely Bugs/Concurrency/CallsToConditionWait.ql
+ql/java/ql/src/Likely Bugs/Concurrency/CallsToRunnableRun.ql
+ql/java/ql/src/Likely Bugs/Concurrency/DateFormatThreadUnsafe.ql
+ql/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLocking.ql
+ql/java/ql/src/Likely Bugs/Concurrency/DoubleCheckedLockingWithInitRace.ql
+ql/java/ql/src/Likely Bugs/Concurrency/FutileSynchOnField.ql
+ql/java/ql/src/Likely Bugs/Concurrency/NonSynchronizedOverride.ql
+ql/java/ql/src/Likely Bugs/Concurrency/NotifyNotNotifyAll.ql
+ql/java/ql/src/Likely Bugs/Concurrency/SleepWithLock.ql
+ql/java/ql/src/Likely Bugs/Concurrency/StartInConstructor.ql
+ql/java/ql/src/Likely Bugs/Concurrency/SynchOnBoxedType.ql
+ql/java/ql/src/Likely Bugs/Concurrency/SynchSetUnsynchGet.ql
+ql/java/ql/src/Likely Bugs/Concurrency/SynchWriteObject.ql
+ql/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql
+ql/java/ql/src/Likely Bugs/Finalization/NullifiedSuperFinalize.ql
+ql/java/ql/src/Likely Bugs/Frameworks/JUnit/BadSuiteMethod.ql
+ql/java/ql/src/Likely Bugs/Frameworks/Swing/BadlyOverriddenAdapter.ql
+ql/java/ql/src/Likely Bugs/Inheritance/NoNonFinalInConstructor.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ContainerSizeCmpZero.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ContradictoryTypeChecks.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/DangerousNonCircuitLogic.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/EqualsTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/HashCodeTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/MissingFormatArg.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/MissingSpaceTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/SelfAssignment.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/StringBufferCharInit.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/SuspiciousDateFormat.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ToStringTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/UnusedFormatArg.ql
+ql/java/ql/src/Likely Bugs/Nullness/NullAlways.ql
+ql/java/ql/src/Likely Bugs/Nullness/NullExprDeref.ql
+ql/java/ql/src/Likely Bugs/Nullness/NullMaybe.ql
+ql/java/ql/src/Likely Bugs/Reflection/AnnotationPresentCheck.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseReader.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseSql.ql
+ql/java/ql/src/Likely Bugs/Resource Leaks/CloseWriter.ql
+ql/java/ql/src/Likely Bugs/Serialization/IncorrectSerialVersionUID.ql
+ql/java/ql/src/Likely Bugs/Serialization/IncorrectSerializableMethods.ql
+ql/java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorOnExternalizable.ql
+ql/java/ql/src/Likely Bugs/Serialization/MissingVoidConstructorsOnSerializable.ql
+ql/java/ql/src/Likely Bugs/Serialization/NonSerializableInnerClass.ql
+ql/java/ql/src/Likely Bugs/Serialization/ReadResolveObject.ql
+ql/java/ql/src/Likely Bugs/Statements/ContinueInFalseLoop.ql
+ql/java/ql/src/Likely Bugs/Statements/MissingEnumInSwitch.ql
+ql/java/ql/src/Likely Bugs/Statements/PartiallyMaskedCatch.ql
+ql/java/ql/src/Likely Bugs/Statements/UseBraces.ql
+ql/java/ql/src/Likely Bugs/Termination/ConstantLoopCondition.ql
+ql/java/ql/src/Likely Bugs/Termination/SpinOnField.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeJava.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql
+ql/java/ql/src/Performance/InefficientEmptyStringTest.ql
+ql/java/ql/src/Performance/InefficientKeySetIterator.ql
+ql/java/ql/src/Performance/InefficientOutputStream.ql
+ql/java/ql/src/Performance/InefficientPrimConstructor.ql
+ql/java/ql/src/Performance/InnerClassCouldBeStatic.ql
+ql/java/ql/src/Performance/NewStringString.ql
+ql/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+ql/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+ql/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
+ql/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+ql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
+ql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+ql/java/ql/src/Security/CWE/CWE-079/XSS.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
+ql/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+ql/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
+ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
+ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
+ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
+ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
+ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
+ql/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
+ql/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
+ql/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
+ql/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
+ql/java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.ql
+ql/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+ql/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageAndroidDatabase.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageAndroidFilesystem.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageSharedPrefs.ql
+ql/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
+ql/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+ql/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+ql/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+ql/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
+ql/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+ql/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
+ql/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
+ql/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
+ql/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql
+ql/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
+ql/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.ql
+ql/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql
+ql/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
+ql/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+ql/java/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+ql/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+ql/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+ql/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
+ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+ql/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
+ql/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
+ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+ql/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
+ql/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+ql/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
+ql/java/ql/src/Security/CWE/CWE-926/ContentProviderIncompletePermissions.ql
+ql/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
+ql/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
+ql/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
+ql/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql
+ql/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
+ql/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/java/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/java/ql/src/Telemetry/ExtractorInformation.ql
+ql/java/ql/src/Telemetry/SupportedExternalApis.ql
+ql/java/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/java/ql/src/Telemetry/SupportedExternalSources.ql
+ql/java/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/java/ql/src/Telemetry/UnsupportedExternalAPIs.ql
+ql/java/ql/src/Violations of Best Practice/Boxed Types/BoxedVariable.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/CreatesEmptyZip.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/DeadRefTypes.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/InterfaceCannotBeImplemented.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/UnreadLocal.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/UnusedLabel.ql
+ql/java/ql/src/Violations of Best Practice/Declarations/NoConstantsOnly.ql
+ql/java/ql/src/Violations of Best Practice/Exception Handling/IgnoreExceptionalReturn.ql
+ql/java/ql/src/Violations of Best Practice/Exception Handling/NumberFormatException.ql
+ql/java/ql/src/Violations of Best Practice/Implementation Hiding/AbstractToConcreteCollection.ql
+ql/java/ql/src/Violations of Best Practice/Implementation Hiding/ExposeRepresentation.ql
+ql/java/ql/src/Violations of Best Practice/Implementation Hiding/GetClassGetResource.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/AmbiguousOuterSuper.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingMethodNames.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingOverloading.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/FieldMasksSuperField.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsFieldConfusing.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/SameNameAsSuper.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToRunFinalizersOnExit.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToStringToString.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/DefaultToString.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/NextFromIterator.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/PrintLnArray.ql
--- a/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected
+++ b/java/ql/integration-tests/java/query-suite/java-security-extended.qls.expected
@@ -0,0 +1,123 @@
+ql/java/ql/src/Diagnostics/ExtractionErrors.ql
+ql/java/ql/src/Diagnostics/ExtractionWarnings.ql
+ql/java/ql/src/Diagnostics/SuccessfullyExtractedFiles.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/InformationLoss.ql
+ql/java/ql/src/Likely Bugs/Concurrency/UnreleasedLock.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCode.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeJava.ql
+ql/java/ql/src/Metrics/Summaries/LinesOfCodeKotlin.ql
+ql/java/ql/src/Security/CWE/CWE-020/OverlyLargeRange.ql
+ql/java/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+ql/java/ql/src/Security/CWE/CWE-022/ZipSlip.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.ql
+ql/java/ql/src/Security/CWE/CWE-023/PartialPathTraversalFromRemote.ql
+ql/java/ql/src/Security/CWE/CWE-074/JndiInjection.ql
+ql/java/ql/src/Security/CWE/CWE-074/XsltInjection.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecRelative.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecTaintedEnvironment.ql
+ql/java/ql/src/Security/CWE/CWE-078/ExecUnescaped.ql
+ql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewAddJavascriptInterface.ql
+ql/java/ql/src/Security/CWE/CWE-079/AndroidWebViewSettingsEnabledJavaScript.ql
+ql/java/ql/src/Security/CWE/CWE-079/XSS.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlConcatenated.ql
+ql/java/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+ql/java/ql/src/Security/CWE/CWE-090/LdapInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/ArbitraryApkInstallation.ql
+ql/java/ql/src/Security/CWE/CWE-094/GroovyInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/InsecureBeanValidation.ql
+ql/java/ql/src/Security/CWE/CWE-094/JexlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/MvelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/SpelInjection.ql
+ql/java/ql/src/Security/CWE/CWE-094/TemplateInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1104/MavenPomDependsOnBintray.ql
+ql/java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-113/ResponseSplitting.ql
+ql/java/ql/src/Security/CWE/CWE-117/LogInjection.ql
+ql/java/ql/src/Security/CWE/CWE-1204/StaticInitializationVector.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql
+ql/java/ql/src/Security/CWE/CWE-134/ExternallyControlledFormatString.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/java/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveNotifications.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidSensitiveTextField.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsAllowsContentAccess.ql
+ql/java/ql/src/Security/CWE/CWE-200/AndroidWebViewSettingsFileAccess.ql
+ql/java/ql/src/Security/CWE/CWE-200/SpringBootActuators.ql
+ql/java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql
+ql/java/ql/src/Security/CWE/CWE-209/SensitiveDataExposureThroughErrorMessage.ql
+ql/java/ql/src/Security/CWE/CWE-209/StackTraceExposure.ql
+ql/java/ql/src/Security/CWE/CWE-266/IntentUriPermissionManipulation.ql
+ql/java/ql/src/Security/CWE/CWE-273/UnsafeCertTrust.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
+ql/java/ql/src/Security/CWE/CWE-287/AndroidInsecureLocalAuthentication.ql
+ql/java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
+ql/java/ql/src/Security/CWE/CWE-295/ImproperWebViewCertificateValidation.ql
+ql/java/ql/src/Security/CWE/CWE-295/InsecureTrustManager.ql
+ql/java/ql/src/Security/CWE/CWE-297/InsecureJavaMail.ql
+ql/java/ql/src/Security/CWE/CWE-297/UnsafeHostnameVerification.ql
+ql/java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageAndroidDatabase.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageAndroidFilesystem.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageCookie.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageProperties.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageSharedPrefs.ql
+ql/java/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+ql/java/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql
+ql/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.ql
+ql/java/ql/src/Security/CWE/CWE-335/PredictableSeed.ql
+ql/java/ql/src/Security/CWE/CWE-338/JHipsterGeneratedPRNG.ql
+ql/java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql
+ql/java/ql/src/Security/CWE/CWE-352/CsrfUnprotectedRequestType.ql
+ql/java/ql/src/Security/CWE/CWE-352/SpringCSRFProtection.ql
+ql/java/ql/src/Security/CWE/CWE-367/TOCTOURace.ql
+ql/java/ql/src/Security/CWE/CWE-421/SocketAuthRace.ql
+ql/java/ql/src/Security/CWE/CWE-441/UnsafeContentUriResolution.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjection.ql
+ql/java/ql/src/Security/CWE/CWE-470/FragmentInjectionInPreferenceActivity.ql
+ql/java/ql/src/Security/CWE/CWE-489/DebuggableAttributeEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-489/WebviewDebuggingEnabled.ql
+ql/java/ql/src/Security/CWE/CWE-501/TrustBoundaryViolation.ql
+ql/java/ql/src/Security/CWE/CWE-502/UnsafeDeserialization.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureBasicAuth.ql
+ql/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql
+ql/java/ql/src/Security/CWE/CWE-524/SensitiveKeyboardCache.ql
+ql/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql
+ql/java/ql/src/Security/CWE/CWE-552/UrlForward.ql
+ql/java/ql/src/Security/CWE/CWE-601/UrlRedirect.ql
+ql/java/ql/src/Security/CWE/CWE-611/XXE.ql
+ql/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql
+ql/java/ql/src/Security/CWE/CWE-643/XPathInjection.ql
+ql/java/ql/src/Security/CWE/CWE-676/PotentiallyDangerousFunction.ql
+ql/java/ql/src/Security/CWE/CWE-681/NumericCastTainted.ql
+ql/java/ql/src/Security/CWE/CWE-730/PolynomialReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/ReDoS.ql
+ql/java/ql/src/Security/CWE/CWE-730/RegexInjection.ql
+ql/java/ql/src/Security/CWE/CWE-732/ReadingFromWorldWritableFile.ql
+ql/java/ql/src/Security/CWE/CWE-749/UnsafeAndroidAccess.ql
+ql/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsApiCall.ql
+ql/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql
+ql/java/ql/src/Security/CWE/CWE-807/TaintedPermissionsCheck.ql
+ql/java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql
+ql/java/ql/src/Security/CWE/CWE-835/InfiniteLoop.ql
+ql/java/ql/src/Security/CWE/CWE-917/OgnlInjection.ql
+ql/java/ql/src/Security/CWE/CWE-918/RequestForgery.ql
+ql/java/ql/src/Security/CWE/CWE-925/ImproperIntentVerification.ql
+ql/java/ql/src/Security/CWE/CWE-926/ContentProviderIncompletePermissions.ql
+ql/java/ql/src/Security/CWE/CWE-926/ImplicitlyExportedAndroidComponent.ql
+ql/java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.ql
+ql/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql
+ql/java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql
+ql/java/ql/src/Security/CWE/CWE-940/AndroidIntentRedirection.ql
+ql/java/ql/src/Telemetry/DatabaseQualityDiagnostics.ql
+ql/java/ql/src/Telemetry/ExternalLibraryUsage.ql
+ql/java/ql/src/Telemetry/ExtractorInformation.ql
+ql/java/ql/src/Telemetry/SupportedExternalApis.ql
+ql/java/ql/src/Telemetry/SupportedExternalSinks.ql
+ql/java/ql/src/Telemetry/SupportedExternalSources.ql
+ql/java/ql/src/Telemetry/SupportedExternalTaint.ql
+ql/java/ql/src/Telemetry/UnsupportedExternalAPIs.ql
--- a/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected
+++ b/java/ql/integration-tests/java/query-suite/not_included_in_qls.expected
@@ -0,0 +1,285 @@
+ql/java/ql/src/Advisory/Declarations/NonFinalImmutableField.ql
+ql/java/ql/src/Advisory/Declarations/NonPrivateField.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocMethods.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocParameters.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocReturnValues.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocThrows.ql
+ql/java/ql/src/Advisory/Documentation/MissingJavadocTypes.ql
+ql/java/ql/src/Advisory/Java Objects/AvoidCloneMethodAccess.ql
+ql/java/ql/src/Advisory/Java Objects/AvoidCloneOverride.ql
+ql/java/ql/src/Advisory/Java Objects/AvoidCloneableInterface.ql
+ql/java/ql/src/Advisory/Java Objects/AvoidFinalizeOverride.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsConstants.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsMethods.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsPackages.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsRefTypes.ql
+ql/java/ql/src/Advisory/Naming/NamingConventionsVariables.ql
+ql/java/ql/src/Advisory/Statements/MissingDefaultInSwitch.ql
+ql/java/ql/src/Advisory/Statements/OneStatementPerLine.ql
+ql/java/ql/src/Advisory/Statements/TerminateIfElseIfWithElse.ql
+ql/java/ql/src/Advisory/Types/GenericsConstructor.ql
+ql/java/ql/src/Advisory/Types/GenericsReturnType.ql
+ql/java/ql/src/Advisory/Types/GenericsVariable.ql
+ql/java/ql/src/AlertSuppression.ql
+ql/java/ql/src/AlertSuppressionAnnotations.ql
+ql/java/ql/src/Architecture/Dependencies/MutualDependency.ql
+ql/java/ql/src/Architecture/Dependencies/UnusedMavenDependencyBinary.ql
+ql/java/ql/src/Architecture/Dependencies/UnusedMavenDependencySource.ql
+ql/java/ql/src/Architecture/Refactoring Opportunities/DeeplyNestedClass.ql
+ql/java/ql/src/Architecture/Refactoring Opportunities/FeatureEnvy.ql
+ql/java/ql/src/Architecture/Refactoring Opportunities/HubClasses.ql
+ql/java/ql/src/Architecture/Refactoring Opportunities/InappropriateIntimacy.ql
+ql/java/ql/src/Complexity/BlockWithTooManyStatements.ql
+ql/java/ql/src/Complexity/ComplexCondition.ql
+ql/java/ql/src/DeadCode/DeadClass.ql
+ql/java/ql/src/DeadCode/DeadEnumConstant.ql
+ql/java/ql/src/DeadCode/DeadField.ql
+ql/java/ql/src/DeadCode/DeadMethod.ql
+ql/java/ql/src/DeadCode/FLinesOfDeadCode.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbContainerInterference.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbFileIO.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbGraphics.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbNative.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbReflection.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSecurityConfiguration.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSerialization.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSetSocketOrUrlFactory.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSocketAsServer.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbStaticFieldNonFinal.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbSynchronization.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbThis.ql
+ql/java/ql/src/Frameworks/JavaEE/EJB/EjbThreads.ql
+ql/java/ql/src/Frameworks/Spring/Architecture/Refactoring Opportunities/MissingParentBean.ql
+ql/java/ql/src/Frameworks/Spring/Architecture/Refactoring Opportunities/TooManyBeans.ql
+ql/java/ql/src/Frameworks/Spring/Architecture/Refactoring Opportunities/UnusedBean.ql
+ql/java/ql/src/Frameworks/Spring/Architecture/Refactoring Opportunities/UselessPropertyOverride.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/AvoidAutowiring.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/DontUseConstructorArgIndex.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/ImportsFirst.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/NoBeanDescription.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/ParentShouldNotUseAbstractClass.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/UseIdInsteadOfName.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/UseLocalRef.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/UseSetterInjection.ql
+ql/java/ql/src/Frameworks/Spring/Violations of Best Practice/UseShortcutForms.ql
+ql/java/ql/src/Frameworks/Spring/XML Configuration Errors/MissingSetters.ql
+ql/java/ql/src/Language Abuse/CastThisToTypeParameter.ql
+ql/java/ql/src/Language Abuse/DubiousDowncastOfThis.ql
+ql/java/ql/src/Language Abuse/DubiousTypeTestOfThis.ql
+ql/java/ql/src/Language Abuse/EmptyMethod.ql
+ql/java/ql/src/Language Abuse/EmptyStatement.ql
+ql/java/ql/src/Language Abuse/EnumIdentifier.ql
+ql/java/ql/src/Language Abuse/ImplementsAnnotation.ql
+ql/java/ql/src/Language Abuse/MissedTernaryOpportunity.ql
+ql/java/ql/src/Language Abuse/UselessUpcast.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/BadCheckOdd.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/CondExprTypes.ql
+ql/java/ql/src/Likely Bugs/Arithmetic/OctalLiteral.ql
+ql/java/ql/src/Likely Bugs/Comparison/BitwiseSignCheck.ql
+ql/java/ql/src/Likely Bugs/Comparison/DefineEqualsWhenAddingFields.ql
+ql/java/ql/src/Likely Bugs/Comparison/EqualsUsesInstanceOf.ql
+ql/java/ql/src/Likely Bugs/Comparison/NoAssignInBooleanExprs.ql
+ql/java/ql/src/Likely Bugs/Comparison/NoComparisonOnFloats.ql
+ql/java/ql/src/Likely Bugs/Comparison/ObjectComparison.ql
+ql/java/ql/src/Likely Bugs/Concurrency/BusyWait.ql
+ql/java/ql/src/Likely Bugs/Concurrency/EmptyRunMethodInThread.ql
+ql/java/ql/src/Likely Bugs/Concurrency/InconsistentAccess.ql
+ql/java/ql/src/Likely Bugs/Concurrency/LazyInitStaticField.ql
+ql/java/ql/src/Likely Bugs/Concurrency/NotifyWithoutSynch.ql
+ql/java/ql/src/Likely Bugs/Concurrency/PriorityCalls.ql
+ql/java/ql/src/Likely Bugs/Concurrency/WaitOutsideLoop.ql
+ql/java/ql/src/Likely Bugs/Concurrency/WaitWithTwoLocks.ql
+ql/java/ql/src/Likely Bugs/Concurrency/YieldCalls.ql
+ql/java/ql/src/Likely Bugs/Frameworks/JUnit/TearDownNoSuper.ql
+ql/java/ql/src/Likely Bugs/Frameworks/JUnit/TestCaseNoTests.ql
+ql/java/ql/src/Likely Bugs/Frameworks/Swing/ThreadSafety.ql
+ql/java/ql/src/Likely Bugs/I18N/MissingLocaleArgument.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/ConstructorTypo.ql
+ql/java/ql/src/Likely Bugs/Likely Typos/NestedLoopsSameVariable.ql
+ql/java/ql/src/Likely Bugs/Serialization/NonSerializableComparator.ql
+ql/java/ql/src/Likely Bugs/Serialization/NonSerializableField.ql
+ql/java/ql/src/Likely Bugs/Serialization/TransientNotSerializable.ql
+ql/java/ql/src/Likely Bugs/Statements/EmptyBlock.ql
+ql/java/ql/src/Likely Bugs/Statements/EmptySynchronizedBlock.ql
+ql/java/ql/src/Likely Bugs/Statements/ImpossibleCast.ql
+ql/java/ql/src/Likely Bugs/Statements/InconsistentCallOnResult.ql
+ql/java/ql/src/Likely Bugs/Statements/ReturnValueIgnored.ql
+ql/java/ql/src/Likely Bugs/Statements/StaticFieldWrittenByInstance.ql
+ql/java/ql/src/Metrics/Authors/AuthorsPerFile.ql
+ql/java/ql/src/Metrics/Callables/CCyclomaticComplexity.ql
+ql/java/ql/src/Metrics/Callables/CLinesOfCode.ql
+ql/java/ql/src/Metrics/Callables/CLinesOfComment.ql
+ql/java/ql/src/Metrics/Callables/CNumberOfCalls.ql
+ql/java/ql/src/Metrics/Callables/CNumberOfParameters.ql
+ql/java/ql/src/Metrics/Callables/CNumberOfStatements.ql
+ql/java/ql/src/Metrics/Callables/StatementNestingDepth.ql
+ql/java/ql/src/Metrics/Dependencies/ExternalDependencies.ql
+ql/java/ql/src/Metrics/Dependencies/ExternalDependenciesSourceLinks.ql
+ql/java/ql/src/Metrics/Files/FAfferentCoupling.ql
+ql/java/ql/src/Metrics/Files/FCommentRatio.ql
+ql/java/ql/src/Metrics/Files/FCyclomaticComplexity.ql
+ql/java/ql/src/Metrics/Files/FEfferentCoupling.ql
+ql/java/ql/src/Metrics/Files/FLines.ql
+ql/java/ql/src/Metrics/Files/FLinesOfCode.ql
+ql/java/ql/src/Metrics/Files/FLinesOfComment.ql
+ql/java/ql/src/Metrics/Files/FLinesOfCommentedCode.ql
+ql/java/ql/src/Metrics/Files/FLinesOfDuplicatedCode.ql
+ql/java/ql/src/Metrics/Files/FLinesOfSimilarCode.ql
+ql/java/ql/src/Metrics/Files/FNumberOfClasses.ql
+ql/java/ql/src/Metrics/Files/FNumberOfInterfaces.ql
+ql/java/ql/src/Metrics/Files/FNumberOfTests.ql
+ql/java/ql/src/Metrics/Files/FSelfContainedness.ql
+ql/java/ql/src/Metrics/RefTypes/TAfferentCoupling.ql
+ql/java/ql/src/Metrics/RefTypes/TEfferentCoupling.ql
+ql/java/ql/src/Metrics/RefTypes/TEfferentSourceCoupling.ql
+ql/java/ql/src/Metrics/RefTypes/TInheritanceDepth.ql
+ql/java/ql/src/Metrics/RefTypes/TLackOfCohesionCK.ql
+ql/java/ql/src/Metrics/RefTypes/TLackOfCohesionHS.ql
+ql/java/ql/src/Metrics/RefTypes/TLinesOfCode.ql
+ql/java/ql/src/Metrics/RefTypes/TLinesOfComment.ql
+ql/java/ql/src/Metrics/RefTypes/TNumberOfCallables.ql
+ql/java/ql/src/Metrics/RefTypes/TNumberOfFields.ql
+ql/java/ql/src/Metrics/RefTypes/TNumberOfStatements.ql
+ql/java/ql/src/Metrics/RefTypes/TPercentageOfComments.ql
+ql/java/ql/src/Metrics/RefTypes/TPercentageOfComplexCode.ql
+ql/java/ql/src/Metrics/RefTypes/TResponse.ql
+ql/java/ql/src/Metrics/RefTypes/TSelfContainedness.ql
+ql/java/ql/src/Metrics/RefTypes/TSizeOfAPI.ql
+ql/java/ql/src/Metrics/RefTypes/TSpecialisationIndex.ql
+ql/java/ql/src/Metrics/Summaries/FrameworkCoverage.ql
+ql/java/ql/src/Metrics/Summaries/GeneratedVsManualCoverage.ql
+ql/java/ql/src/Performance/ConcatenationInLoops.ql
+ql/java/ql/src/Security/CWE/CWE-020/ExternalAPIsUsedWithUntrustedData.ql
+ql/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql
+ql/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql
+ql/java/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+ql/java/ql/src/Security/CWE/CWE-312/CleartextStorageClass.ql
+ql/java/ql/src/Security/CWE/CWE-319/HttpsUrls.ql
+ql/java/ql/src/Security/CWE/CWE-319/UseSSL.ql
+ql/java/ql/src/Security/CWE/CWE-319/UseSSLSocketFactories.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsComparison.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedCredentialsSourceCall.ql
+ql/java/ql/src/Security/CWE/CWE-798/HardcodedPasswordField.ql
+ql/java/ql/src/Security/CWE/CWE-833/LockOrderInconsistency.ql
+ql/java/ql/src/Violations of Best Practice/Boolean Logic/SimplifyBoolExpr.ql
+ql/java/ql/src/Violations of Best Practice/Comments/CommentedCode.ql
+ql/java/ql/src/Violations of Best Practice/Comments/TodoComments.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/AssignmentInReturn.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/DeadStoreOfLocal.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/DeadStoreOfLocalUnread.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/EmptyFinalize.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/FinalizerNullsFields.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/LocalInitialisedButNotUsed.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/LocalNotRead.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/NonAssignedFields.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/PointlessForwardingMethod.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/UnusedField.ql
+ql/java/ql/src/Violations of Best Practice/Dead Code/UnusedLocal.ql
+ql/java/ql/src/Violations of Best Practice/Declarations/BreakInSwitchCase.ql
+ql/java/ql/src/Violations of Best Practice/Declarations/MakeImportsExplicit.ql
+ql/java/ql/src/Violations of Best Practice/Exception Handling/DroppedExceptions.ql
+ql/java/ql/src/Violations of Best Practice/Exception Handling/ExceptionCatch.ql
+ql/java/ql/src/Violations of Best Practice/Implementation Hiding/StaticArray.ql
+ql/java/ql/src/Violations of Best Practice/Magic Constants/MagicConstantsNumbers.ql
+ql/java/ql/src/Violations of Best Practice/Magic Constants/MagicConstantsString.ql
+ql/java/ql/src/Violations of Best Practice/Magic Constants/MagicNumbersUseConstant.ql
+ql/java/ql/src/Violations of Best Practice/Magic Constants/MagicStringsUseConstant.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/ConfusingOverridesNames.ql
+ql/java/ql/src/Violations of Best Practice/Naming Conventions/LocalShadowsField.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/CallsToSystemExit.ql
+ql/java/ql/src/Violations of Best Practice/Undesirable Calls/GarbageCollection.ql
+ql/java/ql/src/Violations of Best Practice/legacy/AutoBoxing.ql
+ql/java/ql/src/Violations of Best Practice/legacy/FinallyMayNotComplete.ql
+ql/java/ql/src/Violations of Best Practice/legacy/InexactVarArg.ql
+ql/java/ql/src/Violations of Best Practice/legacy/ParameterAssignment.ql
+ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryCast.ql
+ql/java/ql/src/Violations of Best Practice/legacy/UnnecessaryImport.ql
+ql/java/ql/src/definitions.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-016/InsecureSpringActuatorConfig.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-020/Log4jJndiInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-036/OpenStream.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-073/FilePathInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExec.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-078/CommandInjectionRuntimeExecLocal.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-078/ExecTainted.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisAnnotationSqlInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-089/MyBatisMapperXmlSqlInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/BeanShellInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/InsecureDexLoading.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/JShellInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/JakartaExpressionInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/JythonInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/ScriptInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/SpringImplicitViewManipulation.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-094/SpringViewManipulation.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-1004/SensitiveCookieNotHttpOnly.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-200/InsecureWebResourceResponse.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-200/SensitiveAndroidFileLeak.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-208/PossibleTimingAttackAgainstSignature.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstHeader.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-208/TimingAttackAgainstSignature.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-295/JxBrowserWithoutCertValidation.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-297/IgnoredHostnameVerification.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-297/InsecureLdapEndpoint.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-346/UnvalidatedCors.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-347/Auth0NoVerifier.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-348/ClientSuppliedIpUsedInSecurityCheck.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-470/LoadClassNoSignatureCheck.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-470/UnsafeReflection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-489/EJBMain.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-489/WebComponentMain.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-489/devMode.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeDeserializationRmi.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInConfigurationClass.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-502/UnsafeSpringExporterInXMLConfiguration.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-548/InsecureDirectoryConfig.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-555/CredentialsInPropertiesFile.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-555/PasswordInConfigurationFile.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-598/SensitiveGetQuery.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-600/UncaughtServletException.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-601/SpringUrlRedirect.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-625/PermissiveDotRegex.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-652/XQueryInjection.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-665/InsecureRmiJmxEnvironmentConfiguration.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-755/NFEAndroidDoS.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-759/HashWithoutSalt.ql
+ql/java/ql/src/experimental/Security/CWE/CWE-939/IncorrectURLVerification.ql
+ql/java/ql/src/external/DuplicateAnonymous.ql
+ql/java/ql/src/external/DuplicateBlock.ql
+ql/java/ql/src/external/DuplicateMethod.ql
+ql/java/ql/src/external/MostlyDuplicateClass.ql
+ql/java/ql/src/external/MostlyDuplicateFile.ql
+ql/java/ql/src/external/MostlyDuplicateMethod.ql
+ql/java/ql/src/external/MostlySimilarFile.ql
+ql/java/ql/src/filters/ClassifyFiles.ql
+ql/java/ql/src/meta/frameworks/Coverage.ql
+ql/java/ql/src/meta/ssa/AmbiguousToString.ql
+ql/java/ql/src/meta/ssa/TooFewPhiInputs.ql
+ql/java/ql/src/meta/ssa/UncertainDefWithoutPrior.ql
+ql/java/ql/src/meta/ssa/UseWithoutUniqueSsaVariable.ql
+ql/java/ql/src/utils/modelconverter/ExtractNeutrals.ql
+ql/java/ql/src/utils/modelconverter/ExtractSinks.ql
+ql/java/ql/src/utils/modelconverter/ExtractSources.ql
+ql/java/ql/src/utils/modelconverter/ExtractSummaries.ql
+ql/java/ql/src/utils/modeleditor/ApplicationModeEndpoints.ql
+ql/java/ql/src/utils/modeleditor/FrameworkModeEndpoints.ql
+ql/java/ql/src/utils/modelgenerator/CaptureContentSummaryModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureMixedNeutralModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureMixedSummaryModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureNeutralModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureSinkModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureSourceModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureSummaryModels.ql
+ql/java/ql/src/utils/modelgenerator/CaptureTypeBasedSummaryModels.ql
+ql/java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPartialPath.ql
+ql/java/ql/src/utils/modelgenerator/debug/CaptureSummaryModelsPath.ql
+ql/java/ql/src/utils/stub-generator/MinimalStubsFromSource.ql
--- a/java/ql/integration-tests/java/query-suite/test.py
+++ b/java/ql/integration-tests/java/query-suite/test.py
@@ -0,0 +1,29 @@
+import os
+import runs_on
+import pytest
+
+well_known_query_suites = ['java-code-quality.qls', 'java-security-and-quality.qls', 'java-security-extended.qls', 'java-code-scanning.qls']
+
+@runs_on.posix
+@pytest.mark.parametrize("query_suite", well_known_query_suites)
+def test(codeql, java, cwd, expected_files, semmle_code_dir, query_suite):
+    actual = codeql.resolve.queries(query_suite, _capture=True).strip()
+    actual = sorted(actual.splitlines())
+    actual = [os.path.relpath(q, semmle_code_dir) for q in actual]
+    actual_file_name = query_suite + '.actual'
+    expected_files.add(actual_file_name)
+    (cwd / actual_file_name).write_text('\n'.join(actual)+'\n')
+
+@runs_on.posix
+def test_not_included_queries(codeql, java, cwd, expected_files, semmle_code_dir):
+    all_queries = codeql.resolve.queries(semmle_code_dir / 'ql' / 'java' / 'ql' / 'src', _capture=True).strip().splitlines()
+
+    included_in_qls = set()
+    for query_suite in well_known_query_suites:
+        included_in_qls |= set(codeql.resolve.queries(query_suite, _capture=True).strip().splitlines())
+
+    not_included = sorted(set(all_queries) - included_in_qls)
+    not_included = [os.path.relpath(q, semmle_code_dir) for q in not_included]
+    not_included_file_name = 'not_included_in_qls.actual'
+    expected_files.add(not_included_file_name)
+    (cwd / not_included_file_name).write_text('\n'.join(not_included)+'\n')
--- a/java/ql/lib/change-notes/2025-04-09-enum-type-exclusion.md
+++ b/java/ql/lib/change-notes/2025-04-09-enum-type-exclusion.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Enum-typed values are now assumed to be safe by most queries. This means that queries may return fewer results where an enum value is used in a sensitive context, e.g. pasted into a query string.
--- a/java/ql/lib/semmle/code/java/security/Sanitizers.qll
+++ b/java/ql/lib/semmle/code/java/security/Sanitizers.qll
@@ -23,6 +23,7 @@ class SimpleTypeSanitizer extends DataFlow::Node {
    this.getType()
        .(RefType)
        .getASourceSupertype*()
-        .hasQualifiedName("java.time.temporal", "TemporalAccessor")
+        .hasQualifiedName("java.time.temporal", "TemporalAccessor") or
+    this.getType() instanceof EnumType
  }
 }
--- a/java/ql/src/codeql-suites/java-security-and-quality.qls
+++ b/java/ql/src/codeql-suites/java-security-and-quality.qls
@@ -1,4 +1,164 @@
 - description: Security-and-quality queries for Java
 - queries: .
- apply: security-and-quality-selectors.yml
-  from: codeql/suite-helpers
+- include:
+    kind:
+    - problem
+    - path-problem
+    precision:
+    - high
+    - very-high
+    tags contain:
+    - security
+- include:
+    kind:
+    - problem
+    - path-problem
+    precision: medium
+    problem.severity:
+    - error
+    - warning
+    tags contain:
+    - security
+- include:
+    id:
+      - java/abs-of-random
+      - java/abstract-to-concrete-cast
+      - java/call-to-object-tostring
+      - java/call-to-thread-run
+      - java/chained-type-tests
+      - java/class-name-matches-super-class
+      - java/comparison-of-identical-expressions
+      - java/comparison-with-nan
+      - java/confusing-method-name
+      - java/confusing-method-signature
+      - java/constant-comparison
+      - java/constant-loop-condition
+      - java/constants-only-interface
+      - java/continue-in-false-loop
+      - java/contradictory-type-checks
+      - java/database-resource-leak
+      - java/deprecated-call
+      - java/dereferenced-expr-may-be-null
+      - java/dereferenced-value-is-always-null
+      - java/dereferenced-value-may-be-null
+      - java/empty-container
+      - java/empty-zip-file-entry
+      - java/equals-on-arrays
+      - java/equals-on-unrelated-types
+      - java/equals-typo
+      - java/evaluation-to-constant
+      - java/field-masks-super-field
+      - java/hashcode-typo
+      - java/hashing-without-hashcode
+      - java/ignored-error-status-of-call
+      - java/implicit-cast-in-compound-assignment
+      - java/inconsistent-compareto-and-equals
+      - java/inconsistent-equals-and-hashcode
+      - java/inconsistent-javadoc-throws
+      - java/inconsistent-sync-writeobject
+      - java/incorrect-serial-version-uid
+      - java/index-out-of-bounds
+      - java/ineffective-annotation-present-check
+      - java/inefficient-boxed-constructor
+      - java/inefficient-empty-string-test
+      - java/inefficient-key-set-iterator
+      - java/inefficient-output-stream
+      - java/inefficient-string-constructor
+      - java/input-resource-leak
+      - java/integer-multiplication-cast-to-long
+      - java/internal-representation-exposure
+      - java/iterable-wraps-iterator
+      - java/iterator-hasnext-calls-next
+      - java/iterator-implements-iterable
+      - java/iterator-remove-failure
+      - java/jdk-internal-api-access
+      - java/local-shadows-field
+      - java/local-variable-is-never-read
+      - java/lshift-larger-than-type-width
+      - java/misleading-indentation
+      - java/missing-call-to-super-clone
+      - java/missing-case-in-switch
+      - java/missing-clone-method
+      - java/missing-format-argument
+      - java/missing-no-arg-constructor-on-externalizable
+      - java/missing-no-arg-constructor-on-serializable
+      - java/missing-override-annotation
+      - java/missing-space-in-concatenation
+      - java/missing-super-finalize
+      - java/multiplication-of-remainder
+      - java/non-final-call-in-constructor
+      - java/non-null-boxed-variable
+      - java/non-overriding-package-private
+      - java/non-serializable-inner-class
+      - java/non-short-circuit-evaluation
+      - java/non-static-nested-class
+      - java/non-sync-override
+      - java/notify-instead-of-notify-all
+      - java/output-resource-leak
+      - java/print-array
+      - java/random-used-once
+      - java/redundant-assignment
+      - java/reference-equality-of-boxed-types
+      - java/reference-equality-on-strings
+      - java/run-finalizers-on-exit
+      - java/sleep-with-lock-held
+      - java/spin-on-field
+      - java/string-buffer-char-init
+      - java/subtle-inherited-call
+      - java/suspicious-date-format
+      - java/sync-on-boxed-types
+      - java/test-for-negative-container-size
+      - java/thread-start-in-constructor
+      - java/thread-unsafe-dateformat
+      - java/tostring-typo
+      - java/type-bound-extends-final
+      - java/type-mismatch-access
+      - java/type-mismatch-modification
+      - java/type-variable-hides-type
+      - java/uncaught-number-format-exception
+      - java/unchecked-cast-in-equals
+      - java/underscore-identifier
+      - java/unimplementable-interface
+      - java/unknown-javadoc-parameter
+      - java/unreachable-catch-clause
+      - java/unreleased-lock
+      - java/unsafe-double-checked-locking
+      - java/unsafe-double-checked-locking-init-order
+      - java/unsafe-get-resource
+      - java/unsafe-sync-on-field
+      - java/unsynchronized-getter
+      - java/unused-container
+      - java/unused-format-argument
+      - java/unused-label
+      - java/unused-parameter
+      - java/unused-reference-type
+      - java/useless-null-check
+      - java/useless-tostring-call
+      - java/useless-type-test
+      - java/wait-on-condition-interface
+      - java/whitespace-contradicts-precedence
+      - java/wrong-compareto-signature
+      - java/wrong-equals-signature
+      - java/wrong-junit-suite-signature
+      - java/wrong-object-serialization-signature
+      - java/wrong-readresolve-signature
+      - java/wrong-swing-event-adapter-signature
+- include:
+    kind:
+    - diagnostic
+- include:
+    kind:
+    - metric
+    tags contain:
+    - summary
+- exclude:
+    deprecated: //
+- exclude:
+    query path:
+      - /^experimental\/.*/
+      - Metrics/Summaries/FrameworkCoverage.ql
+      - /Diagnostics/Internal/.*/
+- exclude:
+    tags contain:
+      - modeleditor
+      - modelgenerator
--- a/javascript/extractor/src/com/semmle/js/extractor/Main.java
+++ b/javascript/extractor/src/com/semmle/js/extractor/Main.java
@@ -42,7 +42,7 @@ public class Main {
   * A version identifier that should be updated every time the extractor changes in such a way that
   * it may produce different tuples for the same file under the same {@link ExtractorConfig}.
   */
-  public static final String EXTRACTOR_VERSION = "2025-03-20";
+  public static final String EXTRACTOR_VERSION = "2025-04-10";

  public static final Pattern NEWLINE = Pattern.compile("\n");

--- a/javascript/extractor/src/com/semmle/js/parser/JSONParser.java
+++ b/javascript/extractor/src/com/semmle/js/parser/JSONParser.java
@@ -205,9 +205,6 @@ public class JSONParser {
        char c = peek();
        switch (c) {
          case ']':
-            if (!needsComma) {
-              raise("Omitted elements are not allowed in JSON.");
-            }
            next();
            break out;
          case ',':
--- a/javascript/extractor/tests/json/input/array-trailing-comma.json
+++ b/javascript/extractor/tests/json/input/array-trailing-comma.json
@@ -0,0 +1,6 @@
+{
+    "array": [
+        "foo",
+        "bar",
+    ]
+}
--- a/javascript/extractor/tests/json/output/trap/array-trailing-comma.json.trap
+++ b/javascript/extractor/tests/json/output/trap/array-trailing-comma.json.trap
@@ -0,0 +1,33 @@
+#10000=@"/array-trailing-comma.json;sourcefile"
+files(#10000,"/array-trailing-comma.json")
+#10001=@"/;folder"
+folders(#10001,"/")
+containerparent(#10001,#10000)
+#10002=@"loc,{#10000},0,0,0,0"
+locations_default(#10002,#10000,0,0,0,0)
+hasLocation(#10000,#10002)
+#20000=*
+json(#20000,5,#10000,0,"{\n    "" ...     ]\n}")
+#20001=@"loc,{#10000},1,1,6,1"
+locations_default(#20001,#10000,1,1,6,1)
+json_locations(#20000,#20001)
+#20002=*
+json(#20002,4,#20000,0,"[\n      ... ,\n    ]")
+#20003=@"loc,{#10000},2,14,5,5"
+locations_default(#20003,#10000,2,14,5,5)
+json_locations(#20002,#20003)
+#20004=*
+json(#20004,3,#20002,0,"""foo""")
+#20005=@"loc,{#10000},3,9,3,13"
+locations_default(#20005,#10000,3,9,3,13)
+json_locations(#20004,#20005)
+json_literals("foo","""foo""",#20004)
+#20006=*
+json(#20006,3,#20002,1,"""bar""")
+#20007=@"loc,{#10000},4,9,4,13"
+locations_default(#20007,#10000,4,9,4,13)
+json_locations(#20006,#20007)
+json_literals("bar","""bar""",#20006)
+json_properties(#20000,"array",#20002)
+numlines(#10000,6,0,0)
+filetype(#10000,"json")
--- a/javascript/ql/lib/change-notes/2025-04-02-mkdirp.md
+++ b/javascript/ql/lib/change-notes/2025-04-02-mkdirp.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for additional `mkdirp` methods as sinks in path-injection queries.
--- a/javascript/ql/lib/change-notes/2025-04-07-open-package.md
+++ b/javascript/ql/lib/change-notes/2025-04-07-open-package.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for the `open` package.
--- a/javascript/ql/lib/change-notes/2025-04-09-make-dir.md
+++ b/javascript/ql/lib/change-notes/2025-04-09-make-dir.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added support for the `make-dir` package.
--- a/javascript/ql/lib/ext/make-dir.model.yml
+++ b/javascript/ql/lib/ext/make-dir.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["make-dir", "Member[makeDirectory,makeDirectorySync].Argument[0]", "path-injection"]
--- a/javascript/ql/lib/ext/mkdirp.model.yml
+++ b/javascript/ql/lib/ext/mkdirp.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["mkdirp", "Member[nativeSync,native,manual,manualSync,mkdirpNative,mkdirpManual,mkdirpManualSync,mkdirpNativeSync,mkdirpSync,sync].Argument[0]", "path-injection"]
+      - ["mkdirp", "Argument[0]", "path-injection"]
--- a/javascript/ql/lib/ext/open.model.yml
+++ b/javascript/ql/lib/ext/open.model.yml
@@ -0,0 +1,7 @@
+extensions:
+  - addsTo:
+      pack: codeql/javascript-all
+      extensible: sinkModel
+    data:
+      - ["open", "Argument[0]", "path-injection"]
+      - ["open", "Member[openApp].Argument[0]", "path-injection"]
--- a/javascript/ql/lib/javascript.qll
+++ b/javascript/ql/lib/javascript.qll
@@ -136,6 +136,7 @@ import semmle.javascript.frameworks.UriLibraries
 import semmle.javascript.frameworks.Vue
 import semmle.javascript.frameworks.Vuex
 import semmle.javascript.frameworks.Webix
+import semmle.javascript.frameworks.WebResponse
 import semmle.javascript.frameworks.WebSocket
 import semmle.javascript.frameworks.XmlParsers
 import semmle.javascript.frameworks.xUnit
--- a/javascript/ql/lib/semmle/javascript/frameworks/Files.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/Files.qll
@@ -427,16 +427,3 @@ class Chokidar extends FileNameProducer, FileSystemAccess, API::CallNode {
    )
  }
 }
-
-/**
- * A call to the [`mkdirp`](https://www.npmjs.com/package/mkdirp) library.
- */
-private class Mkdirp extends FileSystemAccess, API::CallNode {
-  Mkdirp() {
-    this = API::moduleImport("mkdirp").getACall()
-    or
-    this = API::moduleImport("mkdirp").getMember("sync").getACall()
-  }
-
-  override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
-}
--- a/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
+++ b/javascript/ql/lib/semmle/javascript/frameworks/HTTP.qll
@@ -108,6 +108,12 @@ module Http {
     * Gets the route handler that sends this expression.
     */
    abstract RouteHandler getRouteHandler();
+
+    /**
+     * Gets a header definition associated with this response body, if it they are provided
+     * by the same call.
+     */
+    HeaderDefinition getAnAssociatedHeaderDefinition() { none() }
  }

  /**
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Mads Navntoft	4042fa48e9	hack: dummy change to trigger qlucie	2025-05-15 21:31:32 +02:00
Tom Hvitved	7ed8a85e08	Merge pull request #19246 from hvitved/rust/cache-tweaks	2025-04-10 19:02:25 +02:00
Felicity Chapman	c2baf9a052	Merge pull request #19270 from github/felicitymay-patch-1 CodeQL docs: Fix ordering in side navigation bar for Query help	2025-04-10 15:10:14 +01:00
Napalys Klicius	43bf0beae9	Merge pull request #19263 from Napalys/js/make-dir-lib JS: Add support for `make-dir` package	2025-04-10 15:09:43 +02:00
Asger F	eac14b9837	Merge pull request #19200 from asgerf/js/web-response JS: Add sinks for calls to 'new Response()'	2025-04-10 14:41:32 +02:00
Napalys	171a84609e	Applied copilot suggestion.	2025-04-10 14:13:48 +02:00
Felicity Chapman	78a26cfdb2	Update index.rst	2025-04-10 13:09:51 +01:00
Joe Farebrother	7f7fca9e27	Merge pull request #19165 from joefarebrother/python-qual-loop-var-capture Python: Modernize the Loop Variable Capture query	2025-04-10 13:07:05 +01:00
Asger F	d2a4f1e17a	Merge pull request #19267 from asgerf/js/json-array-trailing-comma JS: Tolerate trailing commas in JSON arrays	2025-04-10 12:38:16 +02:00
Joe Farebrother	6802037c89	Update qhelp formatting	2025-04-10 09:52:18 +01:00
Joe Farebrother	00999baf9a	Apply docs review suggestion - Reword query description. Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>	2025-04-10 09:06:01 +01:00
Asger F	3da1f261f7	JS: Change note	2025-04-10 07:21:48 +02:00
Asger F	cfa1a9b603	JS: Update extractor version string	2025-04-10 07:20:53 +02:00
Asger F	1434f7acd2	JS: Tolerate trailing comma in JSON array Previously we'd fail to extract some tsconfig.json files because of this.	2025-04-10 07:20:51 +02:00
Asger F	800dd168c2	JS: Add failing TRAP test for trailing comma	2025-04-10 07:20:49 +02:00
Tom Hvitved	0e31bf1e7b	Merge pull request #19265 from hvitved/rust/crate-graph-self-crate-ref	2025-04-09 22:54:53 +02:00
Tom Hvitved	a6b20d7731	Merge pull request #19259 from hvitved/ruby/fix-bad-join Ruby: Fix bad join in `DeadStoreOfLocal.ql`	2025-04-09 19:03:33 +02:00
Tom Hvitved	1ba06ab3bf	Merge pull request #19216 from hvitved/rust/path-resolution-path-attr Rust: Handle path attributes in path resolution	2025-04-09 18:57:56 +02:00
Aditya Sharad	ef0065546a	Merge pull request #19264 from github/coadaflorin-actions-docs-patch Update codeql-library-for-actions.rst	2025-04-09 21:46:28 +05:30
Aditya Sharad	29af6f7f0d	Merge pull request #19257 from adityasharad/actions/fix/autobuild-powershell-spaces Actions: Fix invocation of autobuild PowerShell script	2025-04-09 21:26:32 +05:30
Tom Hvitved	52401aaa73	Address review comments	2025-04-09 17:19:25 +02:00
Chris Smowton	cc379b543c	Merge pull request #19260 from smowton/smowton/feature/sanitize-enum-types Java: Add EnumType to SimpleTypeSanitizer	2025-04-09 16:05:13 +01:00
Chris Smowton	7a8dfdb971	Grammar	2025-04-09 15:52:48 +01:00
Chris Smowton	f31b49b022	Change note	2025-04-09 15:41:48 +01:00
Tom Hvitved	fbab715cb6	Rust: Allow for crate self-references in crate graph paths	2025-04-09 15:21:34 +02:00
Joe Farebrother	84aa2e8627	Apply review suggestion - Tweak wording of example comment Co-authored-by: Taus <tausbn@github.com>	2025-04-09 14:07:38 +01:00
Chris Smowton	949812243b	Merge pull request #19261 from smowton/smowton/admin/improve-gradle-wrapper-message Java: Update test expectation	2025-04-09 14:03:52 +01:00
Florin Coada	0acccf240a	Update codeql-library-for-actions.rst	2025-04-09 13:45:21 +01:00
Napalys	5ec71ab9af	Added change note	2025-04-09 14:42:34 +02:00
Napalys	ce2fc25cdb	Added `make-dir` model as data	2025-04-09 14:42:29 +02:00
Napalys	674f40b35f	Added test cases for `make-dir` package.	2025-04-09 14:41:12 +02:00
Chris Smowton	5c7a4eb511	Reorder test expectations	2025-04-09 12:51:18 +01:00
Napalys Klicius	f02783a9c6	Merge pull request #19210 from Napalys/js/mkdirp JS: Modeling of `mkdirp` functions	2025-04-09 13:43:37 +02:00
Tom Hvitved	9323f1aaf0	Merge pull request #19250 from hvitved/rust/fix-bad-joins Rust: Fix bad joins	2025-04-09 13:36:01 +02:00
Chris Smowton	3373c2457c	Update test expectation	2025-04-09 12:27:48 +01:00
Chris Smowton	0a293cf357	Add EnumType to SimpleTypeSanitizer	2025-04-09 12:12:35 +01:00
Owen Mansel-Chan	b6053e3f91	Merge pull request #19076 from owen-mc/go/update-depstubber-files Go: update files generated by depstubber	2025-04-09 11:44:20 +01:00
Napalys Klicius	0751d73eab	Merge pull request #19256 from Napalys/js/open_package JS: Model as Data `open` package	2025-04-09 11:54:44 +02:00
Asger F	da7d6d3346	JS: Change note	2025-04-09 11:28:21 +02:00
Tom Hvitved	35f9157e42	Ruby: Fix bad join in `DeadStoreOfLocal.ql`	2025-04-09 09:28:55 +02:00
Paolo Tranquilli	8d467c7d02	Merge pull request #19255 from github/redsun82/rust-setup Rust: add test setup script	2025-04-09 08:51:58 +02:00
Aditya Sharad	2e75dbd519	Actions: Fix invocation of autobuild PowerShell script Pass the quoted script path to PowerShell using `-File`. This ensures the path is treated as a string rather than a command, and correctly handles file paths that contain spaces, unblocking integration tests. Add logging to autobuild.cmd for easier debugging.	2025-04-08 20:00:25 -07:00
Aditya Sharad	c4c351c9dd	Merge pull request #19239 from adityasharad/actions/integration-test-default-filters Actions: Create initial integration test for default filters	2025-04-08 23:07:58 +05:30
Aditya Sharad	21af1c6113	Merge pull request #19241 from adityasharad/actions/fix/docs-table-block-formatting Docs: Fix formatting of GitHub Actions content	2025-04-08 22:07:30 +05:30
Tamás Vajk	c0f2ce77d4	Merge pull request #19254 from tamasvajk/tamasvajk/test-queries-not-in-qls Java: Add test to check queries not included in well-known query suites	2025-04-08 18:20:19 +02:00
Óscar San José	6d95950081	Merge pull request #19252 from github/oscarsj/nice-servers-for-java-tests Run test servers with `sudo` when running on `macos-15`	2025-04-08 18:04:25 +02:00
Paolo Tranquilli	25bd0c3b21	Rust: add test setup script	2025-04-08 17:28:57 +02:00
Tamás Vajk	d39045e3e1	Merge pull request #19245 from tamasvajk/tamasvajk/improvement-security-and-quality-suite-selector Java: Add explicit filtering for quality queries that should be included in security-and-quality	2025-04-08 17:08:28 +02:00
Tamas Vajk	e163344907	Java: Add test to check queries not included in well-known query suites	2025-04-08 17:06:46 +02:00
Tamas Vajk	6abff483da	Java: Add explicit filtering for quality queries that should be included in security-and-quality	2025-04-08 16:47:41 +02:00
Tamas Vajk	259a09386e	Move query suite selector logic to security-and-quality-suite	2025-04-08 16:47:41 +02:00
Tamás Vajk	f325f53273	Merge pull request #19229 from tamasvajk/test/java-query-suite Java: add integration test for query suite contents	2025-04-08 16:47:07 +02:00
Óscar San José	afe3e5332f	Update java/ql/integration-tests/java/buildless-inherit-trust-store/test.py Co-authored-by: Paolo Tranquilli <redsun82@github.com>	2025-04-08 16:29:23 +02:00
Óscar San José	1eb4a1aa81	Update java/ql/integration-tests/java/buildless-snapshot-repository/test.py Co-authored-by: Paolo Tranquilli <redsun82@github.com>	2025-04-08 16:29:16 +02:00
Óscar San José	3b56f95480	use only sudo for running maven test server (remove nice)	2025-04-08 16:19:33 +02:00
Paolo Tranquilli	84c728f847	Merge pull request #19244 from github/redsun82/bazel-update Bazel: update to 8.1.1	2025-04-08 15:58:29 +02:00
Óscar San José	e49fb839b8	Update java/ql/integration-tests/java/buildless-inherit-trust-store/test.py Co-authored-by: Paolo Tranquilli <redsun82@github.com>	2025-04-08 15:28:18 +02:00
Michael B. Gale	87f2ccb5a2	Merge pull request #19249 from github/mbg/go/fix-getpkginfo-decerr Go: Fix `err` instead of `decErr` in `GetPkgsInfo`	2025-04-08 14:21:14 +01:00
Óscar San José	b5e1b25553	use sudo nice for running maven test server	2025-04-08 13:51:09 +02:00
Simon Friis Vindum	9dc008b9f4	Merge pull request #19214 from paldepind/rust-ti-associated Rust: Associated types	2025-04-08 13:46:36 +02:00
Tom Hvitved	95add2f60b	Rust: Fix bad join in `getAPrivateVisibleModule` Before ``` Pipeline standard for PathResolution::getAPrivateVisibleModule/1#3829a5ee@822d5hwq was evaluated in 24 iterations totaling 16ms (delta sizes total: 4843). 105047 ~63652% {2} r1 = SCAN `PathResolution::resolvePathPrivate/3#56db2cdf#reorder_1_2_0_3#prev_delta` OUTPUT In.0, In.0 69 ~0% {2} r2 = JOIN `#PathResolution::ItemNode.getImmediateParentModule/0#dispred#57c4c6d5Plus#bf#reorder_1_0#prev_delta` WITH `PathResolution::resolvePathPrivate/3#56db2cdf#reorder_1_2_0_3#prev` ON FIRST 1 OUTPUT Lhs.0, Lhs.1 5766690 ~148309% {2} r3 = JOIN `PathResolution::resolvePathPrivate/3#56db2cdf#reorder_1_2_0_3#prev_delta` WITH `#PathResolution::ItemNode.getImmediateParentModule/0#dispred#57c4c6d5Plus#bf#reorder_1_0#prev` ON FIRST 1 OUTPUT Lhs.0, Rhs.1 5871806 ~143984% {2} r4 = r1 UNION r2 UNION r3 6859 ~148% {2} \| AND NOT `PathResolution::getAPrivateVisibleModule/1#3829a5ee#prev`(FIRST 2) return r4 ``` After ``` Pipeline standard for PathResolution::getAPrivateVisibleModule/1#3829a5ee@5edefhwp was evaluated in 12 iterations totaling 0ms (delta sizes total: 3515). 339 ~1% {2} r1 = SCAN `PathResolution::isItemParent/1#d5e587d6#prev_delta` OUTPUT In.0, In.0 3130 ~0% {2} r2 = JOIN `PathResolution::isItemParent/1#d5e587d6#prev_delta` WITH `#PathResolution::ItemNode.getImmediateParentModule/0#dispred#57c4c6d5Plus#bf#reorder_1_0#prev` ON FIRST 1 OUTPUT Lhs.0, Rhs.1 46 ~0% {2} r3 = JOIN `#PathResolution::ItemNode.getImmediateParentModule/0#dispred#57c4c6d5Plus#bf#reorder_1_0#prev_delta` WITH `PathResolution::isItemParent/1#d5e587d6#prev` ON FIRST 1 OUTPUT Lhs.0, Lhs.1 3515 ~2% {2} r4 = r1 UNION r2 UNION r3 3515 ~2% {2} \| AND NOT `PathResolution::getAPrivateVisibleModule/1#3829a5ee#prev`(FIRST 2) return r4 ```	2025-04-08 13:11:32 +02:00
Tom Hvitved	2e1b8b8b0e	Rust: Fix bad join in `unqualifiedPathLookup` Before ``` Pipeline standard for PathResolution::unqualifiedPathLookup/2#6b171b76#reorder_2_0_1@822d53wq was evaluated in 61 iterations totaling 118ms (delta sizes total: 131072). 606491 ~0% {4} r1 = SCAN `PathResolution::getASuccessor/3#febac7bd#prev_delta` OUTPUT In.1, In.2, In.0, In.3 106457 ~1% {3} \| JOIN WITH `PathResolution::unqualifiedPathLookup/4#e32cdfce_1230#join_rhs` ON FIRST 3 OUTPUT Lhs.3, Rhs.3, Lhs.1 606491 ~2% {4} r2 = SCAN `PathResolution::getASuccessor/3#febac7bd#prev_delta` OUTPUT In.0, In.2, In.3, In.1 19261 ~0% {4} r3 = JOIN r2 WITH `PathResolution::ModuleLikeNode.isRoot/0#dispred#21662e64` ON FIRST 1 OUTPUT Lhs.3, Lhs.0, Lhs.1, Lhs.2 42776643 ~1% {4} r4 = JOIN r2 WITH `doublyBoundedFastTC@PathResolution::hasChild/2#6b318d51#2@PathResolution::isRoot/1#a01ce5c3#1@PathResolution::hasCratePath/1#73ea688d#1` ON FIRST 1 OUTPUT Lhs.3, Rhs.1, Lhs.1, Lhs.2 42795904 ~1% {4} r5 = r3 UNION r4 24921 ~6% {3} \| JOIN WITH `PathResolution::RelevantPath.isCratePath/2#e595e892_120#join_rhs` ON FIRST 2 OUTPUT Lhs.3, Rhs.2, Lhs.2 131378 ~2% {3} r6 = r1 UNION r5 131072 ~2% {3} \| AND NOT `PathResolution::unqualifiedPathLookup/2#6b171b76#reorder_2_0_1#prev`(FIRST 3) return r6 ``` After ``` Pipeline standard for PathResolution::unqualifiedPathLookup/2#6b171b76#reorder_2_0_1@0553a4wi was evaluated in 66 iterations totaling 10ms (delta sizes total: 131072). 610251 ~0% {4} r1 = SCAN `PathResolution::getASuccessor/3#febac7bd#prev_delta` OUTPUT In.1, In.2, In.0, In.3 131378 ~0% {3} \| JOIN WITH `PathResolution::unqualifiedPathLookup1/4#781de0cd_1230#join_rhs` ON FIRST 3 OUTPUT Lhs.3, Rhs.3, Lhs.1 131072 ~0% {3} \| AND NOT `PathResolution::unqualifiedPathLookup/2#6b171b76#reorder_2_0_1#prev`(FIRST 3) return r1 ```	2025-04-08 13:10:52 +02:00
Michael B. Gale	7798b716ff	Go: Fix `err` instead of `decErr` in `GetPkgsInfo`	2025-04-08 12:04:48 +01:00
Óscar San José	a7943d88b1	Merge pull request #19234 from github/oscarsj/csharp-disable-nuget-tests Disable csharp tests that use nuget on macos-15	2025-04-08 12:38:28 +02:00
Geoffrey White	866fc6b320	Merge pull request #19235 from geoffw0/ssaconsistency Rust: SSA inconsistency counts	2025-04-08 10:49:19 +01:00
Tom Hvitved	7459548118	Rust: Cache tweaks	2025-04-08 11:49:16 +02:00
Owen Mansel-Chan	8c878cd8f5	Merge pull request #19243 from github/dependabot/go_modules/go/extractor/extractor-dependencies-891a2402ea Bump golang.org/x/tools from 0.31.0 to 0.32.0 in /go/extractor in the extractor-dependencies group	2025-04-08 10:30:29 +01:00
Owen Mansel-Chan	5f6c59580c	Merge pull request #19240 from github/workflow/coverage/update Update CSV framework coverage reports	2025-04-08 10:28:22 +01:00
Geoffrey White	fd3dcb2d00	Rust: More precise imports.	2025-04-08 09:30:14 +01:00
Paolo Tranquilli	15606dd894	Bazel: update to 8.1.1	2025-04-08 08:20:54 +02:00
Napalys	4a4d78bbde	Added change note	2025-04-08 08:12:42 +02:00
Napalys	b8802a29f4	Added `open` package model as data.	2025-04-08 08:12:30 +02:00
Napalys	df89739085	Added test cases for `open` package.	2025-04-08 08:10:10 +02:00
dependabot[bot]	2f9be926fb	Bump golang.org/x/tools Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/tools](https://github.com/golang/tools). Updates `golang.org/x/tools` from 0.31.0 to 0.32.0 - [Release notes](https://github.com/golang/tools/releases) - [Commits](https://github.com/golang/tools/compare/v0.31.0...v0.32.0) --- updated-dependencies: - dependency-name: golang.org/x/tools dependency-version: 0.32.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: extractor-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>	2025-04-08 03:42:17 +00:00
Aditya Sharad	cf4989e1f8	Docs: Place GitHub Actions link lower in sidebar Order by the human-readable language name that is rendered, i.e. 'GitHub Actions', not 'actions'.	2025-04-07 17:37:24 -07:00
Aditya Sharad	98b6e5ce2f	Docs: Fix formatting of GitHub Actions content Discovered in internal review of docs preview. Use double backticks to render inline code blocks. Use __ after inline hyperlinks. Use an extra blank line to format the Actions library predicates table correctly. Fix some rogue references to Ruby and case inconsistency.	2025-04-07 17:33:43 -07:00
github-actions[bot]	5adf135134	Add changed framework coverage reports	2025-04-08 00:22:09 +00:00
Óscar San José	5e74bdc8dd	Disable csharp test failing on macos-15	2025-04-07 18:16:33 +02:00
Geoffrey White	ee54ba4c48	Rust: Autoformat.	2025-04-07 17:06:15 +01:00
Geoffrey White	9c1567375d	Shared: Implement getInconsistencyCounts for SSA.	2025-04-07 16:20:42 +01:00
Simon Friis Vindum	48e5b0a731	Merge branch 'main' into rust-ti-associated	2025-04-07 17:07:05 +02:00
Simon Friis Vindum	602e617bc6	Rust: Add type inference test for trait with multiple associated types	2025-04-07 17:02:51 +02:00
Simon Friis Vindum	8e76bb1a43	Rust: Minor changes based on PR review	2025-04-07 16:46:54 +02:00
Óscar San José	3744ef7379	Disable csharp tests that use nuget on macos-15	2025-04-07 16:24:48 +02:00
Tom Hvitved	13f4a6afa6	Rust: Handle path attributes in path resolution	2025-04-07 15:24:17 +02:00
Tom Hvitved	edb7aaabab	Rust: Add path attribute test	2025-04-07 15:23:27 +02:00
Tamás Vajk	ffcf6d6e58	Apply suggestions from code review Co-authored-by: Paolo Tranquilli <redsun82@github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-04-07 14:52:57 +02:00
Geoffrey White	2c2506c4f8	Rust: Add Rust SSA inconsistency infrastructure.	2025-04-07 12:16:45 +01:00
Tamas Vajk	d17d44125c	Java: add integration test for query suite contents	2025-04-07 12:49:16 +02:00
Joe Farebrother	e08072d77b	Fix qhelp formatting	2025-04-04 12:51:46 +01:00
Joe Farebrother	de7e611962	Rewrite documentation	2025-04-04 12:36:13 +01:00
Joe Farebrother	b5805503fe	Cleanups	2025-04-04 11:56:07 +01:00
Joe Farebrother	9fb1c31206	Update tests to inline expectations	2025-04-04 10:13:39 +01:00
Joe Farebrother	adfe89fadc	Update test output	2025-04-04 09:47:21 +01:00
Simon Friis Vindum	77e1b231a6	Rust: Handle associated types in trait methods	2025-04-04 10:24:55 +02:00
Simon Friis Vindum	f9ff92a705	Rust: Expand on type inference tests for associated types	2025-04-04 10:16:09 +02:00
Asger F	6c33013788	JS: Enable association with headers without needing a route handler Previously it was not possible to associate a ResponseSendArgument with its header definitions if they did not have the same route handler. But for calls like `new Response(body, { headers })` the headers are fairly obvious whereas the route handler is unnecessarily hard to find. So we use the direct and obvious association between 'body' and 'headers' in the call.	2025-04-03 11:08:10 +02:00
Asger F	db2720ea5b	JS: Initial model of Response	2025-04-03 11:08:05 +02:00
Napalys	0e7bff0f81	Added change note.	2025-04-03 10:45:17 +02:00
Napalys	04a39eb735	Removed old `mkdirp` modeling and replaced it with `MaD`.	2025-04-03 10:45:16 +02:00
Napalys	3fa24d6026	Add sink model for `mkdirp` and update tests for path injection alerts.	2025-04-03 10:45:14 +02:00
Napalys	533f1a93e2	JS: Added test cases for `mkdirp`.	2025-04-03 10:45:12 +02:00
Asger F	9ebaac82cf	JS: Add tests for Response object sink	2025-04-02 13:47:18 +02:00
Joe Farebrother	c37809a187	Reduce scope of allowImplicitRead to avoid cartesian product.	2025-04-02 09:35:50 +01:00
Joe Farebrother	2d6476ad21	Update names and alert message	2025-04-02 09:35:43 +01:00
Joe Farebrother	11830bf661	Move to separate folder	2025-04-02 09:35:39 +01:00
Joe Farebrother	5b7200a041	Use flow path in alerts	2025-04-02 09:35:32 +01:00
Joe Farebrother	08b4281187	Update query message and remove field case	2025-04-02 09:35:25 +01:00
Joe Farebrother	efdb4a6d82	Use global dataflow for loop variable capture	2025-04-02 09:35:17 +01:00
Owen Mansel-Chan	e44f7f946f	Sort package paths in vendor/modules.txt	2025-03-21 09:45:50 +00:00
Owen Mansel-Chan	7e04a9f6c0	Improve stubs (made by old version of depstubber?)	2025-03-20 12:33:39 +00:00
Owen Mansel-Chan	6147f0a873	Fix outdated depstubber command	2025-03-20 12:32:56 +00:00
Owen Mansel-Chan	40768332d8	Remove empty imports from stubs	2025-03-20 12:32:12 +00:00
Owen Mansel-Chan	81e85010f9	List subpackages in vendor/modules.txt These were all generated by running depstubber.	2025-03-20 12:30:57 +00:00
@@ -1 +1 @@
 .0.0
 .1.1