Rust: Add a test case showing the lack of data flow on flag values.

Rust: Add test cases for xmlReadFd, xmlCtxtReadFile that were stubbed but not used.
Rust: Add MaD barriers, since we have that feature now.
2026-05-18 21:27:08 +02:00 · 2026-03-27 18:44:45 +00:00 · 2026-03-27 18:38:52 +00:00 · 2026-03-27 18:37:52 +00:00 · 2026-03-27 18:32:18 +00:00 · 2026-03-27 11:20:53 +00:00
1112 changed files with 14970 additions and 28991 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -45,3 +45,5 @@ updates:
    directory: "/"
    schedule:
      interval: weekly
+    exclude-paths:
+      - "misc/bazel/registry/**"
--- a/.github/workflows/compile-queries.yml
+++ b/.github/workflows/compile-queries.yml
@@ -1,78 +0,0 @@
-name: "Compile all queries using the latest stable CodeQL CLI"
-
-on:
-  push:
-    branches:  # makes sure the cache gets populated - running on the branches people tend to merge into.
-      - main
-      - "rc/*"
-      - "codeql-cli-*"
-  pull_request:
-    paths:
-      - '**.ql'
-      - '**.qll'
-      - '**/qlpack.yml'
-      - '**.dbscheme'
-
-permissions:
-  contents: read
-
-jobs:
-  detect-changes:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest
-    outputs:
-      languages: ${{ steps.detect.outputs.languages }}
-    steps:
-      - uses: actions/checkout@v5
-      - name: Detect changed languages
-        id: detect
-        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            # For PRs, detect which languages have changes
-            changed_files=$(gh pr view ${{ github.event.pull_request.number }} --json files --jq '.files.[].path')
-            languages=()
-            for lang in actions cpp csharp go java javascript python ql ruby rust swift; do
-              if echo "$changed_files" | grep -qE "^($lang/|shared/)" ; then
-                languages+=("$lang")
-              fi
-            done
-            echo "languages=$(jq -c -n '$ARGS.positional' --args "${languages[@]}")" >> $GITHUB_OUTPUT
-          else
-            # For pushes to main/rc branches, run all languages
-            echo 'languages=["actions","cpp","csharp","go","java","javascript","python","ql","ruby","rust","swift"]' >> $GITHUB_OUTPUT
-          fi
-        env:
-          GH_TOKEN: ${{ github.token }}
-
-  compile-queries:
-    needs: detect-changes
-    if: github.repository_owner == 'github' && needs.detect-changes.outputs.languages != '[]'
-    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-      matrix:
-        language: ${{ fromJson(needs.detect-changes.outputs.languages) }}
-
-    steps:
-      - uses: actions/checkout@v5
-      - name: Setup CodeQL
-        uses: ./.github/actions/fetch-codeql
-        with:
-          channel: 'release'
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with: 
-          key: ${{ matrix.language }}-queries
-      - name: check formatting
-        run: find shared ${{ matrix.language }}/ql -type f \( -name "*.qll" -o -name "*.ql" \) -print0 | xargs -0 -n 3000 -P 10 codeql query format -q --check-only
-      - name: compile queries - check-only
-        # run with --check-only if running in a PR (github.sha != main)
-        if : ${{ github.event_name == 'pull_request' }}
-        shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --check-only --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
-      - name: compile queries - full
-        # do full compile if running on main - this populates the cache
-        if : ${{ github.event_name != 'pull_request' }}
-        shell: bash
-        run: codeql query compile -q -j0 ${{ matrix.language }}/ql/{src,examples} --keep-going --warnings=error --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}" --compilation-cache-size=500 --ram=56000
--- a/.github/workflows/ruby-build.yml
+++ b/.github/workflows/ruby-build.yml
@@ -1,236 +0,0 @@
-name: "Ruby: Build"
-
-on:
-  push:
-    paths:
-      - "ruby/**"
-      - .github/workflows/ruby-build.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-      - "shared/tree-sitter-extractor/**"
-    branches:
-      - main
-      - "rc/*"
-  pull_request:
-    paths:
-      - "ruby/**"
-      - .github/workflows/ruby-build.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-      - "shared/tree-sitter-extractor/**"
-    branches:
-      - main
-      - "rc/*"
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "Version tag to create"
-        required: false
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-permissions:
-  contents: read
-
-jobs:
-  build:
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-
-    runs-on: ${{ matrix.os }}
-
-    steps:
-      - uses: actions/checkout@v5
-      - name: Install GNU tar
-        if: runner.os == 'macOS'
-        run: |
-          brew install gnu-tar
-          echo "/usr/local/opt/gnu-tar/libexec/gnubin" >> $GITHUB_PATH
-      - name: Prepare Windows
-        if: runner.os == 'Windows'
-        shell: powershell
-        run: |
-          git config --global core.longpaths true
-      - uses: ./.github/actions/os-version
-        id: os_version
-      - name: Cache entire extractor
-        uses: actions/cache@v3
-        id: cache-extractor
-        with:
-          path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
-            ruby/extractor/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-extractor-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/Cargo.lock') }}-${{ hashFiles('shared/tree-sitter-extractor') }}-${{ hashFiles('ruby/extractor/**/*.rs') }}
-      - uses: actions/cache@v3
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            target
-          key: ${{ runner.os }}-${{ steps.os_version.outputs.version }}-ruby-rust-cargo-${{ hashFiles('ruby/extractor/rust-toolchain.toml', 'ruby/extractor/**/Cargo.lock') }}
-      - name: Check formatting
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo fmt -- --check
-      - name: Build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo build --verbose
-      - name: Run tests
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo test --verbose
-      - name: Release build
-        if: steps.cache-extractor.outputs.cache-hit != 'true'
-        run: cd extractor && cargo build --release
-      - name: Generate dbscheme
-        if: ${{ matrix.os == 'ubuntu-latest' && steps.cache-extractor.outputs.cache-hit != 'true'}}
-        run: ../target/release/codeql-extractor-ruby generate --dbscheme ql/lib/ruby.dbscheme --library ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v4
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        with:
-          name: ruby.dbscheme
-          path: ruby/ql/lib/ruby.dbscheme
-      - uses: actions/upload-artifact@v4
-        if: ${{ matrix.os == 'ubuntu-latest' }}
-        with:
-          name: TreeSitter.qll
-          path: ruby/ql/lib/codeql/ruby/ast/internal/TreeSitter.qll
-      - uses: actions/upload-artifact@v4
-        with:
-          name: extractor-${{ matrix.os }}
-          path: |
-            target/release/codeql-extractor-ruby
-            target/release/codeql-extractor-ruby.exe
-          retention-days: 1
-  compile-queries:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest-xl
-    steps:
-      - uses: actions/checkout@v5
-      - name: Fetch CodeQL
-        uses: ./.github/actions/fetch-codeql
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: ruby-build
-      - name: Build Query Pack
-        run: |
-          PACKS=${{ runner.temp }}/query-packs
-          rm -rf $PACKS
-          codeql pack create ../misc/suite-helpers --output "$PACKS"
-          codeql pack create ../shared/regex --output "$PACKS"
-          codeql pack create ../shared/ssa --output "$PACKS"
-          codeql pack create ../shared/tutorial --output "$PACKS"
-          codeql pack create ql/lib --output "$PACKS"
-          codeql pack create -j0 ql/src --output "$PACKS" --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-          PACK_FOLDER=$(readlink -f "$PACKS"/codeql/ruby-queries/*)
-          codeql generate query-help --format=sarifv2.1.0 --output="${PACK_FOLDER}/rules.sarif" ql/src
-          (cd ql/src; find queries \( -name '*.qhelp' -o -name '*.rb' -o -name '*.erb' \) -exec bash -c 'mkdir -p "'"${PACK_FOLDER}"'/$(dirname "{}")"' \; -exec cp "{}" "${PACK_FOLDER}/{}" \;)
-      - uses: actions/upload-artifact@v4
-        with:
-          name: codeql-ruby-queries
-          path: |
-            ${{ runner.temp }}/query-packs/*
-          retention-days: 1
-          include-hidden-files: true
-
-  package:
-    runs-on: ubuntu-latest
-    needs: [build, compile-queries]
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/download-artifact@v4
-        with:
-          name: ruby.dbscheme
-          path: ruby/ruby
-      - uses: actions/download-artifact@v4
-        with:
-          name: extractor-ubuntu-latest
-          path: ruby/linux64
-      - uses: actions/download-artifact@v4
-        with:
-          name: extractor-windows-latest
-          path: ruby/win64
-      - uses: actions/download-artifact@v4
-        with:
-          name: extractor-macos-latest
-          path: ruby/osx64
-      - run: |
-          mkdir -p ruby
-          cp -r codeql-extractor.yml tools ql/lib/ruby.dbscheme.stats ruby/
-          mkdir -p ruby/tools/{linux64,osx64,win64}
-          cp linux64/codeql-extractor-ruby ruby/tools/linux64/extractor
-          cp osx64/codeql-extractor-ruby ruby/tools/osx64/extractor
-          cp win64/codeql-extractor-ruby.exe ruby/tools/win64/extractor.exe
-          chmod +x ruby/tools/{linux64,osx64}/extractor
-          zip -rq codeql-ruby.zip ruby
-      - uses: actions/upload-artifact@v4
-        with:
-          name: codeql-ruby-pack
-          path: ruby/codeql-ruby.zip
-          retention-days: 1
-          include-hidden-files: true
-      - uses: actions/download-artifact@v4
-        with:
-          name: codeql-ruby-queries
-          path: ruby/qlpacks
-      - run: |
-          echo '{
-            "provide": [
-            "ruby/codeql-extractor.yml",
-            "qlpacks/*/*/*/qlpack.yml"
-            ]
-          }' > .codeqlmanifest.json
-          zip -rq codeql-ruby-bundle.zip .codeqlmanifest.json ruby qlpacks
-      - uses: actions/upload-artifact@v4
-        with:
-          name: codeql-ruby-bundle
-          path: ruby/codeql-ruby-bundle.zip
-          retention-days: 1
-          include-hidden-files: true
-
-  test:
-    defaults:
-      run:
-        working-directory: ${{ github.workspace }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-latest, macos-latest, windows-latest]
-
-    runs-on: ${{ matrix.os }}
-    needs: [package]
-    steps:
-      - uses: actions/checkout@v5
-      - name: Fetch CodeQL
-        uses: ./.github/actions/fetch-codeql
-
-      - name: Download Ruby bundle
-        uses: actions/download-artifact@v4
-        with:
-          name: codeql-ruby-bundle
-          path: ${{ runner.temp }}
-      - name: Unzip Ruby bundle
-        shell: bash
-        run: unzip -q -d "${{ runner.temp }}/ruby-bundle" "${{ runner.temp }}/codeql-ruby-bundle.zip"
-
-      - name: Run QL test
-        shell: bash
-        run: |
-          codeql test run --search-path "${{ runner.temp }}/ruby-bundle" --additional-packs "${{ runner.temp }}/ruby-bundle" ruby/ql/test/library-tests/ast/constants/
-      - name: Create database
-        shell: bash
-        run: |
-          codeql database create --search-path "${{ runner.temp }}/ruby-bundle" --language ruby --source-root ruby/ql/test/library-tests/ast/constants/ ../database
-      - name: Analyze database
-        shell: bash
-        run: |
-          codeql database analyze --search-path "${{ runner.temp }}/ruby-bundle" --format=sarifv2.1.0 --output=out.sarif ../database ruby-code-scanning.qls
--- a/.github/workflows/ruby-dataset-measure.yml
+++ b/.github/workflows/ruby-dataset-measure.yml
@@ -1,75 +0,0 @@
-name: "Ruby: Collect database stats"
-
-on:
-  push:
-    branches:
-      - main
-      - "rc/*"
-    paths:
-      - ruby/ql/lib/ruby.dbscheme
-      - .github/workflows/ruby-dataset-measure.yml
-  pull_request:
-    branches:
-      - main
-      - "rc/*"
-    paths:
-      - ruby/ql/lib/ruby.dbscheme
-      - .github/workflows/ruby-dataset-measure.yml
-  workflow_dispatch:
-
-permissions:
-  contents: read
-
-jobs:
-  measure:
-    env:
-      CODEQL_THREADS: 4 # TODO: remove this once it's set by the CLI
-    strategy:
-      fail-fast: false
-      matrix:
-        repo: [rails/rails, discourse/discourse, spree/spree, ruby/ruby]
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-
-      - uses: ./.github/actions/fetch-codeql
-
-      - uses: ./ruby/actions/create-extractor-pack
-
-      - name: Checkout ${{ matrix.repo }}
-        uses: actions/checkout@v5
-        with:
-          repository: ${{ matrix.repo }}
-          path: ${{ github.workspace }}/repo
-      - name: Create database
-        run: |
-          codeql database create \
-            --search-path "${{ github.workspace }}" \
-            --threads 4 \
-            --language ruby --source-root "${{ github.workspace }}/repo" \
-            "${{ runner.temp }}/database"
-      - name: Measure database
-        run: |
-          mkdir -p "stats/${{ matrix.repo }}"
-          codeql dataset measure --threads 4 --output "stats/${{ matrix.repo }}/stats.xml" "${{ runner.temp }}/database/db-ruby"
-      - uses: actions/upload-artifact@v4
-        with:
-          name: measurements-${{ hashFiles('stats/**') }}
-          path: stats
-          retention-days: 1
-
-  merge:
-    runs-on: ubuntu-latest
-    needs: measure
-    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/download-artifact@v4
-        with:
-          path: stats
-      - run: |
-          python -m pip install --user lxml
-          find stats -name 'stats.xml' | sort | xargs python ruby/scripts/merge_stats.py --output ruby/ql/lib/ruby.dbscheme.stats --normalise ruby_tokeninfo
-      - uses: actions/upload-artifact@v4
-        with:
-          name: ruby.dbscheme.stats
-          path: ruby/ql/lib/ruby.dbscheme.stats
--- a/.github/workflows/ruby-qltest-rtjo.yml
+++ b/.github/workflows/ruby-qltest-rtjo.yml
@@ -1,40 +0,0 @@
-name: "Ruby: Run RTJO Language Tests"
-
-on:
-  pull_request:
-    types:
-      - opened
-      - synchronize
-      - reopened
-      - labeled
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-permissions:
-  contents: read
-
-jobs:
-  qltest-rtjo:
-    if: "github.repository_owner == 'github' && github.event.label.name == 'Run: RTJO Language Tests'"
-    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-    steps:
-      - uses: actions/checkout@v5
-      - uses: ./.github/actions/fetch-codeql
-      - uses: ./ruby/actions/create-extractor-pack
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: ruby-qltest
-      - name: Run QL tests
-        run: |
-          codeql test run --dynamic-join-order-mode=all --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
--- a/.github/workflows/ruby-qltest.yml
+++ b/.github/workflows/ruby-qltest.yml
@@ -1,73 +0,0 @@
-name: "Ruby: Run QL Tests"
-
-on:
-  push:
-    paths:
-      - "ruby/**"
-      - "shared/**"
-      - .github/workflows/ruby-build.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
-  pull_request:
-    paths:
-      - "ruby/**"
-      - "shared/**"
-      - .github/workflows/ruby-qltest.yml
-      - .github/actions/fetch-codeql/action.yml
-      - codeql-workspace.yml
-    branches:
-      - main
-      - "rc/*"
-
-env:
-  CARGO_TERM_COLOR: always
-
-defaults:
-  run:
-    working-directory: ruby
-
-permissions:
-  contents: read
-
-jobs:
-  qlupgrade:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v5
-      - uses: ./.github/actions/fetch-codeql
-      - name: Check DB upgrade scripts
-        run: |
-          echo >empty.trap
-          codeql dataset import -S ql/lib/upgrades/initial/ruby.dbscheme testdb empty.trap
-          codeql dataset upgrade testdb --additional-packs ql/lib
-          diff -q testdb/ruby.dbscheme ql/lib/ruby.dbscheme
-      - name: Check DB downgrade scripts
-        run: |
-          echo >empty.trap
-          rm -rf testdb; codeql dataset import -S ql/lib/ruby.dbscheme testdb empty.trap
-          codeql resolve upgrades --format=lines --allow-downgrades --additional-packs downgrades \
-           --dbscheme=ql/lib/ruby.dbscheme --target-dbscheme=downgrades/initial/ruby.dbscheme |
-           xargs codeql execute upgrades testdb
-          diff -q testdb/ruby.dbscheme downgrades/initial/ruby.dbscheme
-  qltest:
-    if: github.repository_owner == 'github'
-    runs-on: ubuntu-latest-xl
-    strategy:
-      fail-fast: false
-    steps:
-      - uses: actions/checkout@v5
-      - uses: ./.github/actions/fetch-codeql
-      - uses: ./ruby/actions/create-extractor-pack
-      - name: Cache compilation cache
-        id: query-cache
-        uses: ./.github/actions/cache-query-compilation
-        with:
-          key: ruby-qltest
-      - name: Run QL tests
-        run: |
-          codeql test run --threads=0 --ram 50000 --search-path "${{ github.workspace }}" --check-databases --check-diff-informed --check-undefined-labels --check-unused-labels --check-repeated-labels --check-redefined-labels --check-use-before-definition --consistency-queries ql/consistency-queries ql/test --compilation-cache "${{ steps.query-cache.outputs.cache-dir }}"
-        env:
-          GITHUB_TOKEN: ${{ github.token }}
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -15,14 +15,14 @@ local_path_override(
 # see https://registry.bazel.build/ for a list of available packages

 bazel_dep(name = "platforms", version = "1.0.0")
-bazel_dep(name = "rules_cc", version = "0.2.16")
-bazel_dep(name = "rules_go", version = "0.59.0")
-bazel_dep(name = "rules_java", version = "9.0.3")
-bazel_dep(name = "rules_pkg", version = "1.0.1")
+bazel_dep(name = "rules_cc", version = "0.2.17")
+bazel_dep(name = "rules_go", version = "0.60.0")
+bazel_dep(name = "rules_java", version = "9.6.1")
+bazel_dep(name = "rules_pkg", version = "1.2.0")
 bazel_dep(name = "rules_nodejs", version = "6.7.3")
 bazel_dep(name = "rules_python", version = "1.9.0")
-bazel_dep(name = "rules_shell", version = "0.6.1")
-bazel_dep(name = "bazel_skylib", version = "1.8.1")
+bazel_dep(name = "rules_shell", version = "0.7.1")
+bazel_dep(name = "bazel_skylib", version = "1.9.0")
 bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
@@ -30,7 +30,7 @@ bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
 bazel_dep(name = "gazelle", version = "0.47.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
-bazel_dep(name = "rules_rust", version = "0.68.1.codeql.1")
+bazel_dep(name = "rules_rust", version = "0.69.0")
 bazel_dep(name = "zstd", version = "1.5.7.bcr.1")

 bazel_dep(name = "buildifier_prebuilt", version = "6.4.0", dev_dependency = True)
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.4.30
+
+No user-facing changes.
+
 ## 0.4.29

 No user-facing changes.
--- a/actions/ql/lib/change-notes/released/0.4.30.md
+++ b/actions/ql/lib/change-notes/released/0.4.30.md
@@ -0,0 +1,3 @@
+## 0.4.30
+
+No user-facing changes.
--- a/actions/ql/lib/codeql-pack.release.yml
+++ b/actions/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.29
+lastReleaseVersion: 0.4.30
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.30-dev
+version: 0.4.31-dev
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 0.6.22
+
+No user-facing changes.
+
 ## 0.6.21

 No user-facing changes.
--- a/actions/ql/src/change-notes/released/0.6.22.md
+++ b/actions/ql/src/change-notes/released/0.6.22.md
@@ -0,0 +1,3 @@
+## 0.6.22
+
+No user-facing changes.
--- a/actions/ql/src/codeql-pack.release.yml
+++ b/actions/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.21
+lastReleaseVersion: 0.6.22
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.22-dev
+version: 0.6.23-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/config/add-overlay-annotations.py
+++ b/config/add-overlay-annotations.py
@@ -199,6 +199,7 @@ def annotate_as_appropriate(filename, lines):
    # as overlay[local?].  It is not clear that these heuristics are exactly what we want,
    # but they seem to work well enough for now (as determined by speed and accuracy numbers).
    if (filename.endswith("Test.qll") or
+        re.search(r"go/ql/lib/semmle/go/security/[^/]+[.]qll$", filename.replace(os.sep, "/")) or
        ((filename.endswith("Query.qll") or filename.endswith("Config.qll")) and
         any("implements DataFlow::ConfigSig" in line for line in lines))):
        return None
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -172,10 +172,6 @@
    "cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/reachability/PrintDominance.qll",
    "cpp/ql/lib/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/reachability/PrintDominance.qll"
  ],
-  "C# ControlFlowReachability": [
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll"
-  ],
  "C++ ExternalAPIs": [
    "cpp/ql/src/Security/CWE/CWE-020/ExternalAPIs.qll",
    "cpp/ql/src/Security/CWE/CWE-020/ir/ExternalAPIs.qll"
--- a/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected
@@ -52,5 +52,6 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
 ql/cpp/ql/src/Telemetry/CompilerErrors.ql
 ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
 ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
 ql/cpp/ql/src/Telemetry/MissingIncludes.ql
 ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
--- a/cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-security-and-quality.qls.expected
@@ -160,6 +160,7 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
 ql/cpp/ql/src/Telemetry/CompilerErrors.ql
 ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
 ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
 ql/cpp/ql/src/Telemetry/MissingIncludes.ql
 ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
 ql/cpp/ql/src/jsf/4.06 Pre-Processing Directives/AV Rule 32.ql
--- a/cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected
+++ b/cpp/ql/integration-tests/query-suite/cpp-security-extended.qls.expected
@@ -93,5 +93,6 @@ ql/cpp/ql/src/Summary/LinesOfUserCode.ql
 ql/cpp/ql/src/Telemetry/CompilerErrors.ql
 ql/cpp/ql/src/Telemetry/DatabaseQuality.ql
 ql/cpp/ql/src/Telemetry/ExtractionMetrics.ql
+ql/cpp/ql/src/Telemetry/ExtractorInformation.ql
 ql/cpp/ql/src/Telemetry/MissingIncludes.ql
 ql/cpp/ql/src/Telemetry/SucceededIncludes.ql
--- a/cpp/ql/lib/CHANGELOG.md
+++ b/cpp/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 8.0.1
+
+### Minor Analysis Improvements
+
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
+
 ## 8.0.0

 ### Breaking Changes
--- a/cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
+++ b/cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md
@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
--- a/cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md
+++ b/cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md
@@ -0,0 +1,5 @@
+---
+category: feature
+---
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
--- a/cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/cpp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -1,4 +1,5 @@
---
-category: minorAnalysis
---
+## 8.0.1
+
+### Minor Analysis Improvements
+
 * Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/cpp/ql/lib/codeql-pack.release.yml
+++ b/cpp/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.0
+lastReleaseVersion: 8.0.1
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.1-dev
+version: 8.0.2-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/lib/semmle/code/cpp/Function.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Function.qll
@@ -524,6 +524,12 @@ class Function extends Declaration, ControlFlowNode, AccessHolder, @function {
      not exists(NewOrNewArrayExpr new | e = new.getAllocatorCall().getArgument(0))
    )
  }
+
+  /**
+   * Holds if this function has an ambiguous return type, meaning that zero or multiple return
+   * types for this function are present in the database (this can occur in `build-mode: none`).
+   */
+  predicate hasAmbiguousReturnType() { count(this.getType()) != 1 }
 }

 pragma[noinline]
--- a/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
+++ b/cpp/ql/lib/semmle/code/cpp/commons/Printf.qll
@@ -163,12 +163,23 @@ predicate primitiveVariadicFormatter(
  )
 }

+/**
+ * Gets a function call whose target is a variadic formatter with the given
+ * `type`, `format` parameter index and `output` parameter index.
+ *
+ * Join-order helper for `callsVariadicFormatter`.
+ */
+pragma[nomagic]
+private predicate callsVariadicFormatterCall(FunctionCall fc, string type, int format, int output) {
+  variadicFormatter(fc.getTarget(), type, format, output)
+}
+
 private predicate callsVariadicFormatter(
  Function f, string type, int formatParamIndex, int outputParamIndex
 ) {
  // calls a variadic formatter with `formatParamIndex`, `outputParamIndex` linked
  exists(FunctionCall fc, int format, int output |
-    variadicFormatter(pragma[only_bind_into](fc.getTarget()), type, format, output) and
+    callsVariadicFormatterCall(fc, type, format, output) and
    fc.getEnclosingFunction() = f and
    fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
    fc.getArgument(output) = f.getParameter(outputParamIndex).getAnAccess()
@@ -176,7 +187,7 @@ private predicate callsVariadicFormatter(
  or
  // calls a variadic formatter with only `formatParamIndex` linked
  exists(FunctionCall fc, string calledType, int format, int output |
-    variadicFormatter(pragma[only_bind_into](fc.getTarget()), calledType, format, output) and
+    callsVariadicFormatterCall(fc, calledType, format, output) and
    fc.getEnclosingFunction() = f and
    fc.getArgument(format) = f.getParameter(formatParamIndex).getAnAccess() and
    not fc.getArgument(output) = f.getParameter(_).getAnAccess() and
--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowDispatch.qll
@@ -238,7 +238,12 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {

  private import TypeTracking<Location, TtInput>::TypeTrack<qualifierSource/1>::Graph<qualifierOfVirtualCall/1>

-  private predicate edgePlus(PathNode n1, PathNode n2) = fastTC(edges/2)(n1, n2)
+  private predicate isSource(PathNode n) { n.isSource() }
+
+  private predicate isSink(PathNode n) { n.isSink() }
+
+  private predicate edgePlus(PathNode n1, PathNode n2) =
+    doublyBoundedFastTC(edges/2, isSource/1, isSink/1)(n1, n2)

  /**
   * Gets the most specific implementation of `mf` that may be called when the
@@ -255,6 +260,15 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
    )
  }

+  pragma[nomagic]
+  private MemberFunction mostSpecificForSource(PathNode p1, MemberFunction mf) {
+    p1.isSource() and
+    exists(Class derived |
+      qualifierSourceImpl(p1.getNode(), derived) and
+      result = mostSpecific(mf, derived)
+    )
+  }
+
  /**
   * Gets a possible pair of end-points `(p1, p2)` where:
   * - `p1` is a derived-to-base conversion that converts from some
@@ -264,16 +278,16 @@ private module TrackVirtualDispatch<methodDispatchSig/1 virtualDispatch0> {
   * - `callable` is the most specific implementation that may be called when
   * the qualifier has type `derived`.
   */
+  bindingset[p1, p2]
+  pragma[inline_late]
  private predicate pairCand(
    PathNode p1, PathNode p2, DataFlowPrivate::DataFlowCallable callable,
    DataFlowPrivate::DataFlowCall call
  ) {
-    exists(Class derived, MemberFunction mf |
-      qualifierSourceImpl(p1.getNode(), derived) and
+    p2.isSink() and
+    exists(MemberFunction mf |
      qualifierOfVirtualCallImpl(p2.getNode(), call.asCallInstruction(), mf) and
-      p1.isSource() and
-      p2.isSink() and
-      callable.asSourceCallable() = mostSpecific(mf, derived)
+      callable.asSourceCallable() = mostSpecificForSource(p1, mf)
    )
  }

--- a/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
+++ b/cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/DataFlowNodes.qll
@@ -321,6 +321,12 @@ module Public {
     */
    Operand asIndirectOperand(int index) { hasOperandAndIndex(this, result, index) }

+    /**
+     * Gets the instruction that is indirectly tracked by this node behind
+     * `index` number of indirections.
+     */
+    Instruction asIndirectInstruction(int index) { hasInstructionAndIndex(this, result, index) }
+
    /**
     * Holds if this node is at index `i` in basic block `block`.
     *
@@ -617,6 +623,25 @@ module Public {
     */
    LocalVariable asUninitialized() { result = this.(UninitializedNode).getLocalVariable() }

+    /**
+     * Gets the uninitialized local variable corresponding to this node behind
+     * `index` number of indirections, if any.
+     */
+    LocalVariable asIndirectUninitialized(int index) {
+      exists(IndirectUninitializedNode indirectUninitializedNode |
+        this = indirectUninitializedNode and
+        indirectUninitializedNode.getIndirectionIndex() = index
+      |
+        result = indirectUninitializedNode.getLocalVariable()
+      )
+    }
+
+    /**
+     * Gets the uninitialized local variable corresponding to this node behind
+     * a number indirections, if any.
+     */
+    LocalVariable asIndirectUninitialized() { result = this.asIndirectUninitialized(_) }
+
    /**
     * Gets the positional parameter corresponding to the node that represents
     * the value of the parameter after `index` number of loads, if any. For
@@ -761,16 +786,13 @@ module Public {
    final override Type getType() { result = this.getPreUpdateNode().getType() }
  }

-  /**
-   * The value of an uninitialized local variable, viewed as a node in a data
-   * flow graph.
-   */
-  class UninitializedNode extends Node {
+  abstract private class AbstractUninitializedNode extends Node {
    LocalVariable v;
+    int indirectionIndex;

-    UninitializedNode() {
+    AbstractUninitializedNode() {
      exists(SsaImpl::Definition def, SsaImpl::SourceVariable sv |
-        def.getIndirectionIndex() = 0 and
+        def.getIndirectionIndex() = indirectionIndex and
        def.getValue().asInstruction() instanceof UninitializedInstruction and
        SsaImpl::defToNode(this, def, sv) and
        v = sv.getBaseVariable().(SsaImpl::BaseIRVariable).getIRVariable().getAst()
@@ -781,6 +803,25 @@ module Public {
    LocalVariable getLocalVariable() { result = v }
  }

+  /**
+   * The value of an uninitialized local variable, viewed as a node in a data
+   * flow graph.
+   */
+  class UninitializedNode extends AbstractUninitializedNode {
+    UninitializedNode() { indirectionIndex = 0 }
+  }
+
+  /**
+   * The value of an uninitialized local variable behind one or more levels of
+   * indirection, viewed as a node in a data flow graph.
+   */
+  class IndirectUninitializedNode extends AbstractUninitializedNode {
+    IndirectUninitializedNode() { indirectionIndex > 0 }
+
+    /** Gets the indirection index of this node. */
+    int getIndirectionIndex() { result = indirectionIndex }
+  }
+
  /**
   * The value of a parameter at function entry, viewed as a node in a data
   * flow graph. This includes both explicit parameters such as `x` in `f(x)`
@@ -795,6 +836,12 @@ module Public {
  /** An explicit positional parameter, including `this`, but not `...`. */
  final class DirectParameterNode = AbstractDirectParameterNode;

+  /**
+   * A node representing an indirection of a positional parameter,
+   * including `*this`, but not `*...`.
+   */
+  final class IndirectParameterNode = AbstractIndirectParameterNode;
+
  final class ExplicitParameterNode = AbstractExplicitParameterNode;

  /** An implicit `this` parameter. */
@@ -954,11 +1001,6 @@ module Public {

 private import Public

-/**
- * A node representing an indirection of a parameter.
- */
-final class IndirectParameterNode = AbstractIndirectParameterNode;
-
 /**
 * A class that lifts pre-SSA dataflow nodes to regular dataflow nodes.
 */
--- a/cpp/ql/src/CHANGELOG.md
+++ b/cpp/ql/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.5.13
+
+No user-facing changes.
+
 ## 1.5.12

 No user-facing changes.
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -218,7 +218,9 @@ where
  // only report if we cannot prove that the result of the
  // multiplication will be less (resp. greater) than the
  // maximum (resp. minimum) number we can compute.
-  overflows(me, t1)
+  overflows(me, t1) and
+  // exclude cases where the expression type may not have been extracted accurately
+  not me.getParent().(Call).getTarget().hasAmbiguousReturnType()
 select me,
  "Multiplication result may overflow '" + me.getType().toString() + "' before it is converted to '"
    + me.getFullyConverted().getType().toString() + "'."
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -168,9 +168,11 @@ where
    formatOtherArgType(ffc, n, expected, arg, actual) and
    not actual.getUnspecifiedType().(IntegralType).getSize() = sizeof_IntType()
  ) and
+  // Exclude some cases where we're less confident the result is correct / clear / valuable
  not arg.isAffectedByMacro() and
  not arg.isFromUninstantiatedTemplate(_) and
  not actual.stripType() instanceof ErroneousType and
+  not arg.getType().stripType().(RoutineType).getReturnType() instanceof ErroneousType and
  not arg.(Call).mayBeFromImplicitlyDeclaredFunction() and
  // Make sure that the format function definition is consistent
  count(ffc.getTarget().getFormatParameterIndex()) = 1
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 7.8
 * @precision high
 * @id cpp/cgi-xss
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -23,13 +23,31 @@ import Flow::PathGraph

 predicate isSource(FlowSource source, string sourceType) { sourceType = source.getSourceType() }

+/**
+ * Holds if `f` is a printf-like function or a (possibly nested) wrapper
+ * that forwards a format-string parameter to one.
+ *
+ * Functions that *implement* printf-like behavior (e.g. a custom
+ * `vsnprintf` variant) internally parse the caller-supplied format string
+ * and build small, bounded, local format strings such as `"%d"` or `"%ld"`
+ * for inner `sprintf` calls.  Taint that reaches those inner calls via the
+ * parsed format specifier is not exploitable, so sinks inside such
+ * functions should be excluded.
+ */
+private predicate isPrintfImplementation(Function f) {
+  f instanceof PrintfLikeFunction
+  or
+  exists(PrintfLikeFunction printf | printf.wrapperFunction(f, _, _))
+}
+
 module Config implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node node) { isSource(node, _) }

  predicate isSink(DataFlow::Node node) {
    exists(PrintfLikeFunction printf |
      printf.outermostWrapperFunctionCall([node.asExpr(), node.asIndirectExpr()], _)
-    )
+    ) and
+    not isPrintfImplementation([node.asExpr(), node.asIndirectExpr()].getEnclosingFunction())
  }

  private predicate isArithmeticNonCharType(ArithmeticType type) {
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -18,7 +18,8 @@ import IncorrectPointerScalingCommon
 private predicate isCharSzPtrExpr(Expr e) {
  exists(PointerType pt | pt = e.getFullyConverted().getUnspecifiedType() |
    pt.getBaseType() instanceof CharType or
-    pt.getBaseType() instanceof VoidType
+    pt.getBaseType() instanceof VoidType or
+    pt.getBaseType() instanceof ErroneousType // this could be char / void type in a successful compilation
  )
 }

--- a/cpp/ql/src/Telemetry/DatabaseQuality.qll
+++ b/cpp/ql/src/Telemetry/DatabaseQuality.qll
@@ -0,0 +1,48 @@
+import cpp
+import codeql.util.ReportStats
+
+/** A file that is included in the quality statistics. */
+private class RelevantFile extends File {
+  RelevantFile() { this.fromSource() and exists(this.getRelativePath()) }
+}
+
+module CallTargetStats implements StatsSig {
+  private class RelevantCall extends Call {
+    RelevantCall() { this.getFile() instanceof RelevantFile }
+  }
+
+  // We assume that calls with an implicit target are calls that could not be
+  // resolved. This is accurate in the vast majority of cases, but is inaccurate
+  // for calls that deliberately rely on implicitly declared functions.
+  private predicate hasImplicitTarget(RelevantCall call) {
+    call.getTarget().getADeclarationEntry().isImplicit()
+  }
+
+  int getNumberOfOk() { result = count(RelevantCall call | not hasImplicitTarget(call)) }
+
+  int getNumberOfNotOk() { result = count(RelevantCall call | hasImplicitTarget(call)) }
+
+  string getOkText() { result = "calls with call target" }
+
+  string getNotOkText() { result = "calls with missing call target" }
+}
+
+private class SourceExpr extends Expr {
+  SourceExpr() { this.getFile() instanceof RelevantFile }
+}
+
+private predicate hasGoodType(Expr e) { not e.getType() instanceof ErroneousType }
+
+module ExprTypeStats implements StatsSig {
+  int getNumberOfOk() { result = count(SourceExpr e | hasGoodType(e)) }
+
+  int getNumberOfNotOk() { result = count(SourceExpr e | not hasGoodType(e)) }
+
+  string getOkText() { result = "expressions with known type" }
+
+  string getNotOkText() { result = "expressions with unknown type" }
+}
+
+module CallTargetStatsReport = ReportStats<CallTargetStats>;
+
+module ExprTypeStatsReport = ReportStats<ExprTypeStats>;
--- a/cpp/ql/src/Telemetry/ExtractorInformation.ql
+++ b/cpp/ql/src/Telemetry/ExtractorInformation.ql
@@ -0,0 +1,28 @@
+/**
+ * @name C/C++ extraction information
+ * @description Information about the extraction for a C/C++ database
+ * @kind metric
+ * @tags summary telemetry
+ * @id cpp/telemetry/extraction-information
+ */
+
+import cpp
+import DatabaseQuality
+
+from string key, float value
+where
+  (
+    CallTargetStatsReport::numberOfOk(key, value) or
+    CallTargetStatsReport::numberOfNotOk(key, value) or
+    CallTargetStatsReport::percentageOfOk(key, value) or
+    ExprTypeStatsReport::numberOfOk(key, value) or
+    ExprTypeStatsReport::numberOfNotOk(key, value) or
+    ExprTypeStatsReport::percentageOfOk(key, value)
+  ) and
+  /* Infinity */
+  value != 1.0 / 0.0 and
+  /* -Infinity */
+  value != -1.0 / 0.0 and
+  /* NaN */
+  value != 0.0 / 0.0
+select key, value
--- a/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
+++ b/cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
+++ b/cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md
@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
--- a/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
+++ b/cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
+++ b/cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
--- a/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
+++ b/cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
--- a/cpp/ql/src/change-notes/released/1.5.13.md
+++ b/cpp/ql/src/change-notes/released/1.5.13.md
@@ -0,0 +1,3 @@
+## 1.5.13
+
+No user-facing changes.
--- a/cpp/ql/src/codeql-pack.release.yml
+++ b/cpp/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.12
+lastReleaseVersion: 1.5.13
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.13-dev
+version: 1.5.14-dev
 groups:
  - cpp
  - queries
--- a/Bugs/Arithmetic/IntMultToLong/Buildless.c
+++ b/Bugs/Arithmetic/IntMultToLong/Buildless.c
@@ -0,0 +1,28 @@
+// semmle-extractor-options: --expect_errors
+
+void test_float_double1(float f, double d) {
+    float r1 = f * f; // GOOD
+    float r2 = f * d; // GOOD
+    double r3 = f * f; // BAD
+    double r4 = f * d; // GOOD
+
+    float f1 = fabsf(f * f); // GOOD
+    float f2 = fabsf(f * d); // GOOD
+    double f3 = fabs(f * f); // BAD [NOT DETECTED]
+    double f4 = fabs(f * d); // GOOD
+}
+
+double fabs(double f);
+float fabsf(float f);
+
+void test_float_double2(float f, double d) {
+    float r1 = f * f; // GOOD
+    float r2 = f * d; // GOOD
+    double r3 = f * f; // BAD
+    double r4 = f * d; // GOOD
+
+    float f1 = fabsf(f * f); // GOOD
+    float f2 = fabsf(f * d); // GOOD
+    double f3 = fabs(f * f); // BAD [NOT DETECTED]
+    double f4 = fabs(f * d); // GOOD
+}
--- a/Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected
+++ b/Bugs/Arithmetic/IntMultToLong/IntMultToLong.expected
@@ -1,3 +1,5 @@
+| Buildless.c:6:17:6:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
+| Buildless.c:21:17:21:21 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
 | IntMultToLong.c:4:10:4:14 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
 | IntMultToLong.c:7:16:7:20 | ... * ... | Multiplication result may overflow 'int' before it is converted to 'long long'. |
 | IntMultToLong.c:18:19:18:23 | ... * ... | Multiplication result may overflow 'float' before it is converted to 'double'. |
--- a/Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
+++ b/Bugs/Format/WrongTypeFormatArguments/Buildless/WrongTypeFormatArguments.expected
@@ -1 +1,3 @@
+| second.cpp:26:18:26:39 | ... - ... | This format specifier for type 'int' does not match the argument type 'long'. |
+| second.cpp:29:18:29:39 | ... - ... | This format specifier for type 'unsigned int' does not match the argument type 'long'. |
 | tests.c:7:18:7:18 | 1 | This format specifier for type 'char *' does not match the argument type 'int'. |
--- a/Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp
+++ b/Bugs/Format/WrongTypeFormatArguments/Buildless/first.cpp
@@ -0,0 +1,3 @@
+
+// defines type size_t plausibly
+typedef unsigned long size_t;
--- a/Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
+++ b/Bugs/Format/WrongTypeFormatArguments/Buildless/second.cpp
@@ -0,0 +1,32 @@
+// semmle-extractor-options: --expect_errors
+
+int printf(const char * format, ...);
+
+// defines type `myFunctionPointerType`, referencing `size_t`
+typedef size_t (*myFunctionPointerType) ();
+
+void test_size_t() {
+    size_t s = 0;
+
+    printf("%zd", s); // GOOD
+    printf("%zi", s); // GOOD
+    printf("%zu", s); // GOOD (we generally permit signedness changes)
+    printf("%zx", s); // GOOD (we generally permit signedness changes)
+    printf("%d", s); // BAD [NOT DETECTED]
+    printf("%ld", s); // DUBIOUS [NOT DETECTED]
+    printf("%lld", s); // DUBIOUS [NOT DETECTED]
+    printf("%u", s); // BAD [NOT DETECTED]
+
+    char buffer[1024];
+
+    printf("%zd", &buffer[1023] - buffer); // GOOD
+    printf("%zi", &buffer[1023] - buffer); // GOOD
+    printf("%zu", &buffer[1023] - buffer); // GOOD
+    printf("%zx", &buffer[1023] - buffer); // GOOD
+    printf("%d", &buffer[1023] - buffer); // BAD
+    printf("%ld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED]
+    printf("%lld", &buffer[1023] - buffer); // DUBIOUS [NOT DETECTED]
+    printf("%u", &buffer[1023] - buffer); // BAD
+    // (for the `%ld` and `%lld` cases, the signedness and type sizes match, `%zd` would be most correct
+    //  and robust but the developer may know enough to make this safe)
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/SuspiciousAddWithSizeof.expected
@@ -1,3 +1,5 @@
+| buildless.cpp:5:15:5:25 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const short * | const short * |
+| buildless.cpp:6:13:6:23 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | const int * | const int * |
 | test.cpp:6:30:6:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
 | test.cpp:14:30:14:40 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
 | test.cpp:22:25:22:35 | sizeof(int) | Suspicious sizeof offset in a pointer arithmetic expression. The type of the pointer is $@. | file://:0:0:0:0 | int * | int * |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/buildless.cpp
@@ -0,0 +1,10 @@
+// semmle-extractor-options: --expect_errors
+
+void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32) {
+  *(p_c + sizeof(int)); // GOOD (`sizeof(char)` is 1)
+  *(p_short + sizeof(int)); // BAD
+  *(p_int + sizeof(int)); // BAD
+  *(p_8 + sizeof(int)); // GOOD (`sizeof(uint8_t)` is 1, but there's an error in the type)
+  *(p_16 + sizeof(int)); // BAD [NOT DETECTED]
+  *(p_32 + sizeof(int)); // BAD [NOT DETECTED]
+}
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-468/semmle/SuspiciousAddWithSizeof/test.cpp
@@ -93,3 +93,9 @@ private:
  myChar * const myCharsPointer;
  myInt * const myIntsPointer;
 };
+
+typedef unsigned char uint8_t;
+typedef unsigned short uint16_t;
+typedef unsigned int uint32_t;
+
+void test_buildless(const char *p_c, const short *p_short, const int *p_int, const uint8_t *p_8, const uint16_t *p_16, const uint32_t *p_32);
--- a/csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/assignments.ql
+++ b/csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/assignments.ql
@@ -0,0 +1,177 @@
+class Expr extends @expr {
+  string toString() { none() }
+}
+
+class Location extends @location {
+  string toString() { none() }
+}
+
+newtype TAddedElement =
+  TAssignment(CompoundAssignmentExpr e) or
+  TLhs(CompoundAssignmentExpr e) or
+  TRhs(CompoundAssignmentExpr e)
+
+module Fresh = QlBuiltins::NewEntity<TAddedElement>;
+
+class TNewExpr = @expr or Fresh::EntityId;
+
+class NewExpr extends TNewExpr {
+  string toString() { none() }
+}
+
+class TNewControlFlowElement = @control_flow_element or Fresh::EntityId;
+
+class NewControlFlowElement extends TNewControlFlowElement {
+  string toString() { none() }
+}
+
+class TypeOrRef extends @type_or_ref {
+  string toString() { none() }
+}
+
+class Callable extends @callable {
+  string toString() { none() }
+}
+
+class Accessible extends @accessible {
+  string toString() { none() }
+}
+
+predicate assignmentKind(int kind) {
+  // | 63 = @simple_assign_expr
+  // | 80 = @add_event_expr
+  // | 81 = @remove_event_expr
+  // | 83 = @local_var_decl_expr
+  kind = [63, 80, 81, 83]
+}
+
+predicate compoundAssignmentKind(int kind) {
+  // | 64 = @assign_add_expr
+  // | 65 = @assign_sub_expr
+  // | 66 = @assign_mul_expr
+  // | 67 = @assign_div_expr
+  // | 68 = @assign_rem_expr
+  // | 69 = @assign_and_expr
+  // | 70 = @assign_xor_expr
+  // | 71 = @assign_or_expr
+  // | 72 = @assign_lshift_expr
+  // | 73 = @assign_rshift_expr
+  // | 119 = @assign_coalesce_expr
+  // | 134 = @assign_urshift_expr
+  kind = [64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 119, 134]
+}
+
+int getOperatorKindFromAssignmentKind(int kind) {
+  kind = 64 and result = 44 // @assign_add_expr -> @add_expr
+  or
+  kind = 65 and result = 45 // @assign_sub_expr -> @sub_expr
+  or
+  kind = 66 and result = 41 // @assign_mul_expr -> @mul_expr
+  or
+  kind = 67 and result = 42 // @assign_div_expr -> @div_expr
+  or
+  kind = 68 and result = 43 // @assign_rem_expr -> @rem_expr
+  or
+  kind = 69 and result = 54 // @assign_and_expr -> @bit_and_expr
+  or
+  kind = 70 and result = 55 // @assign_xor_expr -> @bit_xor_expr
+  or
+  kind = 71 and result = 56 // @assign_or_expr -> @bit_or_expr
+  or
+  kind = 72 and result = 46 // @assign_lshift_expr -> @lshift_expr
+  or
+  kind = 73 and result = 47 // @assign_rshift_expr -> @rshift_expr
+  or
+  kind = 119 and result = 61 // @assign_coalesce_expr -> @coalesce_expr
+  or
+  kind = 134 and result = 133 // @assign_urshift_expr -> @urshift_expr
+}
+
+predicate isAssignment(Expr ass) {
+  exists(int kind | assignmentKind(kind) | expressions(ass, kind, _))
+}
+
+class CompoundAssignmentExpr extends Expr {
+  CompoundAssignmentExpr() {
+    exists(int kind | compoundAssignmentKind(kind) | expressions(this, kind, _))
+  }
+}
+
+query predicate new_expressions(NewExpr e, int kind, TypeOrRef t) {
+  expressions(e, kind, t)
+  or
+  // Introduce expanded expression nodes.
+  exists(CompoundAssignmentExpr compound, int kind0, Expr e1, int kind1 |
+    expressions(compound, kind0, t) and
+    expressions(e1, kind1, _) and
+    expr_parent(e1, 0, compound)
+  |
+    Fresh::map(TAssignment(compound)) = e and kind = 63
+    or
+    Fresh::map(TLhs(compound)) = e and kind = kind1
+    or
+    Fresh::map(TRhs(compound)) = e and kind = getOperatorKindFromAssignmentKind(kind0)
+  )
+}
+
+query predicate new_expr_parent(NewExpr e, int child, NewControlFlowElement parent) {
+  if isAssignment(parent)
+  then
+    // Swap children for assignments, local variable declarations and add/remove event.
+    child = 0 and expr_parent(e, 1, parent)
+    or
+    child = 1 and expr_parent(e, 0, parent)
+  else (
+    exists(CompoundAssignmentExpr compound |
+      Fresh::map(TAssignment(compound)) = e and child = 2 and parent = compound
+      or
+      Fresh::map(TLhs(compound)) = e and child = 1 and parent = Fresh::map(TAssignment(compound))
+      or
+      Fresh::map(TRhs(compound)) = e and child = 0 and parent = Fresh::map(TAssignment(compound))
+      or
+      expr_parent(e, child, compound) and parent = Fresh::map(TRhs(compound))
+    )
+    or
+    // Copy the expr_parent relation except for compound assignment edges.
+    expr_parent(e, child, parent) and not parent instanceof CompoundAssignmentExpr
+  )
+}
+
+query predicate new_expr_location(NewExpr e, Location loc) {
+  expr_location(e, loc)
+  or
+  exists(CompoundAssignmentExpr compound |
+    Fresh::map(TAssignment(compound)) = e and expr_location(compound, loc)
+    or
+    Fresh::map(TLhs(compound)) = e and
+    exists(Expr child | expr_location(child, loc) and expr_parent(child, 0, compound))
+    or
+    Fresh::map(TRhs(compound)) = e and expr_location(compound, loc)
+  )
+}
+
+query predicate new_expr_call(NewExpr e, Callable c) {
+  expr_call(e, c) and not e instanceof CompoundAssignmentExpr
+  or
+  exists(CompoundAssignmentExpr compound |
+    Fresh::map(TRhs(compound)) = e and expr_call(compound, c)
+  )
+}
+
+query predicate new_dynamic_member_name(NewExpr e, string name) {
+  dynamic_member_name(e, name) and not e instanceof CompoundAssignmentExpr
+  or
+  exists(CompoundAssignmentExpr compound |
+    Fresh::map(TRhs(compound)) = e and dynamic_member_name(compound, name)
+  )
+}
+
+query predicate new_expr_access(NewExpr e, Accessible a) {
+  expr_access(e, a)
+  or
+  exists(CompoundAssignmentExpr compound, Expr access |
+    expr_parent(access, 0, compound) and
+    expr_access(access, a) and
+    Fresh::map(TLhs(compound)) = e
+  )
+}
--- a/csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/old.dbscheme
+++ b/csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/old.dbscheme
--- a/csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/semmlecode.csharp.dbscheme
+++ b/csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/semmlecode.csharp.dbscheme
--- a/csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/upgrade.properties
+++ b/csharp/downgrades/19b8cc3e2dc768d4cbc03d6e3773b709bbebd036/upgrade.properties
@@ -0,0 +1,8 @@
+description: Remove operation kinds for operations, introduce expanded assignments and rotate assignment child expressions.
+compatibility: partial
+expr_parent.rel: run assignments.ql new_expr_parent
+expressions.rel: run assignments.ql new_expressions
+expr_location.rel: run assignments.ql new_expr_location
+expr_call.rel: run assignments.ql new_expr_call
+dynamic_member_name.rel: run assignments.ql new_dynamic_member_name
+expr_access.rel: run assignments.ql new_expr_access
--- a/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/IDotNetCliInvoker.cs
@@ -12,16 +12,18 @@ namespace Semmle.Extraction.CSharp.DependencyFetching

        /// <summary>
        /// A minimal environment for running the .NET CLI.
-        /// 
+        ///
        /// DOTNET_CLI_UI_LANGUAGE: The .NET CLI language is set to English to avoid localized output.
        /// MSBUILDDISABLENODEREUSE: To ensure clean environment for each build.
        /// DOTNET_SKIP_FIRST_TIME_EXPERIENCE: To skip first time experience messages.
+        /// DOTNET_CLI_TELEMETRY_OPTOUT: To skip any dotnet telemetry: it's unnecessary and can even cause issues.
        /// </summary>
        static ReadOnlyDictionary<string, string> MinimalEnvironment { get; } = new(new Dictionary<string, string>
        {
            {"DOTNET_CLI_UI_LANGUAGE", "en"},
            {"MSBUILDDISABLENODEREUSE", "1"},
-            {"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"}
+            {"DOTNET_SKIP_FIRST_TIME_EXPERIENCE", "true"},
+            {"DOTNET_CLI_TELEMETRY_OPTOUT", "1"}
        });

        /// <summary>
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Assignment.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Assignment.cs
@@ -22,26 +22,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions

        protected override void PopulateExpression(TextWriter trapFile)
        {
-            var operatorKind = OperatorKind;
-            if (operatorKind.HasValue)
-            {
-                // Convert assignment such as `a += b` into `a = a + b`.
-                var simpleAssignExpr = new Expression(new ExpressionInfo(Context, Type, Location, ExprKind.SIMPLE_ASSIGN, this, 2, isCompilerGenerated: true, null));
-                Create(Context, Syntax.Left, simpleAssignExpr, 1);
-                var opexpr = new Expression(new ExpressionInfo(Context, Type, Location, operatorKind.Value, simpleAssignExpr, 0, isCompilerGenerated: true, null));
-                Create(Context, Syntax.Left, opexpr, 0, isCompilerGenerated: true);
-                Create(Context, Syntax.Right, opexpr, 1);
-                opexpr.OperatorCall(trapFile, Syntax);
-            }
-            else
-            {
-                Create(Context, Syntax.Left, this, 1);
-                Create(Context, Syntax.Right, this, 0);
+            Create(Context, Syntax.Left, this, 0);
+            Create(Context, Syntax.Right, this, 1);

-                if (Kind == ExprKind.ADD_EVENT || Kind == ExprKind.REMOVE_EVENT)
-                {
-                    OperatorCall(trapFile, Syntax);
-                }
+            if (Kind != ExprKind.SIMPLE_ASSIGN && Kind != ExprKind.ASSIGN_COALESCE)
+            {
+                OperatorCall(trapFile, Syntax);
            }
        }

@@ -108,56 +94,5 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions

            return kind;
        }
-
-        /// <summary>
-        /// Gets the kind of this assignment operator (<code>null</code> if the
-        /// assignment is not an assignment operator). For example, the operator
-        /// kind of `*=` is `*`.
-        /// </summary>
-        private ExprKind? OperatorKind
-        {
-            get
-            {
-                var kind = Kind;
-                if (kind == ExprKind.REMOVE_EVENT || kind == ExprKind.ADD_EVENT || kind == ExprKind.SIMPLE_ASSIGN)
-                    return null;
-
-                if (CallType.AdjustKind(kind) == ExprKind.OPERATOR_INVOCATION)
-                    return ExprKind.OPERATOR_INVOCATION;
-
-                switch (kind)
-                {
-                    case ExprKind.ASSIGN_ADD:
-                        return ExprKind.ADD;
-                    case ExprKind.ASSIGN_AND:
-                        return ExprKind.BIT_AND;
-                    case ExprKind.ASSIGN_DIV:
-                        return ExprKind.DIV;
-                    case ExprKind.ASSIGN_LSHIFT:
-                        return ExprKind.LSHIFT;
-                    case ExprKind.ASSIGN_MUL:
-                        return ExprKind.MUL;
-                    case ExprKind.ASSIGN_OR:
-                        return ExprKind.BIT_OR;
-                    case ExprKind.ASSIGN_REM:
-                        return ExprKind.REM;
-                    case ExprKind.ASSIGN_RSHIFT:
-                        return ExprKind.RSHIFT;
-                    case ExprKind.ASSIGN_URSHIFT:
-                        return ExprKind.URSHIFT;
-                    case ExprKind.ASSIGN_SUB:
-                        return ExprKind.SUB;
-                    case ExprKind.ASSIGN_XOR:
-                        return ExprKind.BIT_XOR;
-                    case ExprKind.ASSIGN_COALESCE:
-                        return ExprKind.NULL_COALESCING;
-                    default:
-                        Context.ModelError(Syntax, $"Couldn't unfold assignment of type {kind}");
-                        return ExprKind.UNKNOWN;
-                }
-            }
-        }
-
-        public new CallType CallType => GetCallType(Context, Syntax);
    }
 }
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Initializer.cs
@@ -83,8 +83,22 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                {
                    var assignmentInfo = new ExpressionNodeInfo(Context, init, this, child++).SetKind(ExprKind.SIMPLE_ASSIGN);
                    var assignmentEntity = new Expression(assignmentInfo);
+                    var target = Context.GetSymbolInfo(assignment.Left);
+
+                    // If the target is null, then assume that this is an array initializer (of the form `[...] = ...`)
+                    var access = target.Symbol is null ?
+                        new Expression(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 0).SetKind(ExprKind.ARRAY_ACCESS)) :
+                        Access.Create(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 0), target.Symbol, false, Context.CreateEntity(target.Symbol));
+
+                    if (assignment.Left is ImplicitElementAccessSyntax iea)
+                    {
+                        // An array/indexer initializer of the form `[...] = ...`
+                        access.PopulateArguments(trapFile, iea.ArgumentList.Arguments, 0);
+                    }
+
                    var typeInfoRight = Context.GetTypeInfo(assignment.Right);
                    if (typeInfoRight.Type is null)
+                    {
                        // The type may be null for nested initializers such as
                        // ```csharp
                        // new ClassWithArrayField() { As = { [0] = a } }
@@ -92,21 +106,8 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                        // In this case we take the type from the assignment
                        // `As = { [0] = a }` instead
                        typeInfoRight = assignmentInfo.TypeInfo;
-                    CreateFromNode(new ExpressionNodeInfo(Context, assignment.Right, assignmentEntity, 0, typeInfoRight));
-
-                    var target = Context.GetSymbolInfo(assignment.Left);
-
-                    // If the target is null, then assume that this is an array initializer (of the form `[...] = ...`)
-
-                    var access = target.Symbol is null ?
-                        new Expression(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 1).SetKind(ExprKind.ARRAY_ACCESS)) :
-                        Access.Create(new ExpressionNodeInfo(Context, assignment.Left, assignmentEntity, 1), target.Symbol, false, Context.CreateEntity(target.Symbol));
-
-                    if (assignment.Left is ImplicitElementAccessSyntax iea)
-                    {
-                        // An array/indexer initializer of the form `[...] = ...`
-                        access.PopulateArguments(trapFile, iea.ArgumentList.Arguments, 0);
                    }
+                    CreateFromNode(new ExpressionNodeInfo(Context, assignment.Right, assignmentEntity, 1, typeInfoRight));
                }
                else
                {
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ObjectCreation/AnonymousObjectCreation.cs
@@ -41,11 +41,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                var loc = Context.CreateLocation(init.GetLocation());

                var assignment = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.SIMPLE_ASSIGN, objectInitializer, child++, isCompilerGenerated: false, null));
-                Create(Context, init.Expression, assignment, 0);
                Property.Create(Context, property);
-
-                var access = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.PROPERTY_ACCESS, assignment, 1, isCompilerGenerated: false, null));
+                var access = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.PROPERTY_ACCESS, assignment, 0, isCompilerGenerated: false, null));
                trapFile.expr_access(access, propEntity);
+
+                Create(Context, init.Expression, assignment, 1);
            }
        }
    }
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Query.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Query.cs
@@ -94,12 +94,12 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                    child
                    );

-                Expression.Create(cx, Expr, decl, 0);
-
                var nameLoc = cx.CreateLocation(name.GetLocation());
-                var access = new Expression(new ExpressionInfo(cx, type, nameLoc, ExprKind.LOCAL_VARIABLE_ACCESS, decl, 1, isCompilerGenerated: false, null));
+                var access = new Expression(new ExpressionInfo(cx, type, nameLoc, ExprKind.LOCAL_VARIABLE_ACCESS, decl, 0, isCompilerGenerated: false, null));
                cx.TrapWriter.Writer.expr_access(access, LocalVariable.Create(cx, variableSymbol));

+                Expression.Create(cx, Expr, decl, 1);
+
                return decl;
            }

--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/VariableDeclaration.cs
@@ -176,11 +176,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions

                if (d.Initializer is not null)
                {
-                    Create(cx, d.Initializer.Value, ret, 0);
-
                    // Create an access
-                    var access = new Expression(new ExpressionInfo(cx, type, localVar.Location, ExprKind.LOCAL_VARIABLE_ACCESS, ret, 1, isCompilerGenerated: false, null));
+                    var access = new Expression(new ExpressionInfo(cx, type, localVar.Location, ExprKind.LOCAL_VARIABLE_ACCESS, ret, 0, isCompilerGenerated: false, null));
                    cx.TrapWriter.Writer.expr_access(access, localVar);
+
+                    Create(cx, d.Initializer.Value, ret, 1);
                }

                if (d.Parent is VariableDeclarationSyntax decl)
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Field.cs
@@ -116,9 +116,9 @@ namespace Semmle.Extraction.CSharp.Entities
        {
            var type = Symbol.GetAnnotatedType();
            var simpleAssignExpr = new Expression(new ExpressionInfo(Context, type, loc, ExprKind.SIMPLE_ASSIGN, this, child++, isCompilerGenerated: true, constValue));
-            Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer, simpleAssignExpr, 0));
-            var access = new Expression(new ExpressionInfo(Context, type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 1, isCompilerGenerated: true, constValue));
+            var access = new Expression(new ExpressionInfo(Context, type, Location, ExprKind.FIELD_ACCESS, simpleAssignExpr, 0, isCompilerGenerated: true, constValue));
            trapFile.expr_access(access, this);
+            Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer, simpleAssignExpr, 1));
            return access;
        }

--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Property.cs
@@ -94,9 +94,9 @@ namespace Semmle.Extraction.CSharp.Entities
                        var loc = Context.CreateLocation(initializer!.GetLocation());
                        var annotatedType = AnnotatedTypeSymbol.CreateNotAnnotated(Symbol.Type);
                        var simpleAssignExpr = new Expression(new ExpressionInfo(Context, annotatedType, loc, ExprKind.SIMPLE_ASSIGN, this, child++, isCompilerGenerated: true, null));
-                        Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Value, simpleAssignExpr, 0));
-                        var access = new Expression(new ExpressionInfo(Context, annotatedType, Location, ExprKind.PROPERTY_ACCESS, simpleAssignExpr, 1, isCompilerGenerated: true, null));
+                        var access = new Expression(new ExpressionInfo(Context, annotatedType, Location, ExprKind.PROPERTY_ACCESS, simpleAssignExpr, 0, isCompilerGenerated: true, null));
                        trapFile.expr_access(access, this);
+                        Expression.CreateFromNode(new ExpressionNodeInfo(Context, initializer.Value, simpleAssignExpr, 1));
                        if (!Symbol.IsStatic)
                        {
                            This.CreateImplicit(Context, Symbol.ContainingType, Location, access, -1);
--- a/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.61
+
+No user-facing changes.
+
 ## 1.7.60

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.61.md
+++ b/csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.61.md
@@ -0,0 +1,3 @@
+## 1.7.61
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.60
+lastReleaseVersion: 1.7.61
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.61-dev
+version: 1.7.62-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
+++ b/csharp/ql/campaigns/Solorigate/src/CHANGELOG.md
@@ -1,3 +1,7 @@
+## 1.7.61
+
+No user-facing changes.
+
 ## 1.7.60

 No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/ModifiedFnvFunctionDetection.ql
+++ b/csharp/ql/campaigns/Solorigate/src/ModifiedFnvFunctionDetection.ql
@@ -16,16 +16,9 @@ import experimental.code.csharp.Cryptography.NonCryptographicHashes
 from Variable v, Literal l, LoopStmt loop, Expr additional_xor
 where
  maybeUsedInFnvFunction(v, _, _, loop) and
-  (
-    exists(BitwiseXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-      loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
-      xor2.getAnOperand() = v.getAnAccess()
-    )
-    or
-    exists(AssignXorExpr xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
-      loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
-      xor2.getAnOperand() = v.getAnAccess()
-    )
+  exists(BitwiseXorOperation xor2 | xor2.getAnOperand() = l and additional_xor = xor2 |
+    loop.getAControlFlowExitNode().getASuccessor*() = xor2.getAControlFlowNode() and
+    xor2.getAnOperand() = v.getAnAccess()
  )
 select l, "This literal is used in an $@ after an FNV-like hash calculation with variable $@.",
  additional_xor, "additional xor", v, v.toString()
--- a/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.61.md
+++ b/csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.61.md
@@ -0,0 +1,3 @@
+## 1.7.61
+
+No user-facing changes.
--- a/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
+++ b/csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.60
+lastReleaseVersion: 1.7.61
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.61-dev
+version: 1.7.62-dev
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/consistency-queries/CfgConsistency.ql
+++ b/csharp/ql/consistency-queries/CfgConsistency.ql
@@ -1,63 +1,5 @@
 import csharp
 import semmle.code.csharp.controlflow.internal.Completion
-import semmle.code.csharp.controlflow.internal.PreBasicBlocks
 import ControlFlow
 import semmle.code.csharp.controlflow.internal.ControlFlowGraphImpl::Consistency
 import semmle.code.csharp.controlflow.internal.Splitting
-
-private predicate splitBB(ControlFlow::BasicBlock bb) {
-  exists(ControlFlow::Node first |
-    first = bb.getFirstNode() and
-    first.isJoin() and
-    strictcount(first.getAPredecessor().getAstNode()) = 1
-  )
-}
-
-private class RelevantBasicBlock extends ControlFlow::BasicBlock {
-  RelevantBasicBlock() { not splitBB(this) }
-}
-
-predicate bbStartInconsistency(ControlFlowElement cfe) {
-  exists(RelevantBasicBlock bb | bb.getFirstNode() = cfe.getAControlFlowNode()) and
-  not cfe = any(PreBasicBlock bb).getFirstElement()
-}
-
-predicate bbSuccInconsistency(ControlFlowElement pred, ControlFlowElement succ) {
-  exists(RelevantBasicBlock predBB, RelevantBasicBlock succBB |
-    predBB.getLastNode() = pred.getAControlFlowNode() and
-    succBB = predBB.getASuccessor() and
-    succBB.getFirstNode() = succ.getAControlFlowNode()
-  ) and
-  not exists(PreBasicBlock predBB, PreBasicBlock succBB |
-    predBB.getLastNode() = pred and
-    succBB = predBB.getASuccessor() and
-    succBB.getFirstElement() = succ
-  )
-}
-
-predicate bbIntraSuccInconsistency(ControlFlowElement pred, ControlFlowElement succ) {
-  exists(ControlFlow::BasicBlock bb, int i |
-    pred.getAControlFlowNode() = bb.getNode(i) and
-    succ.getAControlFlowNode() = bb.getNode(i + 1)
-  ) and
-  not exists(PreBasicBlock bb |
-    bb.getLastNode() = pred and
-    bb.getASuccessor().getFirstElement() = succ
-  ) and
-  not exists(PreBasicBlock bb, int i |
-    bb.getNode(i) = pred and
-    bb.getNode(i + 1) = succ
-  )
-}
-
-query predicate preBasicBlockConsistency(ControlFlowElement cfe1, ControlFlowElement cfe2, string s) {
-  bbStartInconsistency(cfe1) and
-  cfe2 = cfe1 and
-  s = "start inconsistency"
-  or
-  bbSuccInconsistency(cfe1, cfe2) and
-  s = "succ inconsistency"
-  or
-  bbIntraSuccInconsistency(cfe1, cfe2) and
-  s = "intra succ inconsistency"
-}
--- a/csharp/ql/consistency-queries/DataFlowConsistency.ql
+++ b/csharp/ql/consistency-queries/DataFlowConsistency.ql
@@ -35,9 +35,7 @@ private module Input implements InputSig<Location, CsharpDataFlow> {
    or
    n.asExpr().(ObjectCreation).hasInitializer()
    or
-    exists(
-      n.(PostUpdateNode).getPreUpdateNode().asExprAtNode(LocalFlow::getPostUpdateReverseStep(_))
-    )
+    n.(PostUpdateNode).getPreUpdateNode().asExpr() = LocalFlow::getPostUpdateReverseStep(_)
  }

  predicate argHasPostUpdateExclude(ArgumentNode n) {
--- a/csharp/ql/integration-tests/all-platforms/autobuild/global.json
+++ b/csharp/ql/integration-tests/all-platforms/autobuild/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/autobuild_slnx/global.json
+++ b/csharp/ql/integration-tests/all-platforms/autobuild_slnx/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/binlog/global.json
+++ b/csharp/ql/integration-tests/all-platforms/binlog/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/binlog_multiple/global.json
+++ b/csharp/ql/integration-tests/all-platforms/binlog_multiple/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/global.json
+++ b/csharp/ql/integration-tests/all-platforms/blazor/BlazorTest/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/blazor/Files.expected
+++ b/csharp/ql/integration-tests/all-platforms/blazor/Files.expected
@@ -14,12 +14,12 @@
 | BlazorTest/obj/Debug/net10.0/EmbeddedAttribute.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/EmbeddedAttribute.cs |
 | BlazorTest/obj/Debug/net10.0/ValidatableTypeAttribute.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/ValidatableTypeAttribute.cs |
 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs:0:0:0:0 | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs |
--- a/csharp/ql/integration-tests/all-platforms/blazor/XSS.expected
+++ b/csharp/ql/integration-tests/all-platforms/blazor/XSS.expected
@@ -3,8 +3,8 @@
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
 edges
-| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
+| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
 models
 | 1 | Sink: Microsoft.AspNetCore.Components; MarkupString; false; MarkupString; (System.String); ; Argument[0]; html-injection; manual |
 | 2 | Source: Microsoft.AspNetCore.Components; SupplyParameterFromQueryAttribute; false; ; ; Attribute.Getter; ReturnValue; remote; manual |
@@ -14,5 +14,5 @@ nodes
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
 | BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | semmle.label | access to property QueryParam : String |
-| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
+| BlazorTest/obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
 subpaths
--- a/csharp/ql/integration-tests/all-platforms/blazor/global.json
+++ b/csharp/ql/integration-tests/all-platforms/blazor/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/global.json
+++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/BlazorTest/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/Files.expected
+++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/Files.expected
@@ -8,13 +8,13 @@
 | BlazorTest/Components/Routes.razor |
 | BlazorTest/Components/_Imports.razor |
 | BlazorTest/Program.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_App_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_MainLayout_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Layout_NavMenu_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyInput_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_MyOutput_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_Error_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Routes_razor.g.cs |
-| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components__Imports_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/App_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/MainLayout_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Layout/NavMenu_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyInput_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/MyOutput_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/Error_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Routes_razor.g.cs |
+| [...]/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/_Imports_razor.g.cs |
 | test-db/working/implicitUsings/GlobalUsings.g.cs |
--- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.expected
+++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/XSS.expected
@@ -3,8 +3,8 @@
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
 edges
-| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
-| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
+| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
+| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
 models
 | 1 | Sink: Microsoft.AspNetCore.Components; MarkupString; false; MarkupString; (System.String); ; Argument[0]; html-injection; manual |
 | 2 | Source: Microsoft.AspNetCore.Components; SupplyParameterFromQueryAttribute; false; ; ; Attribute.Getter; ReturnValue; remote; manual |
@@ -14,5 +14,5 @@ nodes
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
 | BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | semmle.label | access to property QueryParam : String |
-| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
+| test-db/working/razor/AC613014E59A413B9538FF8068364499/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components/Pages/TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
 subpaths
--- a/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/global.json
+++ b/csharp/ql/integration-tests/all-platforms/blazor_build_mode_none/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/conditional_compilation/global.json
+++ b/csharp/ql/integration-tests/all-platforms/conditional_compilation/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/cshtml/Files.expected
+++ b/csharp/ql/integration-tests/all-platforms/cshtml/Files.expected
@@ -5,4 +5,4 @@
 | obj/Debug/net10.0/cshtml.GlobalUsings.g.cs:0:0:0:0 | obj/Debug/net10.0/cshtml.GlobalUsings.g.cs |
 | obj/Debug/net10.0/cshtml.RazorAssemblyInfo.cs:0:0:0:0 | obj/Debug/net10.0/cshtml.RazorAssemblyInfo.cs |
 | obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.AspNetCore.App.SourceGenerators/Microsoft.AspNetCore.SourceGenerators.PublicProgramSourceGenerator/PublicTopLevelProgram.Generated.g.cs |
-| obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
+| obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs:0:0:0:0 | obj/Debug/net10.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |
--- a/csharp/ql/integration-tests/all-platforms/cshtml/global.json
+++ b/csharp/ql/integration-tests/all-platforms/cshtml/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone/Files.expected
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone/Files.expected
@@ -1,4 +1,4 @@
 | Program.cs |
 | Views/Home/Index.cshtml |
 | test-db/working/implicitUsings/GlobalUsings.g.cs |
-| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
+| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone/global.json
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_disabled/global.json
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_disabled/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/global.json
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_flowsteps/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_net6/Files.expected
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_net6/Files.expected
@@ -1,4 +1,4 @@
 | Program.cs |
 | Views/Home/Index.cshtml |
 | test-db/working/implicitUsings/GlobalUsings.g.cs |
-| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/[...]/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views_Home_Index_cshtml.g.cs |
+| test-db/working/razor/EC52D77FE9BF67AD10C5C3F248392316/[...]/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Views/Home/Index_cshtml.g.cs |
--- a/csharp/ql/integration-tests/all-platforms/cshtml_standalone_net6/global.json
+++ b/csharp/ql/integration-tests/all-platforms/cshtml_standalone_net6/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "6.0.418"
+        "version": "10.0.201"
    }
-}
+}
--- a/csharp/ql/integration-tests/all-platforms/diag_dotnet_incompatible/global.json
+++ b/csharp/ql/integration-tests/all-platforms/diag_dotnet_incompatible/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/csharp/ql/integration-tests/all-platforms/diag_missing_project_files/global.json
+++ b/csharp/ql/integration-tests/all-platforms/diag_missing_project_files/global.json
@@ -1,5 +1,5 @@
 {
    "sdk": {
-        "version": "10.0.100"
+        "version": "10.0.201"
    }
 }
--- a/Show More
+++ b/Show More