Python: Exclude sources in functions with unclear returns

A common source of FPs is when the flow inside a function depends on some argument to the function. In this case, if a non-container class is being returned in _some_ branch, we behave as if it _always_ is returned, leading to false positives where the code is actually safe because the argument to the function prevents the bad return from being executed.
Python: Use global data-flow for ContainsNonContainer.ql
2026-05-24 08:07:07 +02:00 · 2026-04-14 09:11:28 +00:00 · 2026-04-14 09:11:28 +00:00 · 2026-04-14 09:11:28 +00:00 · 2026-04-14 09:11:28 +00:00 · 2026-04-14 09:11:28 +00:00
299 changed files with 64785 additions and 72324 deletions
--- a/actions/justfile
+++ b/actions/justfile
@@ -1,7 +0,0 @@
-import '../lib.just'
-
-[group('build')]
-build: (_build_dist "actions")
-
-[group('test')]
-language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test')
--- a/actions/ql/integration-tests/justfile
+++ b/actions/ql/integration-tests/justfile
@@ -1,4 +0,0 @@
-import "../../../lib.just"
-
-[no-cd]
-test *ARGS=".": (_integration_test ARGS)
--- a/actions/ql/justfile
+++ b/actions/ql/justfile
@@ -1,6 +0,0 @@
-import "../../lib.just"
-
-[no-cd]
-format *ARGS=".": (_format_ql ARGS)
-
-consistency_queries := ""
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.4.33
-
-No user-facing changes.
-
 ## 0.4.32

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.33.md
+++ b/actions/ql/lib/change-notes/released/0.4.33.md
@@ -1,3 +0,0 @@
-## 0.4.33
-
-No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.33
+lastReleaseVersion: 0.4.32
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.34-dev
+version: 0.4.33-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 0.6.25
-
-No user-facing changes.
-
 ## 0.6.24

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.25.md
+++ b/actions/ql/src/change-notes/released/0.6.25.md
@@ -1,3 +0,0 @@
-## 0.6.25
-
-No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.25
+lastReleaseVersion: 0.6.24
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.26-dev
+version: 0.6.25-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/actions/ql/test/justfile
+++ b/actions/ql/test/justfile
@@ -1,8 +0,0 @@
-import "../justfile"
-
-base_flags := ""
-
-all_checks := default_db_checks
-
-[no-cd]
-test *ARGS=".": (_codeql_test "actions" base_flags all_checks ARGS)
--- a/cpp/justfile
+++ b/cpp/justfile
@@ -1,8 +0,0 @@
-import '../lib.just'
-import? '../../cpp-coding-standards.just'
-
-[group('build')]
-build: (_build_dist "cpp")
-
-[group('test')]
-language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test' '../../semmlecode-cpp-tests')
--- a/cpp/ql/consistency-queries/badLocations.ql
+++ b/cpp/ql/consistency-queries/badLocations.ql
@@ -1,9 +0,0 @@
-import cpp
-
-// Locations should either be :0:0:0:0 locations (UnknownLocation, or
-// a whole file), or all 4 fields should be positive.
-from Location l
-where
-  [l.getStartLine(), l.getEndLine(), l.getStartColumn(), l.getEndColumn()] != 0 and
-  [l.getStartLine(), l.getEndLine(), l.getStartColumn(), l.getEndColumn()] < 1
-select l
--- a/cpp/ql/consistency-queries/nullInToString.ql
+++ b/cpp/ql/consistency-queries/nullInToString.ql
@@ -1,5 +0,0 @@
-import cpp
-
-from Element e
-where e.toString().matches("%(null)%")
-select e
--- a/cpp/ql/consistency-queries/qlpack.yml
+++ b/cpp/ql/consistency-queries/qlpack.yml
@@ -1,5 +0,0 @@
-name: codeql/cpp-consistency-queries
-groups: [cpp, test, consistency-queries]
-dependencies:
-  codeql/cpp-all: ${workspace}
-extractor: cpp
--- a/cpp/ql/consistency-queries/unusedLocations.ql
+++ b/cpp/ql/consistency-queries/unusedLocations.ql
@@ -1,10 +0,0 @@
-import cpp
-
-from Location l
-where
-  not any(Element e).getLocation() = l and
-  not any(LambdaCapture lc).getLocation() = l and
-  not any(MacroAccess ma).getActualLocation() = l and
-  not any(NamespaceDeclarationEntry nde).getBodyLocation() = l and
-  not any(XmlLocatable xml).getLocation() = l
-select l
--- a/cpp/ql/consistency-queries/variableDeclarationsWithoutTypes.ql
+++ b/cpp/ql/consistency-queries/variableDeclarationsWithoutTypes.ql
@@ -1,5 +0,0 @@
-import cpp
-
-from VariableDeclarationEntry i
-where not exists(i.getType())
-select i
--- a/cpp/ql/consistency-queries/variablesWithoutTypes.ql
+++ b/cpp/ql/consistency-queries/variablesWithoutTypes.ql
@@ -1,5 +0,0 @@
-import cpp
-
-from Variable i
-where not exists(i.getType())
-select i
--- a/cpp/ql/integration-tests/justfile
+++ b/cpp/ql/integration-tests/justfile
@@ -1,4 +0,0 @@
-import "../../../lib.just"
-
-[no-cd]
-test *ARGS=".": (_integration_test ARGS)
--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -43,7 +43,6 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
-ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
 ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
 ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql
--- a/cpp/ql/justfile
+++ b/cpp/ql/justfile
@@ -1,6 +0,0 @@
-import "../../lib.just"
-
-[no-cd]
-format *ARGS=".": (_format_ql ARGS)
-
-consistency_queries := source_dir() / "consistency-queries"
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,23 +1,3 @@
-## 9.0.0
-
-### Breaking Changes
-
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
-
-### New Features
-
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
-
-### Minor Analysis Improvements
-
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).
-
 ## 8.0.3

 No user-facing changes.
--- a/cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
+++ b/cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
--- a/cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md
+++ b/cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md
@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
--- a/cpp/ql/lib/change-notes/2026-03-24-field-init.md
+++ b/cpp/ql/lib/change-notes/2026-03-24-field-init.md
@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
--- a/cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md
+++ b/cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md
@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
--- a/cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md
+++ b/cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).
--- a/cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md
+++ b/cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
--- a/cpp/ql/lib/change-notes/2026-03-31-meson.md
+++ b/cpp/ql/lib/change-notes/2026-03-31-meson.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
--- a/cpp/ql/lib/change-notes/2026-04-14-throwing.md
+++ b/cpp/ql/lib/change-notes/2026-04-14-throwing.md
@@ -1,5 +0,0 @@
---
-category: breaking
---
-* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
-* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
--- a/cpp/ql/lib/change-notes/released/9.0.0.md
+++ b/cpp/ql/lib/change-notes/released/9.0.0.md
@@ -1,19 +0,0 @@
-## 9.0.0
-
-### Breaking Changes
-
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
-
-### New Features
-
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
-
-### Minor Analysis Improvements
-
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.0.0
+lastReleaseVersion: 8.0.3
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 9.0.1-dev
+version: 8.0.4-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll
@@ -11,3 +11,10 @@ import semmle.code.cpp.models.Models
 * The function may still raise a structured exception handling (SEH) exception.
 */
 abstract class NonCppThrowingFunction extends Function { }
+
+/**
+ * A function that is guaranteed to never throw.
+ *
+ * DEPRECATED: use `NonCppThrowingFunction` instead.
+ */
+deprecated class NonThrowingFunction = NonCppThrowingFunction;
--- a/cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll
+++ b/cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll
@@ -10,6 +10,19 @@ import semmle.code.cpp.Function
 import semmle.code.cpp.models.Models
 import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs

+/**
+ * A function that is known to raise an exception.
+ *
+ * DEPRECATED: use `AlwaysSehThrowingFunction` instead.
+ */
+abstract deprecated class ThrowingFunction extends Function {
+  /**
+   * Holds if this function may throw an exception during evaluation.
+   * If `unconditional` is `true` the function always throws an exception.
+   */
+  abstract predicate mayThrowException(boolean unconditional);
+}
+
 /**
 * A function that unconditionally raises a structured exception handling (SEH) exception.
 */
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,17 +1,3 @@
-## 1.6.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Minor Analysis Improvements
-
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
-
 ## 1.5.15

 No user-facing changes.
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.8
- * @precision high
+ * @precision medium
 * @id cpp/suspicious-add-sizeof
 * @tags security
 *       external/cwe/cwe-468
--- a/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
+++ b/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
+++ b/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
+++ b/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
+++ b/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
--- a/cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md
+++ b/cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
--- a/cpp/ql/src/change-notes/2026-04-02-suspicious-add-sizeof.md
+++ b/cpp/ql/src/change-notes/2026-04-02-suspicious-add-sizeof.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
--- a/cpp/ql/src/change-notes/released/1.6.0.md
+++ b/cpp/ql/src/change-notes/released/1.6.0.md
@@ -1,13 +0,0 @@
-## 1.6.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Minor Analysis Improvements
-
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.0
+lastReleaseVersion: 1.5.15
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.1-dev
+version: 1.5.16-dev
 groups:
  - cpp
  - queries
--- a/cpp/ql/test/justfile
+++ b/cpp/ql/test/justfile
@@ -1,12 +0,0 @@
-import "../justfile"
-
-base_flags := "--include-location-in-star"
-
-all_checks := f"""\
-    {{default_db_checks}}\
-    --check-undefined-labels \
-    --check-unused-labels \
-    --consistency-queries={{consistency_queries}}"""
-
-[no-cd]
-test *ARGS=".": (_codeql_test "cpp" base_flags all_checks ARGS)
--- a/csharp/justfile
+++ b/csharp/justfile
@@ -1,7 +0,0 @@
-import '../lib.just'
-
-[group('build')]
-build: (_build_dist "csharp")
-
-[group('test')]
-language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test')
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.64
-
-No user-facing changes.
-
 ## 1.7.63

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.64.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.64.md
@@ -1,3 +0,0 @@
-## 1.7.64
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.64
+lastReleaseVersion: 1.7.63
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.65-dev
+version: 1.7.64-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.7.64
-
-No user-facing changes.
-
 ## 1.7.63

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.64.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.64.md
@@ -1,3 +0,0 @@
-## 1.7.64
-
-No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.64
+lastReleaseVersion: 1.7.63
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.65-dev
+version: 1.7.64-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/examples/snippets/integer_literal.ql
+++ b/csharp/ql/examples/snippets/integer_literal.ql
@@ -9,5 +9,5 @@
 import csharp

 from IntegerLiteral literal
-where literal.getIntValue() = 0
+where literal.getValue().toInt() = 0
 select literal
--- a/csharp/ql/integration-tests/justfile
+++ b/csharp/ql/integration-tests/justfile
@@ -1,4 +0,0 @@
-import "../../../lib.just"
-
-[no-cd]
-test *ARGS=".": (_integration_test ARGS)
--- a/csharp/ql/justfile
+++ b/csharp/ql/justfile
@@ -1,6 +0,0 @@
-import "../../lib.just"
-
-[no-cd]
-format *ARGS=".": (_format_ql ARGS)
-
-consistency_queries := source_dir() / "consistency-queries"
--- a/csharp/ql/lib/CHANGELOG.md
+++ b/csharp/ql/lib/CHANGELOG.md
@@ -1,13 +1,3 @@
-## 5.4.12
-
-### Minor Analysis Improvements
-
-* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
-* The `cs/log-forging` query no longer treats arguments to extension methods with
-  source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
-  through extension method bodies, reducing false positives when extension methods
-  sanitize input internally.
-
 ## 5.4.11

 No user-facing changes.
--- a/csharp/ql/lib/change-notes/2026-03-19-fix-log-forging-extension-methods.md
+++ b/csharp/ql/lib/change-notes/2026-03-19-fix-log-forging-extension-methods.md
@@ -1,8 +1,6 @@
-## 5.4.12
-
-### Minor Analysis Improvements
-
-* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
+---
+category: minorAnalysis
+---
 * The `cs/log-forging` query no longer treats arguments to extension methods with
  source code on `ILogger` types as sinks. Instead, taint is tracked interprocedurally
  through extension method bodies, reducing false positives when extension methods
--- a/csharp/ql/lib/change-notes/2026-03-26-expanded-assignments.md
+++ b/csharp/ql/lib/change-notes/2026-03-26-expanded-assignments.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The extractor no longer synthesizes expanded forms of compound assignments. This may have a small impact on the results of queries that explicitly or implicitly rely on the expanded form of compound assignments.
--- a/csharp/ql/lib/codeql-pack.release.yml
+++ b/csharp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 5.4.12
+lastReleaseVersion: 5.4.11
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 5.4.13-dev
+version: 5.4.12-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/lib/semmle/code/csharp/Conversion.qll
+++ b/csharp/ql/lib/semmle/code/csharp/Conversion.qll
@@ -713,7 +713,7 @@ private class SignedIntegralConstantExpr extends Expr {
 }

 private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType toType) {
-  exists(int n | n = e.getIntValue() |
+  exists(int n | n = e.getValue().toInt() |
    toType = any(SByteType t | n in [t.minValue() .. t.maxValue()])
    or
    toType = any(ByteType t | n in [t.minValue() .. t.maxValue()])
@@ -730,7 +730,7 @@ private predicate convConstantIntExpr(SignedIntegralConstantExpr e, SimpleType t

 private predicate convConstantLongExpr(SignedIntegralConstantExpr e) {
  e.getType() instanceof LongType and
-  e.getIntValue() >= 0
+  e.getValue().toInt() >= 0
 }

 /** 6.1.10: Implicit reference conversions involving type parameters. */
--- a/csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll
+++ b/csharp/ql/lib/semmle/code/csharp/commons/ComparisonTest.qll
@@ -161,7 +161,7 @@ private newtype TComparisonTest =
      compare.getComparisonKind().isCompare() and
      outerKind = outer.getComparisonKind() and
      outer.getAnArgument() = compare.getExpr() and
-      i = outer.getAnArgument().getIntValue()
+      i = outer.getAnArgument().getValue().toInt()
    |
      outerKind.isEquality() and
      (
--- a/csharp/ql/lib/semmle/code/csharp/commons/Constants.qll
+++ b/csharp/ql/lib/semmle/code/csharp/commons/Constants.qll
@@ -32,13 +32,13 @@ private module ConstantComparisonOperation {

  private int maxValue(Expr expr) {
    if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
-    then result = expr.getIntValue()
+    then result = expr.getValue().toInt()
    else result = convertedType(expr).maxValue()
  }

  private int minValue(Expr expr) {
    if convertedType(expr) instanceof IntegralType and exists(expr.getValue())
-    then result = expr.getIntValue()
+    then result = expr.getValue().toInt()
    else result = convertedType(expr).minValue()
  }

--- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
@@ -60,16 +60,25 @@ private module GuardsInput implements
    override boolean asBooleanValue() { boolConst(this, result) }
  }

-  private class IntegerConstant extends ConstantExpr {
-    IntegerConstant() { exists(this.getIntValue()) }
+  private predicate intConst(Expr e, int i) {
+    e.getValue().toInt() = i and
+    (
+      e.getType() instanceof Enum
+      or
+      e.getType() instanceof IntegralType
+    )
+  }

-    override int asIntegerValue() { result = this.getIntValue() }
+  private class IntegerConstant extends ConstantExpr {
+    IntegerConstant() { intConst(this, _) }
+
+    override int asIntegerValue() { intConst(this, result) }
  }

  private class EnumConst extends ConstantExpr {
    EnumConst() { this.getType() instanceof Enum and this.hasValue() }

-    override int asIntegerValue() { result = this.getIntValue() }
+    override int asIntegerValue() { result = this.getValue().toInt() }
  }

  private class StringConstant extends ConstantExpr instanceof StringLiteral {
@@ -508,35 +517,35 @@ class EnumerableCollectionExpr extends Expr {
          |
            // x.Length == 0
            ct.getComparisonKind().isEquality() and
-            ct.getAnArgument().getIntValue() = 0 and
+            ct.getAnArgument().getValue().toInt() = 0 and
            branch = isEmpty
            or
            // x.Length == k, k > 0
            ct.getComparisonKind().isEquality() and
-            ct.getAnArgument().getIntValue() > 0 and
+            ct.getAnArgument().getValue().toInt() > 0 and
            branch = true and
            isEmpty = false
            or
            // x.Length != 0
            ct.getComparisonKind().isInequality() and
-            ct.getAnArgument().getIntValue() = 0 and
+            ct.getAnArgument().getValue().toInt() = 0 and
            branch = isEmpty.booleanNot()
            or
            // x.Length != k, k != 0
            ct.getComparisonKind().isInequality() and
-            ct.getAnArgument().getIntValue() != 0 and
+            ct.getAnArgument().getValue().toInt() != 0 and
            branch = false and
            isEmpty = false
            or
            // x.Length > k, k >= 0
            ct.getComparisonKind().isLessThan() and
-            ct.getFirstArgument().getIntValue() >= 0 and
+            ct.getFirstArgument().getValue().toInt() >= 0 and
            branch = true and
            isEmpty = false
            or
            // x.Length >= k, k > 0
            ct.getComparisonKind().isLessThanEquals() and
-            ct.getFirstArgument().getIntValue() > 0 and
+            ct.getFirstArgument().getValue().toInt() > 0 and
            branch = true and
            isEmpty = false
          )
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ConstantUtils.qll
@@ -23,7 +23,7 @@ predicate systemArrayLengthAccess(PropertyAccess pa) {
 * - a read of the `Length` of an array with `val` lengths.
 */
 private predicate constantIntegerExpr(ExprNode e, int val) {
-  e.getExpr().getIntValue() = val
+  e.getValue().toInt() = val
  or
  exists(ExprNode src |
    e = getAnExplicitDefinitionRead(src) and
--- a/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
@@ -57,13 +57,6 @@ class Expr extends ControlFlowElement, @expr {
  /** Gets the value of this expression, if any */
  string getValue() { expr_value(this, result) }

-  /** Gets the integer value of this expression, if any. */
-  cached
-  int getIntValue() {
-    result = this.getValue().toInt() and
-    (this.getType() instanceof IntegralType or this.getType() instanceof Enum)
-  }
-
  /** Holds if this expression has a value. */
  final predicate hasValue() { exists(this.getValue()) }

--- a/csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll
+++ b/csharp/ql/lib/semmle/code/csharp/frameworks/system/runtime/CompilerServices.qll
@@ -81,7 +81,7 @@ class SystemRuntimeCompilerServicesInlineArrayAttribute extends Attribute {
  /**
   * Gets the length of the inline array.
   */
-  int getLength() { result = this.getConstructorArgument(0).getIntValue() }
+  int getLength() { result = this.getConstructorArgument(0).getValue().toInt() }
 }

 /** An attribute of type `System.Runtime.CompilerServices.OverloadResolutionPriority`. */
@@ -94,5 +94,5 @@ class SystemRuntimeCompilerServicesOverloadResolutionPriorityAttribute extends A
  /**
   * Gets the priority number.
   */
-  int getPriority() { result = this.getConstructorArgument(0).getIntValue() }
+  int getPriority() { result = this.getConstructorArgument(0).getValue().toInt() }
 }
--- a/csharp/ql/src/CHANGELOG.md
+++ b/csharp/ql/src/CHANGELOG.md
@@ -1,14 +1,3 @@
-## 1.7.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Major Analysis Improvements
-
-* The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.
-
 ## 1.6.6

 No user-facing changes.
--- a/csharp/ql/src/Likely
+++ b/csharp/ql/src/Likely
@@ -13,7 +13,7 @@
 import csharp

 predicate isDefinitelyPositive(Expr e) {
-  e.getIntValue() >= 0 or
+  e.getValue().toInt() >= 0 or
  e.(PropertyAccess).getTarget().hasName("Length") or
  e.(MethodCall).getTarget().hasUndecoratedName("Count")
 }
@@ -23,12 +23,12 @@ where
  t.getLeftOperand() = lhs and
  t.getRightOperand() = rhs and
  not isDefinitelyPositive(lhs.getLeftOperand().stripCasts()) and
-  lhs.getRightOperand().(IntegerLiteral).getIntValue() = 2 and
+  lhs.getRightOperand().(IntegerLiteral).getValue() = "2" and
  (
-    t instanceof EQExpr and rhs.getIntValue() = 1 and parity = "oddness"
+    t instanceof EQExpr and rhs.getValue() = "1" and parity = "oddness"
    or
-    t instanceof NEExpr and rhs.getIntValue() = 1 and parity = "evenness"
+    t instanceof NEExpr and rhs.getValue() = "1" and parity = "evenness"
    or
-    t instanceof GTExpr and rhs.getIntValue() = 0 and parity = "oddness"
+    t instanceof GTExpr and rhs.getValue() = "0" and parity = "oddness"
  )
 select t, "Possibly invalid test for " + parity + ". This will fail for negative numbers."
--- a/Bugs/MishandlingJapaneseEra.ql
+++ b/Bugs/MishandlingJapaneseEra.ql
@@ -27,8 +27,8 @@ predicate isExactEraStartDateCreation(ObjectCreation cr) {
    cr.getType().hasFullyQualifiedName("System", "DateTime") or
    cr.getType().hasFullyQualifiedName("System", "DateTimeOffset")
  ) and
-  isEraStart(cr.getArgument(0).getIntValue(), cr.getArgument(1).getIntValue(),
-    cr.getArgument(2).getIntValue())
+  isEraStart(cr.getArgument(0).getValue().toInt(), cr.getArgument(1).getValue().toInt(),
+    cr.getArgument(2).getValue().toInt())
 }

 predicate isDateFromJapaneseCalendarToDateTime(MethodCall mc) {
@@ -44,7 +44,7 @@ predicate isDateFromJapaneseCalendarToDateTime(MethodCall mc) {
    mc.getNumberOfArguments() = 7 // implicitly current era
    or
    mc.getNumberOfArguments() = 8 and
-    mc.getArgument(7).getIntValue() = 0
+    mc.getArgument(7).getValue() = "0"
  ) // explicitly current era
 }

--- a/Bugs/PossibleLossOfPrecision.ql
+++ b/Bugs/PossibleLossOfPrecision.ql
@@ -40,8 +40,8 @@ predicate convertedToFloatOrDecimal(Expr e, Type t) {
 /** Holds if `div` is an exact integer division. */
 predicate exactDivision(DivExpr div) {
  exists(int numerator, int denominator |
-    numerator = div.getNumerator().stripCasts().getIntValue() and
-    denominator = div.getDenominator().stripCasts().getIntValue() and
+    numerator = div.getNumerator().stripCasts().getValue().toInt() and
+    denominator = div.getDenominator().stripCasts().getValue().toInt() and
    numerator % denominator = 0
  )
 }
--- a/Features/InsufficientKeySize.ql
+++ b/Features/InsufficientKeySize.ql
@@ -20,7 +20,7 @@ predicate incorrectUseOfRC2(Assignment e, string msg) {
        .getDeclaringType()
        .hasFullyQualifiedName("System.Security.Cryptography", "RC2CryptoServiceProvider")
  ) and
-  e.getRightOperand().getIntValue() < 128 and
+  e.getRightOperand().getValue().toInt() < 128 and
  msg = "Key size should be at least 128 bits for RC2 encryption."
 }

@@ -28,7 +28,7 @@ predicate incorrectUseOfDsa(ObjectCreation e, string msg) {
  e.getTarget()
      .getDeclaringType()
      .hasFullyQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
-  exists(Expr i | e.getArgument(0) = i and i.getIntValue() < 2048) and
+  exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
  msg = "Key size should be at least 2048 bits for DSA encryption."
 }

@@ -36,7 +36,7 @@ predicate incorrectUseOfRsa(ObjectCreation e, string msg) {
  e.getTarget()
      .getDeclaringType()
      .hasFullyQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and
-  exists(Expr i | e.getArgument(0) = i and i.getIntValue() < 2048) and
+  exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
  msg = "Key size should be at least 2048 bits for RSA encryption."
 }

--- a/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/csharp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,5 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
+* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/csharp/ql/src/change-notes/2026-03-31-constantcondition-simplify.md
+++ b/csharp/ql/src/change-notes/2026-03-31-constantcondition-simplify.md
@@ -1,10 +1,4 @@
-## 1.7.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `cs/log-forging` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `cs/web/xss` has been increased from 6.1 (medium) to 7.8 (high).
-
-### Major Analysis Improvements
-
+---
+category: majorAnalysis
+---
 * The `cs/constant-condition` query has been simplified. The query no longer reports trivially constant conditions as they were found to generally be intentional. As a result, it should now produce fewer false positives. Additionally, the simplification means that it now reports all the results that `cs/constant-comparison` used to report, and as consequence, that query has been deleted.
--- a/csharp/ql/src/codeql-pack.release.yml
+++ b/csharp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.0
+lastReleaseVersion: 1.6.6
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.1-dev
+version: 1.6.7-dev
 groups:
  - csharp
  - queries
--- a/csharp/ql/test/justfile
+++ b/csharp/ql/test/justfile
@@ -1,14 +0,0 @@
-import "../justfile"
-
-base_flags := ""
-
-all_checks := f"""\
-    {{default_db_checks}}\
-    --check-undefined-labels \
-    --check-repeated-labels \
-    --check-redefined-labels \
-    --additional-packs=ql \
-    --consistency-queries={{consistency_queries}}"""
-
-[no-cd]
-test *ARGS=".": (_codeql_test "csharp" base_flags all_checks ARGS)
--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -9,8 +9,8 @@ toolchain go1.26.0
 // when adding or removing dependencies, run
 //    bazel mod tidy
 require (
-	golang.org/x/mod v0.35.0
-	golang.org/x/tools v0.44.0
+	golang.org/x/mod v0.34.0
+	golang.org/x/tools v0.43.0
 )

 require github.com/stretchr/testify v1.11.1
--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -6,12 +6,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI=
+golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.43.0 h1:12BdW9CeB3Z+J/I/wj34VMl8X+fEXBxVR90JeMX5E7s=
+golang.org/x/tools v0.43.0/go.mod h1:uHkMso649BX2cZK6+RpuIPXS3ho2hZo4FVwfoy1vIk0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/go/justfile
+++ b/go/justfile
@@ -1,7 +0,0 @@
-import '../lib.just'
-
-[group('build')]
-build: (_build_dist "go")
-
-[group('test')]
-language-tests *EXTRA_ARGS: (_language_tests EXTRA_ARGS source_dir() 'ql/test')
--- a/go/ql/consistency-queries/CHANGELOG.md
+++ b/go/ql/consistency-queries/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 1.0.47
-
-No user-facing changes.
-
 ## 1.0.46

 No user-facing changes.
--- a/go/ql/consistency-queries/change-notes/released/1.0.47.md
+++ b/go/ql/consistency-queries/change-notes/released/1.0.47.md
@@ -1,3 +0,0 @@
-## 1.0.47
-
-No user-facing changes.
--- a/go/ql/consistency-queries/codeql-pack.release.yml
+++ b/go/ql/consistency-queries/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.47
+lastReleaseVersion: 1.0.46
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.48-dev
+version: 1.0.47-dev
 groups:
  - go
  - queries
--- a/go/ql/integration-tests/justfile
+++ b/go/ql/integration-tests/justfile
@@ -1,4 +0,0 @@
-import "../../../lib.just"
-
-[no-cd]
-test *ARGS=".": (_integration_test ARGS)
--- a/go/ql/justfile
+++ b/go/ql/justfile
@@ -1,6 +0,0 @@
-import "../../lib.just"
-
-[no-cd]
-format *ARGS=".": (_format_ql ARGS)
-
-consistency_queries := source_dir() / "consistency-queries"
--- a/go/ql/lib/CHANGELOG.md
+++ b/go/ql/lib/CHANGELOG.md
@@ -1,7 +1,3 @@
-## 7.0.5
-
-No user-facing changes.
-
 ## 7.0.4

 No user-facing changes.
--- a/go/ql/lib/change-notes/released/7.0.5.md
+++ b/go/ql/lib/change-notes/released/7.0.5.md
@@ -1,3 +0,0 @@
-## 7.0.5
-
-No user-facing changes.
--- a/go/ql/lib/codeql-pack.release.yml
+++ b/go/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.0.5
+lastReleaseVersion: 7.0.4
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.0.6-dev
+version: 7.0.5-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/src/CHANGELOG.md
+++ b/go/ql/src/CHANGELOG.md
@@ -1,10 +1,3 @@
-## 1.6.0
-
-### Query Metadata Changes
-
-* The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
-* The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).
-
 ## 1.5.10

 No user-facing changes.
--- a/go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/go/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -1,6 +1,5 @@
-## 1.6.0
-
-### Query Metadata Changes
-
+---
+category: queryMetadata
+---
 * The `@security-severity` metadata of `go/log-injection` has been reduced from 7.8 (high) to 6.1 (medium).
 * The `@security-severity` metadata of `go/html-template-escaping-bypass-xss`, `go/reflected-xss` and `go/stored-xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/go/ql/src/codeql-pack.release.yml
+++ b/go/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.0
+lastReleaseVersion: 1.5.10
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.1-dev
+version: 1.5.11-dev
 groups:
  - go
  - queries
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Taus	01a9bec7df	Python: Exclude sources in functions with unclear returns A common source of FPs is when the flow inside a function depends on some argument to the function. In this case, if a non-container class is being returned in _some_ branch, we behave as if it _always_ is returned, leading to false positives where the code is actually safe because the argument to the function prevents the bad return from being executed.	2026-04-14 09:11:28 +00:00
Taus	71318cb3d5	Python: Use global data-flow for ContainsNonContainer.ql Replaces the `classTracker`-based approach with one based on global data-flow. To make it easy to share across queries, this is implemented as a parameterised module. The data-flow configuration itself keeps track of two flow states: whether we're tracking a reference to a class or a reference to an instance.	2026-04-14 09:11:28 +00:00
Taus	d74f34bb66	Python: Get rid of `isinstance` FPs Eliminates cases where we explicitly check whether the object in question is an instance of (a subclass of) a built-in container type.	2026-04-14 09:11:28 +00:00
Taus	8046bfe12f	Python: Remove some FPs for ContainsNonContainer.ql First fix handles the case where there's interference from a class-based decorator on a function. In this case, _technically_ we have an instance of the decorator class, but in practice this decorator will (hopefully) forward all accesses to the thing it wraps. The second fix has to do with methods that are added dynamically using `setattr`. In this case, we cannot be sure that the relevant methods are actually missing.	2026-04-14 09:11:28 +00:00
Taus	fe9def3ff2	Python: Port ContainsNonContainer.ql Uses the new `DuckTyping` module to handle recognising whether a class is a container or not. Only trivial test changes (one version uses "class", the other "Class"). Note that the ported query has no understanding of built-in classes. At some point we'll likely want to replace `hasUnresolvedBase` (which will hold for any class that extends a built-in) with something that's aware of the built-in classes.	2026-04-14 09:11:28 +00:00