Merge pull request #11828 from github/release-prep/2.12.0

Release preparation for version 2.12.0

.github/workflows/ruby-build.yml

@@ -115,9 +115,10 @@ jobs:
       - name: Build Query Pack
         run: |
           rm -rf target/packs
-          codeql pack create ../shared/ssa --output target/packs
           codeql pack create ../misc/suite-helpers --output target/packs
           codeql pack create ../shared/regex --output target/packs
+          codeql pack create ../shared/ssa --output target/packs
+          codeql pack create ../shared/tutorial --output target/packs
           codeql pack create ql/lib --output target/packs
           codeql pack create -j0 ql/src --output target/packs --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
           PACK_FOLDER=$(readlink -f target/packs/codeql/ruby-queries/*)

config/identical-files.json

@@ -505,14 +505,6 @@
     "python/ql/lib/semmle/python/dataflow/new/internal/TypeTracker.qll",
     "ruby/ql/lib/codeql/ruby/typetracking/TypeTracker.qll"
   ],
-  "CodeQL Tutorial": [
-    "cpp/ql/lib/tutorial.qll",
-    "csharp/ql/lib/tutorial.qll",
-    "java/ql/lib/tutorial.qll",
-    "javascript/ql/lib/tutorial.qll",
-    "python/ql/lib/tutorial.qll",
-    "ruby/ql/lib/tutorial.qll"
-  ],
   "AccessPathSyntax": [
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/AccessPathSyntax.qll",
     "go/ql/lib/semmle/go/dataflow/internal/AccessPathSyntax.qll",

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 0.5.0
+
+### Breaking Changes
+
+The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
+
+### Deprecated APIs
+
+* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
+
+### Minor Analysis Improvements
+
+* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
+* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
+* The `getaddrinfo` function is now recognized as a flow source.
+* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
+* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
+* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.
+
 ## 0.4.6
 
 No user-facing changes.

cpp/ql/lib/change-notes/2022-11-14-deprecate-ast-gvn.md

@@ -1,6 +0,0 @@
----
-category: deprecated
----
-
-
-* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.

cpp/ql/lib/change-notes/2022-11-16-must-flow.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.

cpp/ql/lib/change-notes/2022-11-17-deleted-deps.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.

cpp/ql/lib/change-notes/2022-11-25-deprecate-default-taint-tracking.md

@@ -1,6 +0,0 @@
----
-category: deprecated
----
-
-* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
-* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.

cpp/ql/lib/change-notes/2022-12-08-support-getaddrinfo-dataflow.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `getaddrinfo` function is now recognized as a flow source.

cpp/ql/lib/change-notes/2022-12-08-support-getenv-variants.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.

cpp/ql/lib/change-notes/2022-12-08-support-scanf-dataflow.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.

cpp/ql/lib/change-notes/2022-12-09-generalize-argv-source.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.

cpp/ql/lib/change-notes/2022-12-19-argv-as-parameter-flowsource.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.

cpp/ql/lib/change-notes/released/0.5.0.md

@@ -0,0 +1,20 @@
+## 0.5.0
+
+### Breaking Changes
+
+The predicates in the `MustFlow::Configuration` class used by the `MustFlow` library (`semmle.code.cpp.ir.dataflow.MustFlow`) have changed to be defined directly in terms of the C++ IR instead of IR dataflow nodes.
+
+### Deprecated APIs
+
+* Deprecated `semmle.code.cpp.ir.dataflow.DefaultTaintTracking`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.security.TaintTrackingImpl`. Use `semmle.code.cpp.ir.dataflow.TaintTracking`.
+* Deprecated `semmle.code.cpp.valuenumbering.GlobalValueNumberingImpl`. Use `semmle.code.cpp.valuenumbering.GlobalValueNumbering`, which exposes the same API.
+
+### Minor Analysis Improvements
+
+* The `ArgvSource` flow source now uses the second parameter of `main` as its source instead of the uses of this parameter.
+* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.
+* The `getaddrinfo` function is now recognized as a flow source.
+* The `secure_getenv` and `_wgetenv` functions are now recognized as local flow sources.
+* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.
+* Deleted the deprecated `getName` and `getShortName` predicates from the `Folder` class.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.5.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 0.5.0-dev
+version: 0.5.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
@@ -7,3 +7,4 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/ssa: ${workspace}
+  codeql/tutorial: ${workspace}

cpp/ql/lib/semmle/code/cpp/valuenumbering/GlobalValueNumberingImpl.qll

@@ -183,7 +183,7 @@ private newtype GvnBase =
   // global variable will only get the same value number if they are
   // guaranteed to have the same value.
   GVN_OtherVariable(Variable x, ControlFlowNode dominator) { mk_OtherVariable(x, dominator, _) } or
-  GVN_FieldAccess(GVN s, Field f) {
+  deprecated GVN_FieldAccess(GVN s, Field f) {
     mk_DotFieldAccess(s, f, _) or
     mk_PointerFieldAccess_with_deref(s, f, _) or
     mk_ImplicitThisFieldAccess_with_deref(s, f, _)
@@ -192,7 +192,7 @@ private newtype GvnBase =
   // time the pointer was dereferenced, so we need to include a definition
   // location. As a crude (but safe) approximation, we use
   // `mostRecentSideEffect` to compute a definition location.
-  GVN_Deref(GVN p, ControlFlowNode dominator) {
+  deprecated GVN_Deref(GVN p, ControlFlowNode dominator) {
     mk_Deref(p, dominator, _) or
     mk_PointerFieldAccess(p, _, dominator, _) or
     mk_ImplicitThisFieldAccess_with_qualifier(p, _, dominator, _)
@@ -201,10 +201,12 @@ private newtype GvnBase =
     mk_ThisExpr(fcn, _) or
     mk_ImplicitThisFieldAccess(fcn, _, _, _)
   } or
-  GVN_Conversion(Type t, GVN child) { mk_Conversion(t, child, _) } or
-  GVN_BinaryOp(GVN lhs, GVN rhs, string opname) { mk_BinaryOp(lhs, rhs, opname, _) } or
-  GVN_UnaryOp(GVN child, string opname) { mk_UnaryOp(child, opname, _) } or
-  GVN_ArrayAccess(GVN x, GVN i, ControlFlowNode dominator) { mk_ArrayAccess(x, i, dominator, _) } or
+  deprecated GVN_Conversion(Type t, GVN child) { mk_Conversion(t, child, _) } or
+  deprecated GVN_BinaryOp(GVN lhs, GVN rhs, string opname) { mk_BinaryOp(lhs, rhs, opname, _) } or
+  deprecated GVN_UnaryOp(GVN child, string opname) { mk_UnaryOp(child, opname, _) } or
+  deprecated GVN_ArrayAccess(GVN x, GVN i, ControlFlowNode dominator) {
+    mk_ArrayAccess(x, i, dominator, _)
+  } or
   // Any expression that is not handled by the cases above is
   // given a unique number based on the expression itself.
   GVN_Unanalyzable(Expr e) { not analyzableExpr(e) }
@@ -340,7 +342,7 @@ private predicate analyzableDotFieldAccess(DotFieldAccess access) {
   not analyzableConst(access)
 }
 
-private predicate mk_DotFieldAccess(GVN qualifier, Field target, DotFieldAccess access) {
+deprecated private predicate mk_DotFieldAccess(GVN qualifier, Field target, DotFieldAccess access) {
   analyzableDotFieldAccess(access) and
   target = access.getTarget() and
   qualifier = globalValueNumber(access.getQualifier().getFullyConverted())
@@ -353,7 +355,7 @@ private predicate analyzablePointerFieldAccess(PointerFieldAccess access) {
   not analyzableConst(access)
 }
 
-private predicate mk_PointerFieldAccess(
+deprecated private predicate mk_PointerFieldAccess(
   GVN qualifier, Field target, ControlFlowNode dominator, PointerFieldAccess access
 ) {
   analyzablePointerFieldAccess(access) and
@@ -366,7 +368,7 @@ private predicate mk_PointerFieldAccess(
  * `obj->field` is equivalent to `(*obj).field`, so we need to wrap an
  * extra `GVN_Deref` around the qualifier.
  */
-private predicate mk_PointerFieldAccess_with_deref(
+deprecated private predicate mk_PointerFieldAccess_with_deref(
   GVN new_qualifier, Field target, PointerFieldAccess access
 ) {
   exists(GVN qualifier, ControlFlowNode dominator |
@@ -391,7 +393,7 @@ private predicate mk_ImplicitThisFieldAccess(
   fcn = access.getEnclosingFunction()
 }
 
-private predicate mk_ImplicitThisFieldAccess_with_qualifier(
+deprecated private predicate mk_ImplicitThisFieldAccess_with_qualifier(
   GVN qualifier, Field target, ControlFlowNode dominator, ImplicitThisFieldAccess access
 ) {
   exists(Function fcn |
@@ -400,7 +402,7 @@ private predicate mk_ImplicitThisFieldAccess_with_qualifier(
   )
 }
 
-private predicate mk_ImplicitThisFieldAccess_with_deref(
+deprecated private predicate mk_ImplicitThisFieldAccess_with_deref(
   GVN new_qualifier, Field target, ImplicitThisFieldAccess access
 ) {
   exists(GVN qualifier, ControlFlowNode dominator |
@@ -434,7 +436,7 @@ private predicate analyzableConversion(Conversion conv) {
   not analyzableConst(conv)
 }
 
-private predicate mk_Conversion(Type t, GVN child, Conversion conv) {
+deprecated private predicate mk_Conversion(Type t, GVN child, Conversion conv) {
   analyzableConversion(conv) and
   t = conv.getUnspecifiedType() and
   child = globalValueNumber(conv.getExpr())
@@ -448,7 +450,7 @@ private predicate analyzableBinaryOp(BinaryOperation op) {
   not analyzableConst(op)
 }
 
-private predicate mk_BinaryOp(GVN lhs, GVN rhs, string opname, BinaryOperation op) {
+deprecated private predicate mk_BinaryOp(GVN lhs, GVN rhs, string opname, BinaryOperation op) {
   analyzableBinaryOp(op) and
   lhs = globalValueNumber(op.getLeftOperand().getFullyConverted()) and
   rhs = globalValueNumber(op.getRightOperand().getFullyConverted()) and
@@ -463,7 +465,7 @@ private predicate analyzableUnaryOp(UnaryOperation op) {
   not analyzableConst(op)
 }
 
-private predicate mk_UnaryOp(GVN child, string opname, UnaryOperation op) {
+deprecated private predicate mk_UnaryOp(GVN child, string opname, UnaryOperation op) {
   analyzableUnaryOp(op) and
   child = globalValueNumber(op.getOperand().getFullyConverted()) and
   opname = op.getOperator()
@@ -486,7 +488,9 @@ private predicate analyzableArrayAccess(ArrayExpr ae) {
   not analyzableConst(ae)
 }
 
-private predicate mk_ArrayAccess(GVN base, GVN offset, ControlFlowNode dominator, ArrayExpr ae) {
+deprecated private predicate mk_ArrayAccess(
+  GVN base, GVN offset, ControlFlowNode dominator, ArrayExpr ae
+) {
   analyzableArrayAccess(ae) and
   base = globalValueNumber(ae.getArrayBase().getFullyConverted()) and
   offset = globalValueNumber(ae.getArrayOffset().getFullyConverted()) and
@@ -499,7 +503,7 @@ private predicate analyzablePointerDereferenceExpr(PointerDereferenceExpr deref)
   not analyzableConst(deref)
 }
 
-private predicate mk_Deref(GVN p, ControlFlowNode dominator, PointerDereferenceExpr deref) {
+deprecated private predicate mk_Deref(GVN p, ControlFlowNode dominator, PointerDereferenceExpr deref) {
   analyzablePointerDereferenceExpr(deref) and
   p = globalValueNumber(deref.getOperand().getFullyConverted()) and
   dominator = mostRecentSideEffect(deref)

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 0.5.0
+
+### Minor Analysis Improvements
+
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
+* The `cpp/missing-check-scanf` query no longer reports the free'ing of `scanf` output variables as potential reads.
+
 ## 0.4.6
 
 No user-facing changes.

cpp/ql/src/change-notes/2022-12-15-no-scanf-buffer-allocation-warnings.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `cpp/missing-check-scanf` query no longer reports the free'ing of `scanf` output variables as potential reads.

cpp/ql/src/change-notes/released/0.5.0.md

@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
-* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be place on the line before an alert.
+## 0.5.0
+
+### Minor Analysis Improvements
+
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
+* The `cpp/missing-check-scanf` query no longer reports the free'ing of `scanf` output variables as potential reads.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.5.0

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 0.5.0-dev
+version: 0.5.0
 groups: 
   - cpp
   - queries

csharp/codeql-extractor.yml

@@ -4,6 +4,10 @@ version: 1.22.1
 column_kind: "utf16"
 extra_env_vars:
   DOTNET_GENERATE_ASPNET_CERTIFICATE: "false"
+github_api_languages:
+  - C#
+scc_languages:
+  - C#
 file_types:
   - name: cs
     display_name: C# sources

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.4.0
+
+No user-facing changes.
+
 ## 1.3.6
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.4.0.md

@@ -0,0 +1,3 @@
+## 1.4.0
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.6
+lastReleaseVersion: 1.4.0

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.4.0-dev
+version: 1.4.0
 groups:
     - csharp
     - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.4.0
+
+No user-facing changes.
+
 ## 1.3.6
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.4.0.md

@@ -0,0 +1,3 @@
+## 1.4.0
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.3.6
+lastReleaseVersion: 1.4.0

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.4.0-dev
+version: 1.4.0
 groups:
     - csharp
     - solorigate

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,12 @@
+## 0.5.0
+
+### Minor Analysis Improvements
+
+* C# 11: Added support for list- and slice patterns in the extractor.
+* Deleted the deprecated `getNameWithoutBrackets` predicate from the `ValueOrRefType` class in `Type.qll`.
+* `Element::hasQualifiedName/1` has been deprecated. Use `hasQualifiedName/2` or `hasQualifiedName/3` instead.
+* Added TCP/UDP sockets as taint sources.
+
 ## 0.4.6
 
 No user-facing changes.

csharp/ql/lib/change-notes/2022-08-24-tcp-udp-sources.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added tcp/upd sockets as taint sources.

csharp/ql/lib/change-notes/2022-11-14-deprecatehasqualifiedname.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* `Element::hasQualifiedName/1` has been deprecated. Use `hasQualifiedName/2` or `hasQualifiedName/3` instead.

csharp/ql/lib/change-notes/2022-11-17-deleted-deps.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Deleted the deprecated `getNameWithoutBrackets` predicate from the `ValueOrRefType` class in `Type.qll`.

csharp/ql/lib/change-notes/2022-12-08-listpatterns.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* C# 11: Added support for list- and slice patterns in the extractor.

csharp/ql/lib/change-notes/released/0.5.0.md

@@ -0,0 +1,8 @@
+## 0.5.0
+
+### Minor Analysis Improvements
+
+* C# 11: Added support for list- and slice patterns in the extractor.
+* Deleted the deprecated `getNameWithoutBrackets` predicate from the `ValueOrRefType` class in `Type.qll`.
+* `Element::hasQualifiedName/1` has been deprecated. Use `hasQualifiedName/2` or `hasQualifiedName/3` instead.
+* Added TCP/UDP sockets as taint sources.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.5.0

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 0.5.0-dev
+version: 0.5.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
@@ -7,6 +7,7 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/ssa: ${workspace}
+  codeql/tutorial: ${workspace}
 dataExtensions:
   - ext/*.model.yml
   - ext/generated/*.model.yml

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,18 @@
+## 0.5.0
+
+### New Queries
+
+* Added a new query, `csharp/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
+
+### Minor Analysis Improvements
+
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
+* The extensible predicates for Models as Data have been renamed (the `ext` prefix has been removed). As an example, `extSummaryModel` has been renamed to `summaryModel`.
+
+### Bug Fixes
+
+* Fixes a bug where the Owin.qll framework library will look for "URI" instead of "Uri" in the OwinRequest class.
+
 ## 0.4.6
 
 No user-facing changes.

csharp/ql/src/change-notes/2022-12-01-supported-external-apis-query.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `csharp/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.

csharp/ql/src/change-notes/2022-12-05-owin-uri-fix.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixes a bug where the Owin.qll framework library will look for "URI" instead of "Uri" in the OwinRequest class.

csharp/ql/src/change-notes/2022-12-15-rename-mad-extensibles.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The extensible predicates for Models as Data have been renamed (the `ext` prefix has been removed). As an example `extSummaryModel` has been renamed to `summaryModel`.

csharp/ql/src/change-notes/released/0.5.0.md

@@ -0,0 +1,14 @@
+## 0.5.0
+
+### New Queries
+
+* Added a new query, `csharp/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
+
+### Minor Analysis Improvements
+
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
+* The extensible predicates for Models as Data have been renamed (the `ext` prefix has been removed). As an example, `extSummaryModel` has been renamed to `summaryModel`.
+
+### Bug Fixes
+
+* Fixes a bug where the Owin.qll framework library will look for "URI" instead of "Uri" in the OwinRequest class.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.5.0

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 0.5.0-dev
+version: 0.5.0
 groups: 
   - csharp
   - queries

docs/codeql/reusables/codespaces-template-note.rst

@@ -0,0 +1,8 @@
+.. pull-quote::
+
+   Note
+
+   You can use the CodeQL template (beta) in `GitHub Codespaces <https://github.com/codespaces/new?template_repository=github/codespaces-codeql>`__ to try out the QL concepts and programming-language-agnostic examples in these tutorials. The template includes a guided introduction to working with QL, and makes it easy to get started.
+   
+   When you're ready to run CodeQL queries on actual codebases, you will need to install the CodeQL extension in Visual Studio Code. For instructions, see ":ref:`Setting up CodeQL in Visual Studio Code <setting-up-codeql-in-visual-studio-code>`."
+   

docs/codeql/writing-codeql-queries/find-the-thief.rst

@@ -50,7 +50,7 @@ You start asking some creative questions and making notes of the answers so you
 
 There is too much information to search through by hand, so you decide to use your newly acquired QL skills to help you with your investigation...
 
-.. include:: ../reusables/setup-to-run-tutorials.rst
+.. include:: ../reusables/codespaces-template-note.rst
 
 QL libraries
 ------------

docs/codeql/writing-codeql-queries/introduction-to-ql.rst

@@ -14,17 +14,17 @@ QL is a logic programming language, so it is built up of logical formulas. QL us
 
 QL also supports recursion and aggregates. This allows you to write complex recursive queries using simple QL syntax and directly use aggregates such as ``count``, ``sum``, and ``average``.
 
+.. include:: ../reusables/codespaces-template-note.rst
+
 Running a query
 ---------------
 
-You can try out the following examples and exercises using :ref:`CodeQL for VS Code <codeql-for-visual-studio-code>`, or you can run them in the `query console on LGTM.com <https://lgtm.com/query>`__. Before you can run a query on LGTM.com, you need to select a language and project to query (for these logic examples, any language and project will do).
+You can try out the following examples and exercises using :ref:`CodeQL for VS Code <codeql-for-visual-studio-code>` or the `CodeQL template <https://github.com/codespaces/new?template_repository=github/codespaces-codeql>`__ on GitHub Codespaces.
 
-Once you have selected a language, the query console is populated with the query:
+Here is an example of a basic query:
 
 .. code-block:: ql
 
-   import <language>
-
    select "hello world"
 
 This query returns the string ``"hello world"``.
@@ -52,39 +52,33 @@ Simple exercises
 
 You can write simple queries using the some of the basic functions that are available for the ``int``, ``date``, ``float``, ``boolean`` and ``string`` types. To apply a function, append it to the argument. For example, ``1.toString()`` converts the value ``1`` to a string. Notice that as you start typing a function, a pop-up is displayed making it easy to select the function that you want. Also note that you can apply multiple functions in succession. For example, ``100.log().sqrt()`` first takes the natural logarithm of 100 and then computes the square root of the result.
 
-Exercise 1
-~~~~~~~~~~
+Exercise 1 - Strings
+~~~~~~~~~~~~~~~~~~~~
 
 Write a query which returns the length of the string ``"lgtm"``. (Hint: `here <https://codeql.github.com/docs/ql-language-reference/ql-language-specification/#built-ins-for-string>`__ is the list of the functions that can be applied to strings.)
 
-➤ `See answer in the query console on LGTM.com <https://lgtm.com/query/2103060623/>`__
+➤ `Check your answer <#exercise-1>`__
 
-There is often more than one way to define a query. For example, we can also write the above query in the shorter form:
-
-.. code-block:: ql
-
-   select "lgtm".length()
-
-Exercise 2
-~~~~~~~~~~
+Exercise 2 - Numbers
+~~~~~~~~~~~~~~~~~~~~
 
 Write a query which returns the sine of the minimum of ``3^5`` (``3`` raised to the power ``5``) and ``245.6``.
 
-➤ `See answer in the query console on LGTM.com <https://lgtm.com/query/2093780343/>`__
+➤ `Check your answer <#exercise-2>`__
 
-Exercise 3
-~~~~~~~~~~
+Exercise 3 - Booleans
+~~~~~~~~~~~~~~~~~~~~~
 
 Write a query which returns the opposite of the boolean ``false``.
 
-➤ `See answer in the query console on LGTM.com <https://lgtm.com/query/2093780344/>`__
+➤ `Check your answer <#exercise-3>`__
 
-Exercise 4
-~~~~~~~~~~
+Exercise 4 - Dates
+~~~~~~~~~~~~~~~~~~
 
 Write a query which computes the number of days between June 10 and September 28, 2017.
 
-➤ `See answer in the query console on LGTM.com <https://lgtm.com/query/2100260596/>`__
+➤ `Check your answer <#exercise-4>`__
 
 Example query with multiple results
 -----------------------------------
@@ -98,8 +92,6 @@ The exercises above all show queries with exactly one result, but in fact many q
          x*x + y*y = z*z
    select x, y, z
 
-➤ `See this in the query console on LGTM.com <https://lgtm.com/query/2100790036/>`__
-
 To simplify the query, we can introduce a class ``SmallInt`` representing the integers between 1 and 10. We can also define a predicate ``square()`` on integers in that class. Defining classes and predicates in this way makes it easy to reuse code without having to repeat it every time.
 
 .. code-block:: ql
@@ -113,17 +105,17 @@ To simplify the query, we can introduce a class ``SmallInt`` representing the in
    where x.square() + y.square() = z.square()
    select x, y, z
 
-➤ `See this in the query console on LGTM.com <https://lgtm.com/query/2101340747/>`__
-
 Example CodeQL queries
 ----------------------
 
 The previous examples used the primitive types built in to QL. Although we chose a project to query, we didn't use the information in that project's database.
-The following example queries *do* use these databases and give you an idea of how to use CodeQL to analyze projects.
+The following example queries *do* use these databases and give you an idea of how to use CodeQL to analyze projects. 
 
 Queries using the CodeQL libraries can find errors and uncover variants of important security vulnerabilities in codebases.
 Visit `GitHub Security Lab <https://securitylab.github.com/>`__ to read about examples of vulnerabilities that we have recently found in open source projects.
 
+Before you can run the following examples, you will need to install the CodeQL extension for Visual Studio Code. For more information, see :ref:`Setting up CodeQL in Visual Studio Code <setting-up-codeql-in-visual-studio-code>`. You will also need to import and select a database in the corresponding programming language. For more information about obtaining CodeQL databases, see `Analyzing your projects <https://codeql.github.com/docs/codeql-for-visual-studio-code/analyzing-your-projects/#choosing-a-database>`__ in the CodeQL for VS Code documentation.
+
 To import the CodeQL library for a specific programming language, type ``import <language>`` at the start of the query.
 
 .. code-block:: ql
@@ -134,7 +126,7 @@ To import the CodeQL library for a specific programming language, type ``import
    where count(f.getAnArg()) > 7
    select f
 
-➤ `See this in the query console on LGTM.com <https://lgtm.com/query/2096810474/>`__. The ``from`` clause defines a variable ``f`` representing a Python function. The ``where`` part limits the functions ``f`` to those with more than 7 arguments. Finally, the ``select`` clause lists these functions.
+The ``from`` clause defines a variable ``f`` representing a Python function. The ``where`` part limits the functions ``f`` to those with more than 7 arguments. Finally, the ``select`` clause lists these functions.
 
 .. code-block:: ql
 
@@ -144,7 +136,7 @@ To import the CodeQL library for a specific programming language, type ``import
    where c.getText().regexpMatch("(?si).*\\bTODO\\b.*")
    select c
 
-➤ `See this in the query console on LGTM.com <https://lgtm.com/query/2101530483/>`__. The ``from`` clause defines a variable ``c`` representing a JavaScript comment. The ``where`` part limits the comments ``c`` to those containing the word ``"TODO"``. The ``select`` clause lists these comments.
+The ``from`` clause defines a variable ``c`` representing a JavaScript comment. The ``where`` part limits the comments ``c`` to those containing the word ``"TODO"``. The ``select`` clause lists these comments.
 
 .. code-block:: ql
 
@@ -154,9 +146,56 @@ To import the CodeQL library for a specific programming language, type ``import
    where not exists(p.getAnAccess())
    select p
 
-➤ `See this in the query console on LGTM.com <https://lgtm.com/query/2098670762/>`__. The ``from`` clause defines a variable ``p`` representing a Java parameter. The ``where`` clause finds unused parameters by limiting the parameters ``p`` to those which are not accessed. Finally, the ``select`` clause lists these parameters.
+The ``from`` clause defines a variable ``p`` representing a Java parameter. The ``where`` clause finds unused parameters by limiting the parameters ``p`` to those which are not accessed. Finally, the ``select`` clause lists these parameters.
 
 Further reading
 ---------------
 
--  For a more technical description of the underlying language, see the ":ref:`QL language reference <ql-language-reference>`."
+-  For a more technical description of the underlying language, see the ":ref:`QL language reference <ql-language-reference>`."
+
+--------------
+
+Answers
+-------
+
+Exercise 1
+~~~~~~~~~~
+
+.. code-block:: ql
+
+   from string s
+   where s = "lgtm"
+   select s.length()
+   
+There is often more than one way to define a query. For example, we can also write the above query in the shorter form:
+
+.. code-block:: ql
+
+   select "lgtm".length()
+
+Exercise 2
+~~~~~~~~~~
+
+.. code-block:: ql
+
+   from float x, float y
+   where x = 3.pow(5) and y = 245.6
+   select x.minimum(y).sin()
+
+Exercise 3
+~~~~~~~~~~
+
+.. code-block:: ql
+
+   from boolean b
+   where b = false
+   select b.booleanNot()
+
+Exercise 4
+~~~~~~~~~~
+
+.. code-block:: ql
+
+   from date start, date end
+   where start = "10/06/2017".toDate() and end = "28/09/2017".toDate()
+   select start.daysTo(end)

go/Makefile

@@ -1,4 +1,4 @@
-all: extractor ql/lib/go.dbscheme install-deps
+all: extractor ql/lib/go.dbscheme
 
 ifeq ($(OS),Windows_NT)
 EXE = .exe
@@ -36,9 +36,6 @@ autoformat:
 check-formatting:
 	test -z "$$(find . -path '**/vendor' -prune -or -type f -iname '*.go' ! -empty -print0 | xargs -0 grep -L "//\s*autoformat-ignore" | xargs gofmt -l)"
 
-install-deps:
-	bash scripts/install-deps.sh $(CODEQL_LOCK_MODE)
-
 ifeq ($(QHELP_OUT_DIR),)
 # If not otherwise specified, compile qhelp to markdown in place
 QHELP_OUT_DIR := ql/src
@@ -75,7 +72,7 @@ tools-win64: $(addsuffix .exe,$(addprefix tools/win64/,$(BINARIES)))
 $(addsuffix .exe,$(addprefix tools/win64/,$(BINARIES))):
 	env GOOS=windows GOARCH=amd64 go build -mod=vendor -o $@ ./extractor/cli/$(basename $(@F))
 
-.PHONY: extractor-common extractor extractor-full install-deps
+.PHONY: extractor-common extractor extractor-full
 extractor-common: codeql-extractor.yml LICENSE ql/lib/go.dbscheme \
 	tools/tokenizer.jar $(CODEQL_TOOLS)
 	rm -rf $(EXTRACTOR_PACK_OUT)

go/README.md

@@ -9,17 +9,6 @@ It contains two major components:
   - static analysis libraries and queries written in [CodeQL](https://codeql.github.com/docs/) that can be
     used to analyze such a database to find coding mistakes or security vulnerabilities.
 
-## Installation
-
-Clone this repository.
-
-Run `scripts/install-deps.sh`. This will ensure that the necessary external CodeQL packs are
-downloaded to your machine. You will need to re-run this script whenever you pull new commits from
-the repo.
-
-If you want to use the CodeQL extension for Visual Studio Code, import this repository into your VS
-Code workspace.
-
 ## Usage
 
 To analyze a Go codebase, either use the [CodeQL command-line

go/codeql-extractor.yml

@@ -6,6 +6,10 @@ pull_request_triggers:
   - "**/glide.yaml"
   - "**/Gopkg.toml"
 column_kind: "utf8"
+github_api_languages:
+  - Go
+scc_languages:
+  - Go
 file_types:
   - name: go
     display_name: Go

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 0.4.0
+
+### Breaking Changes
+
+* The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
+
+### Deprecated APIs
+
+* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
+
+### Minor Analysis Improvements
+
+* The predicate `getNumParameter` on `FuncTypeExpr` has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. `getNumParameterDecl` has been introduced to preserve this functionality.
+* The definition of `mayHaveSideEffects` for `ReturnStmt` was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstances `globalValueNumber` may have incorrectly treated two values as the same when they were in fact distinct.
+* Queries that care about SQL, such as `go/sql-injection`, now recognise SQL-consuming functions belonging to the `gorqlite` and `GoFrame` packages.
+* `rsync` has been added to the list of commands which may evaluate its parameters as a shell command.
+
+### Bug Fixes
+
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
+
 ## 0.3.6
 
 No user-facing changes.

go/ql/lib/change-notes/2022-11-17-allow-implicit-read-signature.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.

go/ql/lib/change-notes/2022-11-17-barrierguard-deprecation.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.

go/ql/lib/change-notes/2022-11-17-rsync-argument-injection.md

@@ -1,4 +0,0 @@
----
- category: minorAnalysis
----
- * `rsync` has been added to the list of commands which may evaluate its parameters as a shell command.

go/ql/lib/change-notes/2022-12-03-gorqlite-goframe.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Queries that care about SQL, such as `go/sql-injection`, now recognise SQL-consuming functions belonging to the `gorqlite` and `GoFrame` packages.

go/ql/lib/change-notes/2022-12-16-implicit-read-flowstates.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

go/ql/lib/change-notes/2022-12-6-may-have-side-effects-return-stmt.md

@@ -1,8 +0,0 @@
----
-category: minorAnalysis
----
-The definition of `mayHaveSideEffects` for `ReturnStmt` was incorrect when more
-than one expression was being returned. Such return statements were
-effectively considered to never have side effects. This has now been fixed.
-In rare circumstances `globalValueNumber` may have incorrectly treated two
-values as the same when they were in fact distinct.

go/ql/lib/change-notes/released/0.4.0.md

@@ -0,0 +1,20 @@
+## 0.4.0
+
+### Breaking Changes
+
+* The signature of `allowImplicitRead` on `DataFlow::Configuration` and `TaintTracking::Configuration` has changed from `allowImplicitRead(DataFlow::Node node, DataFlow::Content c)` to `allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)`.
+
+### Deprecated APIs
+
+* The `BarrierGuard` class has been deprecated. Such barriers and sanitizers can now instead be created using the new `BarrierGuard` parameterized module.
+
+### Minor Analysis Improvements
+
+* The predicate `getNumParameter` on `FuncTypeExpr` has been changed to actually give the number of parameters. It previously gave the number of parameter declarations. `getNumParameterDecl` has been introduced to preserve this functionality.
+* The definition of `mayHaveSideEffects` for `ReturnStmt` was incorrect when more than one expression was being returned. Such return statements were effectively considered to never have side effects. This has now been fixed. In rare circumstances `globalValueNumber` may have incorrectly treated two values as the same when they were in fact distinct.
+* Queries that care about SQL, such as `go/sql-injection`, now recognise SQL-consuming functions belonging to the `gorqlite` and `GoFrame` packages.
+* `rsync` has been added to the list of commands which may evaluate its parameters as a shell command.
+
+### Bug Fixes
+
+* Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.6
+lastReleaseVersion: 0.4.0

go/ql/lib/qlpack.yml

@@ -1,7 +1,10 @@
 name: codeql/go-all
-version: 0.4.0-dev
+version: 0.4.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go
 library: true
 upgrades: upgrades
+dependencies:
+  codeql/tutorial: ${workspace}
+

go/ql/lib/semmle/go/AST.qll

@@ -194,24 +194,27 @@ class DeclParent extends @declparent, AstNode {
 }
 
 /**
- * An AST node whose children include fields.
+ * An AST node whose children include field declarations.
+ *
+ * A field declaration can be in a struct, a function (for parameter or result
+ * variables), or an interface (in which case it is a method or embedding spec).
  */
 class FieldParent extends @fieldparent, AstNode {
   /**
-   * Gets the `i`th field of this node.
+   * Gets the `i`th field declaration of this node.
    *
-   * Note that the precise indices of fields are considered an implementation detail
-   * and are subject to change without notice.
+   * Note that the precise indices of field declarations are considered an
+   * implementation detail and are subject to change without notice.
    */
   FieldBase getField(int i) { fields(result, this, i) }
 
   /**
-   * Gets a child field of this node in the AST.
+   * Gets a child field declaration of this node in the AST.
    */
   FieldBase getAField() { result = this.getField(_) }
 
   /**
-   * Gets the number of child fields of this node.
+   * Gets the number of child field declarations of this node.
    */
   int getNumFields() { result = count(this.getAField()) }
 }

go/ql/lib/semmle/go/Decls.qll

@@ -416,8 +416,35 @@ class AliasSpec extends @aliasspec, TypeSpec { }
 class TypeDefSpec extends @typedefspec, TypeSpec { }
 
 /**
- * A field declaration, of a struct, a function (in which case this is a parameter or result variable),
- * or an interface (in which case this is a method or embedding spec).
+ * A field declaration, in a struct, a function (for parameter or result
+ * variables), or an interface (in which case this is a method or embedding
+ * spec).
+ *
+ * Examples:
+ *
+ * ```go
+ * Name string `json:"name"`
+ * s string
+ * x, y int
+ * p *Point
+ * Close() error
+ * io.Reader
+ * ~int | float32
+ * ```
+ * as in the following code:
+ * ```go
+ * struct {
+ *   io.Reader
+ *   Name string `json:"name"`
+ *   x, y int
+ * }
+ * func (p *Point) f(s string) (x, y int) { }
+ * type MyInterface interface {
+ *   Close() error
+ *   io.Reader
+ *   ~int32 | float32
+ * }
+ * ```
  */
 class FieldBase extends @field, ExprParent {
   /**
@@ -433,6 +460,22 @@ class FieldBase extends @field, ExprParent {
 
 /**
  * A field declaration in a struct type.
+ *
+ * Examples:
+ *
+ * ```go
+ * Name string `json:"name"`
+ * x, y int
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * struct {
+ *   Name string `json:"name"`
+ *   x, y int
+ * }
+ * ```
  */
 class FieldDecl extends FieldBase, Documentable, ExprParent {
   StructTypeExpr st;
@@ -464,6 +507,20 @@ class FieldDecl extends FieldBase, Documentable, ExprParent {
 
 /**
  * An embedded field declaration in a struct.
+ *
+ * Examples:
+ *
+ * ```go
+ * io.Reader
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * struct {
+ *   io.Reader
+ * }
+ * ```
  */
 class EmbeddedFieldDecl extends FieldDecl {
   EmbeddedFieldDecl() { not exists(this.getNameExpr(_)) }
@@ -473,6 +530,20 @@ class EmbeddedFieldDecl extends FieldDecl {
 
 /**
  * A function parameter or result variable declaration.
+ *
+ * Examples:
+ *
+ * ```go
+ * s string
+ * x, y int
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * func f(s string, x, y int) { }
+ * func g() (s string, x, y int){ return }
+ * ```
  */
 class ParameterOrResultDecl extends FieldBase, Documentable, ExprParent {
   int rawIndex;
@@ -507,6 +578,19 @@ class ParameterOrResultDecl extends FieldBase, Documentable, ExprParent {
 
 /**
  * A parameter declaration.
+ *
+ * Examples:
+ *
+ * ```go
+ * s string
+ * x, y int
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * func f(s string, x, y int) { }
+ * ```
  */
 class ParameterDecl extends ParameterOrResultDecl {
   ParameterDecl() { rawIndex >= 0 }
@@ -524,6 +608,20 @@ class ParameterDecl extends ParameterOrResultDecl {
 
 /**
  * A receiver declaration in a function declaration.
+ *
+ * Examples:
+ *
+ * ```go
+ * p *Point
+ * r io.Reader
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * func (p *Point) f() { }
+ * func (r io.Reader) g() { }
+ * ```
  */
 class ReceiverDecl extends FieldBase, Documentable, ExprParent {
   FuncDecl fd;
@@ -547,6 +645,22 @@ class ReceiverDecl extends FieldBase, Documentable, ExprParent {
 
 /**
  * A result variable declaration.
+ *
+ * Examples:
+ *
+ * ```go
+ * error
+ * r io.Reader
+ * x, y int
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * func f(error) { return nil }
+ * func g(r io.Reader) { return nil }
+ * func h(x, y int) { return }
+ * ```
  */
 class ResultVariableDecl extends ParameterOrResultDecl {
   ResultVariableDecl() { rawIndex < 0 }
@@ -564,6 +678,22 @@ class ResultVariableDecl extends ParameterOrResultDecl {
 
 /**
  * A type parameter declaration in a type specification.
+ *
+ * Examples:
+ *
+ * ```go
+ * S, T comparable
+ * U any
+ * K ~int32 | float32
+ * _ any
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * type GenericStruct[S, T comparable, U any, K ~int32 | float32, _ any] struct { }
+ * func GenericFunction[S, T comparable, U any, K ~int32 | float32, _ any]() {}
+ * ```
  */
 class TypeParamDecl extends @typeparamdecl, Documentable, ExprParent {
   TypeParamDecl() { typeparamdecls(this, _, _) }
@@ -615,6 +745,24 @@ class TypeParamDecl extends @typeparamdecl, Documentable, ExprParent {
 
 /**
  * A method or embedding specification in an interface type expression.
+ *
+ * Examples:
+ *
+ * ```go
+ * Close() error
+ * io.Reader
+ * ~int32 | float32
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * type MyInterface interface {
+ *   Close() error
+ *   io.Reader
+ *   ~int32 | float32
+ * }
+ * ```
  */
 class InterfaceMemberSpec extends FieldBase, Documentable, ExprParent {
   InterfaceTypeExpr ite;
@@ -636,6 +784,20 @@ class InterfaceMemberSpec extends FieldBase, Documentable, ExprParent {
 
 /**
  * A method specification in an interface.
+ *
+ * Examples:
+ *
+ * ```go
+ * Close() error
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * type MyInterface interface {
+ *   Close() error
+ * }
+ * ```
  */
 class MethodSpec extends InterfaceMemberSpec {
   Expr name;
@@ -654,6 +816,22 @@ class MethodSpec extends InterfaceMemberSpec {
 
 /**
  * An embedding specification in an interface.
+ *
+ * Examples:
+ *
+ * ```go
+ * io.Reader
+ * ~int32 | float32
+ * ```
+ *
+ * as in the following code:
+ *
+ * ```go
+ * type MyInterface interface {
+ *   io.Reader
+ *   ~int32 | float32
+ * }
+ * ```
  */
 class EmbeddingSpec extends InterfaceMemberSpec {
   EmbeddingSpec() { not exists(this.getChildExpr(1)) }

go/ql/lib/semmle/go/Expr.qll

@@ -980,18 +980,36 @@ class StructTypeExpr extends @structtypeexpr, TypeExpr, FieldParent {
  * Examples:
  *
  * ```go
- * func(a, b int, c float32) (float32, bool)
+ * func(a int, b, c float32) (float32, bool)
  * ```
  */
 class FuncTypeExpr extends @functypeexpr, TypeExpr, ScopeNode, FieldParent {
   /** Gets the `i`th parameter of this function type (0-based). */
   ParameterDecl getParameterDecl(int i) { result = this.getField(i) and i >= 0 }
 
-  /** Gets a parameter of this function type. */
+  /**
+   * Gets a parameter declaration of this function type.
+   *
+   * For example, for `func(a int, b, c float32) (float32, bool)` the result is
+   * `a int` or `b, c float32`.
+   */
   ParameterDecl getAParameterDecl() { result = this.getParameterDecl(_) }
 
-  /** Gets the number of parameters of this function type. */
-  int getNumParameter() { result = count(this.getAParameterDecl()) }
+  /**
+   * Gets the number of parameter declarations of this function type.
+   *
+   * For example, for `func(a int, b, c float32) (float32, bool)` the result is 2:
+   * `a int` and `b, c float32`.
+   */
+  int getNumParameterDecl() { result = count(this.getAParameterDecl()) }
+
+  /**
+   * Gets the number of parameters of this function type.
+   *
+   * For example, for `func(a int, b, c float32) (float32, bool)` the result is 3:
+   * `a`, `b` and `c`.
+   */
+  int getNumParameter() { result = count(this.getAParameterDecl().getANameExpr()) }
 
   /** Gets the `i`th result of this function type (0-based). */
   ResultVariableDecl getResultDecl(int i) { result = this.getField(-(i + 1)) }
@@ -1011,9 +1029,9 @@ class FuncTypeExpr extends @functypeexpr, TypeExpr, ScopeNode, FieldParent {
 
   /** Gets the `i`th child of this node, parameters first followed by results. */
   override AstNode getUniquelyNumberedChild(int i) {
-    if i < this.getNumParameter()
+    if i < this.getNumParameterDecl()
     then result = this.getParameterDecl(i)
-    else result = this.getResultDecl(i - this.getNumParameter())
+    else result = this.getResultDecl(i - this.getNumParameterDecl())
   }
 }
 

go/ql/src/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.0
+
+### Minor Analysis Improvements
+
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
+
 ## 0.3.6
 
 No user-facing changes.

go/ql/src/change-notes/2022-12-19-alert-suppressions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be place on the line before an alert.

go/ql/src/change-notes/released/0.4.0.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be place on the line before an alert.
+## 0.4.0
+
+### Minor Analysis Improvements
+
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.3.6
+lastReleaseVersion: 0.4.0

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 0.4.0-dev
+version: 0.4.0
 groups:
   - go
   - queries

go/scripts/install-deps.sh

@@ -1,22 +0,0 @@
-#!/bin/bash
-
-# Installs any necessary QL pack dependencies from the package registry.
-# The optional argument must be a valid value for the `--mode` option to `codeql pack install`
-
-SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
-GO_ROOT=$(dirname "$SCRIPT_DIR")
-
-if [ $# -eq 0 ]; then
-    LOCK_MODE="use-lock"
-elif [ $# -eq 1 ]; then
-    LOCK_MODE=$1
-else
-    echo "Usage: install-deps.sh [<lock-mode>]"
-    echo "  lock-mode: One of 'use-lock' (default), 'verify', 'update', or 'no-lock'"
-    exit 1
-fi
-
-for d in ql/lib ql/src ql/test ql/examples
-do
-    codeql pack install --mode ${LOCK_MODE} "${GO_ROOT}/${d}"
-done

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 0.5.0
+
+### Minor Analysis Improvements
+
+* Added more dataflow models for frequently-used JDK APIs.
+* The extraction of Kotlin extension methods has been improved when default parameter values are present. The dispatch and extension receiver parameters are extracted in the correct order. The `ExtensionMethod::getExtensionReceiverParameterIndex` predicate has been introduced to facilitate getting the correct extension parameter index.
+* The query `java/insecure-cookie` now uses global dataflow to track secure cookies being set to the HTTP response object.
+* The library `PathSanitizer.qll` has been improved to detect more path validation patterns in Kotlin.
+* Models as Data models for Java are defined as data extensions instead of being inlined in the code. New models should be added in the `lib/ext` folder.
+* Added a taint model for the method `java.nio.file.Path.getParent`.
+* Fixed a problem in the taint model for the method `java.nio.file.Paths.get`.
+* Deleted the deprecated `LocalClassDeclStmtNode` and `LocalClassDeclStmt` classes from `PrintAst.qll` and `Statement.qll` respectively.
+* Deleted the deprecated `getLocalClass` predicate from `LocalTypeDeclStmt`, and the deprecated `getLocalClassDeclStmt` predicate from `LocalClassOrInterface`.
+* Added support for Android Manifest `<activity-aliases>` elements in data flow sources. 
+
+### Bug Fixes
+
+* We now correctly handle empty block comments, like `/**/`. Previously these could be mistaken for Javadoc comments and led to attribution of Javadoc tags to the wrong declaration.
+
 ## 0.4.6
 
 No user-facing changes.

java/ql/lib/change-notes/2022-10-17-android-activity-alias.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added support for Android Manifest `<activity-aliases>` elements in data flow sources. 

java/ql/lib/change-notes/2022-11-17-deleted-deps.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Deleted the deprecated `LocalClassDeclStmtNode` and `LocalClassDeclStmt` classes from `PrintAst.qll` and `Statement.qll` respectively.
-* Deleted the deprecated `getLocalClass` predicate from `LocalTypeDeclStmt`, and the deprecated `getLocalClassDeclStmt` predicate from `LocalClassOrInterface`.

java/ql/lib/change-notes/2022-11-21-paths-get-fix.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Added a taint model for the method `java.nio.file.Path.getParent`.
-* Fixed a problem in the taint model for the method `java.nio.file.Paths.get`.

java/ql/lib/change-notes/2022-11-23-mad-data-extensions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Models as Data models for Java are defined as data extensions instead of being inlined in the code. New models should be added in the `lib/ext` folder.

java/ql/lib/change-notes/2022-12-05-insecure-cookie-global-flow.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The query `java/insecure-cookie` now uses global dataflow to track secure cookies being set to the HTTP response object.

java/ql/lib/change-notes/2022-12-05-kotlin-path-sanitizer.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The library `PathSanitizer.qll` has been improved to detect more path validation patterns in Kotlin.

java/ql/lib/change-notes/2022-12-09-default-extension-methods.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The extraction of Kotlin extension methods has been improved when default parameter values are present. The dispatch and extension receiver parameters are extracted in the correct order. The `ExtensionMethod::getExtensionReceiverParameterIndex` predicate has been introduced to facilitate getting the correct extension parameter index.

java/ql/lib/change-notes/2022-12-15-empty-multiline-comments.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* We now correctly handle empty block comments, like `/**/`. Previously these could be mistaken for Javadoc comments and led to attribution of Javadoc tags to the wrong declaration.

java/ql/lib/change-notes/2022-12-16-add-top-jdk-models.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added more dataflow models for frequently-used JDK APIs.

java/ql/lib/change-notes/released/0.5.0.md

@@ -0,0 +1,18 @@
+## 0.5.0
+
+### Minor Analysis Improvements
+
+* Added more dataflow models for frequently-used JDK APIs.
+* The extraction of Kotlin extension methods has been improved when default parameter values are present. The dispatch and extension receiver parameters are extracted in the correct order. The `ExtensionMethod::getExtensionReceiverParameterIndex` predicate has been introduced to facilitate getting the correct extension parameter index.
+* The query `java/insecure-cookie` now uses global dataflow to track secure cookies being set to the HTTP response object.
+* The library `PathSanitizer.qll` has been improved to detect more path validation patterns in Kotlin.
+* Models as Data models for Java are defined as data extensions instead of being inlined in the code. New models should be added in the `lib/ext` folder.
+* Added a taint model for the method `java.nio.file.Path.getParent`.
+* Fixed a problem in the taint model for the method `java.nio.file.Paths.get`.
+* Deleted the deprecated `LocalClassDeclStmtNode` and `LocalClassDeclStmt` classes from `PrintAst.qll` and `Statement.qll` respectively.
+* Deleted the deprecated `getLocalClass` predicate from `LocalTypeDeclStmt`, and the deprecated `getLocalClassDeclStmt` predicate from `LocalClassOrInterface`.
+* Added support for Android Manifest `<activity-aliases>` elements in data flow sources. 
+
+### Bug Fixes
+
+* We now correctly handle empty block comments, like `/**/`. Previously these could be mistaken for Javadoc comments and led to attribution of Javadoc tags to the wrong declaration.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.6
+lastReleaseVersion: 0.5.0

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 0.5.0-dev
+version: 0.5.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
@@ -7,6 +7,7 @@ library: true
 upgrades: upgrades
 dependencies:
   codeql/regex: ${workspace}
+  codeql/tutorial: ${workspace}
   codeql/typetracking: ${workspace}
   codeql/util: ${workspace}
 dataExtensions:

java/ql/src/CHANGELOG.md

@@ -1,3 +1,24 @@
+## 0.5.0
+
+### New Queries
+
+* Added a new query, `java/summary/generated-vs-manual-coverage`, to expose metrics for the number of API endpoints covered by generated versus manual MaD models.
+* Added a new query, `java/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
+* Added a new query, `java/android/missing-certificate-pinning`, to find network calls where certificate pinning is not implemented.
+* Added a new query, `java/android-webview-addjavascriptinterface`, to detect the use of `addJavascriptInterface`, which can lead to cross-site scripting.
+* Added a new query, `java/android-websettings-file-access`, to detect configurations that enable file system access in Android WebViews.
+* Added a new query, `java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.
+* The query `java/regex-injection` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @edvraa](https://github.com/github/codeql/pull/5704).
+
+### Minor Analysis Improvements
+
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
+* The extensible predicates for Models as Data have been renamed (the `ext` prefix has been removed). As an example, `extSummaryModel` has been renamed to `summaryModel`.
+* The query `java/misnamed-type` is now enabled for Kotlin.
+* The query `java/non-serializable-field` is now enabled for Kotlin.
+* Fixed an issue in the query `java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.
+* The query `java/maven/non-https-url` no longer alerts about disabled repositories.
+
 ## 0.4.6
 
 ### Minor Analysis Improvements

java/ql/src/change-notes/2022-11-03-regex-injection.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* The query, `java/regex-injection`, has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @edvraa](https://github.com/github/codeql/pull/5704).

java/ql/src/change-notes/2022-11-12-android-webview-file-access.md

@@ -1,5 +0,0 @@
----
-category: newQuery
----
-* Added a new query `java/android-websettings-file-access` to detect configurations that enable file system access in Android WebViews.
-

java/ql/src/change-notes/2022-11-12-websettings-setjavascript-enabled.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.

java/ql/src/change-notes/2022-11-15-android-webview-addjavascript-interface.md

@@ -1,5 +0,0 @@
----
-category: newQuery
----
-* Added a new query `java/android-webview-addjavascriptinterface` to detect the use of `addJavascriptInterface`, which can lead to cross-site scripting.
-

java/ql/src/change-notes/2022-11-21-disabled-maven-repositories.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The query `java/maven/non-https-url` no longer alerts about disabled repositories.

java/ql/src/change-notes/2022-11-22-bitwise-implicit-intent-flags.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue in the query `java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.

java/ql/src/change-notes/2022-11-25-NamingConventionsRefTypes-kotlin.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The query `java/misnamed-type` is now enabled for Kotlin.

java/ql/src/change-notes/2022-11-25-NonSerializableField-kotlin.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The query `java/non-serializable-field` is now enabled for Kotlin.

java/ql/src/change-notes/2022-11-30-android-certificate-pinning.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `java/android/missing-certificate-pinning`, to find network calls where certificate pinning is not implemented.

java/ql/src/change-notes/2022-12-01-supported-external-apis-query.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `java/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.

java/ql/src/change-notes/2022-12-12-java-mad-metrics-query.md

@@ -1,4 +0,0 @@
----
-category: newQuery
----
-* Added a new query, `java/summary/generated-vs-manual-coverage`, to expose metrics for the number of API endpoints covered by generated versus manual MaD models.

java/ql/src/change-notes/2022-12-15-rename-mad-extensibles.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The extensible predicates for Models as Data have been renamed (the `ext` prefix has been removed). As an example `extSummaryModel` has been renamed to `summaryModel`.

java/ql/src/change-notes/released/0.5.0.md

@@ -0,0 +1,20 @@
+## 0.5.0
+
+### New Queries
+
+* Added a new query, `java/summary/generated-vs-manual-coverage`, to expose metrics for the number of API endpoints covered by generated versus manual MaD models.
+* Added a new query, `java/telemetry/supported-external-api`, to detect supported 3rd party APIs used in a codebase.
+* Added a new query, `java/android/missing-certificate-pinning`, to find network calls where certificate pinning is not implemented.
+* Added a new query, `java/android-webview-addjavascriptinterface`, to detect the use of `addJavascriptInterface`, which can lead to cross-site scripting.
+* Added a new query, `java/android-websettings-file-access`, to detect configurations that enable file system access in Android WebViews.
+* Added a new query, `java/android-websettings-javascript-enabled`, to detect if JavaScript execution is enabled in an Android WebView.
+* The query `java/regex-injection` has been promoted from experimental to the main query pack. Its results will now appear by default. This query was originally [submitted as an experimental query by @edvraa](https://github.com/github/codeql/pull/5704).
+
+### Minor Analysis Improvements
+
+* The `AlertSuppression.ql` query has been updated to support the new `// codeql[query-id]` supression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition the legacy `// lgtm` and `// lgtm[query-id]` comments can now also be placed on the line before an alert.
+* The extensible predicates for Models as Data have been renamed (the `ext` prefix has been removed). As an example, `extSummaryModel` has been renamed to `summaryModel`.
+* The query `java/misnamed-type` is now enabled for Kotlin.
+* The query `java/non-serializable-field` is now enabled for Kotlin.
+* Fixed an issue in the query `java/android/implicit-pendingintents` by which an implicit Pending Intent marked as immutable was not correctly recognized as such.
+* The query `java/maven/non-https-url` no longer alerts about disabled repositories.