Bump actions/setup-dotnet from 4 to 5

Bumps [actions/setup-dotnet](https://github.com/actions/setup-dotnet) from 4 to 5.
- [Release notes](https://github.com/actions/setup-dotnet/releases)
- [Commits](https://github.com/actions/setup-dotnet/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-dotnet
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

.bazelversion

@@ -1 +1 @@
-8.4.2
+8.1.1

.gitattributes

@@ -82,6 +82,9 @@
 /csharp/paket.main.bzl linguist-generated=true
 /csharp/paket.main_extension.bzl linguist-generated=true
 
+# ripunzip tool
+/misc/ripunzip/ripunzip-* filter=lfs diff=lfs merge=lfs -text
+
 # swift prebuilt resources
 /swift/third_party/resources/*.zip filter=lfs diff=lfs merge=lfs -text
 /swift/third_party/resources/*.tar.zst filter=lfs diff=lfs merge=lfs -text

.github/copilot-instructions.md

@@ -0,0 +1,4 @@
+When reviewing code:
+* do not review changes in files with `.expected` extension (they are automatically ensured to be correct).
+* in `.ql` and `.qll` files, do not try to review the code itself as you don't understand the programming language
+  well enough to make comments in these languages. You can still check for typos or comment improvements.

.github/dependabot.yml

@@ -40,8 +40,3 @@ updates:
       - dependency-name: "*"
     reviewers:
       - "github/codeql-go"
-
-  - package-ecosystem: bazel
-    directory: "/"
-    schedule:
-      interval: weekly

.github/instructions/expected-files.instructions.md

@@ -1,4 +0,0 @@
----
-applyTo: "**/*.expected"
----
-Ignore these files. These are generated to be correct by running the tests, and should not be edited manually.

.github/instructions/ql-files.instructions.md

@@ -1,6 +0,0 @@
----
-applyTo: "**/*.ql,**/*.qll"
----
-When reviewing these QL files, do not make any comment on the code itself. You don't understand the QL programming language well enough yet. You can only make comments about the following aspects:
-* comments (lines starting with `//` or block comments enclosed in `/* ... */`): you can suggest improvements to the clarity of comments, or point out spelling mistakes
-* typos in identifiers

.github/workflows/build-ripunzip.yml

@@ -0,0 +1,74 @@
+name: Build runzip
+
+on:
+  workflow_dispatch:
+    inputs:
+      ripunzip-version:
+        description: "what reference to checktout from google/runzip"
+        required: false
+        default: v2.0.2
+      openssl-version:
+        description: "what reference to checkout from openssl/openssl for Linux"
+        required: false
+        default: openssl-3.5.0
+
+jobs:
+  build:
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [ubuntu-22.04, macos-13, windows-2022]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v5
+        with:
+          repository: google/ripunzip
+          ref: ${{ inputs.ripunzip-version }}
+      # we need to avoid ripunzip dynamically linking into libssl
+      # see https://github.com/sfackler/rust-openssl/issues/183
+      - if: runner.os == 'Linux'
+        name: checkout openssl
+        uses: actions/checkout@v5
+        with:
+          repository: openssl/openssl
+          path: openssl
+          ref: ${{ inputs.openssl-version }}
+      - if: runner.os == 'Linux'
+        name: build and install openssl with fPIC
+        shell: bash
+        working-directory: openssl
+        run: |
+          ./config -fPIC --prefix=$HOME/.local --openssldir=$HOME/.local/ssl
+          make -j $(nproc)
+          make install_sw -j $(nproc)
+      - if: runner.os == 'Linux'
+        name: build (linux)
+        shell: bash
+        run: |
+          env OPENSSL_LIB_DIR=$HOME/.local/lib64 OPENSSL_INCLUDE_DIR=$HOME/.local/include OPENSSL_STATIC=yes cargo build --release
+          mv target/release/ripunzip ripunzip-linux
+      - if: runner.os == 'Windows'
+        name: build (windows)
+        shell: bash
+        run: |
+          cargo build --release
+          mv target/release/ripunzip ripunzip-windows
+      - name: build (macOS)
+        if: runner.os == 'macOS'
+        shell: bash
+        run: |
+          rustup target install x86_64-apple-darwin
+          rustup target install aarch64-apple-darwin
+          cargo build --target x86_64-apple-darwin --release
+          cargo build --target aarch64-apple-darwin --release
+          lipo -create -output ripunzip-macos \
+            -arch x86_64 target/x86_64-apple-darwin/release/ripunzip \
+            -arch arm64 target/aarch64-apple-darwin/release/ripunzip
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ripunzip-${{ runner.os }}
+          path: ripunzip-*
+      - name: Check built binary
+        shell: bash
+        run: |
+          ./ripunzip-* --version

.github/workflows/codeql-analysis.yml

@@ -32,9 +32,9 @@ jobs:
 
     steps:
     - name: Setup dotnet
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@v5
       with:
-        dotnet-version: 10.0.100
+        dotnet-version: 9.0.300
 
     - name: Checkout repository
       uses: actions/checkout@v5

.github/workflows/csharp-qltest.yml

@@ -41,16 +41,16 @@ jobs:
     steps:
       - uses: actions/checkout@v5
       - name: Setup dotnet
-        uses: actions/setup-dotnet@v4
+        uses: actions/setup-dotnet@v5
         with:
-          dotnet-version: 10.0.100
+          dotnet-version: 9.0.300
       - name: Extractor unit tests
         run: |
           dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=10.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest

.gitignore

@@ -76,6 +76,3 @@ node_modules/
 # some upgrade/downgrade checks create these files
 **/upgrades/*/*.dbscheme.stats
 **/downgrades/*/*.dbscheme.stats
-
-# Mergetool files
-*.orig

CODEOWNERS

@@ -1,33 +1,17 @@
-# Catch-all for anything which isn't matched by a line lower down
-* @github/code-scanning-alert-coverage
-
-# CodeQL language libraries
 /actions/ @github/codeql-dynamic
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
-/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
-/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor @github/code-scanning-language-coverage
+/csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor
+/csharp/autobuilder/Semmle.Autobuild.Cpp.Tests @github/codeql-c-extractor
 /go/ @github/codeql-go
-/go/codeql-tools/ @github/codeql-go @github/code-scanning-language-coverage
-/go/downgrades/ @github/codeql-go @github/code-scanning-language-coverage
-/go/extractor/ @github/codeql-go @github/code-scanning-language-coverage
-/go/extractor-smoke-test/ @github/codeql-go @github/code-scanning-language-coverage
-/go/ql/test/extractor-tests/ @github/codeql-go @github/code-scanning-language-coverage
 /java/ @github/codeql-java
 /javascript/ @github/codeql-javascript
-/javascript/extractor/ @github/codeql-javascript @github/code-scanning-language-coverage
 /python/ @github/codeql-python
-/python/extractor/ @github/codeql-python @github/code-scanning-language-coverage
-/ql/ @github/codeql-ql-for-ql-reviewers
 /ruby/ @github/codeql-ruby
-/ruby/extractor/ @github/codeql-ruby @github/code-scanning-language-coverage
 /rust/ @github/codeql-rust
-/rust/extractor/ @github/codeql-rust @github/code-scanning-language-coverage
-/shared/ @github/codeql-shared-libraries-reviewers
 /swift/ @github/codeql-swift
-/swift/extractor/ @github/codeql-swift @github/code-scanning-language-coverage
 /misc/codegen/ @github/codeql-swift
-/java/kotlin-extractor/ @github/codeql-kotlin @github/code-scanning-language-coverage
+/java/kotlin-extractor/ @github/codeql-kotlin
 /java/ql/test-kotlin1/ @github/codeql-kotlin
 /java/ql/test-kotlin2/ @github/codeql-kotlin
 
@@ -41,6 +25,9 @@
 /docs/codeql/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
 
+# QL for QL reviewers
+/ql/ @github/codeql-ql-for-ql-reviewers
+
 # Bazel (excluding BUILD.bazel files)
 MODULE.bazel @github/codeql-ci-reviewers
 .bazelversion @github/codeql-ci-reviewers

Cargo.toml

@@ -10,3 +10,4 @@ members = [
     "rust/ast-generator",
     "rust/autobuild",
 ]
+exclude = ["mad-generation-build"]

MODULE.bazel

@@ -19,16 +19,16 @@ bazel_dep(name = "rules_go", version = "0.56.1")
 bazel_dep(name = "rules_pkg", version = "1.0.1")
 bazel_dep(name = "rules_nodejs", version = "6.2.0-codeql.1")
 bazel_dep(name = "rules_python", version = "0.40.0")
-bazel_dep(name = "rules_shell", version = "0.5.0")
-bazel_dep(name = "bazel_skylib", version = "1.8.1")
+bazel_dep(name = "rules_shell", version = "0.3.0")
+bazel_dep(name = "bazel_skylib", version = "1.7.1")
 bazel_dep(name = "abseil-cpp", version = "20240116.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
-bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
+bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
+bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
-bazel_dep(name = "rules_rust", version = "0.66.0")
+bazel_dep(name = "rules_rust", version = "0.63.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
 
 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
@@ -89,8 +89,8 @@ use_repo(
     "vendor_py__cc-1.2.14",
     "vendor_py__clap-4.5.30",
     "vendor_py__regex-1.11.1",
-    "vendor_py__tree-sitter-0.24.7",
-    "vendor_py__tree-sitter-graph-0.12.0",
+    "vendor_py__tree-sitter-0.20.4",
+    "vendor_py__tree-sitter-graph-0.7.0",
 )
 
 # deps for ruby+rust
@@ -98,54 +98,54 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.100",
+    "vendor_ts__anyhow-1.0.99",
     "vendor_ts__argfile-0.2.1",
     "vendor_ts__chalk-ir-0.104.0",
-    "vendor_ts__chrono-0.4.42",
-    "vendor_ts__clap-4.5.48",
+    "vendor_ts__chrono-0.4.41",
+    "vendor_ts__clap-4.5.44",
     "vendor_ts__dunce-1.0.5",
     "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
     "vendor_ts__figment-0.10.19",
-    "vendor_ts__flate2-1.1.2",
+    "vendor_ts__flate2-1.1.0",
     "vendor_ts__glob-0.3.3",
-    "vendor_ts__globset-0.4.16",
+    "vendor_ts__globset-0.4.15",
     "vendor_ts__itertools-0.14.0",
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
     "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.101",
-    "vendor_ts__quote-1.0.41",
-    "vendor_ts__ra_ap_base_db-0.0.301",
-    "vendor_ts__ra_ap_cfg-0.0.301",
-    "vendor_ts__ra_ap_hir-0.0.301",
-    "vendor_ts__ra_ap_hir_def-0.0.301",
-    "vendor_ts__ra_ap_hir_expand-0.0.301",
-    "vendor_ts__ra_ap_hir_ty-0.0.301",
-    "vendor_ts__ra_ap_ide_db-0.0.301",
-    "vendor_ts__ra_ap_intern-0.0.301",
-    "vendor_ts__ra_ap_load-cargo-0.0.301",
-    "vendor_ts__ra_ap_parser-0.0.301",
-    "vendor_ts__ra_ap_paths-0.0.301",
-    "vendor_ts__ra_ap_project_model-0.0.301",
-    "vendor_ts__ra_ap_span-0.0.301",
-    "vendor_ts__ra_ap_stdx-0.0.301",
-    "vendor_ts__ra_ap_syntax-0.0.301",
-    "vendor_ts__ra_ap_vfs-0.0.301",
+    "vendor_ts__proc-macro2-1.0.97",
+    "vendor_ts__quote-1.0.40",
+    "vendor_ts__ra_ap_base_db-0.0.300",
+    "vendor_ts__ra_ap_cfg-0.0.300",
+    "vendor_ts__ra_ap_hir-0.0.300",
+    "vendor_ts__ra_ap_hir_def-0.0.300",
+    "vendor_ts__ra_ap_hir_expand-0.0.300",
+    "vendor_ts__ra_ap_hir_ty-0.0.300",
+    "vendor_ts__ra_ap_ide_db-0.0.300",
+    "vendor_ts__ra_ap_intern-0.0.300",
+    "vendor_ts__ra_ap_load-cargo-0.0.300",
+    "vendor_ts__ra_ap_parser-0.0.300",
+    "vendor_ts__ra_ap_paths-0.0.300",
+    "vendor_ts__ra_ap_project_model-0.0.300",
+    "vendor_ts__ra_ap_span-0.0.300",
+    "vendor_ts__ra_ap_stdx-0.0.300",
+    "vendor_ts__ra_ap_syntax-0.0.300",
+    "vendor_ts__ra_ap_vfs-0.0.300",
     "vendor_ts__rand-0.9.2",
-    "vendor_ts__rayon-1.11.0",
-    "vendor_ts__regex-1.11.3",
-    "vendor_ts__serde-1.0.228",
-    "vendor_ts__serde_json-1.0.145",
-    "vendor_ts__serde_with-3.14.1",
-    "vendor_ts__syn-2.0.106",
-    "vendor_ts__toml-0.9.7",
+    "vendor_ts__rayon-1.10.0",
+    "vendor_ts__regex-1.11.1",
+    "vendor_ts__serde-1.0.219",
+    "vendor_ts__serde_json-1.0.142",
+    "vendor_ts__serde_with-3.14.0",
+    "vendor_ts__syn-2.0.104",
+    "vendor_ts__toml-0.9.5",
     "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
-    "vendor_ts__tracing-subscriber-0.3.20",
-    "vendor_ts__tree-sitter-0.25.9",
-    "vendor_ts__tree-sitter-embedded-template-0.25.0",
+    "vendor_ts__tracing-subscriber-0.3.19",
+    "vendor_ts__tree-sitter-0.24.6",
+    "vendor_ts__tree-sitter-embedded-template-0.23.2",
     "vendor_ts__tree-sitter-json-0.24.8",
     "vendor_ts__tree-sitter-ql-0.23.1",
     "vendor_ts__tree-sitter-ruby-0.23.1",
@@ -172,7 +172,7 @@ http_archive(
 )
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "10.0.100")
+dotnet.toolchain(dotnet_version = "9.0.300")
 use_repo(dotnet, "dotnet_toolchains")
 
 register_toolchains("@dotnet_toolchains//:all")
@@ -269,16 +269,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-ripunzip_archive = use_repo_rule("//misc/ripunzip:ripunzip.bzl", "ripunzip_archive")
+lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
 
-# go to https://github.com/GoogleChrome/ripunzip/releases to find latest version and corresponding sha256s
-ripunzip_archive(
-    name = "ripunzip",
-    sha256_linux = "71482d7a7e4ea9176d5596161c49250c34b136b157c45f632b1111323fbfc0de",
-    sha256_macos_arm = "604194ab13f0aba3972995d995f11002b8fc285c8170401fcd46655065df20c9",
-    sha256_macos_intel = "65367b94fd579d93d46f2d2595cc4c9a60cfcf497e3c824f9d1a7b80fa8bd38a",
-    sha256_windows = "ac3874075def2b9e5074a3b5945005ab082cc6e689e1de658da8965bc23e643e",
-    version = "2.0.4",
+lfs_archive(
+    name = "ripunzip-linux",
+    src = "//misc/ripunzip:ripunzip-Linux.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+)
+
+lfs_archive(
+    name = "ripunzip-windows",
+    src = "//misc/ripunzip:ripunzip-Windows.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
+)
+
+lfs_archive(
+    name = "ripunzip-macos",
+    src = "//misc/ripunzip:ripunzip-macOS.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
 register_toolchains(

actions/ql/lib/CHANGELOG.md

@@ -1,35 +1,3 @@
-## 0.4.24
-
-No user-facing changes.
-
-## 0.4.23
-
-No user-facing changes.
-
-## 0.4.22
-
-No user-facing changes.
-
-## 0.4.21
-
-No user-facing changes.
-
-## 0.4.20
-
-No user-facing changes.
-
-## 0.4.19
-
-No user-facing changes.
-
-## 0.4.18
-
-No user-facing changes.
-
-## 0.4.17
-
-No user-facing changes.
-
 ## 0.4.16
 
 No user-facing changes.

actions/ql/lib/change-notes/2025-11-28-fix-code-injection-alert-filtering.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* The query `actions/code-injection/medium` has been updated to include results which were incorrectly excluded while filtering out results that are reported by `actions/code-injection/critical`.

actions/ql/lib/change-notes/released/0.4.17.md

@@ -1,3 +0,0 @@
-## 0.4.17
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.18.md

@@ -1,3 +0,0 @@
-## 0.4.18
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.19.md

@@ -1,3 +0,0 @@
-## 0.4.19
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.20.md

@@ -1,3 +0,0 @@
-## 0.4.20
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.21.md

@@ -1,3 +0,0 @@
-## 0.4.21
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.22.md

@@ -1,3 +0,0 @@
-## 0.4.22
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.23.md

@@ -1,3 +0,0 @@
-## 0.4.23
-
-No user-facing changes.

actions/ql/lib/change-notes/released/0.4.24.md

@@ -1,3 +0,0 @@
-## 0.4.24
-
-No user-facing changes.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.24
+lastReleaseVersion: 0.4.16

actions/ql/lib/codeql/actions/security/ArgumentInjectionQuery.qll

@@ -100,6 +100,8 @@ private module ArgumentInjectionConfig implements DataFlow::ConfigSig {
 
   predicate observeDiffInformedIncrementalMode() { any() }
 
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.getLocation()
     or

actions/ql/lib/codeql/actions/security/ArtifactPoisoningQuery.qll

@@ -333,6 +333,8 @@ private module ArtifactPoisoningConfig implements DataFlow::ConfigSig {
 
   predicate observeDiffInformedIncrementalMode() { any() }
 
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.getLocation()
     or

actions/ql/lib/codeql/actions/security/CodeInjectionQuery.qll

@@ -19,7 +19,12 @@ class CodeInjectionSink extends DataFlow::Node {
 Event getRelevantCriticalEventForSink(DataFlow::Node sink) {
   inPrivilegedContext(sink.asExpr(), result) and
   not exists(ControlCheck check | check.protects(sink.asExpr(), result, "code-injection")) and
-  not isGithubScriptUsingToJson(sink.asExpr())
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.asExpr() and
+    exists(getAToJsonReferenceExpression(sink.asExpr().(Expression).getExpression(), _))
+  )
 }
 
 /**
@@ -75,6 +80,8 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 
   predicate observeDiffInformedIncrementalMode() { any() }
 
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.getLocation()
     or
@@ -86,38 +93,3 @@ private module CodeInjectionConfig implements DataFlow::ConfigSig {
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a code script. */
 module CodeInjectionFlow = TaintTracking::Global<CodeInjectionConfig>;
-
-/**
- * Holds if there is a code injection flow from `source` to `sink` with
- * critical severity, linked by `event`.
- */
-predicate criticalSeverityCodeInjection(
-  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-) {
-  CodeInjectionFlow::flowPath(source, sink) and
-  event = getRelevantCriticalEventForSink(sink.getNode()) and
-  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
-}
-
-/**
- * Holds if there is a code injection flow from `source` to `sink` with medium severity.
- */
-predicate mediumSeverityCodeInjection(
-  CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-) {
-  CodeInjectionFlow::flowPath(source, sink) and
-  not criticalSeverityCodeInjection(source, sink, _) and
-  not isGithubScriptUsingToJson(sink.getNode().asExpr())
-}
-
-/**
- * Holds if `expr` is the `script` input to `actions/github-script` and it uses
- * `toJson`.
- */
-predicate isGithubScriptUsingToJson(Expression expr) {
-  exists(UsesStep script |
-    script.getCallee() = "actions/github-script" and
-    script.getArgumentExpr("script") = expr and
-    exists(getAToJsonReferenceExpression(expr.getExpression(), _))
-  )
-}

actions/ql/lib/codeql/actions/security/EnvPathInjectionQuery.qll

@@ -130,6 +130,8 @@ private module EnvPathInjectionConfig implements DataFlow::ConfigSig {
 
   predicate observeDiffInformedIncrementalMode() { any() }
 
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.getLocation()
     or

actions/ql/lib/codeql/actions/security/EnvVarInjectionQuery.qll

@@ -184,6 +184,8 @@ private module EnvVarInjectionConfig implements DataFlow::ConfigSig {
 
   predicate observeDiffInformedIncrementalMode() { any() }
 
+  Location getASelectedSourceLocation(DataFlow::Node source) { none() }
+
   Location getASelectedSinkLocation(DataFlow::Node sink) {
     result = sink.getLocation()
     or

actions/ql/lib/codeql/actions/security/OutputClobberingQuery.qll

@@ -212,6 +212,8 @@ private module OutputClobberingConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate an environment variable. */

actions/ql/lib/codeql/actions/security/RequestForgeryQuery.qll

@@ -18,6 +18,8 @@ private module RequestForgeryConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof RequestForgerySink }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used to construct and evaluate a system command. */

actions/ql/lib/codeql/actions/security/SecretExfiltrationQuery.qll

@@ -17,6 +17,8 @@ private module SecretExfiltrationConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink instanceof SecretExfiltrationSink }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 /** Tracks flow of unsafe user input that is used in a context where it may lead to a secret exfiltration. */

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.25-dev
+version: 0.4.17-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,37 +1,3 @@
-## 0.6.16
-
-No user-facing changes.
-
-## 0.6.15
-
-No user-facing changes.
-
-## 0.6.14
-
-No user-facing changes.
-
-## 0.6.13
-
-No user-facing changes.
-
-## 0.6.12
-
-No user-facing changes.
-
-## 0.6.11
-
-No user-facing changes.
-
-## 0.6.10
-
-No user-facing changes.
-
-## 0.6.9
-
-### Minor Analysis Improvements
-
-* Actions analysis now reports file coverage information on the CodeQL status page.
-
 ## 0.6.8
 
 No user-facing changes.

actions/ql/src/Models/CompositeActionsSinks.ql

@@ -26,6 +26,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSources.ql

@@ -36,6 +36,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/CompositeActionsSummaries.ql

@@ -27,6 +27,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSinks.ql

@@ -26,6 +26,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSources.ql

@@ -36,6 +36,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Models/ReusableWorkflowsSummaries.ql

@@ -27,6 +27,8 @@ private module MyConfig implements DataFlow::ConfigSig {
   }
 
   predicate observeDiffInformedIncrementalMode() { any() }
+
+  Location getASelectedSourceLocation(DataFlow::Node sink) { none() }
 }
 
 module MyFlow = TaintTracking::Global<MyConfig>;

actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql

@@ -20,7 +20,10 @@ import CodeInjectionFlow::PathGraph
 import codeql.actions.security.ControlChecks
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink, Event event
-where criticalSeverityCodeInjection(source, sink, event)
+where
+  CodeInjectionFlow::flowPath(source, sink) and
+  event = getRelevantCriticalEventForSink(sink.getNode()) and
+  source.getNode().(RemoteFlowSource).getEventName() = event.getName()
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user ($@).", sink,
   sink.getNode().asExpr().(Expression).getRawExpression(), event, event.getName()

actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql

@@ -19,7 +19,15 @@ import codeql.actions.security.CodeInjectionQuery
 import CodeInjectionFlow::PathGraph
 
 from CodeInjectionFlow::PathNode source, CodeInjectionFlow::PathNode sink
-where mediumSeverityCodeInjection(source, sink)
+where
+  CodeInjectionFlow::flowPath(source, sink) and
+  inNonPrivilegedContext(sink.getNode().asExpr()) and
+  // exclude cases where the sink is a JS script and the expression uses toJson
+  not exists(UsesStep script |
+    script.getCallee() = "actions/github-script" and
+    script.getArgumentExpr("script") = sink.getNode().asExpr() and
+    exists(getAToJsonReferenceExpression(sink.getNode().asExpr().(Expression).getExpression(), _))
+  )
 select sink.getNode(), source, sink,
   "Potential code injection in $@, which may be controlled by an external user.", sink,
   sink.getNode().asExpr().(Expression).getRawExpression()

actions/ql/src/Security/CWE-275/MissingActionsPermissions.md

@@ -2,8 +2,6 @@
 
 If a GitHub Actions job or workflow has no explicit permissions set, then the repository permissions are used. Repositories created under organizations inherit the organization permissions. The organizations or repositories created before February 2023 have the default permissions set to read-write. Often these permissions do not adhere to the principle of least privilege and can be reduced to read-only, leaving the `write` permission only to a specific types as `issues: write` or `pull-requests: write`.
 
-Note that this query cannot check whether the organization or repository token settings are set to read-only. However, even if they are, it is recommended to define explicit permissions (`contents: read` and `packages: read` are equivalent to the read-only default) so that (a) the actual needs of the workflow are documented, and (b) the permissions will remain restricted if the default is subsequently changed, or the workflow is copied to a different repository or organization.
-
 ## Recommendation
 
 Add the `permissions` key to the job or the root of workflow (in this case it is applied to all jobs in the workflow that do not have their own `permissions` key) and assign the least privileges required to complete the task.

actions/ql/src/change-notes/2025-09-05-file-coverage.md

@@ -1,5 +1,4 @@
-## 0.6.9
-
-### Minor Analysis Improvements
-
+---
+category: minorAnalysis
+---
 * Actions analysis now reports file coverage information on the CodeQL status page.

actions/ql/src/change-notes/released/0.6.10.md

@@ -1,3 +0,0 @@
-## 0.6.10
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.11.md

@@ -1,3 +0,0 @@
-## 0.6.11
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.12.md

@@ -1,3 +0,0 @@
-## 0.6.12
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.13.md

@@ -1,3 +0,0 @@
-## 0.6.13
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.14.md

@@ -1,3 +0,0 @@
-## 0.6.14
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.15.md

@@ -1,3 +0,0 @@
-## 0.6.15
-
-No user-facing changes.

actions/ql/src/change-notes/released/0.6.16.md

@@ -1,3 +0,0 @@
-## 0.6.16
-
-No user-facing changes.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.16
+lastReleaseVersion: 0.6.8

actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql

@@ -19,5 +19,5 @@ import SecretExfiltrationFlow::PathGraph
 from SecretExfiltrationFlow::PathNode source, SecretExfiltrationFlow::PathNode sink
 where SecretExfiltrationFlow::flowPath(source, sink)
 select sink.getNode(), source, sink,
-  "Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource.",
+  "Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource.",
   sink, sink.getNode().asExpr().(Expression).getRawExpression()

actions/ql/src/experimental/Security/CWE-829/ArtifactPoisoningPathTraversal.ql

@@ -1,5 +1,5 @@
 /**
- * @name Artifact Poisoning (Path Traversal)
+ * @name Artifact Poisoning (Path Traversal).
  * @description An attacker may be able to poison the workflow's artifacts and influence on consequent steps.
  * @kind problem
  * @problem.severity error

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.17-dev
+version: 0.6.9-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-094/.github/workflows/push_and_workflow_dispatch.yml

@@ -1,18 +0,0 @@
-on:
-  push:
-  workflow_dispatch:
-
-jobs:
-  echo-chamber:
-    runs-on: ubuntu-latest
-    steps:
-    - run: echo '${{ github.event.commits[11].message }}'
-    - run: echo '${{ github.event.commits[11].author.email }}'
-    - run: echo '${{ github.event.commits[11].author.name }}'
-    - run: echo '${{ github.event.head_commit.message }}'
-    - run: echo '${{ github.event.head_commit.author.email }}'
-    - run: echo '${{ github.event.head_commit.author.name }}'
-    - run: echo '${{ github.event.head_commit.committer.email }}'
-    - run: echo '${{ github.event.head_commit.committer.name }}'
-    - run: echo '${{ github.event.commits[11].committer.email }}'
-    - run: echo '${{ github.event.commits[11].committer.name }}'

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionCritical.expected

@@ -435,16 +435,6 @@ nodes
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |

actions/ql/test/query-tests/Security/CWE-094/CodeInjectionMedium.expected

@@ -435,16 +435,6 @@ nodes
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | semmle.label | github.event.commits[11].message |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | semmle.label | github.event.commits[11].author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | semmle.label | github.event.commits[11].author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | semmle.label | github.event.head_commit.message |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | semmle.label | github.event.head_commit.author.email |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | semmle.label | github.event.head_commit.author.name |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | semmle.label | github.event.head_commit.committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | semmle.label | github.event.head_commit.committer.name |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | semmle.label | github.event.commits[11].committer.email |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | semmle.label | github.event.commits[11].committer.name |
 | .github/workflows/reusable-workflow-1.yml:6:7:6:11 | input taint | semmle.label | input taint |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | semmle.label | inputs.taint |
 | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
@@ -729,16 +719,6 @@ subpaths
 | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:14:19:14:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
 | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:15:19:15:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
 | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push.yml:16:19:16:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:9:19:9:57 | github.event.commits[11].message | ${{ github.event.commits[11].message }} |
-| .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:10:19:10:62 | github.event.commits[11].author.email | ${{ github.event.commits[11].author.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:11:19:11:61 | github.event.commits[11].author.name | ${{ github.event.commits[11].author.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:12:19:12:57 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:13:19:13:62 | github.event.head_commit.author.email | ${{ github.event.head_commit.author.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:14:19:14:61 | github.event.head_commit.author.name | ${{ github.event.head_commit.author.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:15:19:15:65 | github.event.head_commit.committer.email | ${{ github.event.head_commit.committer.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:16:19:16:64 | github.event.head_commit.committer.name | ${{ github.event.head_commit.committer.name }} |
-| .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:17:19:17:65 | github.event.commits[11].committer.email | ${{ github.event.commits[11].committer.email }} |
-| .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/push_and_workflow_dispatch.yml:18:19:18:64 | github.event.commits[11].committer.name | ${{ github.event.commits[11].committer.name }} |
 | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | .github/workflows/reusable-workflow-caller-1.yml:11:15:11:52 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:36:21:36:39 | inputs.taint | ${{ inputs.taint }} |
 | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | .github/workflows/reusable-workflow-1.yml:44:19:44:56 | github.event.pull_request.title | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:53:26:53:39 | env.log | ${{ env.log }} |
 | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | .github/workflows/reusable-workflow-1.yml:45:24:45:61 | github.event.changes.title.from | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/reusable-workflow-1.yml:66:34:66:52 | env.prev_log | ${{ env.prev_log }} |
@@ -749,10 +729,6 @@ subpaths
 | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:333:34:333:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:423:34:423:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test10.yml:518:34:518:77 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
-| .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test20.yml:15:54:15:94 | github.event.pull_request.head.ref | ${{ github.event.pull_request.head.ref }} |
-| .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:22:35:22:73 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:23:36:23:74 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
-| .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/test21.yml:24:50:24:88 | github.event.head_commit.message | ${{ github.event.head_commit.message }} |
 | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches1.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches2.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |
 | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | Potential code injection in $@, which may be controlled by an external user. | .github/workflows/workflow_run_branches4.yml:13:20:13:63 | github.event.workflow_run.head_branch | ${{ github.event.workflow_run.head_branch }} |

actions/ql/test/query-tests/Security/CWE-200/SecretExfiltration.expected

@@ -3,4 +3,4 @@ nodes
 | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | semmle.label | github.event.pull_request.title |
 subpaths
 #select
-| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |
+| .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | Potential secret exfiltration in $@, which may be be leaked to an attacker-controlled resource. | .github/workflows/test1.yml:15:11:16:75 | github.event.pull_request.title | ${{ github.event.pull_request.title }} |

config/add-overlay-annotations.py

@@ -177,12 +177,6 @@ def insert_overlay_caller_annotations(lines):
         out_lines.append(line)
     return out_lines
 
-explicitly_global = set([
-    "java/ql/lib/semmle/code/java/dispatch/VirtualDispatch.qll",
-    "java/ql/lib/semmle/code/java/dispatch/DispatchFlow.qll",
-    "java/ql/lib/semmle/code/java/dispatch/ObjFlow.qll",
-    "java/ql/lib/semmle/code/java/dispatch/internal/Unification.qll",
-])
 
 def annotate_as_appropriate(filename, lines):
     '''
@@ -202,9 +196,6 @@ def annotate_as_appropriate(filename, lines):
         ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
          any("implements DataFlow::ConfigSig" in line for line in lines))):
         return None
-    elif filename in explicitly_global:
-        # These files are explicitly global and should not be annotated.
-        return None
     elif not any(line for line in lines if line.strip()):
         return None
 

config/dbscheme-fragments.json

@@ -9,7 +9,6 @@
   "fragments": [
     "/*- Compilations -*/",
     "/*- External data -*/",
-    "/*- Overlay support -*/",
     "/*- Files and folders -*/",
     "/*- Diagnostic messages -*/",
     "/*- Diagnostic messages: severity -*/",

config/identical-files.json

@@ -276,13 +276,5 @@
   "Python model summaries test extension": [
     "python/ql/test/library-tests/dataflow/model-summaries/InlineTaintTest.ext.yml",
     "python/ql/test/library-tests/dataflow/model-summaries/NormalDataflowTest.ext.yml"
-  ],
-  "XML discard predicates": [
-    "javascript/ql/lib/semmle/javascript/internal/OverlayXml.qll",
-    "java/ql/lib/semmle/code/java/internal/OverlayXml.qll",
-    "go/ql/lib/semmle/go/internal/OverlayXml.qll",
-    "python/ql/lib/semmle/python/internal/OverlayXml.qll",
-    "csharp/ql/lib/semmle/code/csharp/internal/OverlayXml.qll",
-    "cpp/ql/lib/semmle/code/cpp/internal/OverlayXml.qll"
   ]
 }

cpp/downgrades/1a6854060d5d3ada16c580a29f8c5ce21f3367f8/upgrade.properties

@@ -1,3 +0,0 @@
-description: Support expanded compilation argument lists
-compatibility: full
-compilation_expanded_args.rel: delete

cpp/downgrades/2121ffec11fac265524955fee1775217364d4ca4/upgrade.properties

@@ -1,2 +0,0 @@
-description: Fix decltype qualifier issue
-compatibility: full

cpp/downgrades/a42ce5fc943254097f85471b94ae2247e819104a/upgrade.properties

@@ -1,4 +0,0 @@
-description: Add databaseMetadata and overlayChangedFiles relations
-compatibility: full
-databaseMetadata.rel: delete
-overlayChangedFiles.rel: delete

cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected

@@ -7,10 +7,12 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
 ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
 ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
 ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
 ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -28,6 +30,7 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
 ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
 ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
 ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
 ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
 ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
 ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -40,6 +43,7 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
 ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
 ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql

cpp/ql/lib/CHANGELOG.md

@@ -1,55 +1,3 @@
-## 6.1.3
-
-No user-facing changes.
-
-## 6.1.2
-
-No user-facing changes.
-
-## 6.1.1
-
-### Minor Analysis Improvements
-
-* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.
-
-## 6.1.0
-
-### New Features
-
-* New predicates `getAnExpandedArgument` and `getExpandedArgument` were added to the `Compilation` class, yielding compilation arguments after expansion of response files.
-
-### Bug Fixes
-
-* Improve performance of the range analysis in cases where it would otherwise take an exorbitant amount of time.
-
-## 6.0.1
-
-No user-facing changes.
-
-## 6.0.0
-
-### Breaking Changes
-
-* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
-
-### New Features
-
-* C/C++ `build-mode: none` support is now generally available.
-
-## 5.6.1
-
-No user-facing changes.
-
-## 5.6.0
-
-### Deprecated APIs
-
-* The predicate `getAContructorCall` in the class `SslContextClass` has been deprecated. Use `getAConstructorCall` instead.
-
-### New Features
-
-* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type is defined in terms of another `VlaDeclStmt` via a `typedef`.
-
 ## 5.5.0
 
 ### New Features

cpp/ql/lib/change-notes/2025-09-02-vla.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type defined in terms of an other `VlaDeclStmt` via a `typedef`.

cpp/ql/lib/change-notes/2025-09-03-rename-api.md

@@ -0,0 +1,4 @@
+---
+category: deprecated
+---
+* The predicate `getAContructorCall` in the class `SslContextClass` has been deprecated. Use `getAConstructorCall` instead.

cpp/ql/lib/change-notes/2026-01-02-constant-folding.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Some constants will now be represented by their unfolded expression trees. The `isConstant` predicate of `Expr` will no longer yield a result for those constants.

cpp/ql/lib/change-notes/released/5.6.0.md

@@ -1,9 +0,0 @@
-## 5.6.0
-
-### Deprecated APIs
-
-* The predicate `getAContructorCall` in the class `SslContextClass` has been deprecated. Use `getAConstructorCall` instead.
-
-### New Features
-
-* Added predicates `getTransitiveNumberOfVlaDimensionStmts`, `getTransitiveVlaDimensionStmt`, and `getParentVlaDecl` to `VlaDeclStmt` for handling `VlaDeclStmt`s whose base type is defined in terms of another `VlaDeclStmt` via a `typedef`.

cpp/ql/lib/change-notes/released/5.6.1.md

@@ -1,3 +0,0 @@
-## 5.6.1
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/6.0.0.md

@@ -1,9 +0,0 @@
-## 6.0.0
-
-### Breaking Changes
-
-* The "Guards" libraries (`semmle.code.cpp.controlflow.Guards` and `semmle.code.cpp.controlflow.IRGuards`) have been totally rewritten to recognize many more guards. The API remains unchanged, but the `GuardCondition` class now extends `Element` instead of `Expr`.
-
-### New Features
-
-* C/C++ `build-mode: none` support is now generally available.

cpp/ql/lib/change-notes/released/6.0.1.md

@@ -1,3 +0,0 @@
-## 6.0.1
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/6.1.0.md

@@ -1,9 +0,0 @@
-## 6.1.0
-
-### New Features
-
-* New predicates `getAnExpandedArgument` and `getExpandedArgument` were added to the `Compilation` class, yielding compilation arguments after expansion of response files.
-
-### Bug Fixes
-
-* Improve performance of the range analysis in cases where it would otherwise take an exorbitant amount of time.

cpp/ql/lib/change-notes/released/6.1.1.md

@@ -1,5 +0,0 @@
-## 6.1.1
-
-### Minor Analysis Improvements
-
-* The class `DataFlow::FieldContent` now covers both `union` and `struct`/`class` types. A new predicate `FieldContent.getAField` has been added to access the union members associated with the `FieldContent`. The old `FieldContent` has been renamed to `NonUnionFieldContent`.

cpp/ql/lib/change-notes/released/6.1.2.md

@@ -1,3 +0,0 @@
-## 6.1.2
-
-No user-facing changes.

cpp/ql/lib/change-notes/released/6.1.3.md

@@ -1,3 +0,0 @@
-## 6.1.3
-
-No user-facing changes.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.1.3
+lastReleaseVersion: 5.5.0

cpp/ql/lib/cpp.qll

@@ -74,4 +74,3 @@ import semmle.code.cpp.Preprocessor
 import semmle.code.cpp.Iteration
 import semmle.code.cpp.NameQualifiers
 import DefaultOptions
-private import semmle.code.cpp.internal.Overlay

cpp/ql/lib/experimental/quantum/Language.qll

@@ -14,8 +14,8 @@ module CryptoInput implements InputSig<Language::Location> {
     result = node.asExpr() or
     result = node.asParameter() or
     result = node.asVariable() or
-    result = node.asDefiningArgument() or
-    result = node.asIndirectExpr()
+    result = node.asDefiningArgument()
+    // TODO: do we need asIndirectExpr()?
   }
 
   string locationToFileBaseNameAndLineNumberString(Location location) {
@@ -53,7 +53,7 @@ module ArtifactFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
-module ArtifactFlow = TaintTracking::Global<ArtifactFlowConfig>;
+module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
 
 /**
  * An artifact output to node input configuration
@@ -93,13 +93,7 @@ module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig
 
 private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof OpenSslGenericSourceCandidateLiteral
 {
-  override DataFlow::Node getOutputNode() {
-    // OpenSSL algorithms may be referenced either by string name or by numeric ID:
-    // String names (e.g. "AES-256-CBC") appear in the AST as character pointer
-    // literals. For these we must use `asIndirectExpr`. Numeric IDs (e.g. NID_aes_256_cbc)
-    // appear as integer literals. For these, we must use `asExpr` to get the "value" node.
-    [result.asIndirectExpr(), result.asExpr()] = this
-  }
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
 
   override predicate flowsTo(Crypto::FlowAwareElement other) {
     // TODO: separate config to avoid blowing up data-flow analysis
@@ -109,4 +103,28 @@ private class ConstantDataSource extends Crypto::GenericConstantSourceInstance i
   override string getAdditionalDescription() { result = this.toString() }
 }
 
+module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    source = any(Crypto::ArtifactInstance artifact).getOutputNode()
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sink = any(Crypto::FlowAwareElement other).getInputNode()
+  }
+
+  predicate isBarrierOut(DataFlow::Node node) {
+    node = any(Crypto::FlowAwareElement element).getInputNode()
+  }
+
+  predicate isBarrierIn(DataFlow::Node node) {
+    node = any(Crypto::FlowAwareElement element).getOutputNode()
+  }
+
+  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    node1.(AdditionalFlowInputStep).getOutput() = node2
+  }
+}
+
+module ArtifactUniversalFlow = DataFlow::Global<ArtifactUniversalFlowConfig>;
+
 import OpenSSL.OpenSSL

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -14,13 +14,9 @@ private import PaddingAlgorithmInstance
  */
 module KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    (
-      source.asExpr() instanceof KnownOpenSslAlgorithmExpr or
-      source.asIndirectExpr() instanceof KnownOpenSslAlgorithmExpr
-    ) and
+    source.asExpr() instanceof KnownOpenSslAlgorithmExpr and
     // No need to flow direct operations to AVCs
-    not source.asExpr() instanceof OpenSslDirectAlgorithmOperationCall and
-    not source.asIndirectExpr() instanceof OpenSslDirectAlgorithmOperationCall
+    not source.asExpr() instanceof OpenSslDirectAlgorithmOperationCall
   }
 
   predicate isSink(DataFlow::Node sink) {
@@ -50,12 +46,10 @@ module KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::
 }
 
 module KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow =
-  TaintTracking::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;
+  DataFlow::Global<KnownOpenSslAlgorithmToAlgorithmValueConsumerConfig>;
 
 module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof OpenSslSpecialPaddingLiteral
-  }
+  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSslPaddingLiteral }
 
   predicate isSink(DataFlow::Node sink) {
     exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink)
@@ -67,7 +61,7 @@ module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataF
 }
 
 module RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow =
-  TaintTracking::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
+  DataFlow::Global<RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig>;
 
 class OpenSslAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
   OpenSslAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -53,8 +53,7 @@ class KnownOpenSslBlockModeConstantAlgorithmInstance extends OpenSslAlgorithmIns
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a getter
       KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
     )

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -2,10 +2,12 @@ import cpp
 private import experimental.quantum.Language
 private import KnownAlgorithmConstants
 private import Crypto::KeyOpAlg as KeyOpAlg
-private import experimental.quantum.OpenSSL.Operations.OpenSSLOperationBase
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import OpenSSLAlgorithmInstances
+private import OpenSSLAlgorithmInstanceBase
+private import PaddingAlgorithmInstance
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 private import AlgToAVCFlow
+private import BlockAlgorithmInstance
 
 /**
  * Given a `KnownOpenSslCipherAlgorithmExpr`, converts this to a cipher family type.
@@ -77,8 +79,7 @@ class KnownOpenSslCipherConstantAlgorithmInstance extends OpenSslAlgorithmInstan
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a getter
       KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
     )
@@ -96,13 +97,10 @@ class KnownOpenSslCipherConstantAlgorithmInstance extends OpenSslAlgorithmInstan
   }
 
   override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() {
+    //TODO: the padding is either self, or it flows through getter ctx to a set padding call
+    // like EVP_PKEY_CTX_set_rsa_padding
     result = this
-    or
-    exists(OperationStep s |
-      this.getAvc().(AvcContextCreationStep).flowsToOperationStep(s) and
-      s.getAlgorithmValueConsumerForInput(PaddingAlgorithmIO()) =
-        result.(OpenSslAlgorithmInstance).getAvc()
-    )
+    // TODO or trace through getter ctx to set padding
   }
 
   override string getRawAlgorithmName() {
@@ -119,7 +117,7 @@ class KnownOpenSslCipherConstantAlgorithmInstance extends OpenSslAlgorithmInstan
     knownOpenSslConstantToCipherFamilyType(this, result)
     or
     not knownOpenSslConstantToCipherFamilyType(this, _) and
-    result = Crypto::KeyOpAlg::TOtherKeyOperationAlgorithmType()
+    result = Crypto::KeyOpAlg::TUnknownKeyOperationAlgorithmType()
   }
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -21,8 +21,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a getter
       KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
     )
@@ -40,7 +39,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::EllipticCurveType getEllipticCurveType() {
+  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
     if
       Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
         _)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -59,8 +59,7 @@ class KnownOpenSslHashConstantAlgorithmInstance extends OpenSslAlgorithmInstance
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a getter
       KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
     )
@@ -72,7 +71,7 @@ class KnownOpenSslHashConstantAlgorithmInstance extends OpenSslAlgorithmInstance
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  override Crypto::THashType getHashType() {
+  override Crypto::THashType getHashFamily() {
     knownOpenSslConstantToHashFamilyType(this, result)
     or
     not knownOpenSslConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KeyAgreementAlgorithmInstance.qll

@@ -37,8 +37,7 @@ class KnownOpenSslKeyAgreementConstantAlgorithmInstance extends OpenSslAlgorithm
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a getter
       KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
     )

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll

@@ -171,15 +171,9 @@ class KnownOpenSslKeyAgreementAlgorithmExpr extends Expr instanceof KnownOpenSsl
 }
 
 predicate knownOpenSslAlgorithmOperationCall(Call c, string normalized, string algType) {
-  c.getTarget().getName() in [
-      "EVP_RSA_gen", "RSA_generate_key_ex", "RSA_generate_key", "RSA_new", "RSA_sign", "RSA_verify"
-    ] and
+  c.getTarget().getName() in ["EVP_RSA_gen", "RSA_generate_key_ex", "RSA_generate_key", "RSA_new"] and
   normalized = "RSA" and
   algType = "ASYMMETRIC_ENCRYPTION"
-  or
-  c.getTarget().getName() in ["DSA_do_sign", "DSA_do_verify"] and
-  normalized = "DSA" and
-  algType = "SIGNATURE"
 }
 
 /**

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll

@@ -2,13 +2,12 @@ import cpp
 private import experimental.quantum.Language
 private import KnownAlgorithmConstants
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
 private import experimental.quantum.OpenSSL.Operations.OpenSSLOperations
-private import Crypto::KeyOpAlg as KeyOpAlg
 private import AlgToAVCFlow
 
 class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
-  Crypto::KeyOperationAlgorithmInstance instanceof KnownOpenSslMacAlgorithmExpr
+  Crypto::MacAlgorithmInstance instanceof KnownOpenSslMacAlgorithmExpr
 {
   OpenSslAlgorithmValueConsumer getterCall;
 
@@ -22,8 +21,7 @@ class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a getter
       KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
     )
@@ -35,34 +33,17 @@ class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  override string getRawAlgorithmName() {
+  override string getRawMacAlgorithmName() {
     result = this.(Literal).getValue().toString()
     or
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::KeyOpAlg::AlgorithmType getAlgorithmType() {
-    if this instanceof KnownOpenSslHMacAlgorithmExpr
-    then result = KeyOpAlg::TMac(KeyOpAlg::HMAC())
-    else
-      if this instanceof KnownOpenSslCMacAlgorithmExpr
-      then result = KeyOpAlg::TMac(KeyOpAlg::CMAC())
-      else result = KeyOpAlg::TMac(KeyOpAlg::OtherMacAlgorithmType())
+  override Crypto::MacType getMacType() {
+    this instanceof KnownOpenSslHMacAlgorithmExpr and result = Crypto::HMAC()
+    or
+    this instanceof KnownOpenSslCMacAlgorithmExpr and result = Crypto::CMAC()
   }
-
-  override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
-    // TODO: trace to any key size initializer?
-    none()
-  }
-
-  override int getKeySizeFixed() {
-    // TODO: are there known fixed key sizes to consider?
-    none()
-  }
-
-  override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() }
-
-  override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() }
 }
 
 class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HmacAlgorithmInstance,
@@ -79,13 +60,9 @@ class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HmacAlgorithmIns
       // where the current AVC traces to a HashAlgorithmIO consuming operation step.
       // TODO: need to consider getting reset values, tracing down to the first set for now
       exists(OperationStep s, AvcContextCreationStep avc |
-        avc = super.getAvc() and
+        avc = this.getAvc() and
         avc.flowsToOperationStep(s) and
         s.getAlgorithmValueConsumerForInput(HashAlgorithmIO()) = result
       )
   }
-
-  override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() }
-
-  override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -1,10 +1,10 @@
 import cpp
 private import experimental.quantum.Language
 private import OpenSSLAlgorithmInstanceBase
-private import experimental.quantum.OpenSSL.Operations.OpenSSLOperationBase
 private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
 private import AlgToAVCFlow
-private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
 
 /**
@@ -18,14 +18,13 @@ private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as K
  *     # define RSA_PKCS1_WITH_TLS_PADDING 7
  *     # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
  */
-class OpenSslSpecialPaddingLiteral extends Literal {
+class OpenSslPaddingLiteral extends Literal {
   // TODO: we can be more specific about where the literal is in a larger expression
   // to avoid literals that are clealy not representing an algorithm, e.g., array indices.
-  OpenSslSpecialPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] }
+  OpenSslPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] }
 }
 
 /**
- * Holds if `e` has the given `type`.
  * Given a `KnownOpenSslPaddingAlgorithmExpr`, converts this to a padding family type.
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
@@ -46,6 +45,9 @@ predicate knownOpenSslConstantToPaddingFamilyType(
   )
 }
 
+//abstract class OpenSslPaddingAlgorithmInstance extends OpenSslAlgorithmInstance, Crypto::PaddingAlgorithmInstance{}
+// TODO: need to alter this to include known padding constants which don't have the
+// same mechanics as those with known nids
 class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
   Crypto::PaddingAlgorithmInstance instanceof Expr
 {
@@ -64,8 +66,7 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a getter
       KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink) and
       isPaddingSpecificConsumer = false
@@ -78,13 +79,12 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
     isPaddingSpecificConsumer = false
     or
     // Possibility 3: padding-specific literal
-    this instanceof OpenSslSpecialPaddingLiteral and
+    this instanceof OpenSslPaddingLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a padding-specific consumer
       RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow::flow(src, sink)
     ) and
@@ -124,6 +124,44 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
   }
 }
 
+// // Values used for EVP_PKEY_CTX_set_rsa_padding, these are
+// // not the same as 'typical' constants found in the set of known algorithm constants
+// // they do not have an NID
+// // TODO: what about setting the padding directly?
+// class KnownRSAPaddingConstant extends OpenSslPaddingAlgorithmInstance, Crypto::PaddingAlgorithmInstance instanceof Literal
+// {
+//   KnownRSAPaddingConstant() {
+//     // from rsa.h in openssl:
+//     // # define RSA_PKCS1_PADDING          1
+//     // # define RSA_NO_PADDING             3
+//     // # define RSA_PKCS1_OAEP_PADDING     4
+//     // # define RSA_X931_PADDING           5
+//     // /* EVP_PKEY_ only */
+//     // # define RSA_PKCS1_PSS_PADDING      6
+//     // # define RSA_PKCS1_WITH_TLS_PADDING 7
+//     // /* internal RSA_ only */
+//     // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
+//     this instanceof Literal and
+//     this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8]
+//     // TODO: trace to padding-specific consumers
+//     RsaPaddingAlgorithmToPaddingAlgorithmValueConsumerFlow
+//   }
+//   override string getRawPaddingAlgorithmName() { result = this.(Literal).getValue().toString() }
+//   override Crypto::TPaddingType getPaddingType() {
+//     if this.(Literal).getValue().toInt() in [1, 6, 7, 8]
+//     then result = Crypto::PKCS1_v1_5()
+//     else
+//       if this.(Literal).getValue().toInt() = 3
+//       then result = Crypto::NoPadding()
+//       else
+//         if this.(Literal).getValue().toInt() = 4
+//         then result = Crypto::OAEP()
+//         else
+//           if this.(Literal).getValue().toInt() = 5
+//           then result = Crypto::ANSI_X9_23()
+//           else result = Crypto::OtherPadding()
+//   }
+// }
 class OaepPaddingAlgorithmInstance extends Crypto::OaepPaddingAlgorithmInstance,
   KnownOpenSslPaddingConstantAlgorithmInstance
 {
@@ -132,18 +170,10 @@ class OaepPaddingAlgorithmInstance extends Crypto::OaepPaddingAlgorithmInstance,
   }
 
   override Crypto::HashAlgorithmInstance getOaepEncodingHashAlgorithm() {
-    exists(OperationStep s |
-      this.getAvc().(AvcContextCreationStep).flowsToOperationStep(s) and
-      s.getAlgorithmValueConsumerForInput(HashAlgorithmOaepIO()) =
-        result.(OpenSslAlgorithmInstance).getAvc()
-    )
+    none() //TODO
   }
 
   override Crypto::HashAlgorithmInstance getMgf1HashAlgorithm() {
-    exists(OperationStep s |
-      this.getAvc().(AvcContextCreationStep).flowsToOperationStep(s) and
-      s.getAlgorithmValueConsumerForInput(HashAlgorithmMgf1IO()) =
-        result.(OpenSslAlgorithmInstance).getAvc()
-    )
+    none() //TODO
   }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll

@@ -47,8 +47,7 @@ class KnownOpenSslSignatureConstantAlgorithmInstance extends OpenSslAlgorithmIns
       // Sink is an argument to a signature getter call
       sink = getterCall.getInputNode() and
       // Source is `this`
-      // NOTE: src literals can be ints or strings, so need to consider asExpr and asIndirectExpr
-      this = [src.asExpr(), src.asIndirectExpr()] and
+      src.asExpr() = this and
       // This traces to a getter
       KnownOpenSslAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
     )

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll

@@ -12,17 +12,15 @@ class EvpCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer {
   DataFlow::Node resultNode;
 
   EvpCipherAlgorithmValueConsumer() {
-    resultNode.asIndirectExpr() = this and
+    resultNode.asExpr() = this and
     (
-      this.(Call).getTarget().getName() in ["EVP_get_cipherbyname", "EVP_get_cipherbyobj"] and
-      valueArgNode.asIndirectExpr() = this.(Call).getArgument(0)
-      or
-      this.(Call).getTarget().getName() = "EVP_get_cipherbynid" and
-      // algorithm is an NID (int), use asExpr()
+      this.(Call).getTarget().getName() in [
+          "EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid"
+        ] and
       valueArgNode.asExpr() = this.(Call).getArgument(0)
       or
       this.(Call).getTarget().getName() in ["EVP_CIPHER_fetch", "EVP_ASYM_CIPHER_fetch"] and
-      valueArgNode.asIndirectExpr() = this.(Call).getArgument(1)
+      valueArgNode.asExpr() = this.(Call).getArgument(1)
     )
   }
 

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll

@@ -23,7 +23,7 @@ class DirectAlgorithmValueConsumer extends OpenSslAlgorithmValueConsumer instanc
    */
   override DataFlow::Node getResultNode() {
     this instanceof OpenSslDirectAlgorithmFetchCall and
-    result.asIndirectExpr() = this
+    result.asExpr() = this
     // NOTE: if instanceof OpenSslDirectAlgorithmOperationCall then there is no algorithm generated
     // the algorithm is directly used
   }