Python: Address Copilot's comments

This one is potentially a bit iffy -- it checks for a very powerful
property (that implies many of the other queries), but as the test
results show, it can produce false positives when there is in fact no
problem. We may want to get rid of it entirely, if it becomes too noisy.

Cargo.toml

@@ -8,7 +8,6 @@ members = [
     "shared/yeast-macros",
     "ruby/extractor",
     "unified/extractor",
-    "unified/extractor/tree-sitter-swift",
     "rust/extractor",
     "rust/extractor/macros",
     "rust/ast-generator",

MODULE.bazel

@@ -100,63 +100,61 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.102",
-    "vendor_ts__argfile-1.0.0",
-    "vendor_ts__cc-1.2.62",
+    "vendor_ts__anyhow-1.0.100",
+    "vendor_ts__argfile-0.2.1",
     "vendor_ts__chalk-ir-0.104.0",
-    "vendor_ts__chrono-0.4.44",
-    "vendor_ts__clap-4.6.1",
+    "vendor_ts__chrono-0.4.42",
+    "vendor_ts__clap-4.5.48",
     "vendor_ts__dunce-1.0.5",
-    "vendor_ts__either-1.16.0",
+    "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
     "vendor_ts__figment-0.10.19",
-    "vendor_ts__flate2-1.1.9",
+    "vendor_ts__flate2-1.1.2",
     "vendor_ts__glob-0.3.3",
-    "vendor_ts__globset-0.4.18",
+    "vendor_ts__globset-0.4.16",
     "vendor_ts__itertools-0.14.0",
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
     "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.106",
-    "vendor_ts__quote-1.0.45",
-    "vendor_ts__ra_ap_base_db-0.0.328",
-    "vendor_ts__ra_ap_cfg-0.0.328",
-    "vendor_ts__ra_ap_hir-0.0.328",
-    "vendor_ts__ra_ap_hir_def-0.0.328",
-    "vendor_ts__ra_ap_hir_expand-0.0.328",
-    "vendor_ts__ra_ap_hir_ty-0.0.328",
-    "vendor_ts__ra_ap_ide_db-0.0.328",
-    "vendor_ts__ra_ap_intern-0.0.328",
-    "vendor_ts__ra_ap_load-cargo-0.0.328",
-    "vendor_ts__ra_ap_parser-0.0.328",
-    "vendor_ts__ra_ap_paths-0.0.328",
-    "vendor_ts__ra_ap_project_model-0.0.328",
-    "vendor_ts__ra_ap_span-0.0.328",
-    "vendor_ts__ra_ap_stdx-0.0.328",
-    "vendor_ts__ra_ap_syntax-0.0.328",
-    "vendor_ts__ra_ap_vfs-0.0.328",
-    "vendor_ts__rand-0.10.1",
-    "vendor_ts__rayon-1.12.0",
-    "vendor_ts__regex-1.12.3",
+    "vendor_ts__proc-macro2-1.0.101",
+    "vendor_ts__quote-1.0.41",
+    "vendor_ts__ra_ap_base_db-0.0.301",
+    "vendor_ts__ra_ap_cfg-0.0.301",
+    "vendor_ts__ra_ap_hir-0.0.301",
+    "vendor_ts__ra_ap_hir_def-0.0.301",
+    "vendor_ts__ra_ap_hir_expand-0.0.301",
+    "vendor_ts__ra_ap_hir_ty-0.0.301",
+    "vendor_ts__ra_ap_ide_db-0.0.301",
+    "vendor_ts__ra_ap_intern-0.0.301",
+    "vendor_ts__ra_ap_load-cargo-0.0.301",
+    "vendor_ts__ra_ap_parser-0.0.301",
+    "vendor_ts__ra_ap_paths-0.0.301",
+    "vendor_ts__ra_ap_project_model-0.0.301",
+    "vendor_ts__ra_ap_span-0.0.301",
+    "vendor_ts__ra_ap_stdx-0.0.301",
+    "vendor_ts__ra_ap_syntax-0.0.301",
+    "vendor_ts__ra_ap_vfs-0.0.301",
+    "vendor_ts__rand-0.9.2",
+    "vendor_ts__rayon-1.11.0",
+    "vendor_ts__regex-1.11.3",
     "vendor_ts__serde-1.0.228",
-    "vendor_ts__serde_json-1.0.150",
-    "vendor_ts__serde_with-3.20.0",
+    "vendor_ts__serde_json-1.0.145",
+    "vendor_ts__serde_with-3.14.1",
     "vendor_ts__serde_yaml-0.9.34-deprecated",
-    "vendor_ts__syn-2.0.117",
-    "vendor_ts__toml-1.1.2-spec-1.1.0",
-    "vendor_ts__tracing-0.1.44",
+    "vendor_ts__syn-2.0.106",
+    "vendor_ts__toml-0.9.7",
+    "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
-    "vendor_ts__tracing-subscriber-0.3.23",
-    "vendor_ts__tree-sitter-0.26.9",
+    "vendor_ts__tracing-subscriber-0.3.20",
+    "vendor_ts__tree-sitter-0.26.8",
     "vendor_ts__tree-sitter-embedded-template-0.25.0",
-    "vendor_ts__tree-sitter-generate-0.26.9",
     "vendor_ts__tree-sitter-json-0.24.8",
-    "vendor_ts__tree-sitter-language-0.1.7",
     "vendor_ts__tree-sitter-python-0.23.6",
     "vendor_ts__tree-sitter-ql-0.23.1",
     "vendor_ts__tree-sitter-ruby-0.23.1",
-    "vendor_ts__triomphe-0.1.15",
+    "vendor_ts__tree-sitter-swift-0.7.2",
+    "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
     "vendor_ts__zstd-0.13.3",
 )
@@ -164,12 +162,12 @@ use_repo(
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
 # rust-analyzer sources needed by the rust ast-generator (see `rust/ast-generator/README.md`)
-RUST_ANALYZER_SRC_TAG = "2026-04-13"
+RUST_ANALYZER_SRC_TAG = "2025-01-07"
 
 http_archive(
     name = "rust-analyzer-src",
     build_file = "//rust/ast-generator:BUILD.rust-analyzer-src.bazel",
-    integrity = "sha256-UB/+EVx/6j4VGvnb7jfRqPaoc7Uwci3rEt6il+2J1Ds=",
+    integrity = "sha256-eo8mIaUafZL8LOM65bDIIIXw1rNQ/P/x5RK/XUtgo5g=",
     patch_args = ["-p1"],
     patches = [
         "//rust/ast-generator:patches/rust-analyzer.patch",

actions/ql/examples/snippets/uses_pinned_sha.ql

@@ -8,5 +8,5 @@
 import actions
 
 from UsesStep uses
-where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}([A-Fa-f0-9]{24})?$")
+where uses.getVersion().regexpMatch("^[A-Fa-f0-9]{40}$")
 select uses, "This 'uses' step has a pinned SHA version."

actions/ql/lib/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 0.4.36
-
-### Minor Analysis Improvements
-
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
-
 ## 0.4.35
 
 No user-facing changes.

actions/ql/lib/change-notes/2026-04-15-poisonable-steps-additions-alterations.md

@@ -1,5 +1,4 @@
-## 0.4.36
-
-### Minor Analysis Improvements
-
-* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.
+---
+category: minorAnalysis
+---
+* Altered 2 patterns in the `poisonable_steps` modelling. Extra sinks are detected in the following cases: scripts executed via python modules and `go run` in directories are detected as potential mechanisms of injection. For the go execution pattern, the pattern is updated to now ignore flags that occur between go and the specific command. This change may lead to more results being detected by the following queries: `actions/untrusted-checkout/high`, `actions/untrusted-checkout/critical`, `actions/untrusted-checkout-toctou/high`, `actions/untrusted-checkout-toctou/critical`, `actions/cache-poisoning/poisonable-step`, `actions/cache-poisoning/direct-cache` and `actions/artifact-poisoning/path-traversal`.

actions/ql/lib/change-notes/2026-05-12-improved-alphanumeric-regex.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.36
+lastReleaseVersion: 0.4.35

actions/ql/lib/codeql/actions/Bash.qll

@@ -785,22 +785,7 @@ module Bash {
 
   /**
    * Holds if the given regex is used to match an alphanumeric string
-   * eg: `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$`
+   * eg: `^[0-9a-zA-Z]{40}$`, `^[0-9]+$` or `^[a-zA-Z0-9_]+$`
    */
-  string alphaNumericRegex() {
-    exists(string r1, string r2, string r3, string r4 |
-      // An alphanumeric character class
-      r1 = "\\[([09azAZ_-]+)\\]" and
-      // The same as above, followed by a quantifier like `+` or `{20}`
-      r2 = r1 + "(\\+|\\{\\d+\\})" and
-      // The same as above, possibly with parentheses around it
-      r3 = "\\(?" + r2 + "\\)?" and
-      // The same as above, possibly with a `?` after it
-      r4 = r3 + "\\??"
-    |
-      // The same as above, repeated one or more times, and with `^` at the
-      // beginning and `$` at the end
-      result = "^\\^(" + r4 + ")+\\$$"
-    )
-  }
+  string alphaNumericRegex() { result = "^\\^\\[([09azAZ_-]+)\\](\\+|\\{\\d+\\})\\$$" }
 }

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.37-dev
+version: 0.4.36-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,17 +1,3 @@
-## 0.6.28
-
-### Query Metadata Changes
-
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
-
-### Minor Analysis Improvements
-
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
-
-### Bug Fixes
-
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 
-
 ## 0.6.27
 
 No user-facing changes.

actions/ql/src/Security/CWE-829/UnpinnedActionsTag.ql

@@ -1,5 +1,5 @@
 /**
- * @name Unpinned tag for a non-immutable Action in workflow or composite action
+ * @name Unpinned tag for a non-immutable Action in workflow
  * @description Using a tag for a non-immutable Action that is not pinned to a commit can lead to executing an untrusted Action through a supply chain attack.
  * @kind problem
  * @security-severity 5.0
@@ -15,9 +15,7 @@ import actions
 import codeql.actions.security.UseOfUnversionedImmutableAction
 
 bindingset[version]
-private predicate isPinnedCommit(string version) {
-  version.regexpMatch("^[A-Fa-f0-9]{40}([A-Fa-f0-9]{24})?$")
-}
+private predicate isPinnedCommit(string version) { version.regexpMatch("^[A-Fa-f0-9]{40}$") }
 
 bindingset[nwo]
 private predicate isTrustedOwner(string nwo) {
@@ -33,26 +31,15 @@ private predicate isPinnedContainer(string version) {
 bindingset[nwo]
 private predicate isContainerImage(string nwo) { nwo.regexpMatch("^docker://.+") }
 
-private predicate getStepContainerName(UsesStep uses, string name) {
-  exists(Workflow workflow |
-    uses.getEnclosingWorkflow() = workflow and
-    (
-      workflow.getName() = name
-      or
-      not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
-    )
-  )
-  or
-  exists(CompositeAction action |
-    uses.getEnclosingCompositeAction() = action and
-    name = action.getLocation().getFile().getBaseName()
-  )
-}
-
-from UsesStep uses, string nwo, string version, string name
+from UsesStep uses, string nwo, string version, Workflow workflow, string name
 where
   uses.getCallee() = nwo and
-  getStepContainerName(uses, name) and
+  uses.getEnclosingWorkflow() = workflow and
+  (
+    workflow.getName() = name
+    or
+    not exists(workflow.getName()) and workflow.getLocation().getFile().getBaseName() = name
+  ) and
   uses.getVersion() = version and
   not isTrustedOwner(nwo) and
   not (if isContainerImage(nwo) then isPinnedContainer(version) else isPinnedCommit(version)) and

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutCritical.ql

@@ -51,6 +51,5 @@ where
   event.getName() = checkoutTriggers() and
   not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout")) and
   not exists(ControlCheck check | check.protects(poisonable, event, "untrusted-checkout"))
-select checkout, checkout, poisonable,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
-  event, event.getName()
+select poisonable, checkout, poisonable,
+  "Potential execution of untrusted code on a privileged workflow ($@)", event, event.getName()

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutHigh.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a privileged context
+ * @name Checkout of untrusted code in privileged context without privileged context use
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.
@@ -42,6 +42,5 @@ where
     not event.getName() = "issue_comment" and
     not exists(ControlCheck check | check.protects(checkout, event, "untrusted-checkout"))
   )
-select checkout,
-  "Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@).",
-  event, event.getName()
+select checkout, "Potential execution of untrusted code on a privileged workflow ($@)", event,
+  event.getName()

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.md

@@ -27,7 +27,7 @@ Certain triggers automatically grant a workflow elevated privileges:
   * An attacker forks the repository and adds malicious code (e.g., in the build script)
   * The attacker opens a PR from the fork, and, if needed, comments on the PR
   * The workflow in the base repository checks out the forked code
-  * The workflow runs the malicious code
+  * The workflow runs, (e.g. the build script etc.), which contains the malicious code
 
 Please note that not only build scripts can be malicious code vectors. There is a large number of other possibilities. Some of them are listed in the [LOTP](https://boostsecurityio.github.io/lotp/) catalog.
 
@@ -41,8 +41,6 @@ The best practice is to handle the potentially untrusted pull request via the **
 
 The artifacts downloaded from the first workflow should be considered untrusted and must be verified.
 
-Additionally, ensure that least privilege are used both at the workflow level (through event triggers and workflow permissions) and job level (through job permissions).
-
 ## Example
 
 ### Incorrect Usage
@@ -165,5 +163,4 @@ jobs:
 
 - GitHub Security Lab Research: [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/).
 - Mitigating risks of untrusted checkout: [GitHub Docs](https://docs.github.com/en/enterprise-cloud@latest/actions/reference/security/secure-use#mitigating-the-risks-of-untrusted-code-checkout).
-- Securing with least privilege: [Workflow secure use](https://docs.github.com/en/actions/reference/security/secure-use).
 - Living Off the Pipeline: [LOTP](https://boostsecurityio.github.io/lotp/).

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

@@ -1,5 +1,5 @@
 /**
- * @name Checkout of untrusted code in a trusted context
+ * @name Checkout of untrusted code in trusted context
  * @description Privileged workflows have read/write access to the base repository and access to secrets.
  *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
  *              that is able to push to the base repository and to access secrets.

actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-helpfile.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/change-notes/2026-04-15-untrusted-checkout-improvements-metadata.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.

actions/ql/src/change-notes/2026-05-05-untrusted-checkout-high.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.

actions/ql/src/change-notes/2026-05-12-sha256-pinned-actions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-alert.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-helpfile.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-metadata.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.

actions/ql/src/change-notes/released/0.6.28.md

@@ -1,13 +0,0 @@
-## 0.6.28
-
-### Query Metadata Changes
-
-* Adjusted the name of `actions/untrusted-checkout/high` to more clearly describe which parts of the scenario are in a privileged context.
-
-### Minor Analysis Improvements
-
-* The `actions/unpinned-tag` query now analyzes composite action metadata (`action.yml`/`action.yaml` files) in addition to workflow files, providing more comprehensive detection of unpinned action references across the entire Actions ecosystem.
-
-### Bug Fixes
-
-* Fixed help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Previously the messages were unclear as to why and how the vulnerabilities could occur. 

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.28
+lastReleaseVersion: 0.6.27

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.29-dev
+version: 0.6.28-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-829/.github/actions/unpinned-tag/action.yml

@@ -1,6 +0,0 @@
-name: Composite unpinned tag test
-runs:
-  using: "composite"
-  steps:
-    - uses: foo/bar@v2
-    - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb

actions/ql/test/query-tests/Security/CWE-829/.github/workflows/unpinned_tags.yml

@@ -11,9 +11,3 @@ jobs:
     - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb
     - uses: docker://foo/bar@latest
     - uses: docker://foo/bar@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9
-    # SHA-256 pinned (64 hex chars) - should NOT be flagged
-    - uses: foo/bar@25b062c917b0c75f8b47d8469aff6c94ffd89abb25b062c917b0c75f8b47d84d
-    # SHA-1 pinned (40 hex chars) regression - should NOT be flagged
-    - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2
-    # Invalid 50-char hex string - should be flagged
-    - uses: foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5

actions/ql/test/query-tests/Security/CWE-829/UnpinnedActionsTag.expected

@@ -1,4 +1,3 @@
-| .github/actions/unpinned-tag/action.yml:5:13:5:22 | foo/bar@v2 | Unpinned 3rd party Action 'action.yml' step $@ uses 'foo/bar' with ref 'v2', not a pinned commit hash | .github/actions/unpinned-tag/action.yml:5:7:6:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:19:13:19:36 | completely/fakeaction@v2 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'completely/fakeaction' with ref 'v2', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:23:13:23:37 | fakerepo/comment-on-pr@v1 | Unpinned 3rd party Action 'actor_trusted_checkout.yml' step $@ uses 'fakerepo/comment-on-pr' with ref 'v1', not a pinned commit hash | .github/workflows/actor_trusted_checkout.yml:23:7:26:21 | Uses Step | Uses Step |
 | .github/workflows/artifactpoisoning21.yml:13:15:13:49 | dawidd6/action-download-artifact@v2 | Unpinned 3rd party Action 'Pull Request Open' step $@ uses 'dawidd6/action-download-artifact' with ref 'v2', not a pinned commit hash | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | Uses Step |
@@ -34,4 +33,3 @@
 | .github/workflows/test18.yml:37:21:37:63 | sonarsource/sonarcloud-github-action@master | Unpinned 3rd party Action 'Sonar' step $@ uses 'sonarsource/sonarcloud-github-action' with ref 'master', not a pinned commit hash | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:13:10:22 | foo/bar@v1 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'v1', not a pinned commit hash | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | Uses Step |
 | .github/workflows/unpinned_tags.yml:12:13:12:35 | docker://foo/bar@latest | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'docker://foo/bar' with ref 'latest', not a pinned commit hash | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | Uses Step |
-| .github/workflows/unpinned_tags.yml:19:13:19:70 | foo/bar@a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5 | Unpinned 3rd party Action 'unpinned_tags.yml' step $@ uses 'foo/bar' with ref 'a1b2c3d4e5f6a1b2c3d4e5f6a1b2c3d4e5f6a1b2a1b2c3d4e5', not a pinned commit hash | .github/workflows/unpinned_tags.yml:19:7:19:71 | Uses Step | Uses Step |

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutCritical.expected

@@ -8,7 +8,6 @@ edges
 | .github/actions/download-artifact/action.yaml:25:7:29:4 | Run Step | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/artifactpoisoning91.yml:19:9:25:6 | Run Step: metadata |
 | .github/actions/download-artifact/action.yaml:29:7:32:18 | Run Step | .github/workflows/resolve-args.yml:22:9:36:13 | Run Step: resolve-step |
-| .github/actions/unpinned-tag/action.yml:5:7:6:4 | Uses Step | .github/actions/unpinned-tag/action.yml:6:7:6:61 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:9:7:14:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step |
 | .github/workflows/actor_trusted_checkout.yml:14:7:15:4 | Uses Step | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step |
 | .github/workflows/actor_trusted_checkout.yml:15:7:19:4 | Run Step | .github/workflows/actor_trusted_checkout.yml:19:7:23:4 | Uses Step |
@@ -312,10 +311,7 @@ edges
 | .github/workflows/unpinned_tags.yml:9:7:10:4 | Uses Step | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step |
 | .github/workflows/unpinned_tags.yml:10:7:11:4 | Uses Step | .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step |
 | .github/workflows/unpinned_tags.yml:11:7:12:4 | Uses Step | .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | .github/workflows/unpinned_tags.yml:13:7:15:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:13:7:15:4 | Uses Step | .github/workflows/unpinned_tags.yml:15:7:17:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:15:7:17:4 | Uses Step | .github/workflows/unpinned_tags.yml:17:7:19:4 | Uses Step |
-| .github/workflows/unpinned_tags.yml:17:7:19:4 | Uses Step | .github/workflows/unpinned_tags.yml:19:7:19:71 | Uses Step |
+| .github/workflows/unpinned_tags.yml:12:7:13:4 | Uses Step | .github/workflows/unpinned_tags.yml:13:7:13:101 | Uses Step |
 | .github/workflows/untrusted_checkout2.yml:7:9:14:6 | Run Step: pr_number | .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step |
 | .github/workflows/untrusted_checkout3.yml:11:9:12:6 | Uses Step | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step |
 | .github/workflows/untrusted_checkout3.yml:12:9:13:6 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step |
@@ -338,42 +334,42 @@ edges
 | .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step |
 | .github/workflows/workflow_run_untrusted_checkout_3.yml:13:9:16:6 | Uses Step | .github/workflows/workflow_run_untrusted_checkout_3.yml:16:9:18:31 | Uses Step |
 #select
-| .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
-| .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
-| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
-| .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
-| .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
-| .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:32:9:37:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | .github/workflows/auto_ci.yml:20:9:27:6 | Uses Step | .github/workflows/auto_ci.yml:48:9:52:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:79:9:84:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | .github/workflows/auto_ci.yml:67:9:74:6 | Uses Step | .github/workflows/auto_ci.yml:84:9:93:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/auto_ci.yml:6:3:6:21 | pull_request_target | pull_request_target |
+| .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | .github/workflows/dependabot3.yml:15:9:20:6 | Uses Step | .github/workflows/dependabot3.yml:25:9:48:6 | Run Step: set-milestone | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/dependabot3.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:23:9:26:6 | Uses Step | .github/workflows/external/TestOrg/TestRepo/.github/workflows/reusable.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller1.yaml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | .github/workflows/gitcheckout.yml:10:11:18:8 | Run Step | .github/workflows/gitcheckout.yml:21:11:23:22 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/gitcheckout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | .github/workflows/label_trusted_checkout2.yml:12:7:16:4 | Uses Step | .github/workflows/label_trusted_checkout2.yml:17:7:21:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/label_trusted_checkout2.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/level0.yml:107:9:112:2 | Run Step | .github/workflows/level0.yml:99:9:103:6 | Uses Step | .github/workflows/level0.yml:107:9:112:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/level0.yml:133:9:135:23 | Run Step | .github/workflows/level0.yml:125:9:129:6 | Uses Step | .github/workflows/level0.yml:133:9:135:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/level0.yml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/poc2.yml:42:9:47:6 | Uses Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:42:9:47:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/poc2.yml:52:9:58:24 | Run Step | .github/workflows/poc2.yml:37:9:42:6 | Uses Step | .github/workflows/poc2.yml:52:9:58:24 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/poc2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | .github/workflows/pr-workflow.yml:216:9:222:6 | Uses Step | .github/workflows/pr-workflow.yml:222:9:227:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | .github/workflows/pr-workflow.yml:250:9:256:6 | Uses Step | .github/workflows/pr-workflow.yml:256:9:261:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | .github/workflows/pr-workflow.yml:284:9:290:6 | Uses Step | .github/workflows/pr-workflow.yml:290:9:295:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:391:9:395:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:395:9:404:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:404:9:414:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:414:9:423:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | .github/workflows/pr-workflow.yml:386:9:391:6 | Uses Step | .github/workflows/pr-workflow.yml:423:9:432:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | .github/workflows/reusable_local.yml:23:9:26:6 | Uses Step | .github/workflows/reusable_local.yml:26:9:29:7 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/reusable_caller3.yaml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test7.yml:33:9:36:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:33:9:36:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:36:9:39:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:36:9:39:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:49:9:59:6 | Run Step: benchmark-pr | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:59:9:60:6 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:59:9:60:6 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test7.yml:60:9:60:37 | Run Step | .github/workflows/test7.yml:19:9:24:6 | Uses Step | .github/workflows/test7.yml:60:9:60:37 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test7.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/test10.yml:25:9:30:2 | Run Step | .github/workflows/test10.yml:20:9:25:6 | Uses Step | .github/workflows/test10.yml:25:9:30:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test10.yml:8:3:8:21 | pull_request_target | pull_request_target |
+| .github/workflows/test11.yml:90:7:93:54 | Uses Step | .github/workflows/test11.yml:84:7:90:4 | Uses Step | .github/workflows/test11.yml:90:7:93:54 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test11.yml:5:3:5:15 | issue_comment | issue_comment |
+| .github/workflows/test17.yml:19:15:23:58 | Uses Step | .github/workflows/test17.yml:12:15:19:12 | Uses Step | .github/workflows/test17.yml:19:15:23:58 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test17.yml:3:5:3:16 | workflow_run | workflow_run |
+| .github/workflows/test27.yml:21:9:22:16 | Run Step | .github/workflows/test27.yml:18:9:21:6 | Uses Step | .github/workflows/test27.yml:21:9:22:16 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test26.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/test29.yml:14:7:21:11 | Uses Step | .github/workflows/test29.yml:8:7:14:4 | Uses Step | .github/workflows/test29.yml:14:7:21:11 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test29.yml:1:5:1:23 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | .github/actions/dangerous-git-checkout/action.yml:6:7:11:4 | Uses Step | .github/workflows/untrusted_checkout3.yml:13:9:13:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout3.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:35:7:41:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:41:7:47:4 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | .github/workflows/untrusted_checkout4.yml:29:7:35:4 | Uses Step | .github/workflows/untrusted_checkout4.yml:47:7:51:46 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout4.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | .github/workflows/untrusted_checkout.yml:8:9:11:6 | Uses Step | .github/workflows/untrusted_checkout.yml:15:9:18:2 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |
+| .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | .github/workflows/untrusted_checkout.yml:23:9:26:6 | Uses Step | .github/workflows/untrusted_checkout.yml:30:9:32:23 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout.yml:2:3:2:21 | pull_request_target | pull_request_target |

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutHigh.expected

@@ -1,23 +1,23 @@
-| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
-| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
-| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment |
-| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment |
-| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Checkout of untrusted code in a privileged workflow with later potential execution (event trigger: $@). | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/issue_comment_direct.yml:12:9:16:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:20:9:24:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:28:9:32:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:35:9:40:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_direct.yml:43:9:46:126 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_direct.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_heuristic.yml:28:9:33:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_heuristic.yml:48:7:50:46 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_heuristic.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit2.yml:27:9:31:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit2.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:26:9:30:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:30:9:35:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:57:9:62:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:79:9:83:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:95:9:100:2 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/issue_comment_octokit.yml:109:9:114:66 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/issue_comment_octokit.yml:4:3:4:15 | issue_comment | issue_comment |
+| .github/workflows/pr-workflow.yml:103:9:109:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:139:9:144:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/pr-workflow.yml:444:9:449:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/pr-workflow-fork.yaml:7:3:7:21 | pull_request_target | pull_request_target |
+| .github/workflows/test13.yml:20:7:25:4 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/test13.yml:2:3:2:15 | issue_comment | issue_comment |
+| .github/workflows/untrusted_checkout2.yml:14:9:19:72 | Run Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/untrusted_checkout2.yml:1:5:1:17 | issue_comment | issue_comment |
+| .github/workflows/workflow_run_untrusted_checkout.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout_2.yml:13:9:16:6 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/workflow_run_untrusted_checkout_2.yml:16:9:18:31 | Uses Step | Potential execution of untrusted code on a privileged workflow ($@) | .github/workflows/workflow_run_untrusted_checkout_2.yml:2:3:2:14 | workflow_run | workflow_run |

codeql-workspace.yml

@@ -2,7 +2,6 @@ provide:
   - "*/ql/src/qlpack.yml"
   - "*/ql/lib/qlpack.yml"
   - "*/ql/test*/qlpack.yml"
-  - "*/ql/upgrade-tests/qlpack.yml"
   - "*/ql/examples/qlpack.yml"
   - "*/ql/consistency-queries/qlpack.yml"
   - "*/ql/automodel/src/qlpack.yml"

cpp/downgrades/837c4e02326aee4582405d069263092e80a15d82/upgrade.properties

@@ -1,6 +0,0 @@
-description: Support alias templates
-compatibility: full
-is_alias_template.rel: delete
-alias_instantiation.rel: delete
-alias_template_argument.rel: delete
-alias_template_argument_value.rel: delete

cpp/downgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties

@@ -1,6 +0,0 @@
-description: Capture information about one template being generated from another
-compatibility: full
-class_template_generated_from.rel: delete
-function_template_generated_from.rel: delete
-variable_template_generated_from.rel: delete
-alias_template_generated_from.rel: delete

cpp/ql/lib/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 10.1.1
-
-### Minor Analysis Improvements
-
-* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.
-
 ## 10.1.0
 
 ### New Features

cpp/ql/lib/change-notes/2026-05-15-secure-scanf.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Added flow source models for `scanf_s` and related functions.
-* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.

cpp/ql/lib/change-notes/2026-05-16-alias-template.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.

cpp/ql/lib/change-notes/2026-05-18-alias-type.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.

cpp/ql/lib/change-notes/2026-05-21-generated-from.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.

cpp/ql/lib/change-notes/released/10.1.1.md

@@ -1,5 +0,0 @@
-## 10.1.1
-
-### Minor Analysis Improvements
-
-* The `RemoteFlowSourceFunction` model for `fscanf` (and variants) now implements `hasSocketInput` to reflect that these functions may read from a socket.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.1.1
+lastReleaseVersion: 10.1.0

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.1.2-dev
+version: 10.1.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Class.qll

@@ -856,10 +856,8 @@ class AbstractClass extends Class {
 
 /**
  * A class template (this class also finds partial specializations
- * of class templates).
- *
- * For example in the following code there is a `MyTemplateClass<T>`
- * template:
+ * of class templates).  For example in the following code there is a
+ * `MyTemplateClass<T>` template:
  * ```
  * template<class T>
  * class MyTemplateClass {
@@ -895,29 +893,6 @@ class TemplateClass extends Class {
   }
 
   override string getAPrimaryQlClass() { result = "TemplateClass" }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::C<S>`
-   * in the following code, the result is `MyTemplateClass<T>::C<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   class C {
-   *     ...
-   *   };
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateClass getOriginalTemplate() {
-    class_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/Declaration.qll

@@ -278,8 +278,6 @@ class Declaration extends Locatable, @declaration {
     or
     variable_template_argument(underlyingElement(this), index, unresolveElement(result))
     or
-    alias_template_argument(underlyingElement(this), index, unresolveElement(result))
-    or
     template_template_argument(underlyingElement(this), index, unresolveElement(result))
     or
     concept_template_argument(underlyingElement(this), index, unresolveElement(result))
@@ -292,8 +290,6 @@ class Declaration extends Locatable, @declaration {
     or
     variable_template_argument_value(underlyingElement(this), index, unresolveElement(result))
     or
-    alias_template_argument_value(underlyingElement(this), index, unresolveElement(result))
-    or
     template_template_argument_value(underlyingElement(this), index, unresolveElement(result))
     or
     concept_template_argument_value(underlyingElement(this), index, unresolveElement(result))

cpp/ql/lib/semmle/code/cpp/Element.qll

@@ -278,15 +278,6 @@ private predicate isFromTemplateInstantiationRec(Element e, Element instantiatio
   instantiation.(Variable).isConstructedFrom(_) and
   e = instantiation
   or
-  instantiation.(TypeAliasType).isConstructedFrom(_) and
-  e = instantiation
-  or
-  instantiation.(TemplateTemplateParameterInstantiation).isConstructedFrom(_) and
-  e = instantiation
-  or
-  exists(instantiation.(ConceptIdExpr).getConcept()) and
-  e = instantiation
-  or
   isFromTemplateInstantiationRec(e.getEnclosingElement(), instantiation)
 }
 
@@ -300,15 +291,6 @@ private predicate isFromUninstantiatedTemplateRec(Element e, Element template) {
   is_variable_template(unresolveElement(template)) and
   e = template
   or
-  is_alias_template(unresolveElement(template)) and
-  e = template
-  or
-  usertypes(unresolveElement(template), _, 8) and // template template parameter
-  e = template
-  or
-  template instanceof @concept_template and
-  e = template
-  or
   isFromUninstantiatedTemplateRec(e.getEnclosingElement(), template)
 }
 

cpp/ql/lib/semmle/code/cpp/Function.qll

@@ -828,27 +828,6 @@ class TemplateFunction extends Function {
    * such things -- see FunctionTemplateSpecialization for further details.
    */
   FunctionTemplateSpecialization getASpecialization() { result.getPrimaryTemplate() = this }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::f<S>`
-   * in the following code, the result is `MyTemplateClass<T>::f<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   S f();
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateFunction getOriginalTemplate() {
-    function_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/TypedefType.qll

@@ -64,123 +64,23 @@ class CTypedefType extends TypedefType {
 }
 
 /**
- * DEPRECATED: Use `TypeAlias` instead.
- *
- * A C++ type alias or alias template.
- *
- * For example the type declared in the following code:
+ * A using alias C++ typedef type.  For example the type declared in the following code:
  * ```
  * using my_int2 = int;
  * ```
  */
-deprecated class UsingAliasTypedefType = TypeAliasType;
+class UsingAliasTypedefType extends TypedefType {
+  UsingAliasTypedefType() { usertype_alias_kind(underlyingElement(this), 1) }
 
-/**
- * A C++ type alias or alias template.
- *
- * For example the type declared in the following code:
- * ```
- * using my_int2 = int;
- * ```
- */
-class TypeAliasType extends TypedefType {
-  TypeAliasType() { usertype_alias_kind(underlyingElement(this), 1) }
-
-  override string getAPrimaryQlClass() { result = "TypeAliasType" }
+  override string getAPrimaryQlClass() { result = "UsingAliasTypedefType" }
 
   override string explain() {
     result = "using {" + this.getBaseType().explain() + "} as \"" + this.getName() + "\""
   }
-
-  /**
-   * Holds if this alias is constructed from another alias as a result of
-   * template instantiation.
-   */
-  predicate isConstructedFrom(TypeAliasType t) {
-    alias_instantiation(underlyingElement(this), unresolveElement(t))
-  }
 }
 
 /**
- * A C++ alias template.
- *
- * For example the type declared in the following code:
- * ```
- * template <typename T>
- * using my_type = T;
- * ```
- */
-class AliasTemplateType extends TypeAliasType {
-  AliasTemplateType() { is_alias_template(underlyingElement(this)) }
-
-  override string getAPrimaryQlClass() { result = "AliasTemplateType" }
-
-  /**
-   * Gets an alias instantiated from this template.
-   *
-   * For example for `MyAliasTemplate<T>` in the following code, the results are
-   * `MyAliasTemplate<int>` and `MyAliasTemplate<long>`:
-   * ```
-   * template<typename T>
-   * using MyAliasTemplate = ...;
-   *
-   * MyAliasTemplate<int> instance1;
-   *
-   * MyAliasTemplate<long> instance2;
-   * ```
-   */
-  TypeAliasType getAnInstantiation() { result.isConstructedFrom(this) }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::t<S>`
-   * in the following code, the result is `MyTemplateClass<T>::t<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   using t = S;
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  AliasTemplateType getOriginalTemplate() {
-    alias_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
-}
-
-/**
- * A C++ alias template instantiation.
- *
- * For example the `my_int_type` type declared in the following code:
- * ```
- * template <typename T>
- * using my_type = T;
- *
- * using my_int_type = my_type<int>;
- * ```
- */
-class AliasTemplateInstantiationType extends TypeAliasType {
-  AliasTemplateType at;
-
-  AliasTemplateInstantiationType() { at.getAnInstantiation() = this }
-
-  override string getAPrimaryQlClass() { result = "AliasTemplateInstantiationType" }
-
-  /**
-   * Gets the alias template from which this instantiation was instantiated.
-   */
-  AliasTemplateType getTemplate() { result = at }
-}
-
-/**
- * A C++ `typedef` type that is directly enclosed by a function.
- *
- * For example the type declared inside the function `foo` in
+ * A C++ `typedef` type that is directly enclosed by a function.  For example the type declared inside the function `foo` in
  * the following code:
  * ```
  * int foo(void) { typedef int local; }

cpp/ql/lib/semmle/code/cpp/Variable.qll

@@ -614,27 +614,6 @@ class TemplateVariable extends Variable {
     result.isConstructedFrom(this) and
     not result.isSpecialization()
   }
-
-  /**
-   * Gets the class member template this template was generated from.
-   *
-   * This predicate only has results for templates that are members of class
-   * template instantiations. For example, for `MyTemplateClass<int>::x<S>`
-   * in the following code, the result is `MyTemplateClass<T>::x<S>`.
-   * ```cpp
-   * template<class T>
-   * class MyTemplateClass {
-   *   template<class S>
-   *   static S x;
-   * };
-   *
-   * template
-   * class MyTemplateClass<int>;
-   * ```
-   */
-  TemplateVariable getOriginalTemplate() {
-    variable_template_generated_from(underlyingElement(this), unresolveElement(result))
-  }
 }
 
 /**

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -25,15 +25,6 @@ abstract class ScanfFunction extends Function {
    * (rather than a `char*`).
    */
   predicate isWideCharDefault() { exists(this.getName().indexOf("wscanf")) }
-
-  /** Holds if this is one of the `scanf_s` variants. */
-  predicate isSVariant() {
-    exists(string name | name = this.getName() |
-      name.matches("%\\_s")
-      or
-      name.matches("%\\_s\\_l")
-    )
-  }
 }
 
 /**
@@ -43,12 +34,8 @@ class Scanf extends ScanfFunction instanceof TopLevelFunction {
   Scanf() {
     this.hasGlobalOrStdOrBslName("scanf") or // scanf(format, args...)
     this.hasGlobalOrStdOrBslName("wscanf") or // wscanf(format, args...)
-    this.hasGlobalOrStdOrBslName("scanf_s") or // scanf_s(format, args...)
-    this.hasGlobalOrStdOrBslName("wscanf_s") or // wscanf_s(format, args...)
     this.hasGlobalName("_scanf_l") or // _scanf_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_l") or // _wscanf_l(format, locale, args...)
-    this.hasGlobalName("_scanf_s_l") or // _scanf_s_l(format, locale, args...)
-    this.hasGlobalName("_wscanf_s_l") // _wscanf_s_l(format, locale, args...)
+    this.hasGlobalName("_wscanf_l")
   }
 
   override int getInputParameterIndex() { none() }
@@ -63,12 +50,8 @@ class Fscanf extends ScanfFunction instanceof TopLevelFunction {
   Fscanf() {
     this.hasGlobalOrStdOrBslName("fscanf") or // fscanf(src_stream, format, args...)
     this.hasGlobalOrStdOrBslName("fwscanf") or // fwscanf(src_stream, format, args...)
-    this.hasGlobalOrStdOrBslName("fscanf_s") or // fscanf_s(src_stream, format, args...)
-    this.hasGlobalOrStdOrBslName("fwscanf_s") or // fwscanf_s(src_stream, format, args...)
     this.hasGlobalName("_fscanf_l") or // _fscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_l") or // _fwscanf_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fscanf_s_l") or // _fscanf_s_l(src_stream, format, locale, args...)
-    this.hasGlobalName("_fwscanf_s_l") // _fwscanf_s_l(src_stream, format, locale, args...)
+    this.hasGlobalName("_fwscanf_l")
   }
 
   override int getInputParameterIndex() { result = 0 }
@@ -83,12 +66,8 @@ class Sscanf extends ScanfFunction instanceof TopLevelFunction {
   Sscanf() {
     this.hasGlobalOrStdOrBslName("sscanf") or // sscanf(src_stream, format, args...)
     this.hasGlobalOrStdOrBslName("swscanf") or // swscanf(src, format, args...)
-    this.hasGlobalOrStdOrBslName("sscanf_s") or // sscanf_s(src, format, args...)
-    this.hasGlobalOrStdOrBslName("swscanf_s") or // swscanf_s(src, format, args...)
     this.hasGlobalName("_sscanf_l") or // _sscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_l") or // _swscanf_l(src, format, locale, args...)
-    this.hasGlobalName("_sscanf_s_l") or // _sscanf_s_l(src, format, locale, args...)
-    this.hasGlobalName("_swscanf_s_l") // _swscanf_s_l(src, format, locale, args...)
+    this.hasGlobalName("_swscanf_l")
   }
 
   override int getInputParameterIndex() { result = 0 }
@@ -118,14 +97,6 @@ class Snscanf extends ScanfFunction instanceof TopLevelFunction {
   int getInputLengthParameterIndex() { result = 1 }
 }
 
-private predicate isCharLike(Type t) { t instanceof CharType or t instanceof Wchar_t }
-
-private predicate isStringLike(Type t) {
-  isCharLike(t.(PointerType).getBaseType())
-  or
-  isCharLike(t.(ArrayType).getBaseType())
-}
-
 /**
  * A call to one of the `scanf` functions.
  */
@@ -159,40 +130,14 @@ class ScanfFunctionCall extends FunctionCall {
    */
   predicate isWideCharDefault() { this.getScanfFunction().isWideCharDefault() }
 
-  bindingset[this, k]
-  pragma[inline_late]
-  private predicate isSizeArgument(int k) {
-    // The first vararg is never the size argument since a size argument must
-    // always follow a string buffer argument.
-    k > 0 and
-    isStringLike(this.getArgument(this.getScanfFunction().getNumberOfParameters() + k - 1)
-          .getUnspecifiedType())
-  }
-
   /**
    * Gets the output argument at position `n` in the vararg list of this call.
    *
    * The range of `n` is from `0` to `this.getNumberOfOutputArguments() - 1`.
    */
   Expr getOutputArgument(int n) {
-    exists(ScanfFunction target | target = this.getScanfFunction() |
-      // If this is an S variant then every string buffer argument has a
-      // corresponding size argument immediately following it, so we need to
-      // skip over those size arguments when counting the output arguments.
-      if target.isSVariant()
-      then
-        result =
-          rank[n + 1](Expr arg, int k |
-            k >= 0 and
-            arg = this.getArgument(target.getNumberOfParameters() + k) and
-            not this.isSizeArgument(k)
-          |
-            arg order by k
-          )
-      else (
-        n >= 0 and result = this.getArgument(target.getNumberOfParameters() + n)
-      )
-    )
+    result = this.getArgument(this.getTarget().getNumberOfParameters() + n) and
+    n >= 0
   }
 
   /**

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImpl.qll

@@ -136,9 +136,7 @@ private module SourceVariables {
     NormalSourceVariable() { this = TNormalSourceVariable(base, ind) }
 
     final override string toString() {
-      if this.getIndirection() = 0
-      then result = "&" + base.toString()
-      else result = repeatStars(this.getIndirection() - 1) + base.toString()
+      result = repeatStars(this.getIndirection()) + base.toString()
     }
   }
 
@@ -159,9 +157,7 @@ private module SourceVariables {
     }
 
     final override string toString() {
-      if this.getIndirection() = 0
-      then result = "&" + base.toString() + " [before crement]"
-      else result = repeatStars(this.getIndirection() - 1) + base.toString() + " [before crement]"
+      result = repeatStars(this.getIndirection()) + base.toString() + " [before crement]"
     }
 
     /**
@@ -1357,52 +1353,6 @@ class PhiNode extends Definition instanceof SsaImpl::PhiNode {
   final predicate hasInputFromBlock(Definition input, IRBlock bb) {
     phiHasInputFromBlock(this, input, bb)
   }
-
-  override int getIndirection() { result = this.getSourceVariable().getIndirection() }
-
-  override predicate isCertain() {
-    // If this phi node is part of a phi cycle of phi nodes the least
-    // fixed-point semantics of datalog means we don't get the right answer.
-    // So we perform an SCC reduction to simulate greatest fixed-point semantics.
-    getCycle(this).isCertain()
-    or
-    // If there is no cycle we get the right semantics through traditional
-    // recursion.
-    not exists(getCycle(this)) and
-    forex(Definition inp | inp = this.getAnInput() | inp.isCertain())
-  }
-
-  final override Declaration getFunction() {
-    result = SsaImpl::PhiNode.super.getBasicBlock().getEnclosingFunction()
-  }
-}
-
-private PhiNode getAnInput(PhiNode phi) { result = phi.getAnInput() }
-
-private predicate sccEdge(PhiNode phi1, PhiNode phi2) {
-  getAnInput(phi1) = phi2 and getAnInput+(phi2) = phi1
-}
-
-private module PhiCycleEquivalence = QlBuiltins::EquivalenceRelation<PhiNode, sccEdge/2>;
-
-private PhiCycle getCycle(PhiNode phi) { result.getAPhiNode() = phi }
-
-private class PhiCycle extends PhiCycleEquivalence::EquivalenceClass {
-  PhiNode getAPhiNode() { PhiCycleEquivalence::getEquivalenceClass(result) = this }
-
-  predicate hasPhiNode(PhiNode phi) { this.getAPhiNode() = phi }
-
-  pragma[nomagic]
-  Definition getAnInput() {
-    result = this.getAPhiNode().getAnInput() and not this.hasPhiNode(result)
-  }
-
-  string toString() { result = strictconcat(this.getAPhiNode().toString(), ", ") }
-
-  predicate isCertain() {
-    // A phi cycle is certain if all of the inputs into the phi cycle is certain.
-    forex(Definition inp | inp = this.getAnInput() | inp.isCertain())
-  }
 }
 
 /** An static single assignment (SSA) definition. */

cpp/ql/lib/semmle/code/cpp/ir/dataflow/internal/SsaImplCommon.qll

@@ -147,7 +147,7 @@ abstract class Indirection extends Type {
    *
    * `certain` is `true` if this write is guaranteed to write to the address.
    */
-  predicate isAdditionalWrite(Node0Impl value, Operand address, Certainty certain) { none() }
+  predicate isAdditionalWrite(Node0Impl value, Operand address, boolean certain) { none() }
 
   /**
    * Gets the base type of this indirection, after specifiers have been deeply
@@ -198,11 +198,11 @@ private module IteratorIndirections {
       baseType = super.getValueType()
     }
 
-    override predicate isAdditionalWrite(Node0Impl value, Operand address, Certainty certain) {
+    override predicate isAdditionalWrite(Node0Impl value, Operand address, boolean certain) {
       exists(CallInstruction call | call.getArgumentOperand(0) = value.asOperand() |
         this = call.getStaticCallTarget().(Function).getClassAndName("operator=") and
         address = call.getThisArgumentOperand() and
-        certain instanceof AlwaysUncertain
+        certain = false
       )
     }
 
@@ -271,62 +271,30 @@ predicate isDereference(Instruction deref, Operand address, boolean additional)
   additional = false
 }
 
-private newtype TCertainty =
-  TCertainWhenAddressIsCertain() or
-  TAlwaysCertain() or
-  TAlwaysUncertain()
-
-abstract private class Certainty extends TCertainty {
-  abstract predicate isCertain(boolean addressIsCertain);
-
-  abstract string toString();
-}
-
-private class CertainWhenAddressIsCertain extends Certainty, TCertainWhenAddressIsCertain {
-  override predicate isCertain(boolean addressIsCertain) { addressIsCertain = true }
-
-  override string toString() { result = "CertainWhenAddressIsCertain" }
-}
-
-private class AlwaysCertain extends Certainty, TAlwaysCertain {
-  override predicate isCertain(boolean addressIsCertain) {
-    addressIsCertain = true or addressIsCertain = false
-  }
-
-  override string toString() { result = "AlwaysCertain" }
-}
-
-private class AlwaysUncertain extends Certainty, TAlwaysUncertain {
-  override predicate isCertain(boolean addressIsCertain) { none() }
-
-  override string toString() { result = "AlwaysUncertain" }
-}
-
-predicate isWrite(Node0Impl value, Operand address, Certainty certain) {
+predicate isWrite(Node0Impl value, Operand address, boolean certain) {
   any(Indirection ind).isAdditionalWrite(value, address, certain)
   or
-  exists(StoreInstruction store |
-    value.asInstruction() = store and
-    address = store.getDestinationAddressOperand() and
-    certain instanceof CertainWhenAddressIsCertain
-  )
-  or
-  exists(InitializeParameterInstruction init |
-    value.asInstruction() = init and
-    address = init.getAnOperand() and
-    certain instanceof AlwaysCertain
-  )
-  or
-  exists(InitializeDynamicAllocationInstruction init |
-    value.asInstruction() = init and
-    address = init.getAllocationAddressOperand() and
-    certain instanceof AlwaysCertain
-  )
-  or
-  exists(UninitializedInstruction uninitialized |
-    value.asInstruction() = uninitialized and
-    address = uninitialized.getAnOperand() and
-    certain instanceof AlwaysCertain
+  certain = true and
+  (
+    exists(StoreInstruction store |
+      value.asInstruction() = store and
+      address = store.getDestinationAddressOperand()
+    )
+    or
+    exists(InitializeParameterInstruction init |
+      value.asInstruction() = init and
+      address = init.getAnOperand()
+    )
+    or
+    exists(InitializeDynamicAllocationInstruction init |
+      value.asInstruction() = init and
+      address = init.getAllocationAddressOperand()
+    )
+    or
+    exists(UninitializedInstruction uninitialized |
+      value.asInstruction() = uninitialized and
+      address = uninitialized.getAnOperand()
+    )
   )
 }
 
@@ -750,18 +718,16 @@ private module Cached {
     int indirectionIndex
   ) {
     exists(
-      Certainty writeIsCertain, boolean addressIsCertain, int ind0, CppType type, int lower,
-      int upper
+      boolean writeIsCertain, boolean addressIsCertain, int ind0, CppType type, int lower, int upper
     |
       isWrite(value, address, writeIsCertain) and
       isDefImpl(address, base, ind0, addressIsCertain) and
+      certain = writeIsCertain.booleanAnd(addressIsCertain) and
       type = getLanguageType(address) and
       upper = countIndirectionsForCppType(type) and
       ind = ind0 + [lower .. upper] and
       indirectionIndex = ind - (ind0 + lower) and
       lower = getMinIndirectionsForType(any(Type t | type.hasUnspecifiedType(t, _)))
-    |
-      if writeIsCertain.isCertain(addressIsCertain) then certain = true else certain = false
     )
   }
 

cpp/ql/lib/semmle/code/cpp/models/implementations/Fopen.qll

@@ -11,9 +11,7 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFu
   Fopen() {
     this.hasGlobalOrStdName(["fopen", "fopen_s", "freopen"])
     or
-    this.hasGlobalName([
-        "_open", "_wfopen", "_fsopen", "_wfsopen", "_wopen", "_sopen_s", "_wsopen_s"
-      ])
+    this.hasGlobalName(["_open", "_wfopen", "_fsopen", "_wfsopen", "_wopen"])
   }
 
   override predicate hasOnlySpecificWriteSideEffects() { any() }
@@ -48,10 +46,6 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFu
     this.hasGlobalName(["_open", "_wopen"]) and
     i = 0 and
     buffer = true
-    or
-    this.hasGlobalName(["_sopen_s", "_wsopen_s"]) and
-    i = 1 and
-    buffer = true
   }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
@@ -70,9 +64,5 @@ private class Fopen extends Function, AliasFunction, SideEffectFunction, TaintFu
     this.hasGlobalName(["_open", "_wopen"]) and
     input.isParameterDeref(0) and
     output.isReturnValue()
-    or
-    this.hasGlobalName(["_sopen_s", "_wsopen_s"]) and
-    input.isParameterDeref(1) and
-    output.isParameterDeref(0)
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll

@@ -30,10 +30,7 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
     (
       if exists(this.getLengthParameterIndex())
       then result = this.getLengthParameterIndex() + 2
-      else
-        if exists(this.(ScanfFunction).getInputParameterIndex())
-        then result = 2
-        else result = 1
+      else result = 2
     )
   }
 
@@ -72,24 +69,13 @@ abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction,
   }
 }
 
-private predicate hasFlowSource(
-  ScanfFunction func, ScanfFunctionCall call, FunctionOutput output, string description
-) {
-  exists(int n, Expr arg |
-    call.getScanfFunction() = func and
-    call.getOutputArgument(_) = arg and
-    call.getArgument(n) = arg and
-    output.isParameterDeref(n) and
-    description = "value read by " + func.getName()
-  )
-}
-
 /**
  * The standard function `scanf` and its assorted variants
  */
 private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
-  override predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
-    hasFlowSource(this, call, output, description)
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "value read by " + this.getName()
   }
 }
 
@@ -97,12 +83,9 @@ private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction ins
  * The standard function `fscanf` and its assorted variants
  */
 private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
-  override predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
-    hasFlowSource(this, call, output, description)
-  }
-
-  override predicate hasSocketInput(FunctionInput input) {
-    input.isParameterDeref(super.getInputParameterIndex())
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "value read by " + this.getName()
   }
 }
 

cpp/ql/lib/semmle/code/cpp/models/interfaces/FlowSource.qll

@@ -18,17 +18,7 @@ abstract class RemoteFlowSourceFunction extends Function {
   /**
    * Holds if remote data described by `description` flows from `output` of a call to this function.
    */
-  predicate hasRemoteFlowSource(FunctionOutput output, string description) {
-    this.hasRemoteFlowSource(_, output, description)
-  }
-
-  /**
-   * Holds if remote data described by `description` flows from `output` of `call` to this function.
-   */
-  predicate hasRemoteFlowSource(Call call, FunctionOutput output, string description) {
-    call.getTarget() = this and
-    this.hasRemoteFlowSource(output, description)
-  }
+  abstract predicate hasRemoteFlowSource(FunctionOutput output, string description);
 
   /**
    * Holds if remote data from this source comes from a socket or stream
@@ -45,17 +35,7 @@ abstract class LocalFlowSourceFunction extends Function {
   /**
    * Holds if data described by `description` flows from `output` of a call to this function.
    */
-  predicate hasLocalFlowSource(FunctionOutput output, string description) {
-    this.hasLocalFlowSource(_, output, description)
-  }
-
-  /**
-   * Holds if data described by `description` flows from `output` of `call` to this function.
-   */
-  predicate hasLocalFlowSource(Call call, FunctionOutput output, string description) {
-    call.getTarget() = this and
-    this.hasLocalFlowSource(output, description)
-  }
+  abstract predicate hasLocalFlowSource(FunctionOutput output, string description);
 }
 
 /** A library function that sends data over a network connection. */

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -28,7 +28,8 @@ private class RemoteModelSource extends RemoteFlowSource {
 
   RemoteModelSource() {
     exists(CallInstruction call, RemoteFlowSourceFunction func, FunctionOutput output |
-      func.hasRemoteFlowSource(call.getConvertedResultExpression(), output, sourceType) and
+      call.getStaticCallTarget() = func and
+      func.hasRemoteFlowSource(output, sourceType) and
       this = callOutput(call, output)
     )
   }
@@ -45,7 +46,7 @@ private class LocalModelSource extends LocalFlowSource {
   LocalModelSource() {
     exists(CallInstruction call, LocalFlowSourceFunction func, FunctionOutput output |
       call.getStaticCallTarget() = func and
-      func.hasLocalFlowSource(call.getConvertedResultExpression(), output, sourceType) and
+      func.hasLocalFlowSource(output, sourceType) and
       this = callOutput(call, output)
     )
   }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -912,10 +912,6 @@ class_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
-class_template_generated_from(
-    unique int template: @usertype ref,
-    int from: @usertype ref
-)
 
 @user_or_decltype = @usertype | @decltype;
 
@@ -947,10 +943,6 @@ function_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
-function_template_generated_from(
-    unique int template: @function ref,
-    int from: @function ref
-);
 
 is_variable_template(unique int id: @variable ref);
 variable_instantiation(
@@ -967,30 +959,6 @@ variable_template_argument_value(
     int index: int ref,
     int arg_value: @expr ref
 );
-variable_template_generated_from(
-    unique int template: @variable ref,
-    int from: @variable ref
-);
-
-is_alias_template(unique int id: @usertype ref);
-alias_instantiation(
-    unique int to: @usertype ref,
-    int from: @usertype ref
-);
-alias_template_argument(
-    int type_id: @usertype ref,
-    int index: int ref,
-    int arg_type: @type ref
-);
-alias_template_argument_value(
-    int type_id: @usertype ref,
-    int index: int ref,
-    int arg_value: @expr ref
-);
-alias_template_generated_from(
-    unique int template: @usertype ref,
-    int from: @usertype ref
-);
 
 template_template_instantiation(
     int to: @usertype ref,

cpp/ql/lib/upgrades/770002bb02322e04fa25345838ce6e82af285a0b/upgrade.properties

@@ -1,2 +0,0 @@
-description: Support alias templates
-compatibility: backwards

cpp/ql/lib/upgrades/837c4e02326aee4582405d069263092e80a15d82/upgrade.properties

@@ -1,2 +0,0 @@
-description: Capture information about one template being generated from another
-compatibility: backwards

cpp/ql/src/CHANGELOG.md

@@ -1,9 +1,3 @@
-## 1.6.3
-
-### Minor Analysis Improvements
-
-* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.
-
 ## 1.6.2
 
 No user-facing changes.

cpp/ql/src/Security/CWE/CWE-020/ExternalAPIsSpecific.qll

@@ -44,7 +44,10 @@ class ExternalApiDataNode extends DataFlow::Node {
 /** A configuration for tracking flow from `RemoteFlowSource`s to `ExternalApiDataNode`s. */
 private module UntrustedDataToExternalApiConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    any(RemoteFlowSourceFunction remoteFlow).hasRemoteFlowSource(source.asExpr(), _, _)
+    exists(RemoteFlowSourceFunction remoteFlow |
+      remoteFlow = source.asExpr().(Call).getTarget() and
+      remoteFlow.hasRemoteFlowSource(_, _)
+    )
   }
 
   predicate isSink(DataFlow::Node sink) { sink instanceof ExternalApiDataNode }

cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql

@@ -94,8 +94,9 @@ class Recv extends SendRecv instanceof RemoteFlowSourceFunction {
   }
 
   override Expr getDataExpr(Call call) {
+    call.getTarget() = this and
     exists(FunctionOutput output, int arg |
-      super.hasRemoteFlowSource(call, output, _) and
+      super.hasRemoteFlowSource(output, _) and
       output.isParameterDeref(arg) and
       result = call.getArgument(arg)
     )

cpp/ql/src/change-notes/released/1.6.3.md

@@ -1,5 +0,0 @@
-## 1.6.3
-
-### Minor Analysis Improvements
-
-* The 'Cleartext transmission of sensitive information' query (`cpp/cleartext-transmission`) no longer raises an alert on calls to `fscanf` (and variants) when the call reads from an "obviously local" `FILE` stream such as `stdin`.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.2

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.4-dev
+version: 1.6.3-dev
 groups:
   - cpp
   - queries

cpp/ql/test/experimental/query-tests/Security/CWE/CWE-193/constant-size/ConstantSizeArrayOffByOne.expected

@@ -21,7 +21,11 @@ edges
 | test.cpp:85:21:85:36 | buf | test.cpp:87:5:87:31 | access to array | provenance | Config |
 | test.cpp:85:21:85:36 | buf | test.cpp:88:5:88:27 | access to array | provenance | Config |
 | test.cpp:85:34:85:36 | buf | test.cpp:85:21:85:36 | buf | provenance |  |
+| test.cpp:92:9:92:11 | definition of arr | test.cpp:96:13:96:18 | access to array | provenance | Config |
 | test.cpp:96:13:96:15 | arr | test.cpp:96:13:96:18 | access to array | provenance | Config |
+| test.cpp:102:9:102:11 | definition of arr | test.cpp:111:17:111:22 | access to array | provenance | Config |
+| test.cpp:102:9:102:11 | definition of arr | test.cpp:115:35:115:40 | access to array | provenance | Config |
+| test.cpp:102:9:102:11 | definition of arr | test.cpp:119:17:119:22 | access to array | provenance | Config |
 | test.cpp:111:17:111:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | Config |
 | test.cpp:111:17:111:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | Config |
 | test.cpp:111:17:111:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | Config |
@@ -31,41 +35,55 @@ edges
 | test.cpp:119:17:119:19 | arr | test.cpp:111:17:111:22 | access to array | provenance | Config |
 | test.cpp:119:17:119:19 | arr | test.cpp:115:35:115:40 | access to array | provenance | Config |
 | test.cpp:119:17:119:19 | arr | test.cpp:119:17:119:22 | access to array | provenance | Config |
+| test.cpp:125:11:125:13 | definition of arr | test.cpp:128:9:128:14 | access to array | provenance | Config |
 | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | provenance | Config |
 | test.cpp:134:25:134:27 | arr | test.cpp:136:9:136:16 | ... += ... | provenance | Config |
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:136:9:136:16 | ... += ... | provenance |  |
 | test.cpp:136:9:136:16 | ... += ... | test.cpp:138:13:138:15 | arr | provenance |  |
+| test.cpp:142:10:142:13 | definition of asdf | test.cpp:143:18:143:21 | asdf | provenance |  |
 | test.cpp:143:18:143:21 | asdf | test.cpp:134:25:134:27 | arr | provenance |  |
 | test.cpp:143:18:143:21 | asdf | test.cpp:143:18:143:21 | asdf | provenance |  |
 | test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... | provenance |  |
 | test.cpp:146:26:146:26 | *p | test.cpp:147:4:147:9 | -- ... | provenance |  |
+| test.cpp:154:7:154:9 | definition of buf | test.cpp:156:12:156:18 | ... + ... | provenance | Config |
 | test.cpp:156:12:156:14 | buf | test.cpp:156:12:156:18 | ... + ... | provenance | Config |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:156:12:156:18 | ... + ... | provenance |  |
 | test.cpp:156:12:156:18 | ... + ... | test.cpp:158:17:158:18 | *& ... | provenance |  |
 | test.cpp:158:17:158:18 | *& ... | test.cpp:146:26:146:26 | *p | provenance |  |
+| test.cpp:217:19:217:24 | definition of buffer | test.cpp:218:16:218:28 | buffer | provenance |  |
 | test.cpp:218:16:218:28 | buffer | test.cpp:220:5:220:11 | access to array | provenance | Config |
 | test.cpp:218:16:218:28 | buffer | test.cpp:221:5:221:11 | access to array | provenance | Config |
 | test.cpp:218:23:218:28 | buffer | test.cpp:218:16:218:28 | buffer | provenance |  |
+| test.cpp:228:10:228:14 | definition of array | test.cpp:229:17:229:29 | array | provenance |  |
 | test.cpp:229:17:229:29 | array | test.cpp:231:5:231:10 | access to array | provenance | Config |
 | test.cpp:229:17:229:29 | array | test.cpp:232:5:232:10 | access to array | provenance | Config |
 | test.cpp:229:25:229:29 | array | test.cpp:229:17:229:29 | array | provenance |  |
 | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | Config |
 | test.cpp:245:30:245:30 | p | test.cpp:261:27:261:30 | access to array | provenance | Config |
+| test.cpp:273:19:273:25 | definition of buffer3 | test.cpp:274:14:274:20 | buffer3 | provenance |  |
 | test.cpp:274:14:274:20 | buffer3 | test.cpp:245:30:245:30 | p | provenance |  |
 | test.cpp:274:14:274:20 | buffer3 | test.cpp:274:14:274:20 | buffer3 | provenance |  |
 | test.cpp:277:35:277:35 | p | test.cpp:278:14:278:14 | p | provenance |  |
 | test.cpp:278:14:278:14 | p | test.cpp:245:30:245:30 | p | provenance |  |
+| test.cpp:282:19:282:25 | definition of buffer1 | test.cpp:283:19:283:25 | buffer1 | provenance |  |
 | test.cpp:283:19:283:25 | buffer1 | test.cpp:277:35:277:35 | p | provenance |  |
 | test.cpp:283:19:283:25 | buffer1 | test.cpp:283:19:283:25 | buffer1 | provenance |  |
+| test.cpp:285:19:285:25 | definition of buffer2 | test.cpp:286:19:286:25 | buffer2 | provenance |  |
 | test.cpp:286:19:286:25 | buffer2 | test.cpp:277:35:277:35 | p | provenance |  |
 | test.cpp:286:19:286:25 | buffer2 | test.cpp:286:19:286:25 | buffer2 | provenance |  |
+| test.cpp:288:19:288:25 | definition of buffer3 | test.cpp:289:19:289:25 | buffer3 | provenance |  |
 | test.cpp:289:19:289:25 | buffer3 | test.cpp:277:35:277:35 | p | provenance |  |
 | test.cpp:289:19:289:25 | buffer3 | test.cpp:289:19:289:25 | buffer3 | provenance |  |
 | test.cpp:292:25:292:27 | arr | test.cpp:299:16:299:21 | access to array | provenance | Config |
+| test.cpp:305:9:305:12 | definition of arr1 | test.cpp:306:20:306:23 | arr1 | provenance |  |
 | test.cpp:306:20:306:23 | arr1 | test.cpp:292:25:292:27 | arr | provenance |  |
 | test.cpp:306:20:306:23 | arr1 | test.cpp:306:20:306:23 | arr1 | provenance |  |
+| test.cpp:308:9:308:12 | definition of arr2 | test.cpp:309:20:309:23 | arr2 | provenance |  |
 | test.cpp:309:20:309:23 | arr2 | test.cpp:292:25:292:27 | arr | provenance |  |
 | test.cpp:309:20:309:23 | arr2 | test.cpp:309:20:309:23 | arr2 | provenance |  |
+| test.cpp:314:10:314:13 | definition of temp | test.cpp:319:19:319:27 | ... + ... | provenance | Config |
+| test.cpp:314:10:314:13 | definition of temp | test.cpp:322:19:322:27 | ... + ... | provenance | Config |
+| test.cpp:314:10:314:13 | definition of temp | test.cpp:324:23:324:32 | ... + ... | provenance | Config |
 | test.cpp:319:13:319:27 | ... = ... | test.cpp:325:24:325:26 | end | provenance |  |
 | test.cpp:319:19:319:22 | temp | test.cpp:319:19:319:27 | ... + ... | provenance | Config |
 | test.cpp:319:19:319:22 | temp | test.cpp:324:23:324:32 | ... + ... | provenance | Config |
@@ -115,33 +133,40 @@ nodes
 | test.cpp:85:34:85:36 | buf | semmle.label | buf |
 | test.cpp:87:5:87:31 | access to array | semmle.label | access to array |
 | test.cpp:88:5:88:27 | access to array | semmle.label | access to array |
+| test.cpp:92:9:92:11 | definition of arr | semmle.label | definition of arr |
 | test.cpp:96:13:96:15 | arr | semmle.label | arr |
 | test.cpp:96:13:96:18 | access to array | semmle.label | access to array |
+| test.cpp:102:9:102:11 | definition of arr | semmle.label | definition of arr |
 | test.cpp:111:17:111:19 | arr | semmle.label | arr |
 | test.cpp:111:17:111:22 | access to array | semmle.label | access to array |
 | test.cpp:115:35:115:37 | arr | semmle.label | arr |
 | test.cpp:115:35:115:40 | access to array | semmle.label | access to array |
 | test.cpp:119:17:119:19 | arr | semmle.label | arr |
 | test.cpp:119:17:119:22 | access to array | semmle.label | access to array |
+| test.cpp:125:11:125:13 | definition of arr | semmle.label | definition of arr |
 | test.cpp:128:9:128:11 | arr | semmle.label | arr |
 | test.cpp:128:9:128:14 | access to array | semmle.label | access to array |
 | test.cpp:134:25:134:27 | arr | semmle.label | arr |
 | test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... |
 | test.cpp:136:9:136:16 | ... += ... | semmle.label | ... += ... |
 | test.cpp:138:13:138:15 | arr | semmle.label | arr |
+| test.cpp:142:10:142:13 | definition of asdf | semmle.label | definition of asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:143:18:143:21 | asdf | semmle.label | asdf |
 | test.cpp:146:26:146:26 | *p | semmle.label | *p |
 | test.cpp:147:4:147:9 | -- ... | semmle.label | -- ... |
 | test.cpp:147:4:147:9 | -- ... | semmle.label | -- ... |
+| test.cpp:154:7:154:9 | definition of buf | semmle.label | definition of buf |
 | test.cpp:156:12:156:14 | buf | semmle.label | buf |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:156:12:156:18 | ... + ... | semmle.label | ... + ... |
 | test.cpp:158:17:158:18 | *& ... | semmle.label | *& ... |
+| test.cpp:217:19:217:24 | definition of buffer | semmle.label | definition of buffer |
 | test.cpp:218:16:218:28 | buffer | semmle.label | buffer |
 | test.cpp:218:23:218:28 | buffer | semmle.label | buffer |
 | test.cpp:220:5:220:11 | access to array | semmle.label | access to array |
 | test.cpp:221:5:221:11 | access to array | semmle.label | access to array |
+| test.cpp:228:10:228:14 | definition of array | semmle.label | definition of array |
 | test.cpp:229:17:229:29 | array | semmle.label | array |
 | test.cpp:229:25:229:29 | array | semmle.label | array |
 | test.cpp:231:5:231:10 | access to array | semmle.label | access to array |
@@ -149,22 +174,29 @@ nodes
 | test.cpp:245:30:245:30 | p | semmle.label | p |
 | test.cpp:245:30:245:30 | p | semmle.label | p |
 | test.cpp:261:27:261:30 | access to array | semmle.label | access to array |
+| test.cpp:273:19:273:25 | definition of buffer3 | semmle.label | definition of buffer3 |
 | test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
 | test.cpp:274:14:274:20 | buffer3 | semmle.label | buffer3 |
 | test.cpp:277:35:277:35 | p | semmle.label | p |
 | test.cpp:278:14:278:14 | p | semmle.label | p |
+| test.cpp:282:19:282:25 | definition of buffer1 | semmle.label | definition of buffer1 |
 | test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
 | test.cpp:283:19:283:25 | buffer1 | semmle.label | buffer1 |
+| test.cpp:285:19:285:25 | definition of buffer2 | semmle.label | definition of buffer2 |
 | test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
 | test.cpp:286:19:286:25 | buffer2 | semmle.label | buffer2 |
+| test.cpp:288:19:288:25 | definition of buffer3 | semmle.label | definition of buffer3 |
 | test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
 | test.cpp:289:19:289:25 | buffer3 | semmle.label | buffer3 |
 | test.cpp:292:25:292:27 | arr | semmle.label | arr |
 | test.cpp:299:16:299:21 | access to array | semmle.label | access to array |
+| test.cpp:305:9:305:12 | definition of arr1 | semmle.label | definition of arr1 |
 | test.cpp:306:20:306:23 | arr1 | semmle.label | arr1 |
 | test.cpp:306:20:306:23 | arr1 | semmle.label | arr1 |
+| test.cpp:308:9:308:12 | definition of arr2 | semmle.label | definition of arr2 |
 | test.cpp:309:20:309:23 | arr2 | semmle.label | arr2 |
 | test.cpp:309:20:309:23 | arr2 | semmle.label | arr2 |
+| test.cpp:314:10:314:13 | definition of temp | semmle.label | definition of temp |
 | test.cpp:319:13:319:27 | ... = ... | semmle.label | ... = ... |
 | test.cpp:319:19:319:22 | temp | semmle.label | temp |
 | test.cpp:319:19:319:27 | ... + ... | semmle.label | ... + ... |
@@ -189,14 +221,25 @@ subpaths
 | test.cpp:72:5:72:15 | PointerAdd: access to array | test.cpp:79:32:79:34 | buf | test.cpp:72:5:72:15 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:72:5:72:19 | Store: ... = ... | write |
 | test.cpp:77:27:77:44 | PointerAdd: access to array | test.cpp:77:32:77:34 | buf | test.cpp:66:32:66:32 | p | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:67:5:67:10 | Store: ... = ... | write |
 | test.cpp:88:5:88:27 | PointerAdd: access to array | test.cpp:85:34:85:36 | buf | test.cpp:88:5:88:27 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:15:9:15:11 | buf | buf | test.cpp:88:5:88:31 | Store: ... = ... | write |
+| test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:125:11:125:13 | definition of arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
 | test.cpp:128:9:128:14 | PointerAdd: access to array | test.cpp:128:9:128:11 | arr | test.cpp:128:9:128:14 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:125:11:125:13 | arr | arr | test.cpp:128:9:128:18 | Store: ... = ... | write |
+| test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:142:10:142:13 | definition of asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
 | test.cpp:136:9:136:16 | PointerAdd: ... += ... | test.cpp:143:18:143:21 | asdf | test.cpp:138:13:138:15 | arr | This pointer arithmetic may have an off-by-2 error allowing it to overrun $@ at this $@. | test.cpp:142:10:142:13 | asdf | asdf | test.cpp:138:12:138:15 | Load: * ... | read |
+| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:154:7:154:9 | definition of buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
+| test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:154:7:154:9 | definition of buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
 | test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
 | test.cpp:156:12:156:18 | PointerAdd: ... + ... | test.cpp:156:12:156:14 | buf | test.cpp:147:4:147:9 | -- ... | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:154:7:154:9 | buf | buf | test.cpp:147:3:147:13 | Store: ... = ... | write |
+| test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:217:19:217:24 | definition of buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
 | test.cpp:221:5:221:11 | PointerAdd: access to array | test.cpp:218:23:218:28 | buffer | test.cpp:221:5:221:11 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:217:19:217:24 | buffer | buffer | test.cpp:221:5:221:15 | Store: ... = ... | write |
+| test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:228:10:228:14 | definition of array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
 | test.cpp:232:5:232:10 | PointerAdd: access to array | test.cpp:229:25:229:29 | array | test.cpp:232:5:232:10 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:228:10:228:14 | array | array | test.cpp:232:5:232:19 | Store: ... = ... | write |
+| test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:285:19:285:25 | definition of buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |
 | test.cpp:261:27:261:30 | PointerAdd: access to array | test.cpp:286:19:286:25 | buffer2 | test.cpp:261:27:261:30 | access to array | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:285:19:285:25 | buffer2 | buffer2 | test.cpp:261:27:261:30 | Load: access to array | read |
+| test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:308:9:308:12 | definition of arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read |
 | test.cpp:299:16:299:21 | PointerAdd: access to array | test.cpp:309:20:309:23 | arr2 | test.cpp:299:16:299:21 | access to array | This pointer arithmetic may have an off-by-1014 error allowing it to overrun $@ at this $@. | test.cpp:308:9:308:12 | arr2 | arr2 | test.cpp:299:16:299:21 | Load: access to array | read |
+| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... | write |
+| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write |
+| test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:314:10:314:13 | definition of temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write |
 | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:330:13:330:24 | Store: ... = ... | write |
 | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:331:13:331:24 | Store: ... = ... | write |
 | test.cpp:322:19:322:27 | PointerAdd: ... + ... | test.cpp:322:19:322:22 | temp | test.cpp:325:24:325:26 | end | This pointer arithmetic may have an off-by-1 error allowing it to overrun $@ at this $@. | test.cpp:314:10:314:13 | temp | temp | test.cpp:333:13:333:24 | Store: ... = ... | write |

cpp/ql/test/library-tests/dataflow/certain/test.cpp

@@ -1,82 +0,0 @@
-void use(...);
-
-void test1() {
-  int x = 0; // $ certain="SSA def(&x)" certain="SSA def(x)"
-  use(x);
-
-  x = 1; // $ certain="SSA def(x)"
-  use(x);
-
-  int* p = &x; // $ certain="SSA def(&p)" certain="SSA def(p)" certain="SSA def(*p)"
-  use(p);
-
-  *p = 2; // $ certain="SSA def(*p)"
-  use(p);
-
-  p = nullptr; // $ certain="SSA def(p)" certain="SSA def(*p)"
-  use(p);
-
-  *p = 2; // $ uncertain="SSA def(*p)"
-  use(p);
-}
-
-void test2(bool b) { // $ certain="SSA def(&b)" certain="SSA def(b)"
-  {
-  int x; // $ certain="SSA def(&x)" 
-  if(b) {
-    x = 0; // $ certain="SSA def(x)"
-  } else {
-    x = 1; // $ certain="SSA def(x)"
-  }
-  use(x); // $ certain="SSA phi(x)"
-  }
-
-  {
-  int x; // $ certain="SSA def(&x)" certain="SSA def(x)"
-  if(b) {
-    x = 0; // $ certain="SSA def(x)"
-  } else {
-  
-  }
-  use(x); // $ certain="SSA phi(x)"
-  }
-
-  {
-  int x; // $ certain="SSA def(&x)" certain="SSA def(x)"
-  int* p = &x; // $ certain="SSA def(&p)" certain="SSA def(p)" certain="SSA def(*p)"
-  if(b) {
-    *p = 0; // $ certain="SSA def(*p)"
-  } else {
-    *(p + 1) = 1; // $ uncertain="SSA def(*p)"
-  }
-  use(p); // $ uncertain="SSA phi(*p)"
-  }
-  
-}
-
-void test3(bool b) { // $ certain="SSA def(&b)" certain="SSA def(b)"
-  for(int i = 0; i < 10;) { // $ certain="SSA def(&i)" certain="SSA def(i)" certain="SSA phi(i)"
-    if(b) {
-      ++i; // $ certain="SSA def(i)"
-    }
-    use(i); // $ certain="SSA phi(i)"
-  }
-}
-
-void test(int x, bool b1, bool b2) { // $ certain="SSA def(&x)" certain="SSA def(x)" certain="SSA def(&b1)" certain="SSA def(b1)" certain="SSA def(&b2)" certain="SSA def(b2)"
-  int* p = &x; // $ certain="SSA def(&p)" certain="SSA def(p)" certain="SSA def(*p)" 
-  int i = 0; // $ certain="SSA def(&i)" certain="SSA def(i)"
-  int j = 0; // $ certain="SSA def(&j)" certain="SSA def(j)"
-  while (i < 10) { // $ certain="SSA phi(i)" certain="SSA phi(*p)"
-  if (b1) {
-    *p = 0; // $ certain="SSA def(*p)" 
-  }
-  ++i; // $ certain="SSA def(i)" certain="SSA phi(*p)"
-  }
-  while (j < 10) { // $ uncertain="SSA phi(*p)" certain="SSA phi(j)"
-    if (b2) {
-      *(p + j) = 0; // $ uncertain="SSA def(*p)"
-    }
-    ++j; // $ certain="SSA def(j)" uncertain="SSA phi(*p)"
-  }
-}

cpp/ql/test/library-tests/dataflow/certain/test.ql

@@ -1,22 +0,0 @@
-import cpp
-import utils.test.InlineExpectationsTest
-import semmle.code.cpp.dataflow.new.DataFlow::DataFlow
-
-bindingset[s]
-string quote(string s) { if s.matches("% %") then result = "\"" + s + "\"" else result = s }
-
-module AsDefinitionTest implements TestSig {
-  string getARelevantTag() { result = ["certain", "uncertain"] }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Ssa::Definition d |
-      location = d.getLocation() and
-      element = d.toString() and
-      value = quote(d.toString())
-    |
-      if d.isCertain() then tag = "certain" else tag = "uncertain"
-    )
-  }
-}
-
-import MakeTest<AsDefinitionTest>

cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-consistency.expected

@@ -143,7 +143,6 @@ postWithInFlow
 | test.cpp:1153:5:1153:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1165:5:1165:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
 | test.cpp:1195:5:1195:6 | * ... [post update] | PostUpdateNode should not be the target of local flow. |
-| test.cpp:1337:5:1337:13 | access to array [post update] | PostUpdateNode should not be the target of local flow. |
 viableImplInCallContextTooLarge
 uniqueParameterNodeAtPosition
 uniqueParameterNodePosition

cpp/ql/test/library-tests/dataflow/dataflow-tests/localFlow-ir.expected

@@ -65,52 +65,52 @@
 | test.cpp:8:8:8:9 | t1 | test.cpp:9:8:9:9 | t1 |
 | test.cpp:9:8:9:9 | t1 | test.cpp:11:7:11:8 | t1 |
 | test.cpp:9:8:9:9 | t1 | test.cpp:11:7:11:8 | t1 |
-| test.cpp:10:8:10:9 | t2 | test.cpp:11:7:11:8 | [input] SSA phi read(&t2) |
-| test.cpp:10:8:10:9 | t2 | test.cpp:11:7:11:8 | [input] SSA phi(t2) |
+| test.cpp:10:8:10:9 | t2 | test.cpp:11:7:11:8 | [input] SSA phi read(t2) |
+| test.cpp:10:8:10:9 | t2 | test.cpp:11:7:11:8 | [input] SSA phi(*t2) |
 | test.cpp:10:8:10:9 | t2 | test.cpp:13:10:13:11 | t2 |
-| test.cpp:11:7:11:8 | [input] SSA phi read(&t2) | test.cpp:15:8:15:9 | t2 |
-| test.cpp:11:7:11:8 | [input] SSA phi(t2) | test.cpp:15:8:15:9 | t2 |
+| test.cpp:11:7:11:8 | [input] SSA phi read(t2) | test.cpp:15:8:15:9 | t2 |
+| test.cpp:11:7:11:8 | [input] SSA phi(*t2) | test.cpp:15:8:15:9 | t2 |
 | test.cpp:11:7:11:8 | t1 | test.cpp:21:8:21:9 | t1 |
 | test.cpp:12:5:12:10 | ... = ... | test.cpp:13:10:13:11 | t2 |
 | test.cpp:12:10:12:10 | 0 | test.cpp:12:5:12:10 | ... = ... |
 | test.cpp:13:10:13:11 | t2 | test.cpp:15:8:15:9 | t2 |
 | test.cpp:13:10:13:11 | t2 | test.cpp:15:8:15:9 | t2 |
-| test.cpp:15:8:15:9 | t2 | test.cpp:23:15:23:16 | [input] SSA phi read(&t2) |
+| test.cpp:15:8:15:9 | t2 | test.cpp:23:15:23:16 | [input] SSA phi read(*t2) |
 | test.cpp:15:8:15:9 | t2 | test.cpp:23:15:23:16 | [input] SSA phi read(t2) |
 | test.cpp:17:3:17:8 | ... = ... | test.cpp:21:8:21:9 | t1 |
 | test.cpp:17:8:17:8 | 0 | test.cpp:17:3:17:8 | ... = ... |
-| test.cpp:21:8:21:9 | t1 | test.cpp:23:19:23:19 | SSA phi read(&t1) |
-| test.cpp:21:8:21:9 | t1 | test.cpp:23:19:23:19 | SSA phi(t1) |
+| test.cpp:21:8:21:9 | t1 | test.cpp:23:19:23:19 | SSA phi read(t1) |
+| test.cpp:21:8:21:9 | t1 | test.cpp:23:19:23:19 | SSA phi(*t1) |
 | test.cpp:23:15:23:16 | 0 | test.cpp:23:15:23:16 | 0 |
-| test.cpp:23:15:23:16 | 0 | test.cpp:23:19:23:19 | SSA phi(i) |
-| test.cpp:23:15:23:16 | [input] SSA phi read(&t2) | test.cpp:23:19:23:19 | SSA phi read(&t2) |
+| test.cpp:23:15:23:16 | 0 | test.cpp:23:19:23:19 | SSA phi(*i) |
+| test.cpp:23:15:23:16 | [input] SSA phi read(*t2) | test.cpp:23:19:23:19 | SSA phi read(*t2) |
 | test.cpp:23:15:23:16 | [input] SSA phi read(t2) | test.cpp:23:19:23:19 | SSA phi read(t2) |
-| test.cpp:23:19:23:19 | SSA phi read(&i) | test.cpp:23:19:23:19 | i |
-| test.cpp:23:19:23:19 | SSA phi read(&t1) | test.cpp:23:23:23:24 | t1 |
-| test.cpp:23:19:23:19 | SSA phi read(&t2) | test.cpp:24:10:24:11 | t2 |
+| test.cpp:23:19:23:19 | SSA phi read(*t2) | test.cpp:24:10:24:11 | t2 |
+| test.cpp:23:19:23:19 | SSA phi read(i) | test.cpp:23:19:23:19 | i |
+| test.cpp:23:19:23:19 | SSA phi read(t1) | test.cpp:23:23:23:24 | t1 |
 | test.cpp:23:19:23:19 | SSA phi read(t2) | test.cpp:24:10:24:11 | t2 |
-| test.cpp:23:19:23:19 | SSA phi(i) | test.cpp:23:19:23:19 | i |
-| test.cpp:23:19:23:19 | SSA phi(t1) | test.cpp:23:23:23:24 | t1 |
+| test.cpp:23:19:23:19 | SSA phi(*i) | test.cpp:23:19:23:19 | i |
+| test.cpp:23:19:23:19 | SSA phi(*t1) | test.cpp:23:23:23:24 | t1 |
 | test.cpp:23:19:23:19 | i | test.cpp:23:27:23:27 | i |
 | test.cpp:23:19:23:19 | i | test.cpp:23:27:23:27 | i |
-| test.cpp:23:23:23:24 | t1 | test.cpp:23:27:23:29 | [input] SSA phi read(&t1) |
+| test.cpp:23:23:23:24 | t1 | test.cpp:23:27:23:29 | [input] SSA phi read(t1) |
 | test.cpp:23:23:23:24 | t1 | test.cpp:26:8:26:9 | t1 |
 | test.cpp:23:23:23:24 | t1 | test.cpp:26:8:26:9 | t1 |
 | test.cpp:23:27:23:27 | *i | test.cpp:23:27:23:27 | *i |
 | test.cpp:23:27:23:27 | *i | test.cpp:23:27:23:27 | i |
 | test.cpp:23:27:23:27 | i | test.cpp:23:27:23:27 | i |
 | test.cpp:23:27:23:27 | i | test.cpp:23:27:23:27 | i |
-| test.cpp:23:27:23:27 | i | test.cpp:23:27:23:29 | [input] SSA phi read(&i) |
+| test.cpp:23:27:23:27 | i | test.cpp:23:27:23:29 | [input] SSA phi read(i) |
 | test.cpp:23:27:23:29 | ... ++ | test.cpp:23:27:23:29 | ... ++ |
-| test.cpp:23:27:23:29 | ... ++ | test.cpp:23:27:23:29 | [input] SSA phi(i) |
-| test.cpp:23:27:23:29 | [input] SSA phi read(&i) | test.cpp:23:19:23:19 | SSA phi read(&i) |
-| test.cpp:23:27:23:29 | [input] SSA phi read(&t1) | test.cpp:23:19:23:19 | SSA phi read(&t1) |
-| test.cpp:23:27:23:29 | [input] SSA phi read(&t2) | test.cpp:23:19:23:19 | SSA phi read(&t2) |
+| test.cpp:23:27:23:29 | ... ++ | test.cpp:23:27:23:29 | [input] SSA phi(*i) |
+| test.cpp:23:27:23:29 | [input] SSA phi read(*t2) | test.cpp:23:19:23:19 | SSA phi read(*t2) |
+| test.cpp:23:27:23:29 | [input] SSA phi read(i) | test.cpp:23:19:23:19 | SSA phi read(i) |
+| test.cpp:23:27:23:29 | [input] SSA phi read(t1) | test.cpp:23:19:23:19 | SSA phi read(t1) |
 | test.cpp:23:27:23:29 | [input] SSA phi read(t2) | test.cpp:23:19:23:19 | SSA phi read(t2) |
-| test.cpp:23:27:23:29 | [input] SSA phi(i) | test.cpp:23:19:23:19 | SSA phi(i) |
-| test.cpp:23:27:23:29 | [input] SSA phi(t1) | test.cpp:23:19:23:19 | SSA phi(t1) |
-| test.cpp:24:5:24:11 | ... = ... | test.cpp:23:27:23:29 | [input] SSA phi(t1) |
-| test.cpp:24:10:24:11 | t2 | test.cpp:23:27:23:29 | [input] SSA phi read(&t2) |
+| test.cpp:23:27:23:29 | [input] SSA phi(*i) | test.cpp:23:19:23:19 | SSA phi(*i) |
+| test.cpp:23:27:23:29 | [input] SSA phi(*t1) | test.cpp:23:19:23:19 | SSA phi(*t1) |
+| test.cpp:24:5:24:11 | ... = ... | test.cpp:23:27:23:29 | [input] SSA phi(*t1) |
+| test.cpp:24:10:24:11 | t2 | test.cpp:23:27:23:29 | [input] SSA phi read(*t2) |
 | test.cpp:24:10:24:11 | t2 | test.cpp:23:27:23:29 | [input] SSA phi read(t2) |
 | test.cpp:24:10:24:11 | t2 | test.cpp:24:5:24:11 | ... = ... |
 | test.cpp:382:48:382:54 | source1 | test.cpp:384:16:384:23 | *& ... |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test-source-sink.expected

@@ -171,7 +171,6 @@ astFlow
 | test.cpp:1312:7:1312:12 | call to source | test.cpp:1313:8:1313:24 | ... ? ... : ... |
 | test.cpp:1312:7:1312:12 | call to source | test.cpp:1314:8:1314:8 | x |
 | test.cpp:1329:11:1329:16 | call to source | test.cpp:1330:10:1330:10 | i |
-| test.cpp:1335:10:1335:15 | buffer | test.cpp:1336:10:1336:18 | access to array |
 | true_upon_entry.cpp:17:11:17:16 | call to source | true_upon_entry.cpp:21:8:21:8 | x |
 | true_upon_entry.cpp:27:9:27:14 | call to source | true_upon_entry.cpp:29:8:29:8 | x |
 | true_upon_entry.cpp:33:11:33:16 | call to source | true_upon_entry.cpp:39:8:39:8 | x |

cpp/ql/test/library-tests/dataflow/dataflow-tests/test.cpp

@@ -1329,11 +1329,3 @@ void nsdmi_test() {
   nsdmi y(source());
   sink(y.i); // $ ir ast
 }
-
-void certain_def_uninitialized_instruction_test() {
-  for(int i = 0; i < 10; i++) {
-    char buffer[10];
-    sink(buffer[0]); // $ SPURIOUS: ast
-    buffer[0] = source();
-  }
-}

cpp/ql/test/library-tests/dataflow/dataflow-tests/uninitialized.expected

@@ -59,5 +59,3 @@
 | test.cpp:1137:7:1137:10 | data | test.cpp:1138:5:1138:8 | data |
 | test.cpp:1137:7:1137:10 | data | test.cpp:1139:4:1139:7 | data |
 | test.cpp:1137:7:1137:10 | data | test.cpp:1140:10:1140:13 | data |
-| test.cpp:1335:10:1335:15 | buffer | test.cpp:1336:10:1336:15 | buffer |
-| test.cpp:1335:10:1335:15 | buffer | test.cpp:1337:5:1337:10 | buffer |

cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp

@@ -131,112 +131,3 @@ void test_strsafe_gets() {
 		StringCchGetsExA(dest, sizeof(dest), &end, &remaining, 0); // $ local_source
 	}
 }
-
-int scanf_s(const char *format, ...);
-int fscanf_s(FILE *stream, const char *format, ...);
-
-void test_scanf_s(FILE *stream) {
-  {
-  int n1, n2;
-  scanf_s(
-    "%d %d",
-    &n1, // $ local_source
-    &n2); // $ local_source
-  }
-
-  {
-  int n;
-  fscanf_s(stream, "%d", &n); // $ remote_source
-  }
-
-  {
-  int n1, n2;
-  char buf[256];
-  scanf_s("%d %s %d",
-    &n1, // $ local_source
-    buf, // $ local_source
-    256,
-    &n2); // $ local_source
-  }
-
-  {
-  int n1, n2;
-  char buf[256];
-  fscanf_s(stream, "%d %s %d",
-    &n1, // $ remote_source
-    buf, // $ remote_source
-    256,
-    &n2); // $ remote_source
-  }
-}
-
-typedef void *locale_t;
-
-int wscanf_s(const wchar_t *format, ...);
-int _scanf_s_l(const char *format, locale_t locale, ...);
-int _wscanf_s_l(const wchar_t *format, locale_t locale, ...);
-int fwscanf_s(FILE *stream, const wchar_t *format, ...);
-int _fscanf_s_l(FILE *stream, const char *format, locale_t locale, ...);
-int _fwscanf_s_l(FILE *stream, const wchar_t *format, locale_t locale, ...);
-
-void test_additional_scanf_s_variants(FILE *stream, locale_t locale) {
-  {
-  int n1, n2;
-  wchar_t buf[256];
-  wscanf_s(L"%d %s %d",
-    &n1, // $ local_source
-    buf, // $ local_source
-    256,
-    &n2); // $ local_source
-  }
-
-  {
-  int n1, n2;
-  char buf[256];
-  _scanf_s_l("%d %s %d", locale,
-    &n1, // $ local_source
-    buf, // $ local_source
-    256,
-    &n2); // $ local_source
-  }
-
-  {
-  int n1, n2;
-  wchar_t buf[256];
-  _wscanf_s_l(L"%d %s %d", locale,
-    &n1, // $ local_source
-    buf, // $ local_source
-    256,
-    &n2); // $ local_source
-  }
-
-  {
-  int n1, n2;
-  wchar_t buf[256];
-  fwscanf_s(stream, L"%d %s %d",
-    &n1, // $ remote_source
-    buf, // $ remote_source
-    256,
-    &n2); // $ remote_source
-  }
-
-  {
-  int n1, n2;
-  char buf[256];
-  _fscanf_s_l(stream, "%d %s %d", locale,
-    &n1, // $ remote_source
-    buf, // $ remote_source
-    256,
-    &n2); // $ remote_source
-  }
-
-  {
-  int n1, n2;
-  wchar_t buf[256];
-  _fwscanf_s_l(stream, L"%d %s %d", locale,
-    &n1, // $ remote_source
-    buf, // $ remote_source
-    256,
-    &n2); // $ remote_source
-  }
-}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -4928,8 +4928,6 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | stl.h:95:69:95:69 | x | stl.h:96:42:96:42 | x |  |
 | stl.h:96:42:96:42 | ref arg x | stl.h:95:69:95:69 | x |  |
 | stl.h:96:42:96:42 | ref arg x | stl.h:95:69:95:69 | x |  |
-| stl.h:292:30:292:40 | 0 | file://:0:0:0:0 | noexcept(...) | TAINT |
-| stl.h:292:30:292:40 | 0 | file://:0:0:0:0 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |
 | stl.h:292:30:292:40 | call to allocator | stl.h:292:21:292:41 | noexcept(...) | TAINT |

cpp/ql/test/library-tests/scanf/scanfFormatLiteral.expected

@@ -1,8 +1,5 @@
-| test.c:19:2:19:6 | call to scanf | 0 | s | 0 | 0 |
-| test.c:20:2:20:7 | call to fscanf | 0 | s | 10 | 10 |
-| test.c:20:2:20:7 | call to fscanf | 1 | i | 0 | 0 |
-| test.c:21:2:21:7 | call to sscanf | 0 | s | 0 | 0 |
-| test.c:22:2:22:8 | call to swscanf | 0 | s | 10 | 10 |
-| test.c:23:2:23:8 | call to scanf_s | 0 | d | 0 | 0 |
-| test.c:23:2:23:8 | call to scanf_s | 1 | s | 0 | 0 |
-| test.c:23:2:23:8 | call to scanf_s | 2 | d | 0 | 0 |
+| test.c:18:2:18:6 | call to scanf | 0 | s | 0 | 0 |
+| test.c:19:2:19:7 | call to fscanf | 0 | s | 10 | 10 |
+| test.c:19:2:19:7 | call to fscanf | 1 | i | 0 | 0 |
+| test.c:20:2:20:7 | call to sscanf | 0 | s | 0 | 0 |
+| test.c:21:2:21:8 | call to swscanf | 0 | s | 10 | 10 |

cpp/ql/test/library-tests/scanf/scanfFunctionCall.expected

@@ -1,6 +1,5 @@
 | ms.cpp:17:3:17:8 | call to sscanf | 0 | 1 | ms.cpp:17:24:17:30 | %I64i | non-wide |
-| test.c:19:2:19:6 | call to scanf | 0 | 0 | test.c:19:8:19:11 | %s | non-wide |
-| test.c:20:2:20:7 | call to fscanf | 0 | 1 | test.c:20:15:20:23 | %10s %i | non-wide |
-| test.c:21:2:21:7 | call to sscanf | 0 | 1 | test.c:21:19:21:28 | %*i%s%*s | non-wide |
-| test.c:22:2:22:8 | call to swscanf | 0 | 1 | test.c:22:21:22:26 | %10s | wide |
-| test.c:23:2:23:8 | call to scanf_s | 0 | 0 | test.c:23:10:23:19 | %d %s %d | non-wide |
+| test.c:18:2:18:6 | call to scanf | 0 | 0 | test.c:18:8:18:11 | %s | non-wide |
+| test.c:19:2:19:7 | call to fscanf | 0 | 1 | test.c:19:15:19:23 | %10s %i | non-wide |
+| test.c:20:2:20:7 | call to sscanf | 0 | 1 | test.c:20:19:20:28 | %*i%s%*s | non-wide |
+| test.c:21:2:21:8 | call to swscanf | 0 | 1 | test.c:21:21:21:26 | %10s | wide |

cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.expected

@@ -1,9 +0,0 @@
-| ms.cpp:17:3:17:8 | call to sscanf | ms.cpp:17:33:17:36 | & ... | 0 |
-| test.c:19:2:19:6 | call to scanf | test.c:19:14:19:19 | buffer | 0 |
-| test.c:20:2:20:7 | call to fscanf | test.c:20:26:20:31 | buffer | 0 |
-| test.c:20:2:20:7 | call to fscanf | test.c:20:34:20:34 | i | 1 |
-| test.c:21:2:21:7 | call to sscanf | test.c:21:31:21:36 | buffer | 0 |
-| test.c:22:2:22:8 | call to swscanf | test.c:22:29:22:35 | wbuffer | 0 |
-| test.c:23:2:23:8 | call to scanf_s | test.c:23:22:23:23 | & ... | 0 |
-| test.c:23:2:23:8 | call to scanf_s | test.c:23:26:23:31 | buffer | 1 |
-| test.c:23:2:23:8 | call to scanf_s | test.c:23:38:23:40 | & ... | 2 |

cpp/ql/test/library-tests/scanf/scanfFunctionCallOutput.ql

@@ -1,5 +0,0 @@
-import semmle.code.cpp.commons.Scanf
-
-from ScanfFunctionCall sfc, Expr e, int n
-where e = sfc.getOutputArgument(n)
-select sfc, e, n

cpp/ql/test/library-tests/scanf/test.c

@@ -7,20 +7,18 @@ int scanf(const char *format, ...);
 int fscanf(FILE *stream, const char *format, ...);
 int sscanf(const char *s, const char *format, ...);
 int swscanf(const wchar_t* ws, const wchar_t* format, ...);
-int scanf_s(const char *format, ...);
 
 int main(int argc, char *argv[])
 {
 	char buffer[256];
 	wchar_t wbuffer[256];
 	FILE *file;
-	int i, i2;
+	int i;
 
 	scanf("%s", buffer);
 	fscanf(file, "%10s %i", buffer, i);
 	sscanf("Hello.", "%*i%s%*s", buffer);
 	swscanf(L"Hello.", "%10s", wbuffer);
-	scanf_s("%d %s %d", &i, buffer, 10, &i2);
 
 	return 0;
 }

cpp/ql/test/library-tests/using-aliases/using-alias.expected

@@ -1,9 +1,9 @@
 | file://:0:0:0:0 | X | NestedTypedefType | file://:0:0:0:0 | int * |
-| file://:0:0:0:0 | X | TypeAliasType | file://:0:0:0:0 | int * |
+| file://:0:0:0:0 | X | UsingAliasTypedefType | file://:0:0:0:0 | int * |
 | using-alias.cpp:2:13:2:17 | type1 | CTypedefType | file://:0:0:0:0 | int |
-| using-alias.cpp:3:7:3:12 | using1 | TypeAliasType | file://:0:0:0:0 | float |
+| using-alias.cpp:3:7:3:12 | using1 | UsingAliasTypedefType | file://:0:0:0:0 | float |
 | using-alias.cpp:5:16:5:20 | type2 | CTypedefType | file://:0:0:0:0 | float |
-| using-alias.cpp:6:7:6:12 | using2 | TypeAliasType | file://:0:0:0:0 | int |
+| using-alias.cpp:6:7:6:12 | using2 | UsingAliasTypedefType | file://:0:0:0:0 | int |
 | using-alias.cpp:8:39:8:39 | X | NestedTypedefType | file://:0:0:0:0 | T * |
-| using-alias.cpp:8:39:8:39 | X | TypeAliasType | file://:0:0:0:0 | T * |
-| using-alias.cpp:10:7:10:7 | Y | TypeAliasType | file://:0:0:0:0 | int * |
+| using-alias.cpp:8:39:8:39 | X | UsingAliasTypedefType | file://:0:0:0:0 | T * |
+| using-alias.cpp:10:7:10:7 | Y | UsingAliasTypedefType | file://:0:0:0:0 | int * |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/test3.cpp

@@ -577,10 +577,3 @@ void tests3()
 	str = get_home_address();
 	send(val(), str, strlen(str), val()); // BAD
 }
-
-int fscanf(FILE* stream, const char* format, ... );
-
-void test_scanf() {
-	char password[256];
-	fscanf(stdin, "%255s", password); // GOOD: this is not a remote source
-}

csharp/.config/dotnet-tools.json

@@ -3,7 +3,7 @@
   "isRoot": true,
   "tools": {
     "paket": {
-      "version": "10.3.1",
+      "version": "10.0.0-alpha011",
       "commands": [
         "paket"
       ]

csharp/.paket/Paket.Restore.targets

@@ -241,9 +241,8 @@
 				<OmitContent Condition="%(PaketReferencesFileLinesInfo.Splits) &gt;= 7">$([System.String]::Copy('%(PaketReferencesFileLines.Identity)').Split(',')[6])</OmitContent>
 				<ImportTargets Condition="%(PaketReferencesFileLinesInfo.Splits) &gt;= 8">$([System.String]::Copy('%(PaketReferencesFileLines.Identity)').Split(',')[7])</ImportTargets>
 				<Aliases Condition="%(PaketReferencesFileLinesInfo.Splits) &gt;= 9">$([System.String]::Copy('%(PaketReferencesFileLines.Identity)').Split(',')[8])</Aliases>
-				<ReferenceCondition Condition="%(PaketReferencesFileLinesInfo.Splits) &gt;= 10">$([System.String]::Copy('%(PaketReferencesFileLines.Identity)').Split(',')[9])</ReferenceCondition>
 			</PaketReferencesFileLinesInfo>
-			<PackageReference Condition=" ('$(ManagePackageVersionsCentrally)' != 'true' Or '%(PaketReferencesFileLinesInfo.Reference)' == 'Direct') AND ('%(PaketReferencesFileLinesInfo.ReferenceCondition)' == 'true' Or $(%(PaketReferencesFileLinesInfo.ReferenceCondition)) == 'true')" Include="%(PaketReferencesFileLinesInfo.PackageName)">
+			<PackageReference Condition=" '$(ManagePackageVersionsCentrally)' != 'true' Or '%(PaketReferencesFileLinesInfo.Reference)' == 'Direct' " Include="%(PaketReferencesFileLinesInfo.PackageName)">
 				<Version Condition=" '$(ManagePackageVersionsCentrally)' != 'true' ">%(PaketReferencesFileLinesInfo.PackageVersion)</Version>
 				<PrivateAssets Condition=" ('%(PaketReferencesFileLinesInfo.AllPrivateAssets)' == 'true') Or ('$(PackAsTool)' == 'true') ">All</PrivateAssets>
 				<ExcludeAssets Condition=" %(PaketReferencesFileLinesInfo.CopyLocal) == 'false' or %(PaketReferencesFileLinesInfo.AllPrivateAssets) == 'exclude'">runtime</ExcludeAssets>
@@ -252,8 +251,10 @@
 				<Aliases Condition=" %(PaketReferencesFileLinesInfo.Aliases) != ''">%(PaketReferencesFileLinesInfo.Aliases)</Aliases>
 				<Publish Condition=" '$(PackAsTool)' == 'true' ">true</Publish>
 				<AllowExplicitVersion>true</AllowExplicitVersion>
+
 			</PackageReference>
-			<PackageVersion Condition="('$(ManagePackageVersionsCentrally)' != 'true' Or '%(PaketReferencesFileLinesInfo.Reference)' == 'Direct') AND ('%(PaketReferencesFileLinesInfo.ReferenceCondition)' == 'true' Or $(%(PaketReferencesFileLinesInfo.ReferenceCondition)) == 'true')" Include="%(PaketReferencesFileLinesInfo.PackageName)">
+
+			<PackageVersion Include="%(PaketReferencesFileLinesInfo.PackageName)">
 				<Version>%(PaketReferencesFileLinesInfo.PackageVersion)</Version>
 			</PackageVersion>
 		</ItemGroup>
@@ -318,17 +319,7 @@
 		</ItemGroup>
 
 		<Error Text="Error Because of PAKET_ERROR_ON_MSBUILD_EXEC (not calling fix-nuspecs)" Condition=" '$(PAKET_ERROR_ON_MSBUILD_EXEC)' == 'true' " />
-		<Exec Condition="@(_NuspecFiles) != ''" Command='$(PaketCommand) show-conditions -s' ConsoleToMSBuild="true" StandardOutputImportance="low">
-			<Output TaskParameter="ConsoleOutput" ItemName="_ConditionProperties"/>
-		</Exec>
-		<ItemGroup>
-			<_DefinedConditionProperties Include="@(_ConditionProperties)" Condition="$(%(Identity)) == 'true'"/>
-		</ItemGroup>
-		<PropertyGroup>
-			<_ConditionsParameter></_ConditionsParameter>
-			<_ConditionsParameter Condition="@(_DefinedConditionProperties) != ''">--conditions @(_DefinedConditionProperties)</_ConditionsParameter>
-		</PropertyGroup>
-		<Exec Condition="@(_NuspecFiles) != ''" Command='$(PaketCommand) fix-nuspecs files "@(_NuspecFiles)" project-file "$(PaketProjectFile)" $(_ConditionsParameter)' />
+		<Exec Condition="@(_NuspecFiles) != ''" Command='$(PaketCommand) fix-nuspecs files "@(_NuspecFiles)" project-file "$(PaketProjectFile)" ' />
 		<Error Condition="@(_NuspecFiles) == ''" Text='Could not find nuspec files in "$(AdjustedNuspecOutputPath)" (Version: "$(PackageVersion)"), therefore we cannot call "paket fix-nuspecs" and have to error out!' />
 
 		<ConvertToAbsolutePath Condition="@(_NuspecFiles) != ''" Paths="@(_NuspecFiles)">

csharp/extractor/Semmle.Extraction.CSharp.Util/SymbolExtensions.cs

@@ -52,13 +52,6 @@ namespace Semmle.Extraction.CSharp.Util
             { "op_False", "false" }
         });
 
-        /// <summary>
-        /// The operatorname for user-defined instance increment- and decrement operators are "op_IncrementAssignment" and
-        /// "op_DecrementAssignment" respectively.
-        /// Thus we need to handle this explicitly to avoid postfixing them with an "=".
-        /// </summary>
-        private static bool IsIncrementOrDecrement(string operatorName) => operatorName == "++" || operatorName == "--";
-
         /// <summary>
         /// Convert an operator method name in to a symbolic name.
         /// A return value indicates whether the conversion succeeded.
@@ -79,7 +72,7 @@ namespace Semmle.Extraction.CSharp.Util
             if (match.Success && methodToOperator.TryGetValue($"op_{match.Groups[2]}", out var rawOperatorName))
             {
                 var prefix = match.Groups[1].Success ? "checked " : "";
-                var postfix = match.Groups[3].Success && !IsIncrementOrDecrement(rawOperatorName) ? "=" : "";
+                var postfix = match.Groups[3].Success ? "=" : "";
                 operatorName = $"{prefix}{rawOperatorName}{postfix}";
                 return true;
             }

csharp/extractor/Semmle.Extraction.CSharp/Entities/Compilations/Compilation.cs

@@ -32,13 +32,9 @@ namespace Semmle.Extraction.CSharp.Entities
         {
             var assembly = Assembly.CreateOutputAssembly(Context);
 
-            var path = Context.ExtractionContext.PathTransformer.Transform(cwd);
-            trapFile.compilations(this, path.Value);
+            trapFile.compilations(this, FileUtils.ConvertToUnix(cwd));
             trapFile.compilation_assembly(this, assembly);
 
-            // Ensure that a `Folder` entity exists
-            Folder.Create(Context, path);
-
             // Arguments
             var expandedIndex = 0;
             for (var i = 0; i < args.Length; i++)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expression.cs

@@ -234,9 +234,9 @@ namespace Semmle.Extraction.CSharp.Entities
         /// </summary>
         /// <param name="node">The expression syntax node.</param>
         /// <returns>Returns the target method symbol, or null if it cannot be resolved.</returns>
-        protected static IMethodSymbol? GetTargetSymbol(Context cx, ExpressionSyntax node)
+        protected IMethodSymbol? GetTargetSymbol(ExpressionSyntax node)
         {
-            var si = cx.GetSymbolInfo(node);
+            var si = Context.GetSymbolInfo(node);
             if (si.Symbol is ISymbol symbol)
             {
                 var method = symbol as IMethodSymbol;
@@ -255,7 +255,7 @@ namespace Semmle.Extraction.CSharp.Entities
                     .Where(method => method.Parameters.Length >= syntax.ArgumentList.Arguments.Count)
                     .Where(method => method.Parameters.Count(p => !p.HasExplicitDefaultValue) <= syntax.ArgumentList.Arguments.Count);
 
-                return cx.ExtractionContext.IsStandalone ?
+                return Context.ExtractionContext.IsStandalone ?
                     candidates.FirstOrDefault() :
                     candidates.SingleOrDefault();
             }
@@ -281,7 +281,7 @@ namespace Semmle.Extraction.CSharp.Entities
         /// <param name="node">The expression.</param>
         public void AddOperatorCall(TextWriter trapFile, ExpressionSyntax node)
         {
-            var @operator = GetTargetSymbol(Context, node);
+            var @operator = GetTargetSymbol(node);
             if (@operator is IMethodSymbol method)
             {
                 var callType = GetCallType(Context, node);
@@ -312,9 +312,9 @@ namespace Semmle.Extraction.CSharp.Entities
         /// <returns>The call type.</returns>
         public static CallType GetCallType(Context cx, ExpressionSyntax node)
         {
-            var @operator = GetTargetSymbol(cx, node);
+            var @operator = cx.GetSymbolInfo(node);
 
-            if (@operator is IMethodSymbol method)
+            if (@operator.Symbol is IMethodSymbol method)
             {
                 if (method.ContainingSymbol is ITypeSymbol containingSymbol && containingSymbol.TypeKind == Microsoft.CodeAnalysis.TypeKind.Dynamic)
                 {

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Factory.cs

@@ -58,10 +58,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return Invocation.Create(info);
 
                     case SyntaxKind.PostIncrementExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_INCR));
+                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_INCR), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
 
                     case SyntaxKind.PostDecrementExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_DECR));
+                        return PostfixUnary.Create(info.SetKind(ExprKind.POST_DECR), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
 
                     case SyntaxKind.AwaitExpression:
                         return Await.Create(info);
@@ -109,10 +109,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return MemberAccess.Create(info, (MemberAccessExpressionSyntax)info.Node);
 
                     case SyntaxKind.UnaryMinusExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.MINUS));
+                        return Unary.Create(info.SetKind(ExprKind.MINUS));
 
                     case SyntaxKind.UnaryPlusExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.PLUS));
+                        return Unary.Create(info.SetKind(ExprKind.PLUS));
 
                     case SyntaxKind.SimpleLambdaExpression:
                         return Lambda.Create(info, (SimpleLambdaExpressionSyntax)info.Node);
@@ -146,16 +146,16 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return Name.Create(info);
 
                     case SyntaxKind.LogicalNotExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.LOG_NOT));
+                        return Unary.Create(info.SetKind(ExprKind.LOG_NOT));
 
                     case SyntaxKind.BitwiseNotExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.BIT_NOT));
+                        return Unary.Create(info.SetKind(ExprKind.BIT_NOT));
 
                     case SyntaxKind.PreIncrementExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.PRE_INCR));
+                        return Unary.Create(info.SetKind(ExprKind.PRE_INCR));
 
                     case SyntaxKind.PreDecrementExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.PRE_DECR));
+                        return Unary.Create(info.SetKind(ExprKind.PRE_DECR));
 
                     case SyntaxKind.ThisExpression:
                         return This.CreateExplicit(info);
@@ -164,10 +164,10 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return PropertyFieldAccess.Create(info);
 
                     case SyntaxKind.AddressOfExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.ADDRESS_OF));
+                        return Unary.Create(info.SetKind(ExprKind.ADDRESS_OF));
 
                     case SyntaxKind.PointerIndirectionExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.POINTER_INDIRECTION));
+                        return Unary.Create(info.SetKind(ExprKind.POINTER_INDIRECTION));
 
                     case SyntaxKind.DefaultExpression:
                         return Default.Create(info);
@@ -248,13 +248,13 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
                         return RangeExpression.Create(info);
 
                     case SyntaxKind.IndexExpression:
-                        return PrefixUnary.Create(info.SetKind(ExprKind.INDEX));
+                        return Unary.Create(info.SetKind(ExprKind.INDEX));
 
                     case SyntaxKind.SwitchExpression:
                         return Switch.Create(info);
 
                     case SyntaxKind.SuppressNullableWarningExpression:
-                        return PostfixUnary.Create(info.SetKind(ExprKind.SUPPRESS_NULLABLE_WARNING));
+                        return PostfixUnary.Create(info.SetKind(ExprKind.SUPPRESS_NULLABLE_WARNING), ((PostfixUnaryExpressionSyntax)info.Node).Operand);
 
                     case SyntaxKind.WithExpression:
                         return WithExpression.Create(info);

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/Invocation.cs

@@ -44,7 +44,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
 
             var child = -1;
             string? memberName = null;
-            var target = GetTargetSymbol(Context, Syntax);
+            var target = GetTargetSymbol(Syntax);
             switch (Syntax.Expression)
             {
                 case MemberAccessExpressionSyntax memberAccess when IsValidMemberAccessKind():