Merge branch 'main' into jeongsoolee09/refine-amdmodule

An additional parameter may be anywhere in the
parameter list and shift around the exact index of
the callback argument in the parameter list.

So, "dynamically" determine the index by type-checking
a parameter in the parameter list.

Note 1: There may be multiple matches since we're
using `_` (don't care) as the argument index.

Note 2: We could have used DataFlow::InvokeNode.getCallback
if the supertype were not CallExpr, but jumping to
data flow node is an overkill here.

.github/workflows/build-ripunzip.yml

@@ -6,18 +6,18 @@ on:
       ripunzip-version:
         description: "what reference to checktout from google/runzip"
         required: false
-        default: v2.0.2
+        default: v1.2.1
       openssl-version:
         description: "what reference to checkout from openssl/openssl for Linux"
         required: false
-        default: openssl-3.5.0
+        default: openssl-3.3.0
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2022]
+        os: [ubuntu-22.04, macos-13, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/check-change-note.yml

@@ -16,6 +16,7 @@ on:
       - "shared/**/*.qll"
       - "!**/experimental/**"
       - "!ql/**"
+      - "!rust/**"
       - ".github/workflows/check-change-note.yml"
 
 jobs:

.github/workflows/codegen.yml

@@ -0,0 +1,34 @@
+name: Codegen
+
+on:
+  pull_request:
+    paths:
+      - "misc/bazel/**"
+      - "misc/codegen/**"
+      - "*.bazel*"
+      - .github/workflows/codegen.yml
+      - .pre-commit-config.yaml
+    branches:
+      - main
+      - rc/*
+      - codeql-cli-*
+
+permissions:
+  contents: read
+
+jobs:
+  codegen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
+        with:
+          python-version-file: 'misc/codegen/.python-version'
+      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
+        name: Check that python code is properly formatted
+        with:
+          extra_args: autopep8 --all-files
+      - name: Run codegen tests
+        shell: bash
+        run: |
+          bazel test //misc/codegen/...

.github/workflows/csharp-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-latest]
+        os: [ubuntu-latest, windows-2019]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4
@@ -66,6 +66,6 @@ jobs:
           # Update existing stubs in the repo with the freshly generated ones
           mv "$STUBS_PATH/output/stubs/_frameworks" ql/test/resources/stubs/
           git status
-          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
+          codeql test run --threads=0 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-repeated-labels --check-redefined-labels --consistency-queries ql/consistency-queries -- ql/test/library-tests/dataflow/flowsources/aspremote
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/go-tests-other-os.yml

@@ -26,8 +26,9 @@ jobs:
         uses: ./go/actions/test
 
   test-win:
+    if: github.repository_owner == 'github'
     name: Test Windows
-    runs-on: windows-latest
+    runs-on: windows-latest-xl
     steps:
       - name: Check out code
         uses: actions/checkout@v4

.github/workflows/mad_modelDiff.yml

@@ -68,7 +68,7 @@ jobs:
             DATABASE=$2
             cd codeql-$QL_VARIANT
             SHORTNAME=`basename $DATABASE`
-            python misc/scripts/models-as-data/generate_mad.py --language java --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
+            python java/ql/src/utils/modelgenerator/GenerateFlowModel.py --with-summaries --with-sinks $DATABASE $SHORTNAME/$QL_VARIANT
             mkdir -p $MODELS/$SHORTNAME
             mv java/ql/lib/ext/generated/$SHORTNAME/$QL_VARIANT $MODELS/$SHORTNAME
             cd ..

.github/workflows/python-tooling.yml

@@ -1,35 +0,0 @@
-name: Python tooling
-
-on:
-  pull_request:
-    paths:
-      - "misc/bazel/**"
-      - "misc/codegen/**"
-      - "misc/scripts/models-as-data/bulk_generate_mad.py"
-      - "*.bazel*"
-      - .github/workflows/codegen.yml
-      - .pre-commit-config.yaml
-    branches:
-      - main
-      - rc/*
-      - codeql-cli-*
-
-permissions:
-  contents: read
-
-jobs:
-  check-python-tooling:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - uses: pre-commit/action@646c83fcd040023954eafda54b4db0192ce70507
-        name: Check that python code is properly formatted
-        with:
-          extra_args: black --all-files
-      - name: Run codegen tests
-        shell: bash
-        run: |
-          bazel test //misc/codegen/...

.github/workflows/ql-for-ql-dataset_measure.yml

@@ -53,7 +53,7 @@ jobs:
       - name: Create database
         run: |
           "${CODEQL}" database create \
-          --search-path "${{ github.workspace }}" \
+          --search-path "${{ github.workspace }}"
           --threads 4 \
             --language ql --source-root "${{ github.workspace }}/repo" \
             "${{ runner.temp }}/database"

.github/workflows/ruby-qltest-rtjo.yml

@@ -35,6 +35,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/ruby-qltest.yml

@@ -68,6 +68,6 @@ jobs:
           key: ruby-qltest
       - name: Run QL tests
         run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
+          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
         env:
           GITHUB_TOKEN: ${{ github.token }}

.github/workflows/swift.yml

@@ -32,7 +32,7 @@ jobs:
     if: github.repository_owner == 'github'
     strategy:
       matrix:
-        runner: [ubuntu-latest, macos-15-xlarge]
+        runner: [ubuntu-latest, macos-13-xlarge]
       fail-fast: false
     runs-on: ${{ matrix.runner }}
     steps:

.github/workflows/validate-change-notes.yml

@@ -31,4 +31,4 @@ jobs:
       - name: Fail if there are any errors with existing change notes
 
         run: |
-          codeql pack release --groups actions,cpp,csharp,go,java,javascript,python,ruby,shared,swift -examples,-test,-experimental
+          codeql pack release --groups cpp,csharp,java,javascript,python,ruby,-examples,-test,-experimental

.gitignore

@@ -62,7 +62,6 @@ node_modules/
 
 # Temporary folders for working with generated models
 .model-temp
-/mad-generation-build
 
 # bazel-built in-tree extractor packs
 /*/extractor-pack
@@ -72,7 +71,3 @@ node_modules/
 
 # cargo build directory
 /target
-
-# some upgrade/downgrade checks create these files
-**/upgrades/*/*.dbscheme.stats
-**/downgrades/*/*.dbscheme.stats

.pre-commit-config.yaml

@@ -1,7 +1,5 @@
 # See https://pre-commit.com for more information
 # See https://pre-commit.com/hooks.html for more hooks
-default_language_version:
-  python: python3.12
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
     rev: v3.2.0
@@ -9,18 +7,18 @@ repos:
       - id: trailing-whitespace
         exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
       - id: end-of-file-fixer
-        exclude: Cargo.lock$|/test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
+        exclude: /test/.*$(?<!\.qlref)|.*\.patch$|.*\.qll?$
 
   - repo: https://github.com/pre-commit/mirrors-clang-format
     rev: v17.0.6
     hooks:
       - id: clang-format
 
-  - repo: https://github.com/psf/black
-    rev: 25.1.0
+  - repo: https://github.com/pre-commit/mirrors-autopep8
+    rev: v2.0.4
     hooks:
-      - id: black
-        files: ^(misc/codegen/.*|misc/scripts/models-as-data/.*)\.py$
+      - id: autopep8
+        files: ^misc/codegen/.*\.py
 
   - repo: local
     hooks:

CODEOWNERS

@@ -16,8 +16,7 @@
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
 # Experimental CodeQL cryptography
-**/experimental/**/quantum/ @github/ps-codeql
-/shared/quantum/ @github/ps-codeql
+**/experimental/quantum/ @github/ps-codeql
 
 # CodeQL tools and associated docs
 /docs/codeql/codeql-cli/ @github/codeql-cli-reviewers

Cargo.toml

@@ -10,4 +10,8 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
-exclude = ["mad-generation-build"]
+
+[patch.crates-io]
+# patch for build script bug preventing bazel build
+# see https://github.com/rust-lang/rustc_apfloat/pull/17
+rustc_apfloat = { git = "https://github.com/redsun82/rustc_apfloat.git", rev = "32968f16ef1b082243f9bf43a3fbd65c381b3e27" }

MODULE.bazel

@@ -24,7 +24,7 @@ bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
-bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
+bazel_dep(name = "rules_kotlin", version = "2.0.0-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
 bazel_dep(name = "rules_dotnet", version = "0.17.4")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
@@ -37,7 +37,7 @@ bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True
 # the versions there are canonical, the versions here are used for CI in github/codeql, as well as for the vendoring of dependencies.
 RUST_EDITION = "2024"
 
-RUST_VERSION = "1.86.0"
+RUST_VERSION = "1.85.0"
 
 rust = use_extension("@rules_rust//rust:extensions.bzl", "rust")
 rust.toolchain(
@@ -71,11 +71,11 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.98",
+    "vendor_ts__anyhow-1.0.97",
     "vendor_ts__argfile-0.2.1",
-    "vendor_ts__chalk-ir-0.103.0",
-    "vendor_ts__chrono-0.4.41",
-    "vendor_ts__clap-4.5.40",
+    "vendor_ts__chalk-ir-0.100.0",
+    "vendor_ts__chrono-0.4.40",
+    "vendor_ts__clap-4.5.35",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
@@ -87,33 +87,33 @@ use_repo(
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
-    "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.95",
+    "vendor_ts__num_cpus-1.16.0",
+    "vendor_ts__proc-macro2-1.0.94",
     "vendor_ts__quote-1.0.40",
-    "vendor_ts__ra_ap_base_db-0.0.288",
-    "vendor_ts__ra_ap_cfg-0.0.288",
-    "vendor_ts__ra_ap_hir-0.0.288",
-    "vendor_ts__ra_ap_hir_def-0.0.288",
-    "vendor_ts__ra_ap_hir_expand-0.0.288",
-    "vendor_ts__ra_ap_hir_ty-0.0.288",
-    "vendor_ts__ra_ap_ide_db-0.0.288",
-    "vendor_ts__ra_ap_intern-0.0.288",
-    "vendor_ts__ra_ap_load-cargo-0.0.288",
-    "vendor_ts__ra_ap_parser-0.0.288",
-    "vendor_ts__ra_ap_paths-0.0.288",
-    "vendor_ts__ra_ap_project_model-0.0.288",
-    "vendor_ts__ra_ap_span-0.0.288",
-    "vendor_ts__ra_ap_stdx-0.0.288",
-    "vendor_ts__ra_ap_syntax-0.0.288",
-    "vendor_ts__ra_ap_vfs-0.0.288",
-    "vendor_ts__rand-0.9.1",
+    "vendor_ts__ra_ap_base_db-0.0.273",
+    "vendor_ts__ra_ap_cfg-0.0.273",
+    "vendor_ts__ra_ap_hir-0.0.273",
+    "vendor_ts__ra_ap_hir_def-0.0.273",
+    "vendor_ts__ra_ap_hir_expand-0.0.273",
+    "vendor_ts__ra_ap_hir_ty-0.0.273",
+    "vendor_ts__ra_ap_ide_db-0.0.273",
+    "vendor_ts__ra_ap_intern-0.0.273",
+    "vendor_ts__ra_ap_load-cargo-0.0.273",
+    "vendor_ts__ra_ap_parser-0.0.273",
+    "vendor_ts__ra_ap_paths-0.0.273",
+    "vendor_ts__ra_ap_project_model-0.0.273",
+    "vendor_ts__ra_ap_span-0.0.273",
+    "vendor_ts__ra_ap_stdx-0.0.273",
+    "vendor_ts__ra_ap_syntax-0.0.273",
+    "vendor_ts__ra_ap_vfs-0.0.273",
+    "vendor_ts__rand-0.9.0",
     "vendor_ts__rayon-1.10.0",
     "vendor_ts__regex-1.11.1",
     "vendor_ts__serde-1.0.219",
     "vendor_ts__serde_json-1.0.140",
-    "vendor_ts__serde_with-3.13.0",
-    "vendor_ts__syn-2.0.103",
-    "vendor_ts__toml-0.8.23",
+    "vendor_ts__serde_with-3.12.0",
+    "vendor_ts__syn-2.0.100",
+    "vendor_ts__toml-0.8.20",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
     "vendor_ts__tracing-subscriber-0.3.19",
@@ -124,7 +124,6 @@ use_repo(
     "vendor_ts__tree-sitter-ruby-0.23.1",
     "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
-    "vendor_ts__zstd-0.13.3",
 )
 
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
@@ -194,6 +193,10 @@ use_repo(
     kotlin_extractor_deps,
     "codeql_kotlin_defaults",
     "codeql_kotlin_embeddable",
+    "kotlin-compiler-1.5.0",
+    "kotlin-compiler-1.5.10",
+    "kotlin-compiler-1.5.20",
+    "kotlin-compiler-1.5.30",
     "kotlin-compiler-1.6.0",
     "kotlin-compiler-1.6.20",
     "kotlin-compiler-1.7.0",
@@ -205,7 +208,10 @@ use_repo(
     "kotlin-compiler-2.0.20-Beta2",
     "kotlin-compiler-2.1.0-Beta1",
     "kotlin-compiler-2.1.20-Beta1",
-    "kotlin-compiler-2.2.0-Beta1",
+    "kotlin-compiler-embeddable-1.5.0",
+    "kotlin-compiler-embeddable-1.5.10",
+    "kotlin-compiler-embeddable-1.5.20",
+    "kotlin-compiler-embeddable-1.5.30",
     "kotlin-compiler-embeddable-1.6.0",
     "kotlin-compiler-embeddable-1.6.20",
     "kotlin-compiler-embeddable-1.7.0",
@@ -217,7 +223,10 @@ use_repo(
     "kotlin-compiler-embeddable-2.0.20-Beta2",
     "kotlin-compiler-embeddable-2.1.0-Beta1",
     "kotlin-compiler-embeddable-2.1.20-Beta1",
-    "kotlin-compiler-embeddable-2.2.0-Beta1",
+    "kotlin-stdlib-1.5.0",
+    "kotlin-stdlib-1.5.10",
+    "kotlin-stdlib-1.5.20",
+    "kotlin-stdlib-1.5.30",
     "kotlin-stdlib-1.6.0",
     "kotlin-stdlib-1.6.20",
     "kotlin-stdlib-1.7.0",
@@ -229,7 +238,6 @@ use_repo(
     "kotlin-stdlib-2.0.20-Beta2",
     "kotlin-stdlib-2.1.0-Beta1",
     "kotlin-stdlib-2.1.20-Beta1",
-    "kotlin-stdlib-2.2.0-Beta1",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
@@ -239,24 +247,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
+lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-linux",
-    src = "//misc/ripunzip:ripunzip-Linux.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-linux"],
+    executable = True,
 )
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-windows",
-    src = "//misc/ripunzip:ripunzip-Windows.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
+    executable = True,
 )
 
-lfs_archive(
+lfs_files(
     name = "ripunzip-macos",
-    src = "//misc/ripunzip:ripunzip-macOS.zip",
-    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+    srcs = ["//misc/ripunzip:ripunzip-macos"],
+    executable = True,
 )
 
 register_toolchains(

actions/ql/integration-tests/query-suite/actions-code-quality-extended.qls.expected

@@ -1 +0,0 @@
-

actions/ql/integration-tests/query-suite/test.py

@@ -2,7 +2,7 @@ import runs_on
 import pytest
 from query_suites import *
 
-well_known_query_suites = ['actions-code-quality.qls', 'actions-code-quality-extended.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
+well_known_query_suites = ['actions-code-quality.qls', 'actions-security-and-quality.qls', 'actions-security-extended.qls', 'actions-code-scanning.qls']
 
 @runs_on.posix
 @pytest.mark.parametrize("query_suite", well_known_query_suites)

actions/ql/lib/CHANGELOG.md

@@ -1,23 +1,3 @@
-## 0.4.12
-
-### Minor Analysis Improvements
-
-* Fixed performance issues in the parsing of Bash scripts in workflow files,
-  which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.
-
-## 0.4.11
-
-No user-facing changes.
-
-## 0.4.10
-
-No user-facing changes.
-
-## 0.4.9
-
-No user-facing changes.
-
 ## 0.4.8
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.10.md

@@ -1,3 +0,0 @@
-## 0.4.10
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.11.md

@@ -1,3 +0,0 @@
-## 0.4.11
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.12.md

@@ -1,7 +0,0 @@
-## 0.4.12
-
-### Minor Analysis Improvements
-
-* Fixed performance issues in the parsing of Bash scripts in workflow files,
-  which led to out-of-disk errors when analysing certain workflow files with
-  complex interpolations of shell commands or quoted strings.

actions/ql/lib/change-notes/released/0.4.9.md

@@ -1,3 +0,0 @@
-## 0.4.9
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.12
+lastReleaseVersion: 0.4.8

actions/ql/lib/codeql/actions/Ast.qll

@@ -50,8 +50,8 @@ class Expression extends AstNode instanceof ExpressionImpl {
   string getNormalizedExpression() { result = normalizeExpr(expression) }
 }
 
-/** An `env` in workflow, job or step. */
-class Env extends AstNode instanceof EnvImpl {
+/** A common class for `env` in workflow, job or step. */
+abstract class Env extends AstNode instanceof EnvImpl {
   /** Gets an environment variable value given its name. */
   ScalarValueImpl getEnvVarValue(string name) { result = super.getEnvVarValue(name) }
 

actions/ql/lib/codeql/actions/Bash.qll

@@ -8,64 +8,35 @@ class BashShellScript extends ShellScript {
     )
   }
 
-  /**
-   * Gets the line at 0-based index `lineIndex` within this shell script,
-   * assuming newlines as separators.
-   */
-  private string lineProducer(int lineIndex) {
-    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", lineIndex)
+  private string lineProducer(int i) {
+    result = this.getRawScript().regexpReplaceAll("\\\\\\s*\n", "").splitAt("\n", i)
   }
 
-  private predicate cmdSubstitutionReplacement(string command, string id, int lineIndex) {
-    this.commandInSubstitution(lineIndex, command, id)
-    or
-    this.commandInBackticks(lineIndex, command, id)
-  }
-
-  /**
-   * Holds if there is a command substitution `$(command)` in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this command.
-   */
-  private predicate commandInSubstitution(int lineIndex, string command, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      command =
-        // Look for the command inside a $(...) command substitution
-        this.lineProducer(lineIndex)
-            .regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", occurrenceIndex,
-              occurrenceOffset)
-            // trim starting $( - TODO do this in first regex
-            .regexpReplaceAll("^\\$\\(", "")
-            // trim ending ) - TODO do this in first regex
-            .regexpReplaceAll("\\)$", "") and
-      id = "cmdsubs:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
+  private predicate cmdSubstitutionReplacement(string cmdSubs, string id, int k) {
+    exists(string line | line = this.lineProducer(k) |
+      exists(int i, int j |
+        cmdSubs =
+          // $() cmd substitution
+          line.regexpFind("\\$\\((?:[^()]+|\\((?:[^()]+|\\([^()]*\\))*\\))*\\)", i, j)
+              .regexpReplaceAll("^\\$\\(", "")
+              .regexpReplaceAll("\\)$", "") and
+        id = "cmdsubs:" + k + ":" + i + ":" + j
+      )
+      or
+      exists(int i, int j |
+        // `...` cmd substitution
+        cmdSubs =
+          line.regexpFind("\\`[^\\`]+\\`", i, j)
+              .regexpReplaceAll("^\\`", "")
+              .regexpReplaceAll("\\`$", "") and
+        id = "cmd:" + k + ":" + i + ":" + j
+      )
     )
   }
 
-  /**
-   * Holds if `command` is a command in backticks `` `...` `` in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this command.
-   */
-  private predicate commandInBackticks(int lineIndex, string command, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      command =
-        this.lineProducer(lineIndex)
-            .regexpFind("\\`[^\\`]+\\`", occurrenceIndex, occurrenceOffset)
-            // trim leading backtick - TODO do this in first regex
-            .regexpReplaceAll("^\\`", "")
-            // trim trailing backtick - TODO do this in first regex
-            .regexpReplaceAll("\\`$", "") and
-      id = "cmd:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset
-    )
-  }
-
-  private predicate rankedCmdSubstitutionReplacements(int i, string command, string commandId) {
-    // rank commands by their unique IDs
-    commandId = rank[i](string c, string id | this.cmdSubstitutionReplacement(c, id, _) | id) and
-    // since we cannot output (command, ID) tuples from the rank operation,
-    // we need to work out the specific command associated with the resulting ID
-    this.cmdSubstitutionReplacement(command, commandId, _)
+  private predicate rankedCmdSubstitutionReplacements(int i, string old, string new) {
+    old = rank[i](string old2 | this.cmdSubstitutionReplacement(old2, _, _) | old2) and
+    this.cmdSubstitutionReplacement(old, new, _)
   }
 
   private predicate doReplaceCmdSubstitutions(int line, int round, string old, string new) {
@@ -93,56 +64,31 @@ class BashShellScript extends ShellScript {
     this.cmdSubstitutionReplacement(result, _, i)
   }
 
-  /**
-   * Holds if `quotedStr` is a string in double quotes in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this quoted string.
-   */
-  private predicate doubleQuotedString(int lineIndex, string quotedStr, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      // double quoted string
-      quotedStr =
-        this.cmdSubstitutedLineProducer(lineIndex)
-            .regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", occurrenceIndex, occurrenceOffset) and
-      id =
-        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
-          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-    )
-  }
-
-  /**
-   * Holds if `quotedStr` is a string in single quotes in
-   * the line at `lineIndex` in the shell script,
-   * and `id` is a unique identifier for this quoted string.
-   */
-  private predicate singleQuotedString(int lineIndex, string quotedStr, string id) {
-    exists(int occurrenceIndex, int occurrenceOffset |
-      // single quoted string
-      quotedStr =
-        this.cmdSubstitutedLineProducer(lineIndex)
-            .regexpFind("'((?:\\\\.|[^'\\\\])*)'", occurrenceIndex, occurrenceOffset) and
-      id =
-        "qstr:" + lineIndex + ":" + occurrenceIndex + ":" + occurrenceOffset + ":" +
-          quotedStr.length() + ":" + quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
-    )
-  }
-
   private predicate quotedStringReplacement(string quotedStr, string id) {
-    exists(int lineIndex |
-      this.doubleQuotedString(lineIndex, quotedStr, id)
+    exists(string line, int k | line = this.cmdSubstitutedLineProducer(k) |
+      exists(int i, int j |
+        // double quoted string
+        quotedStr = line.regexpFind("\"((?:[^\"\\\\]|\\\\.)*)\"", i, j) and
+        id =
+          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
+            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+      )
       or
-      this.singleQuotedString(lineIndex, quotedStr, id)
+      exists(int i, int j |
+        // single quoted string
+        quotedStr = line.regexpFind("'((?:\\\\.|[^'\\\\])*)'", i, j) and
+        id =
+          "qstr:" + k + ":" + i + ":" + j + ":" + quotedStr.length() + ":" +
+            quotedStr.regexpReplaceAll("[^a-zA-Z0-9]", "")
+      )
     ) and
     // Only do this for strings that might otherwise disrupt subsequent parsing
     quotedStr.regexpMatch("[\"'].*[$\n\r'\"" + Bash::separator() + "].*[\"']")
   }
 
-  private predicate rankedQuotedStringReplacements(int i, string quotedString, string quotedStringId) {
-    // rank quoted strings by their nearly-unique IDs
-    quotedStringId = rank[i](string s, string id | this.quotedStringReplacement(s, id) | id) and
-    // since we cannot output (string, ID) tuples from the rank operation,
-    // we need to work out the specific string associated with the resulting ID
-    this.quotedStringReplacement(quotedString, quotedStringId)
+  private predicate rankedQuotedStringReplacements(int i, string old, string new) {
+    old = rank[i](string old2 | this.quotedStringReplacement(old2, _) | old2) and
+    this.quotedStringReplacement(old, new)
   }
 
   private predicate doReplaceQuotedStrings(int line, int round, string old, string new) {

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -214,10 +214,6 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
       )
     )
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll

@@ -16,10 +16,6 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll

@@ -15,10 +15,6 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

actions/ql/lib/ext/config/actions_permissions.yml

@@ -22,21 +22,16 @@ extensions:
       - ["actions/stale", "pull-requests: write"]
       - ["actions/attest-build-provenance", "id-token: write"]
       - ["actions/attest-build-provenance", "attestations: write"]
-      - ["actions/deploy-pages", "pages: write"]
-      - ["actions/deploy-pages", "id-token: write"]
-      - ["actions/delete-package-versions", "packages: write"]
       - ["actions/jekyll-build-pages", "contents: read"]
       - ["actions/jekyll-build-pages", "pages: write"]
       - ["actions/jekyll-build-pages", "id-token: write"]
       - ["actions/publish-action", "contents: write"]
-      - ["actions/versions-package-tools", "contents: read"]
+      - ["actions/versions-package-tools", "contents: read"]      
       - ["actions/versions-package-tools", "actions: read"]
-      - ["actions/reusable-workflows", "contents: read"]
+      - ["actions/reusable-workflows", "contents: read"]      
       - ["actions/reusable-workflows", "actions: read"]
-      - ["actions/ai-inference", "contents: read"]
-      - ["actions/ai-inference", "models: read"]
       # TODO: Add permissions for actions/download-artifact
       # TODO: Add permissions for actions/upload-artifact
-      # No permissions needed for actions/upload-pages-artifact
       # TODO: Add permissions for actions/cache
-      # No permissions needed for actions/configure-pages
+
+      

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.13-dev
+version: 0.4.9-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,21 +1,3 @@
-## 0.6.4
-
-No user-facing changes.
-
-## 0.6.3
-
-No user-facing changes.
-
-## 0.6.2
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.
-
-## 0.6.1
-
-No user-facing changes.
-
 ## 0.6.0
 
 ### Breaking Changes

actions/ql/src/Models/CompositeActionsSinks.ql

@@ -24,10 +24,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSources.ql

@@ -34,10 +34,6 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSummaries.ql

@@ -25,10 +25,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(CompositeAction c | c.getAnOutputExpr() = sink.asExpr())
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSinks.ql

@@ -24,10 +24,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     sink instanceof CodeInjectionSink and not madSink(sink, "code-injection")
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSources.ql

@@ -34,10 +34,6 @@ private module MyConfig implements DataFlow::ConfigSig {
     isSink(node) and
     set instanceof DataFlow::FieldContent
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSummaries.ql

@@ -25,10 +25,6 @@ private module MyConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) {
     exists(ReusableWorkflow w | w.getAnOutputExpr() = sink.asExpr())
   }
-
-  predicate observeDiffInformedIncrementalMode() { any() }
-
-  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/change-notes/released/0.6.1.md

@@ -1,3 +0,0 @@
-## 0.6.1
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.2.md

@@ -1,5 +0,0 @@
-## 0.6.2
-
-### Minor Analysis Improvements
-
-* The query `actions/missing-workflow-permissions` is now aware of the minimal permissions needed for the actions `deploy-pages`, `delete-package-versions`, `ai-inference`. This should lead to better alert messages and better fix suggestions.

actions/ql/src/change-notes/released/0.6.3.md

@@ -1,3 +0,0 @@
-## 0.6.3
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.4.md

@@ -1,3 +0,0 @@
-## 0.6.4
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.4
+lastReleaseVersion: 0.6.0

actions/ql/src/codeql-suites/actions-code-quality-extended.qls

@@ -1,3 +0,0 @@
-- queries: .
-- apply: code-quality-extended-selectors.yml
-  from: codeql/suite-helpers

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.5-dev
+version: 0.6.1-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/interpolation.yml

@@ -1,81 +0,0 @@
-name: Workflow with complex interpolation
-on: 
-  workflow_dispatch:
-    inputs:
-      choice-a:
-        required: true
-        type: choice
-        description: choice-a
-        default: a1
-        options: 
-        - a1
-        - a2
-        - a3
-      string-b:
-        required: false
-        type: string
-        description: string-b
-      string-c:
-        required: false
-        type: string
-        description: string-c
-      list-d:
-        required: true
-        type: string
-        default: d1 d2
-        description: list-d whitespace separated
-      list-e:
-        required: false
-        type: string
-        description: list-e whitespace separated
-      choice-f:
-        required: true
-        type: choice
-        description: choice-f
-        options: 
-        - false
-        - true
-          
-env:
-  DRY_TEST: false
-  B: ${{ github.event.inputs.string-b }}
-
-jobs:
-  job:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Produce values
-      id: produce-values
-      run: |
-        echo "region=region" >> $GITHUB_OUTPUT
-        echo "zone=zone" >> $GITHUB_OUTPUT
-
-    - name: Step with complex interpolation
-      id: complex
-      env:
-        CHOICE_A: ${{ github.event.inputs.choice-a }}
-        STRING_B: ${{ github.event.inputs.string-b }}
-        STRING_C: ${{ github.event.inputs.string-c }}
-        LIST_D: ${{ github.event.inputs.list-d }}
-        LIST_E: ${{ github.event.inputs.list-e }}
-        CHOICE_F: ${{ github.event.inputs.choice-f }}
-        REGION: ${{ steps.produce-values.outputs.region }}
-        ZONE: ${{ steps.produce-values.outputs.zone }}
-        DRY_TEST_JSON: ${{ fromJSON(env.DRY_TEST) }}
-        FUNCTION_NAME: my-function
-        USER_EMAIL: 'example@example.com'
-        TYPE: type
-        RANGE: '0-100'
-
-      run: |
-        comma_separated_list_d=$(echo "${LIST_D}" | sed "s/ /\",\"/g")
-        comma_separated_list_e=$(echo "${LIST_E}" | sed "s/ /\",\"/g")
-        c1=$(echo "${STRING_C}" | cut -d "-" -f 1)
-        c2=$(echo "${STRING_C}" | cut -d "-" -f 2)
-        # Similar commands that use JSON payloads with string interpolation.
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":["'"${comma_separated_list_d}"'"],"listE":"","dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-        response=$(aws lambda invoke --invocation-type RequestResponse --function-name "${FUNCTION_NAME}" --region "${REGION}" --cli-read-timeout 0 --cli-binary-format raw-in-base64-out --payload '{"appName":"my-app","chA":"'"${CHOICE_A}"'","c1":"'"${c1}"'","c2":"'"${c2}"'","a":"${CHOICE_A}","bValue":"${B}","zone":"${ZONE}","userEmail":"'"${USER_EMAIL}"'","region":"${REGION}","range":"${RANGE}","type":"${TYPE}","b":"${STRING_B}","listD":"","listE":["'"${comma_separated_list_e}"'"],"dryTest":'"${DRY_TEST_JSON}"',"f":"${CHOICE_F}"}' ./config.json --log-type Tail)
-      shell: bash

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms10.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/ai-inference

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms8.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/deploy-pages

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms9.yml

@@ -1,10 +0,0 @@
-on:
-  workflow_call:
-  workflow_dispatch:
-
-jobs:
-  build:
-    name: Build and test
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/delete-package-versions

actions/ql/test/query-tests/Security/CWE-275/MissingActionsPermissions.expected

@@ -3,6 +3,3 @@
 | .github/workflows/perms5.yml:7:5:10:32 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read} |
 | .github/workflows/perms6.yml:7:5:11:39 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, id-token: write, pages: write} |
 | .github/workflows/perms7.yml:7:5:10:38 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {} |
-| .github/workflows/perms8.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {id-token: write, pages: write} |
-| .github/workflows/perms9.yml:7:5:10:44 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {packages: write} |
-| .github/workflows/perms10.yml:7:5:10:33 | Job: build | Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read, models: read} |

config/add-overlay-annotations.py

@@ -1,274 +0,0 @@
-# This script is used to annotate .qll files without any existing overlay annotations
-# with overlay[local?] and overlay[caller?] annotations. Maintenance of overlay annotations
-# in annotated files will be handled by QL-for-QL queries.
-
-# It will walk the directory tree and annotate most .qll files, skipping only
-# some specific cases (e.g., empty files, files that configure dataflow for queries).
-
-# The script takes a list of languages and processes the corresponding directories.
-# If the optional --check argument is provided, the script checks for missing annotations,
-# but does not modify any files.
-
-# Usage: python3 add-overlay-annotations.py [--check] <language1> <language2> ...
-
-# The script will modify the files in place and print the changes made.
-# The script is designed to be run from the root of the repository.
-
-#!/usr/bin/python3
-import sys
-import os
-import re
-from difflib import context_diff
-
-OVERLAY_PATTERN = re.compile(r'overlay\[[a-zA-Z?_-]+\]')
-
-def has_overlay_annotations(lines):
-    '''
-    Check whether the given lines contain any overlay[...] annotations.
-    '''
-    return any(OVERLAY_PATTERN.search(line) for line in lines)
-
-
-def is_line_comment(line):
-    return line.startswith("//") or (line.startswith("/*") and line.endswith("*/"))
-
-
-def find_file_level_module_declaration(lines):
-    '''
-    Returns the index of the existing file-level module declaration if one
-    exists. Returns None otherwise.
-    '''
-    comment = False
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-
-        if is_line_comment(trimmed):
-            continue
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif not comment and trimmed.endswith("module;"):
-            return i
-
-    return None
-
-
-def is_file_module_qldoc(i, lines):
-    '''
-    Assuming a qldoc ended on line i, determine if it belongs to the implicit
-    file-level module. If it is followed by another qldoc or imports, then it
-    does and if it is followed by any other non-empty, non-comment lines, then
-    we assume that is a declaration of some kind and the qldoc is attached to
-    that declaration.
-    '''
-    comment = False
-
-    for line in lines[i+1:]:
-        trimmed = line.strip()
-
-        if trimmed.startswith("import ") or trimmed.startswith("private import ") or trimmed.startswith("/**"):
-             return True
-        elif is_line_comment(trimmed) or not trimmed:
-             continue
-        elif trimmed.startswith("/*"):
-             comment = True
-        elif comment and trimmed.endswith("*/"):
-             comment = False
-        elif not comment and trimmed:
-             return False
-
-    return True
-
-
-def find_file_module_qldoc_declaration(lines):
-    '''
-    Returns the index of last line of the implicit file module qldoc if one
-    exists. Returns None otherwise.
-    '''
-
-    qldoc = False
-    comment = False
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-
-        if trimmed.startswith("//"):
-            continue
-        elif (qldoc or trimmed.startswith("/**")) and trimmed.endswith("*/"):
-            # a qldoc just ended; determine if it belongs to the implicit file module
-            if is_file_module_qldoc(i, lines):
-                return i
-            else:
-                return None
-        elif trimmed.startswith("/**"):
-            qldoc = True
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif (not qldoc and not comment) and trimmed:
-            return None
-
-    return None
-
-
-def only_comments(lines):
-    '''
-    Returns true if the lines contain only comments and empty lines.
-    '''
-    comment = False
-
-    for line in lines:
-        trimmed = line.strip()
-
-        if not trimmed or is_line_comment(trimmed):
-            continue
-        elif trimmed.startswith("/*"):
-            comment = True
-        elif comment and trimmed.endswith("*/"):
-            comment = False
-        elif comment:
-            continue
-        elif trimmed:
-            return False
-
-    return True
-
-
-def insert_toplevel_maybe_local_annotation(filename, lines):
-    '''
-    Find a suitable place to insert an overlay[local?] annotation at the top of the file.
-    Returns a pair consisting of description and the modified lines or None if no overlay
-    annotation is necessary (e.g., for files that only contain comments).
-    '''
-    if only_comments(lines):
-        return None
-
-    i = find_file_level_module_declaration(lines)
-    if not i == None:
-        out_lines = lines[:i]
-        out_lines.append("overlay[local?]\n")
-        out_lines.extend(lines[i:])
-        return (f"Annotating \"{filename}\" via existing file-level module statement", out_lines)
-
-    i = find_file_module_qldoc_declaration(lines)
-    if not i == None:
-        out_lines = lines[:i+1]
-        out_lines.append("overlay[local?]\n")
-        out_lines.append("module;\n")
-        out_lines.extend(lines[i+1:])
-        return (f"Annotating \"{filename}\" which has a file-level module qldoc", out_lines)
-
-    out_lines = ["overlay[local?]\n", "module;\n", "\n"] + lines
-    return (f"Annotating \"{filename}\" without file-level module qldoc", out_lines)
-
-
-def insert_overlay_caller_annotations(lines):
-    '''
-    Mark pragma[inline] predicates as overlay[caller?] if they are not declared private.
-    '''
-    out_lines = []
-    for i, line in enumerate(lines):
-        trimmed = line.strip()
-        if trimmed == "pragma[inline]":
-            if i + 1 < len(lines) and not "private" in lines[i+1]:
-                whitespace = line[0: line.find(trimmed)]
-                out_lines.append(f"{whitespace}overlay[caller?]\n")
-        out_lines.append(line)
-    return out_lines
-
-
-def annotate_as_appropriate(filename, lines):
-    '''
-    Insert new overlay[...] annotations according to heuristics in files without existing
-    overlay annotations.
-
-    Returns None if no annotations are needed. Otherwise, returns a pair consisting of a
-    string describing the action taken and the modified content as a list of lines.
-    '''
-    if has_overlay_annotations(lines):
-        return None
-
-    # These simple heuristics filter out those .qll files that we no _not_ want to annotate
-    # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
-    # but they seem to work well enough for now (as determined by speed and accuracy numbers).
-    if (filename.endswith("Test.qll") or
-        ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
-         any("implements DataFlow::ConfigSig" in line for line in lines))):
-        return None
-    elif not any(line for line in lines if line.strip()):
-        return None
-
-    lines = insert_overlay_caller_annotations(lines)
-    return insert_toplevel_maybe_local_annotation(filename, lines)
-
-
-def process_single_file(write, filename):
-    '''
-    Process a single file, annotating it as appropriate.
-    If write is set, the changes are written back to the file.
-    Returns True if the file requires changes.
-    '''
-    with open(filename) as f:
-        old = [line for line in f]
-
-    annotate_result = annotate_as_appropriate(filename, old)
-    if annotate_result is None:
-        return False
-
-    if not write:
-        return True
-
-    new = annotate_result[1]
-
-    diff = context_diff(old, new, fromfile=filename, tofile=filename)
-    diff = [line for line in diff]
-    if diff:
-        print(annotate_result[0])
-        for line in diff:
-            print(line.rstrip())
-        with open(filename, "w") as out_file:
-            for line in new:
-                out_file.write(line)
-
-    return True
-
-
-if len(sys.argv) > 1 and sys.argv[1] == "--check":
-  check = True
-  langs = sys.argv[2:]
-else:
-  check = False
-  langs = sys.argv[1:]
-
-dirs = []
-for lang in langs:
-    if lang in ["cpp", "go", "csharp", "java", "javascript", "python", "ruby", "rust", "swift"]:
-        dirs.append(f"{lang}/ql/lib")
-    else:
-        raise Exception(f"Unknown language \"{lang}\".")
-
-if dirs:
-    dirs.append("shared")
-
-missingAnnotations = []
-
-for roots in dirs:
-    for dirpath, dirnames, filenames in os.walk(roots):
-        for filename in filenames:
-            if filename.endswith(".qll") and not dirpath.endswith("tutorial"):
-                path = os.path.join(dirpath, filename)
-                res = process_single_file(not check, path)
-                if check and res:
-                    missingAnnotations.append(path)
-
-
-if len(missingAnnotations) > 0:
-    print("The following files have no overlay annotations:")
-    for path in missingAnnotations[:10]:
-      print("- " + path)
-    if len(missingAnnotations) > 10:
-      print("and " + str(len(missingAnnotations) - 10) + " additional files.")
-    print()
-    print("Please manually add overlay annotations or use the config/add-overlay-annotations.py script to automatically add sensible default overlay annotations.")
-    exit(1)

config/dbscheme-fragments.json

@@ -11,7 +11,6 @@
     "/*- Diagnostic messages -*/",
     "/*- Diagnostic messages: severity -*/",
     "/*- Source location prefix -*/",
-    "/*- Database metadata -*/",
     "/*- Lines of code -*/",
     "/*- Configuration files with key value pairs -*/",
     "/*- YAML -*/",
@@ -32,4 +31,4 @@
     "/*- Python dbscheme -*/",
     "/*- Empty location -*/"
   ]
-}
+}

config/opcode-qldoc.py

@@ -8,9 +8,9 @@ needs_an_re = re.compile(r'^(?!Unary)[AEIOU]')  # Name requiring "an" instead of
 start_qldoc_re = re.compile(r'^\s*/\*\*')  # Start of a QLDoc comment
 end_qldoc_re = re.compile(r'\*/\s*$')  # End of a QLDoc comment
 blank_qldoc_line_re = re.compile(r'^\s*\*\s*$')  # A line in a QLDoc comment with only the '*'
-instruction_class_re = re.compile(r'^class (?P<name>[A-Za-z0-9]+)Instruction\s')  # Declaration of an `Instruction` class
-opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-Za-z0-9]+)Opcode\s')  # Declaration of an `Opcode` base class
-opcode_class_re = re.compile(r'^  class (?P<name>[A-Za-z0-9]+)\s')  # Declaration of an `Opcode` class
+instruction_class_re = re.compile(r'^class (?P<name>[A-aa-z0-9]+)Instruction\s')  # Declaration of an `Instruction` class
+opcode_base_class_re = re.compile(r'^abstract class (?P<name>[A-aa-z0-9]+)Opcode\s')  # Declaration of an `Opcode` base class
+opcode_class_re = re.compile(r'^  class (?P<name>[A-aa-z0-9]+)\s')  # Declaration of an `Opcode` class
 
 script_dir = path.realpath(path.dirname(__file__))
 instruction_path = path.realpath(path.join(script_dir, '../cpp/ql/src/semmle/code/cpp/ir/implementation/raw/Instruction.qll'))

cpp/bulk_generation_targets.yml

@@ -1,31 +0,0 @@
-language: cpp
-strategy: dca
-destination: cpp/ql/lib/ext/generated
-targets:
-- name: zlib
-  with-sinks: false
-  with-sources: false
-- name: brotli
-  with-sinks: false
-  with-sources: false
-- name: libidn2
-  with-sinks: false
-  with-sources: false
-- name: libssh2
-  with-sinks: false
-  with-sources: false
-- name: sqlite
-  with-sinks: false
-  with-sources: false
-- name: openssl
-  with-sinks: false
-  with-sources: false
-- name: nghttp2
-  with-sinks: false
-  with-sources: false
-- name: libuv
-  with-sinks: false
-  with-sources: false
-- name: curl
-  with-sinks: false
-  with-sources: false

cpp/downgrades/3c45f8b9e71ec723bf50c40581e1f18f4f25e290/lambdas.ql

@@ -1,7 +0,0 @@
-class LambdaExpr extends @lambdaexpr {
-  string toString() { none() }
-}
-
-from LambdaExpr lambda, string default_capture, boolean has_explicit_return_type
-where lambdas(lambda, default_capture, has_explicit_return_type, _)
-select lambda, default_capture, has_explicit_return_type

cpp/downgrades/3c45f8b9e71ec723bf50c40581e1f18f4f25e290/upgrade.properties

@@ -1,3 +0,0 @@
-description: capture whether a lambda has an explicitly specified parameter list.
-compatibility: full
-lambdas.rel: run lambdas.qlo

cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/preprocdirects.ql

@@ -11,7 +11,7 @@ int getKind(int kind) {
   if kind = 14
   then result = 6 // Represent MSFT #import as #include
   else
-    if kind = 15 or kind = 16
+    if kind = 15 or kind = 6
     then result = 3 // Represent #elifdef and #elifndef as #elif
     else result = kind
 }

cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/builtintypes.ql

@@ -1,14 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType type, string name, int kind, int kind_new, int size, int sign, int alignment
-where
-  builtintypes(type, name, kind, size, sign, alignment) and
-  if
-    type instanceof @complex_fp16 or
-    type instanceof @complex_std_bfloat16 or
-    type instanceof @complex_std_float16
-  then kind_new = 2
-  else kind_new = kind
-select type, name, kind_new, size, sign, alignment

cpp/downgrades/7bc12b02a4363149f0727a4bce07952dbb9d98aa/upgrade.properties

@@ -1,3 +0,0 @@
-description: Introduce new complex 16-bit floating-point types
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/downgrades/9baef67d1ffc1551429dbe1c1130815693e28218/upgrade.properties

@@ -1,3 +0,0 @@
-description: Add a predicate `getAnAttribute` to `Namespace`
-compatibility: full
-namespaceattributes.rel: delete

cpp/downgrades/a8c2176e9a5cf9be8d17053a4c8e7e56b5aced6d/stmts.ql

@@ -1,13 +0,0 @@
-class Stmt extends @stmt {
-  string toString() { none() }
-}
-
-class Location extends @location_stmt {
-  string toString() { none() }
-}
-
-from Stmt id, int kind, Location loc, int new_kind
-where
-  stmts(id, kind, loc) and
-  if kind = 40 then new_kind = 4 else new_kind = kind
-select id, new_kind, loc

cpp/downgrades/a8c2176e9a5cf9be8d17053a4c8e7e56b5aced6d/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support `__leave` statement
-compatibility: full
-stmts.rel: run stmts.qlo

cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/builtintypes.ql

@@ -1,9 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
-where
-  builtintypes(id, name, kind, size, sign, alignment) and
-  if kind = 62 then new_kind = 1 else new_kind = kind
-select id, name, new_kind, size, sign, alignment

cpp/downgrades/af887e83a815a9cefe774ffa80e2493a1365b9e2/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support __mfp8 type
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo

cpp/downgrades/e38346051783182ea75822e4adf8d4c6a949bc37/builtintypes.ql

@@ -1,9 +0,0 @@
-class BuiltinType extends @builtintype {
-  string toString() { none() }
-}
-
-from BuiltinType id, string name, int kind, int new_kind, int size, int sign, int alignment
-where
-  builtintypes(id, name, kind, size, sign, alignment) and
-  if kind = 63 then /* @errortype */ new_kind = 1 else new_kind = kind
-select id, name, new_kind, size, sign, alignment

cpp/downgrades/e38346051783182ea75822e4adf8d4c6a949bc37/derivedtypes.ql

@@ -1,9 +0,0 @@
-class Type extends @type {
-  string toString() { none() }
-}
-
-from Type type, string name, int kind, int new_kind, Type type_id
-where
-  derivedtypes(type, name, kind, type_id) and
-  if kind = 11 then /* @gnu_vector */ new_kind = 5 else new_kind = kind
-select type, name, new_kind, type_id

cpp/downgrades/e38346051783182ea75822e4adf8d4c6a949bc37/upgrade.properties

@@ -1,5 +0,0 @@
-description: Arm scalable vector type support
-compatibility: backwards
-builtintypes.rel: run builtintypes.qlo
-derivedtypes.rel: run derivedtypes.qlo
-tupleelements.rel: delete

cpp/ql/integration-tests/query-suite/cpp-code-quality-extended.qls.expected

@@ -1 +0,0 @@
-

cpp/ql/integration-tests/query-suite/not_included_in_qls.expected

@@ -299,7 +299,6 @@ ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.q
 ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql
 ql/cpp/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql
 ql/cpp/ql/src/experimental/cryptography/inventory/new_models/UnknownAsymmetricKeyGeneration.ql
-ql/cpp/ql/src/experimental/quantum/PrintCBOMGraph.ql
 ql/cpp/ql/src/external/examples/filters/BumpMetricBy10.ql
 ql/cpp/ql/src/external/examples/filters/EditDefectMessage.ql
 ql/cpp/ql/src/external/examples/filters/ExcludeGeneratedCode.ql

cpp/ql/integration-tests/query-suite/test.py

@@ -2,7 +2,7 @@ import runs_on
 import pytest
 from query_suites import *
 
-well_known_query_suites = ['cpp-code-quality.qls', 'cpp-code-quality-extended.qls', 'cpp-security-and-quality.qls', 'cpp-security-extended.qls', 'cpp-code-scanning.qls']
+well_known_query_suites = ['cpp-code-quality.qls', 'cpp-security-and-quality.qls', 'cpp-security-extended.qls', 'cpp-code-scanning.qls']
 
 @runs_on.posix
 @pytest.mark.parametrize("query_suite", well_known_query_suites)

cpp/ql/lib/CHANGELOG.md

@@ -1,56 +1,3 @@
-## 5.2.0
-
-### Deprecated APIs
-
-* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.
-
-### New Features
-
-* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.
-* The Microsoft-specific `__leave` statement is now supported.
-* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.
-* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
-
-### Bug Fixes
-
-* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.
-
-## 5.1.0
-
-### New Features
-
-* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.
-
-## 5.0.0
-
-### Breaking Changes
-
-* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
-* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
-* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
-
-### New Features
-
-* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
-* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
-* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
-* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
-* Added support for `wmain` as part of the ArgvSource model.
-
-### Bug Fixes
-
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.
-
-## 4.3.1
-
-### Bug Fixes
-
-* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.
-
 ## 4.3.0
 
 ### New Features

cpp/ql/lib/change-notes/2025-06-20-oracle-oci-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added `sql-injection` sink models for the Oracle Call Interface (OCI) database library functions `OCIStmtPrepare` and `OCIStmtPrepare2`.

cpp/ql/lib/change-notes/2025-06-24-float16.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for `__fp16 _Complex` and `__bf16 _Complex` types

cpp/ql/lib/change-notes/released/4.3.1.md

@@ -1,5 +0,0 @@
-## 4.3.1
-
-### Bug Fixes
-
-* Fixed an infinite loop in `semmle.code.cpp.rangeanalysis.new.RangeAnalysis` when computing ranges in very large and complex function bodies.

cpp/ql/lib/change-notes/released/5.0.0.md

@@ -1,23 +0,0 @@
-## 5.0.0
-
-### Breaking Changes
-
-* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
-* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
-* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
-* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
-
-### New Features
-
-* Added local flow source models for `ReadFile`, `ReadFileEx`, `MapViewOfFile`, `MapViewOfFile2`, `MapViewOfFile3`, `MapViewOfFile3FromApp`, `MapViewOfFileEx`, `MapViewOfFileFromApp`, `MapViewOfFileNuma2`, and `NtReadFile`.
-* Added the `pCmdLine` arguments of `WinMain` and `wWinMain` as local flow sources.
-* Added source models for `GetCommandLineA`, `GetCommandLineW`, `GetEnvironmentStringsA`, `GetEnvironmentStringsW`, `GetEnvironmentVariableA`, and `GetEnvironmentVariableW`.
-* Added summary models for `CommandLineToArgvA` and `CommandLineToArgvW`.
-* Added support for `wmain` as part of the ArgvSource model.
-
-### Bug Fixes
-
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
-* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ClassAggregateLiteral`s.

cpp/ql/lib/change-notes/released/5.1.0.md

@@ -1,5 +0,0 @@
-## 5.1.0
-
-### New Features
-
-* Added a predicate `getReferencedMember` to `UsingDeclarationEntry`, which yields a member depending on a type template parameter.

cpp/ql/lib/change-notes/released/5.2.0.md

@@ -1,16 +0,0 @@
-## 5.2.0
-
-### Deprecated APIs
-
-* The `ThrowingFunction` class (`semmle.code.cpp.models.interfaces.Throwing`) has been deprecated. Please use the `AlwaysSehThrowingFunction` class instead.
-
-### New Features
-
-* Added a predicate `getAnAttribute` to `Namespace` to retrieve a namespace attribute.
-* The Microsoft-specific `__leave` statement is now supported.
-* A new class `LeaveStmt` extending `JumpStmt` was added to represent `__leave` statements.
-* Added a predicate `hasParameterList` to `LambdaExpression` to capture whether a lambda has an explicitly specified parameter list.
-
-### Bug Fixes
-
-* `resolveTypedefs` now properly resolves typedefs for `ArrayType`s.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.2.0
+lastReleaseVersion: 4.3.0

cpp/ql/lib/experimental/quantum/Language.qll

@@ -1,130 +0,0 @@
-private import cpp as Language
-import semmle.code.cpp.dataflow.new.TaintTracking
-import codeql.quantum.experimental.Model
-private import OpenSSL.GenericSourceCandidateLiteral
-
-module CryptoInput implements InputSig<Language::Location> {
-  class DataFlowNode = DataFlow::Node;
-
-  class LocatableElement = Language::Locatable;
-
-  class UnknownLocation = Language::UnknownDefaultLocation;
-
-  LocatableElement dfn_to_element(DataFlow::Node node) {
-    result = node.asExpr() or
-    result = node.asParameter() or
-    result = node.asVariable() or
-    result = node.asDefiningArgument()
-    // TODO: do we need asIndirectExpr()?
-  }
-
-  string locationToFileBaseNameAndLineNumberString(Location location) {
-    result = location.getFile().getBaseName() + ":" + location.getStartLine()
-  }
-
-  predicate artifactOutputFlowsToGenericInput(
-    DataFlow::Node artifactOutput, DataFlow::Node otherInput
-  ) {
-    ArtifactFlow::flow(artifactOutput, otherInput)
-  }
-}
-
-module Crypto = CryptographyBase<Language::Location, CryptoInput>;
-
-module ArtifactFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source = any(Crypto::ArtifactInstance artifact).getOutputNode()
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink = any(Crypto::FlowAwareElement other).getInputNode()
-  }
-
-  predicate isBarrierOut(DataFlow::Node node) {
-    node = any(Crypto::FlowAwareElement element).getInputNode()
-  }
-
-  predicate isBarrierIn(DataFlow::Node node) {
-    node = any(Crypto::FlowAwareElement element).getOutputNode()
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node1.(AdditionalFlowInputStep).getOutput() = node2
-  }
-}
-
-module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
-
-/**
- * An artifact output to node input configuration
- */
-abstract class AdditionalFlowInputStep extends DataFlow::Node {
-  abstract DataFlow::Node getOutput();
-
-  final DataFlow::Node getInput() { result = this }
-}
-
-/**
- * Generic data source to node input configuration
- */
-module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source = any(Crypto::GenericSourceInstance i).getOutputNode()
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink = any(Crypto::FlowAwareElement other).getInputNode()
-  }
-
-  predicate isBarrierOut(DataFlow::Node node) {
-    node = any(Crypto::FlowAwareElement element).getInputNode()
-  }
-
-  predicate isBarrierIn(DataFlow::Node node) {
-    node = any(Crypto::FlowAwareElement element).getOutputNode()
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node1.(AdditionalFlowInputStep).getOutput() = node2
-  }
-}
-
-module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
-
-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof OpenSslGenericSourceCandidateLiteral
-{
-  override DataFlow::Node getOutputNode() { result.asExpr() = this }
-
-  override predicate flowsTo(Crypto::FlowAwareElement other) {
-    // TODO: separate config to avoid blowing up data-flow analysis
-    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
-  }
-
-  override string getAdditionalDescription() { result = this.toString() }
-}
-
-module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source = any(Crypto::ArtifactInstance artifact).getOutputNode()
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    sink = any(Crypto::FlowAwareElement other).getInputNode()
-  }
-
-  predicate isBarrierOut(DataFlow::Node node) {
-    node = any(Crypto::FlowAwareElement element).getInputNode()
-  }
-
-  predicate isBarrierIn(DataFlow::Node node) {
-    node = any(Crypto::FlowAwareElement element).getOutputNode()
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    node1.(AdditionalFlowInputStep).getOutput() = node2
-  }
-}
-
-module ArtifactUniversalFlow = DataFlow::Global<ArtifactUniversalFlowConfig>;
-
-import OpenSSL.OpenSSL

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -1,175 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import semmle.code.cpp.dataflow.new.DataFlow
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import PaddingAlgorithmInstance
-
-/**
- * Traces 'known algorithms' to AVCs, specifically
- * algorithms that are in the set of known algorithm constants.
- * Padding-specific consumers exist that have their own values that
- * overlap with the known algorithm constants.
- * Padding consumers (specific padding consumers) are excluded from the set of sinks.
- */
-module KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof KnownOpenSslAlgorithmExpr and
-    // No need to flow direct operations to AVCs
-    not source.asExpr() instanceof OpenSslDirectAlgorithmOperationCall
-  }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(OpenSslAlgorithmValueConsumer c |
-      c.getInputNode() = sink and
-      // exclude padding algorithm consumers, since
-      // these consumers take in different constant values
-      // not in the typical "known algorithm" set
-      not c instanceof PaddingAlgorithmValueConsumer
-    )
-  }
-
-  predicate isBarrier(DataFlow::Node node) {
-    // False positive reducer, don't flow out through argv
-    exists(VariableAccess va, Variable v |
-      v.getAnAccess() = va and va = node.asExpr()
-      or
-      va = node.asIndirectExpr()
-    |
-      v.getName().matches("%argv")
-    )
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    knownPassThroughStep(node1, node2)
-  }
-}
-
-module KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow =
-  DataFlow::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;
-
-module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSslPaddingLiteral }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)
-  }
-
-  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-    knownPassThroughStep(node1, node2)
-  }
-}
-
-module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
-  DataFlow::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
-
-class OpenSslAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
-  OpenSslAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }
-
-  override DataFlow::Node getOutput() {
-    exists(AlgorithmPassthroughCall c | c.getInNode() = this and c.getOutNode() = result)
-  }
-}
-
-abstract class AlgorithmPassthroughCall extends Call {
-  abstract DataFlow::Node getInNode();
-
-  abstract DataFlow::Node getOutNode();
-}
-
-class CopyAndDupAlgorithmPassthroughCall extends AlgorithmPassthroughCall {
-  DataFlow::Node inNode;
-  DataFlow::Node outNode;
-
-  CopyAndDupAlgorithmPassthroughCall() {
-    // Flow out through any return or other argument of the same type
-    // Assume flow in and out is asIndirectExpr or asDefinitingArgument since a pointer is assumed
-    // to be involved
-    // NOTE: not attempting to detect openssl specific copy/dup functions, but anything suspected to be copy/dup
-    this.getTarget().getName().toLowerCase().matches(["%_dup%", "%_copy%"]) and
-    exists(Expr inArg, Type t |
-      inArg = this.getAnArgument() and t = inArg.getUnspecifiedType().stripType()
-    |
-      inNode.asIndirectExpr() = inArg and
-      (
-        // Case 1: flow through another argument as an out arg of the same type
-        exists(Expr outArg |
-          outArg = this.getAnArgument() and
-          outArg != inArg and
-          outArg.getUnspecifiedType().stripType() = t
-        |
-          outNode.asDefiningArgument() = outArg
-        )
-        or
-        // Case 2: flow through the return value if the result is the same as the intput type
-        exists(Expr outArg | outArg = this and outArg.getUnspecifiedType().stripType() = t |
-          outNode.asIndirectExpr() = outArg
-        )
-      )
-    )
-  }
-
-  override DataFlow::Node getInNode() { result = inNode }
-
-  override DataFlow::Node getOutNode() { result = outNode }
-}
-
-class NidToPointerPassthroughCall extends AlgorithmPassthroughCall {
-  DataFlow::Node inNode;
-  DataFlow::Node outNode;
-
-  NidToPointerPassthroughCall() {
-    this.getTarget().getName() in ["OBJ_nid2obj", "OBJ_nid2ln", "OBJ_nid2sn"] and
-    inNode.asExpr() = this.getArgument(0) and
-    outNode.asExpr() = this
-    //outNode.asIndirectExpr() = this
-  }
-
-  override DataFlow::Node getInNode() { result = inNode }
-
-  override DataFlow::Node getOutNode() { result = outNode }
-}
-
-class PointerToPointerPassthroughCall extends AlgorithmPassthroughCall {
-  DataFlow::Node inNode;
-  DataFlow::Node outNode;
-
-  PointerToPointerPassthroughCall() {
-    this.getTarget().getName() = "OBJ_txt2obj" and
-    inNode.asIndirectExpr() = this.getArgument(0) and
-    outNode.asIndirectExpr() = this
-    or
-    //outNode.asExpr() = this
-    this.getTarget().getName() in ["OBJ_obj2txt", "i2t_ASN1_OBJECT"] and
-    inNode.asIndirectExpr() = this.getArgument(2) and
-    outNode.asDefiningArgument() = this.getArgument(0)
-  }
-
-  override DataFlow::Node getInNode() { result = inNode }
-
-  override DataFlow::Node getOutNode() { result = outNode }
-}
-
-class PointerToNidPassthroughCall extends AlgorithmPassthroughCall {
-  DataFlow::Node inNode;
-  DataFlow::Node outNode;
-
-  PointerToNidPassthroughCall() {
-    this.getTarget().getName() in ["OBJ_obj2nid", "OBJ_ln2nid", "OBJ_sn2nid", "OBJ_txt2nid"] and
-    (
-      inNode.asIndirectExpr() = this.getArgument(0)
-      or
-      inNode.asExpr() = this.getArgument(0)
-    ) and
-    outNode.asExpr() = this
-  }
-
-  override DataFlow::Node getInNode() { result = inNode }
-
-  override DataFlow::Node getOutNode() { result = outNode }
-}
-
-// TODO: pkeys pass through EVP_PKEY_CTX_new and any similar variant
-predicate knownPassThroughStep(DataFlow::Node node1, DataFlow::Node node2) {
-  exists(AlgorithmPassthroughCall c | c.getInNode() = node1 and c.getOutNode() = node2)
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -1,81 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import OpenSSLAlgorithmInstanceBase
-private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import AlgToAVCFlow
-private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
-
-/**
- * Given a `KnownOpenSslBlockModeAlgorithmExpr`, converts this to a block family type.
- * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
- */
-predicate knownOpenSslConstantToBlockModeFamilyType(
-  KnownOpenSslBlockModeAlgorithmExpr e, KeyOpAlg::ModeOfOperationType type
-) {
-  exists(string name |
-    name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
-    (
-      name = "CBC" and type instanceof KeyOpAlg::CBC
-      or
-      name = "CFB%" and type instanceof KeyOpAlg::CFB
-      or
-      name = "CTR" and type instanceof KeyOpAlg::CTR
-      or
-      name = "GCM" and type instanceof KeyOpAlg::GCM
-      or
-      name = "OFB" and type instanceof KeyOpAlg::OFB
-      or
-      name = "XTS" and type instanceof KeyOpAlg::XTS
-      or
-      name = "CCM" and type instanceof KeyOpAlg::CCM
-      or
-      name = "CCM" and type instanceof KeyOpAlg::CCM
-      or
-      name = "ECB" and type instanceof KeyOpAlg::ECB
-    )
-  )
-}
-
-class KnownOpenSslBlockModeConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
-  Crypto::ModeOfOperationAlgorithmInstance instanceof KnownOpenSslBlockModeAlgorithmExpr
-{
-  OpenSslAlgorithmValueConsumer getterCall;
-
-  KnownOpenSslBlockModeConstantAlgorithmInstance() {
-    // Two possibilities:
-    // 1) The source is a literal and flows to a getter, then we know we have an instance
-    // 2) The source is a KnownOpenSslAlgorithm is call, and we know we have an instance immediately from that
-    // Possibility 1:
-    this instanceof OpenSslAlgorithmLiteral and
-    exists(DataFlow::Node src, DataFlow::Node sink |
-      // Sink is an argument to a CipherGetterCall
-      sink = getterCall.getInputNode() and
-      // Source is `this`
-      src.asExpr() = this and
-      // This traces to a getter
-      KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
-    )
-    or
-    // Possibility 2:
-    this instanceof OpenSslAlgorithmCall and
-    getterCall = this
-  }
-
-  override KeyOpAlg::ModeOfOperationType getModeType() {
-    knownOpenSslConstantToBlockModeFamilyType(this, result)
-    or
-    not knownOpenSslConstantToBlockModeFamilyType(this, _) and result = KeyOpAlg::OtherMode()
-  }
-
-  // NOTE: I'm not going to attempt to parse out the mode specific part, so returning
-  // the same as the raw name for now.
-  override string getRawModeAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
-
-  override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -1,129 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import KnownAlgorithmConstants
-private import Crypto::KeyOpAlg as KeyOpAlg
-private import OpenSSLAlgorithmInstanceBase
-private import PaddingAlgorithmInstance
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-private import AlgToAVCFlow
-private import BlockAlgorithmInstance
-
-/**
- * Given a `KnownOpenSslCipherAlgorithmExpr`, converts this to a cipher family type.
- * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
- */
-predicate knownOpenSslConstantToCipherFamilyType(
-  KnownOpenSslCipherAlgorithmExpr e, Crypto::KeyOpAlg::TAlgorithm type
-) {
-  exists(string name |
-    name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
-    (
-      name.matches("AES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())
-      or
-      name.matches("ARIA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::ARIA())
-      or
-      name.matches("BLOWFISH%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
-      or
-      name.matches("BF%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
-      or
-      name.matches("CAMELLIA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAMELLIA())
-      or
-      name.matches("CHACHA20%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CHACHA20())
-      or
-      name.matches("CAST5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::CAST5())
-      or
-      name.matches("2DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DOUBLE_DES())
-      or
-      name.matches("3DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES())
-      or
-      name.matches("DES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES())
-      or
-      name.matches("DESX%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DESX())
-      or
-      name.matches("GOST%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::GOST())
-      or
-      name.matches("IDEA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA())
-      or
-      name.matches("KUZNYECHIK%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::KUZNYECHIK())
-      or
-      name.matches("MAGMA%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::MAGMA())
-      or
-      name.matches("RC2%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2())
-      or
-      name.matches("RC4%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4())
-      or
-      name.matches("RC5%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC5())
-      or
-      name.matches("RSA%") and type = KeyOpAlg::TAsymmetricCipher(KeyOpAlg::RSA())
-      or
-      name.matches("SEED%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SEED())
-      or
-      name.matches("SM4%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::SM4())
-    )
-  )
-}
-
-class KnownOpenSslCipherConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
-  Crypto::KeyOperationAlgorithmInstance instanceof KnownOpenSslCipherAlgorithmExpr
-{
-  OpenSslAlgorithmValueConsumer getterCall;
-
-  KnownOpenSslCipherConstantAlgorithmInstance() {
-    // Two possibilities:
-    // 1) The source is a literal and flows to a getter, then we know we have an instance
-    // 2) The source is a KnownOpenSslAlgorithm is call, and we know we have an instance immediately from that
-    // Possibility 1:
-    this instanceof OpenSslAlgorithmLiteral and
-    exists(DataFlow::Node src, DataFlow::Node sink |
-      // Sink is an argument to a CipherGetterCall
-      sink = getterCall.getInputNode() and
-      // Source is `this`
-      src.asExpr() = this and
-      // This traces to a getter
-      KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
-    )
-    or
-    // Possibility 2:
-    this instanceof OpenSslAlgorithmCall and
-    getterCall = this
-  }
-
-  override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
-    // if there is a block mode associated with the same element, then that's the block mode
-    // note, if none are associated, we may need to parse if the cipher is a block cipher
-    // to determine if this is an unknown vs not relevant.
-    result = this
-  }
-
-  override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() {
-    //TODO: the padding is either self, or it flows through getter ctx to a set padding call
-    // like EVP_PKEY_CTX_set_rsa_padding
-    result = this
-    // TODO or trace through getter ctx to set padding
-  }
-
-  override string getRawAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
-
-  override int getKeySizeFixed() {
-    this.(KnownOpenSslCipherAlgorithmExpr).getExplicitKeySize() = result
-  }
-
-  override KeyOpAlg::AlgorithmType getAlgorithmType() {
-    knownOpenSslConstantToCipherFamilyType(this, result)
-    or
-    not knownOpenSslConstantToCipherFamilyType(this, _) and
-    result = Crypto::KeyOpAlg::TUnknownKeyOperationAlgorithmType()
-  }
-
-  override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
-
-  override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
-    // TODO: trace to any key size initializer, symmetric and asymmetric
-    none()
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -1,60 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import KnownAlgorithmConstants
-private import OpenSSLAlgorithmInstanceBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-private import AlgToAVCFlow
-
-class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
-  Crypto::EllipticCurveInstance instanceof KnownOpenSslEllipticCurveAlgorithmExpr
-{
-  OpenSslAlgorithmValueConsumer getterCall;
-
-  KnownOpenSslEllipticCurveConstantAlgorithmInstance() {
-    // Two possibilities:
-    // 1) The source is a literal and flows to a getter, then we know we have an instance
-    // 2) The source is a KnownOpenSslAlgorithm is call, and we know we have an instance immediately from that
-    // Possibility 1:
-    this instanceof OpenSslAlgorithmLiteral and
-    exists(DataFlow::Node src, DataFlow::Node sink |
-      // Sink is an argument to a CipherGetterCall
-      sink = getterCall.getInputNode() and
-      // Source is `this`
-      src.asExpr() = this and
-      // This traces to a getter
-      KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
-    )
-    or
-    // Possibility 2:
-    this instanceof OpenSslAlgorithmCall and
-    getterCall = this
-  }
-
-  override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
-
-  override string getRawEllipticCurveName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
-
-  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
-    if
-      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
-        _)
-    then
-      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
-        result)
-    else result = Crypto::OtherEllipticCurveType()
-  }
-
-  override string getParsedEllipticCurveName() {
-    result = this.(KnownOpenSslAlgorithmExpr).getNormalizedName()
-  }
-
-  override int getKeySize() {
-    Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.(KnownOpenSslAlgorithmExpr)
-          .getNormalizedName(), result, _)
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -1,89 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-private import AlgToAVCFlow
-
-predicate knownOpenSslConstantToHashFamilyType(
-  KnownOpenSslHashAlgorithmExpr e, Crypto::THashType type
-) {
-  exists(string name |
-    name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
-    (
-      name = "BLAKE2B" and type instanceof Crypto::BLAKE2B
-      or
-      name = "BLAKE2S" and type instanceof Crypto::BLAKE2S
-      or
-      name.matches("GOST%") and type instanceof Crypto::GOST_HASH
-      or
-      name = "MD2" and type instanceof Crypto::MD2
-      or
-      name = "MD4" and type instanceof Crypto::MD4
-      or
-      name = "MD5" and type instanceof Crypto::MD5
-      or
-      name = "MDC2" and type instanceof Crypto::MDC2
-      or
-      name = "POLY1305" and type instanceof Crypto::POLY1305
-      or
-      name.matches(["SHA", "SHA1"]) and type instanceof Crypto::SHA1
-      or
-      name.matches("SHA_%") and not name.matches(["SHA1", "SHA3-"]) and type instanceof Crypto::SHA2
-      or
-      name.matches("SHA3-%") and type instanceof Crypto::SHA3
-      or
-      name = "SHAKE" and type instanceof Crypto::SHAKE
-      or
-      name = "SM3" and type instanceof Crypto::SM3
-      or
-      name = "RIPEMD160" and type instanceof Crypto::RIPEMD160
-      or
-      name = "WHIRLPOOL" and type instanceof Crypto::WHIRLPOOL
-    )
-  )
-}
-
-class KnownOpenSslHashConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
-  Crypto::HashAlgorithmInstance instanceof KnownOpenSslHashAlgorithmExpr
-{
-  OpenSslAlgorithmValueConsumer getterCall;
-
-  KnownOpenSslHashConstantAlgorithmInstance() {
-    // Two possibilities:
-    // 1) The source is a literal and flows to a getter, then we know we have an instance
-    // 2) The source is a KnownOpenSslAlgorithm is call, and we know we have an instance immediately from that
-    // Possibility 1:
-    this instanceof OpenSslAlgorithmLiteral and
-    exists(DataFlow::Node src, DataFlow::Node sink |
-      // Sink is an argument to a CipherGetterCall
-      sink = getterCall.getInputNode() and
-      // Source is `this`
-      src.asExpr() = this and
-      // This traces to a getter
-      KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
-    )
-    or
-    // Possibility 2:
-    this instanceof OpenSslAlgorithmCall and
-    getterCall = this
-  }
-
-  override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
-
-  override Crypto::THashType getHashFamily() {
-    knownOpenSslConstantToHashFamilyType(this, result)
-    or
-    not knownOpenSslConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
-  }
-
-  override string getRawHashAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
-
-  override int getFixedDigestLength() {
-    this.(KnownOpenSslHashAlgorithmExpr).getExplicitDigestLength() = result
-  }
-}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KeyAgreementAlgorithmInstance.qll

@@ -1,64 +0,0 @@
-import cpp
-private import experimental.quantum.Language
-private import KnownAlgorithmConstants
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-private import AlgToAVCFlow
-
-predicate knownOpenSslConstantToKeyAgreementFamilyType(
-  KnownOpenSslKeyAgreementAlgorithmExpr e, Crypto::TKeyAgreementType type
-) {
-  exists(string name |
-    name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
-    (
-      name = "ECDH" and type = Crypto::ECDH()
-      or
-      name = "DH" and type = Crypto::DH()
-      or
-      name = "EDH" and type = Crypto::EDH()
-      or
-      name = "ESDH" and type = Crypto::EDH()
-    )
-  )
-}
-
-class KnownOpenSslKeyAgreementConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
-  Crypto::KeyAgreementAlgorithmInstance instanceof KnownOpenSslKeyAgreementAlgorithmExpr
-{
-  OpenSslAlgorithmValueConsumer getterCall;
-
-  KnownOpenSslKeyAgreementConstantAlgorithmInstance() {
-    // Two possibilities:
-    // 1) The source is a literal and flows to a getter, then we know we have an instance
-    // 2) The source is a KnownOpenSslAlgorithm is call, and we know we have an instance immediately from that
-    // Possibility 1:
-    this instanceof OpenSslAlgorithmLiteral and
-    exists(DataFlow::Node src, DataFlow::Node sink |
-      // Sink is an argument to a CipherGetterCall
-      sink = getterCall.getInputNode() and
-      // Source is `this`
-      src.asExpr() = this and
-      // This traces to a getter
-      KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
-    )
-    or
-    // Possibility 2:
-    this instanceof OpenSslAlgorithmCall and
-    getterCall = this
-  }
-
-  override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
-
-  override Crypto::TKeyAgreementType getKeyAgreementType() {
-    knownOpenSslConstantToKeyAgreementFamilyType(this, result)
-    or
-    not knownOpenSslConstantToKeyAgreementFamilyType(this, _) and
-    result = Crypto::OtherKeyAgreementType()
-  }
-
-  override string getRawKeyAgreementAlgorithmName() {
-    result = this.(Literal).getValue().toString()
-    or
-    result = this.(Call).getTarget().getName()
-  }
-}