Extend C# control flow elements with type mentions

Ruby AST: preserve ExceptionList node in RescueClause for 2+ exceptions

.github/workflows/go-version-update.yml

@@ -0,0 +1,208 @@
+name: Update Go version
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-go-version:
+    name: Check and update Go version
+    if: github.repository == 'github/codeql'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch latest Go version
+        id: fetch-version
+        run: |
+          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
+          
+          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
+            echo "Error: Failed to fetch latest Go version from go.dev"
+            exit 1
+          fi
+          
+          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
+          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
+          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
+          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
+          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Check current Go version
+        id: current-version
+        run: |
+          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
+          
+          if [ -z "$CURRENT_VERSION" ]; then
+            echo "Error: Could not extract Go version from MODULE.bazel"
+            exit 1
+          fi
+          
+          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
+          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version
+          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Compare versions
+        id: compare
+        run: |
+          LATEST="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT="${{ steps.current-version.outputs.version }}"
+          
+          echo "Latest: $LATEST"
+          echo "Current: $CURRENT"
+          
+          if [ "$LATEST" = "$CURRENT" ]; then
+            echo "Go version is up to date"
+            echo "needs_update=false" >> $GITHUB_OUTPUT
+          else
+            echo "Go version needs update from $CURRENT to $LATEST"
+            echo "needs_update=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update Go version in files
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
+          
+          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
+          
+          # Escape dots in current version strings for use in sed patterns
+          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
+          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
+          
+          # Update MODULE.bazel
+          sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
+          if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
+            echo "Error: Failed to update MODULE.bazel"
+            exit 1
+          fi
+          
+          # Update go/extractor/go.mod
+          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
+            echo "Warning: Failed to update go directive in go.mod"
+          fi
+          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
+            echo "Warning: Failed to update toolchain in go.mod"
+          fi
+          
+          # Update go/extractor/autobuilder/build-environment.go
+          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
+            echo "Warning: Failed to update build-environment.go"
+          fi
+          
+          # Update go/actions/test/action.yml
+          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
+            echo "Warning: Failed to update action.yml"
+          fi
+          
+          # Show what changed
+          git diff
+
+      - name: Check for changes
+        id: check-changes
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "Changes detected"
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for existing PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        id: check-pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
+          
+          if [ -n "$PR_NUMBER" ]; then
+            echo "Existing PR found: #$PR_NUMBER"
+            echo "pr_exists=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          else
+            echo "No existing PR found"
+            echo "pr_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Commit and push changes
+        if: steps.check-changes.outputs.has_changes == 'true'
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          
+          # Create or switch to branch
+          git checkout -B "$BRANCH_NAME"
+          
+          # Stage and commit changes
+          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
+          git commit -m "Go: Update to $LATEST_VERSION_NUM"
+          
+          # Push changes
+          git push --force-with-lease origin "$BRANCH_NAME"
+
+      - name: Create or update PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          
+          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
+          
+          PR_BODY=$(cat <<EOF
+          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
+
+          Updated files:
+          - \`MODULE.bazel\` - go_sdk.download version
+          - \`go/extractor/go.mod\` - go directive and toolchain
+          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
+          - \`go/actions/test/action.yml\` - default go-test-version
+
+          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
+          EOF
+          )
+          
+          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
+            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
+            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
+          else
+            echo "Creating new PR"
+            gh pr create \
+              --title "$PR_TITLE" \
+              --body "$PR_BODY" \
+              --base main \
+              --head "$BRANCH_NAME" \
+              --label "Go"
+          fi

CODEOWNERS

@@ -2,7 +2,7 @@
 * @github/code-scanning-alert-coverage
 
 # CodeQL language libraries
-/actions/ @github/codeql-dynamic
+/actions/ @github/code-scanning-alert-coverage
 /cpp/ @github/codeql-c-analysis
 /csharp/ @github/codeql-csharp
 /csharp/autobuilder/Semmle.Autobuild.Cpp @github/codeql-c-extractor @github/code-scanning-language-coverage
@@ -59,9 +59,5 @@ MODULE.bazel @github/codeql-ci-reviewers
 /.github/workflows/rust.yml @github/codeql-rust
 /.github/workflows/swift.yml @github/codeql-swift
 
-# Misc
-/misc/scripts/accept-expected-changes-from-ci.py @RasmusWL
-/misc/scripts/generate-code-scanning-query-list.py @RasmusWL
-
 # .devcontainer
 /.devcontainer/ @github/codeql-ci-reviewers

MODULE.bazel

@@ -100,63 +100,63 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.102",
-    "vendor_ts__argfile-1.0.0",
-    "vendor_ts__cc-1.2.62",
+    "vendor_ts__anyhow-1.0.100",
+    "vendor_ts__argfile-0.2.1",
+    "vendor_ts__cc-1.2.61",
     "vendor_ts__chalk-ir-0.104.0",
-    "vendor_ts__chrono-0.4.44",
-    "vendor_ts__clap-4.6.1",
+    "vendor_ts__chrono-0.4.42",
+    "vendor_ts__clap-4.5.48",
     "vendor_ts__dunce-1.0.5",
-    "vendor_ts__either-1.16.0",
+    "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
     "vendor_ts__figment-0.10.19",
-    "vendor_ts__flate2-1.1.9",
+    "vendor_ts__flate2-1.1.2",
     "vendor_ts__glob-0.3.3",
-    "vendor_ts__globset-0.4.18",
+    "vendor_ts__globset-0.4.16",
     "vendor_ts__itertools-0.14.0",
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
     "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.106",
-    "vendor_ts__quote-1.0.45",
-    "vendor_ts__ra_ap_base_db-0.0.328",
-    "vendor_ts__ra_ap_cfg-0.0.328",
-    "vendor_ts__ra_ap_hir-0.0.328",
-    "vendor_ts__ra_ap_hir_def-0.0.328",
-    "vendor_ts__ra_ap_hir_expand-0.0.328",
-    "vendor_ts__ra_ap_hir_ty-0.0.328",
-    "vendor_ts__ra_ap_ide_db-0.0.328",
-    "vendor_ts__ra_ap_intern-0.0.328",
-    "vendor_ts__ra_ap_load-cargo-0.0.328",
-    "vendor_ts__ra_ap_parser-0.0.328",
-    "vendor_ts__ra_ap_paths-0.0.328",
-    "vendor_ts__ra_ap_project_model-0.0.328",
-    "vendor_ts__ra_ap_span-0.0.328",
-    "vendor_ts__ra_ap_stdx-0.0.328",
-    "vendor_ts__ra_ap_syntax-0.0.328",
-    "vendor_ts__ra_ap_vfs-0.0.328",
-    "vendor_ts__rand-0.10.1",
-    "vendor_ts__rayon-1.12.0",
-    "vendor_ts__regex-1.12.3",
+    "vendor_ts__proc-macro2-1.0.101",
+    "vendor_ts__quote-1.0.41",
+    "vendor_ts__ra_ap_base_db-0.0.301",
+    "vendor_ts__ra_ap_cfg-0.0.301",
+    "vendor_ts__ra_ap_hir-0.0.301",
+    "vendor_ts__ra_ap_hir_def-0.0.301",
+    "vendor_ts__ra_ap_hir_expand-0.0.301",
+    "vendor_ts__ra_ap_hir_ty-0.0.301",
+    "vendor_ts__ra_ap_ide_db-0.0.301",
+    "vendor_ts__ra_ap_intern-0.0.301",
+    "vendor_ts__ra_ap_load-cargo-0.0.301",
+    "vendor_ts__ra_ap_parser-0.0.301",
+    "vendor_ts__ra_ap_paths-0.0.301",
+    "vendor_ts__ra_ap_project_model-0.0.301",
+    "vendor_ts__ra_ap_span-0.0.301",
+    "vendor_ts__ra_ap_stdx-0.0.301",
+    "vendor_ts__ra_ap_syntax-0.0.301",
+    "vendor_ts__ra_ap_vfs-0.0.301",
+    "vendor_ts__rand-0.9.2",
+    "vendor_ts__rayon-1.11.0",
+    "vendor_ts__regex-1.11.3",
     "vendor_ts__serde-1.0.228",
-    "vendor_ts__serde_json-1.0.150",
-    "vendor_ts__serde_with-3.20.0",
+    "vendor_ts__serde_json-1.0.145",
+    "vendor_ts__serde_with-3.14.1",
     "vendor_ts__serde_yaml-0.9.34-deprecated",
-    "vendor_ts__syn-2.0.117",
-    "vendor_ts__toml-1.1.2-spec-1.1.0",
-    "vendor_ts__tracing-0.1.44",
+    "vendor_ts__syn-2.0.106",
+    "vendor_ts__toml-0.9.7",
+    "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
-    "vendor_ts__tracing-subscriber-0.3.23",
-    "vendor_ts__tree-sitter-0.26.9",
+    "vendor_ts__tracing-subscriber-0.3.20",
+    "vendor_ts__tree-sitter-0.26.8",
     "vendor_ts__tree-sitter-embedded-template-0.25.0",
-    "vendor_ts__tree-sitter-generate-0.26.9",
+    "vendor_ts__tree-sitter-generate-0.26.8",
     "vendor_ts__tree-sitter-json-0.24.8",
-    "vendor_ts__tree-sitter-language-0.1.7",
+    "vendor_ts__tree-sitter-language-0.1.5",
     "vendor_ts__tree-sitter-python-0.23.6",
     "vendor_ts__tree-sitter-ql-0.23.1",
     "vendor_ts__tree-sitter-ruby-0.23.1",
-    "vendor_ts__triomphe-0.1.15",
+    "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
     "vendor_ts__zstd-0.13.3",
 )
@@ -164,12 +164,12 @@ use_repo(
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
 # rust-analyzer sources needed by the rust ast-generator (see `rust/ast-generator/README.md`)
-RUST_ANALYZER_SRC_TAG = "2026-04-13"
+RUST_ANALYZER_SRC_TAG = "2025-01-07"
 
 http_archive(
     name = "rust-analyzer-src",
     build_file = "//rust/ast-generator:BUILD.rust-analyzer-src.bazel",
-    integrity = "sha256-UB/+EVx/6j4VGvnb7jfRqPaoc7Uwci3rEt6il+2J1Ds=",
+    integrity = "sha256-eo8mIaUafZL8LOM65bDIIIXw1rNQ/P/x5RK/XUtgo5g=",
     patch_args = ["-p1"],
     patches = [
         "//rust/ast-generator:patches/rust-analyzer.patch",
@@ -273,7 +273,7 @@ use_repo(
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.0")
+go_sdk.download(version = "1.26.4")
 
 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")

actions/ql/lib/CHANGELOG.md

@@ -2,7 +2,7 @@
 
 ### Minor Analysis Improvements
 
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
 
 ## 0.4.36
 

actions/ql/lib/change-notes/2026-06-12-self_hosted_runners.md

@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* The query `actions/pr-on-self-hosted-runner` was updated to the latest standard runner labels reducing false positive results.

actions/ql/lib/change-notes/released/0.4.37.md

@@ -2,4 +2,4 @@
 
 ### Minor Analysis Improvements
 
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.

actions/ql/lib/codeql/actions/ast/internal/Ast.qll

@@ -1920,3 +1920,5 @@ private YamlMappingLikeNode resolveMatrixAccessPath(
     else result = resolveMatrixAccessPath(newRoot, rest)
   )
 }
+
+class Comment = YamlComment;

actions/ql/lib/codeql/actions/ast/internal/Yaml.qll

@@ -52,6 +52,12 @@ private module YamlSig implements LibYaml::InputSig {
   class ParseErrorBase extends LocatableBase, @yaml_error {
     string getMessage() { yaml_errors(this, result) }
   }
+
+  class CommentBase extends LocatableBase, @yaml_comment {
+    string getText() { yaml_comments(this, result, _) }
+
+    override string toString() { yaml_comments(this, _, result) }
+  }
 }
 
 import LibYaml::Make<YamlSig>

actions/ql/lib/codeql/actions/security/SelfHostedQuery.qll

@@ -2,10 +2,12 @@ import actions
 
 bindingset[runner]
 predicate isGithubHostedRunner(string runner) {
-  // list of github hosted repos: https://github.com/actions/runner-images/blob/main/README.md#available-images
-  runner
-      .toLowerCase()
-      .regexpMatch("^(ubuntu-([0-9.]+|latest)|macos-([0-9]+|latest)(-x?large)?|windows-([0-9.]+|latest))$")
+  // The list of github hosted repos:
+  // https://github.com/actions/runner-images/blob/main/README.md#available-images
+  // https://docs.github.com/en/enterprise-cloud@latest/actions/how-tos/write-workflows/choose-where-workflows-run/choose-the-runner-for-a-job#standard-github-hosted-runners-for-public-repositories
+  runner.toLowerCase().regexpMatch("^ubuntu-([0-9.]+|latest|slim)(-arm)?$") or
+  runner.toLowerCase().regexpMatch("^macos-([0-9]+|latest)(-x?large|-intel)?$") or
+  runner.toLowerCase().regexpMatch("^windows-([0-9.]+|latest)(-vs[0-9.]+)?(-arm)?$")
 }
 
 bindingset[runner]

actions/ql/src/CHANGELOG.md

@@ -15,7 +15,7 @@
 
 ### Bug Fixes
 
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.
 
 ## 0.6.28
 

actions/ql/src/Security/CWE-829/UntrustedCheckoutMedium.ql

@@ -1,8 +1,8 @@
 /**
- * @name Checkout of untrusted code in a trusted context
- * @description Privileged workflows have read/write access to the base repository and access to secrets.
- *              By explicitly checking out and running the build script from a fork the untrusted code is running in an environment
- *              that is able to push to the base repository and to access secrets.
+ * @name Checkout of untrusted code in a non-privileged context
+ * @description Checking out and running the build script from a fork executes untrusted code. Even in a
+ *              non-privileged workflow, this can be abused, for example to compromise self-hosted runners
+ *              or to poison caches and artifacts that are later consumed by privileged workflows.
  * @kind problem
  * @problem.severity warning
  * @precision medium
@@ -20,4 +20,4 @@ from PRHeadCheckoutStep checkout
 where
   // the checkout occurs in a non-privileged context
   inNonPrivilegedContext(checkout)
-select checkout, "Potential unsafe checkout of untrusted pull request on privileged workflow."
+select checkout, "Potential unsafe checkout of untrusted pull request on non-privileged workflow."

actions/ql/src/change-notes/2026-06-04-untrusted-checkout-medium-metadata.md

@@ -0,0 +1,4 @@
+---
+category: queryMetadata
+---
+* The name, description, and alert message of `actions/untrusted-checkout/medium` have been corrected to describe a non-privileged context.

actions/ql/src/change-notes/released/0.6.29.md

@@ -15,4 +15,4 @@
 
 ### Bug Fixes
 
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/test/query-tests/Security/CWE-284/.github/workflows/test3.yml

@@ -0,0 +1,43 @@
+name: test
+
+on:
+  pull_request:
+
+jobs:
+  test:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+          - ubuntu-22.04
+          - ubuntu-22.04-arm
+          - ubuntu-26.04
+          - ubuntu-26.04-arm
+          - ubuntu-slim
+          - macos-26
+          - macos-26-xlarge
+          - macos-26-intel
+          - macos-26-large
+          - macos-latest-large
+          - macos-15-large
+          - macos-15
+          - macos-15-intel
+          - macos-latest
+          - macos-15
+          - macos-15-xlarge
+          - macos-14-large
+          - macos-14
+          - macos-14-xlarge
+          - windows-2025-vs2026
+          - windows-latest
+          - windows-2025
+          - windows-2022
+          - windows-11
+          - windows-11-arm
+          - windows-11-vs2026-arm
+    runs-on: ${{ matrix.os }}
+    steps:
+      - run: cmd

actions/ql/test/query-tests/Security/CWE-829/UntrustedCheckoutMedium.expected

@@ -1,10 +1,10 @@
-| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
-| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on privileged workflow. |
+| .github/workflows/artifactpoisoning81.yml:11:9:14:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/dependabot2.yml:33:9:38:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/mend.yml:22:9:29:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/poc3.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/poc.yml:30:9:36:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/priv_pull_request_checkout.yml:14:9:20:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/test3.yml:28:9:33:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/test4.yml:18:7:25:4 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/test8.yml:20:9:26:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |
+| .github/workflows/test9.yml:11:9:16:6 | Uses Step | Potential unsafe checkout of untrusted pull request on non-privileged workflow. |

config/identical-files.json

@@ -11,10 +11,6 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
-  "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
-  ],
   "ModulusAnalysis Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"

cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties

@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full

cpp/ql/lib/semmle/code/cpp/Type.qll

@@ -1071,7 +1071,7 @@ class NullPointerType extends BuiltInType {
  * const float fa[40];
  * ```
  */
-class DerivedType extends Type, @derivedtype {
+class DerivedType extends Type, NameQualifyingElement, @derivedtype {
   override string toString() { result = this.getName() }
 
   override string getName() { derivedtypes(underlyingElement(this), result, _, _) }

cpp/ql/lib/semmlecode.cpp.dbscheme

@@ -1430,7 +1430,8 @@ specialnamequalifyingelements(
 @namequalifyingelement = @namespace
                        | @specialnamequalifyingelement
                        | @usertype
-                       | @decltype;
+                       | @decltype
+                       | @derivedtype;
 
 namequalifiers(
     unique int id: @namequalifier,

cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties

@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full

cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.expected

@@ -1,3 +1,7 @@
+| inconsistency2.cpp:3:3:3:5 | T:: | inconsistency2.cpp:3:3:3:6 | x | inconsistency2.cpp:2:20:2:20 | T |
+| inconsistency2.cpp:3:3:3:11 | const s:: | inconsistency2.cpp:3:3:3:6 | x | file://:0:0:0:0 | const s |
+| inconsistency.cpp:7:20:7:22 | S:: | inconsistency.cpp:7:20:7:23 | (int)... | inconsistency.cpp:4:8:4:8 | S |
+| inconsistency.cpp:7:20:7:22 | S:: | inconsistency.cpp:7:20:7:23 | A | inconsistency.cpp:4:8:4:8 | S |
 | name_qualifiers.cpp:29:7:29:8 | :: | name_qualifiers.cpp:29:7:29:9 | x | file://:0:0:0:0 | (global namespace) |
 | name_qualifiers.cpp:31:7:31:10 | N1:: | name_qualifiers.cpp:31:7:31:12 | nx | name_qualifiers.cpp:4:11:4:12 | N1 |
 | name_qualifiers.cpp:34:7:34:8 | :: | name_qualifiers.cpp:34:9:34:12 | N1:: | file://:0:0:0:0 | (global namespace) |

cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.ql

@@ -1,7 +1,5 @@
 import cpp
 
 from NameQualifier nq, Location l
-where
-  l = nq.getQualifiedElement().getLocation() and
-  l.getFile().getShortName() = "name_qualifiers"
+where l = nq.getQualifiedElement().getLocation()
 select nq, nq.getQualifiedElement(), nq.getQualifyingElement()

cpp/ql/test/library-tests/name_qualifiers/inconsistency.cpp

@@ -1,8 +1,8 @@
 // This file is present to test whether name-qualifying an enum constant leads to a database inconsistency.
-// As such, there is no QL part of the test.
+
 
 struct S { enum E { A }; };
 
-static int f() {
+static void f() {
   switch(0) { case S::A: break; }
 }

cpp/ql/test/library-tests/name_qualifiers/inconsistency2.cpp

@@ -0,0 +1,12 @@
+namespace {
+template <typename T> T f() {
+  T::x;
+  return {};
+}
+struct s {
+  static int x;
+};
+struct t {
+  s x = f<const s>();
+};
+}

csharp/autobuilder/Semmle.Autobuild.CSharp.Tests/BuildScripts.cs

@@ -135,7 +135,7 @@ namespace Semmle.Autobuild.CSharp.Tests
             if (!EnumerateFiles.TryGetValue(dir, out var str))
                 throw new ArgumentException("Missing EnumerateFiles " + dir);
 
-            return str.Split("\n").Select(p => PathCombine(dir, p));
+            return str.Split("\n").Select(p => PathJoin(dir, p));
         }
 
         public IDictionary<string, string> EnumerateDirectories { get; } = new Dictionary<string, string>();
@@ -147,7 +147,7 @@ namespace Semmle.Autobuild.CSharp.Tests
 
             return string.IsNullOrEmpty(str)
                 ? Enumerable.Empty<string>()
-                : str.Split("\n").Select(p => PathCombine(dir, p));
+                : str.Split("\n").Select(p => PathJoin(dir, p));
         }
 
         public bool IsWindows { get; set; }
@@ -170,7 +170,7 @@ namespace Semmle.Autobuild.CSharp.Tests
 
         bool IBuildActions.IsMonoInstalled() => IsMonoInstalled;
 
-        public string PathCombine(params string[] parts)
+        public string PathJoin(params string[] parts)
         {
             return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));
         }

csharp/autobuilder/Semmle.Autobuild.CSharp/DotNetRule.cs

@@ -109,7 +109,7 @@ namespace Semmle.Autobuild.CSharp
             => WithDotNet(builder, ensureDotNetAvailable: false, (_, env) => f(env));
 
         private static string DotNetCommand(IBuildActions actions, string? dotNetPath) =>
-            dotNetPath is not null ? actions.PathCombine(dotNetPath, "dotnet") : "dotnet";
+            dotNetPath is not null ? actions.PathJoin(dotNetPath, "dotnet") : "dotnet";
 
         private static CommandBuilder GetCleanCommand(IBuildActions actions, string? dotNetPath, IDictionary<string, string>? environment)
         {

csharp/autobuilder/Semmle.Autobuild.Cpp.Tests/BuildScripts.cs

@@ -158,7 +158,7 @@ namespace Semmle.Autobuild.Cpp.Tests
 
         bool IBuildActions.IsMonoInstalled() => IsMonoInstalled;
 
-        string IBuildActions.PathCombine(params string[] parts)
+        string IBuildActions.PathJoin(params string[] parts)
         {
             return string.Join(IsWindows ? '\\' : '/', parts.Where(p => !string.IsNullOrWhiteSpace(p)));
         }

csharp/autobuilder/Semmle.Autobuild.Shared/Autobuilder.cs

@@ -108,7 +108,7 @@ namespace Semmle.Autobuild.Shared
         /// </summary>
         /// <param name="path">The relative path.</param>
         /// <returns>True iff the path was found.</returns>
-        public bool HasRelativePath(string path) => HasPath(Actions.PathCombine(RootDirectory, path));
+        public bool HasRelativePath(string path) => HasPath(Actions.PathJoin(RootDirectory, path));
 
         /// <summary>
         /// List of project/solution files to build.

csharp/autobuilder/Semmle.Autobuild.Shared/BuildTools.cs

@@ -32,7 +32,7 @@ namespace Semmle.Autobuild.Shared
                 yield break;
 
             // Attempt to use vswhere to find installations of Visual Studio
-            var vswhere = actions.PathCombine(programFilesx86, "Microsoft Visual Studio", "Installer", "vswhere.exe");
+            var vswhere = actions.PathJoin(programFilesx86, "Microsoft Visual Studio", "Installer", "vswhere.exe");
 
             if (actions.FileExists(vswhere))
             {
@@ -51,14 +51,14 @@ namespace Semmle.Autobuild.Shared
                             if (majorVersion < 15)
                             {
                                 // Visual Studio 2015 and below
-                                yield return new VcVarsBatFile(actions.PathCombine(vsInstallation.InstallationPath, @"VC\vcvarsall.bat"), majorVersion);
+                                yield return new VcVarsBatFile(actions.PathJoin(vsInstallation.InstallationPath, @"VC\vcvarsall.bat"), majorVersion);
                             }
                             else
                             {
                                 // Visual Studio 2017 and above
-                                yield return new VcVarsBatFile(actions.PathCombine(vsInstallation.InstallationPath, @"VC\Auxiliary\Build\vcvars32.bat"), majorVersion);
-                                yield return new VcVarsBatFile(actions.PathCombine(vsInstallation.InstallationPath, @"VC\Auxiliary\Build\vcvars64.bat"), majorVersion);
-                                yield return new VcVarsBatFile(actions.PathCombine(vsInstallation.InstallationPath, @"Common7\Tools\VsDevCmd.bat"), majorVersion);
+                                yield return new VcVarsBatFile(actions.PathJoin(vsInstallation.InstallationPath, @"VC\Auxiliary\Build\vcvars32.bat"), majorVersion);
+                                yield return new VcVarsBatFile(actions.PathJoin(vsInstallation.InstallationPath, @"VC\Auxiliary\Build\vcvars64.bat"), majorVersion);
+                                yield return new VcVarsBatFile(actions.PathJoin(vsInstallation.InstallationPath, @"Common7\Tools\VsDevCmd.bat"), majorVersion);
                             }
                         }
                         // else: Skip installation without a version
@@ -68,10 +68,10 @@ namespace Semmle.Autobuild.Shared
             }
 
             // vswhere not installed or didn't run correctly - return legacy Visual Studio versions
-            yield return new VcVarsBatFile(actions.PathCombine(programFilesx86, @"Microsoft Visual Studio 14.0\VC\vcvarsall.bat"), 14);
-            yield return new VcVarsBatFile(actions.PathCombine(programFilesx86, @"Microsoft Visual Studio 12.0\VC\vcvarsall.bat"), 12);
-            yield return new VcVarsBatFile(actions.PathCombine(programFilesx86, @"Microsoft Visual Studio 11.0\VC\vcvarsall.bat"), 11);
-            yield return new VcVarsBatFile(actions.PathCombine(programFilesx86, @"Microsoft Visual Studio 10.0\VC\vcvarsall.bat"), 10);
+            yield return new VcVarsBatFile(actions.PathJoin(programFilesx86, @"Microsoft Visual Studio 14.0\VC\vcvarsall.bat"), 14);
+            yield return new VcVarsBatFile(actions.PathJoin(programFilesx86, @"Microsoft Visual Studio 12.0\VC\vcvarsall.bat"), 12);
+            yield return new VcVarsBatFile(actions.PathJoin(programFilesx86, @"Microsoft Visual Studio 11.0\VC\vcvarsall.bat"), 11);
+            yield return new VcVarsBatFile(actions.PathJoin(programFilesx86, @"Microsoft Visual Studio 10.0\VC\vcvarsall.bat"), 10);
         }
 
         /// <summary>

csharp/autobuilder/Semmle.Autobuild.Shared/MsBuildRule.cs

@@ -60,7 +60,7 @@ namespace Semmle.Autobuild.Shared
             // Use `nuget.exe` from source code repo, if present, otherwise first attempt with global
             // `nuget` command, and if that fails, attempt to download `nuget.exe` from nuget.org
             var nuget = builder.GetFilename("nuget.exe").Select(t => t.Item1).FirstOrDefault() ?? "nuget";
-            var nugetDownloadPath = builder.Actions.PathCombine(FileUtils.GetTemporaryWorkingDirectory(builder.Actions.GetEnvironmentVariable, builder.Options.Language.UpperCaseName, out _), ".nuget", "nuget.exe");
+            var nugetDownloadPath = builder.Actions.PathJoin(FileUtils.GetTemporaryWorkingDirectory(builder.Actions.GetEnvironmentVariable, builder.Options.Language.UpperCaseName, out _), ".nuget", "nuget.exe");
             var nugetDownloaded = false;
 
             var ret = BuildScript.Success;

csharp/autobuilder/Semmle.Autobuild.Shared/Project.cs

@@ -107,8 +107,9 @@ namespace Semmle.Autobuild.Shared
                             continue;
                         }
 
-                        var includePath = builder.Actions.PathCombine(include.Value.Split('\\', StringSplitOptions.RemoveEmptyEntries));
-                        ret.Add(new Project<TAutobuildOptions>(builder, builder.Actions.PathCombine(DirectoryName, includePath)));
+                        var includePath = builder.Actions.PathJoin(include.Value.Split('\\', StringSplitOptions.RemoveEmptyEntries));
+                        var path = Path.IsPathRooted(includePath) ? includePath : builder.Actions.PathJoin(DirectoryName, includePath);
+                        ret.Add(new Project<TAutobuildOptions>(builder, path));
                     }
                     return ret;
                 });

csharp/autobuilder/Semmle.Autobuild.Shared/Solution.cs

@@ -79,7 +79,7 @@ namespace Semmle.Autobuild.Shared
 
             includedProjects = solution.ProjectsInOrder
                 .Where(p => p.ProjectType == SolutionProjectType.KnownToBeMSBuildFormat)
-                .Select(p => builder.Actions.PathCombine(DirectoryName, builder.Actions.PathCombine(p.RelativePath.Split('\\', StringSplitOptions.RemoveEmptyEntries))))
+                .Select(p => builder.Actions.PathJoin(DirectoryName, builder.Actions.PathJoin(p.RelativePath.Split('\\', StringSplitOptions.RemoveEmptyEntries))))
                 .Select(p => new Project<TAutobuildOptions>(builder, p))
                 .ToArray();
         }

csharp/downgrades/d13c4c187d7318fd2b8f35c7e8d7f4dc26be68b1/upgrade.properties

@@ -0,0 +1,2 @@
+description: Restructure and rename types related to operations.
+compatibility: full

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyContainer.cs

@@ -50,7 +50,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 return;
             }
 
-            var path = Path.Combine(p, ParseFilePath(d));
+            var path = Path.Join(p, ParseFilePath(d));
             Paths.Add(path);
             Packages.Add(GetPackageName(p));
         }

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DependencyManager.cs

@@ -75,7 +75,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 }
             }
 
-            this.diagnosticsWriter = new DiagnosticsStream(Path.Combine(
+            this.diagnosticsWriter = new DiagnosticsStream(Path.Join(
                 diagDirEnv ?? "",
                 $"dependency-manager-{DateTime.UtcNow:yyyyMMddHHmm}-{Environment.ProcessId}.jsonc"));
             this.sourceDir = new DirectoryInfo(srcDir);
@@ -327,7 +327,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         private void RemoveNugetPackageReference(string packagePrefix, ISet<AssemblyLookupLocation> dllLocations)
         {
             var packageFolder = nugetPackageRestorer.PackageDirectory.DirInfo.FullName.ToLowerInvariant();
-            var packagePathPrefix = Path.Combine(packageFolder, packagePrefix.ToLowerInvariant());
+            var packagePathPrefix = Path.Join(packageFolder, packagePrefix.ToLowerInvariant());
             var toRemove = dllLocations.Where(s => s.Path.StartsWith(packagePathPrefix, StringComparison.InvariantCultureIgnoreCase));
             foreach (var path in toRemove)
             {

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNet.cs

@@ -31,7 +31,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             }
         }
 
-        private DotNet(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory, DependabotProxy? dependabotProxy) : this(new DotNetCliInvoker(logger, Path.Combine(dotNetPath ?? string.Empty, "dotnet"), dependabotProxy), logger, dotNetPath is null, tempWorkingDirectory) { }
+        private DotNet(ILogger logger, string? dotNetPath, TemporaryDirectory tempWorkingDirectory, DependabotProxy? dependabotProxy) : this(new DotNetCliInvoker(logger, Path.Join(dotNetPath ?? string.Empty, "dotnet"), dependabotProxy), logger, dotNetPath is null, tempWorkingDirectory) { }
 
         internal static IDotNet Make(IDotNetCliInvoker dotnetCliInvoker, ILogger logger, bool runDotnetInfo) => new DotNet(dotnetCliInvoker, logger, runDotnetInfo);
 
@@ -73,7 +73,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 var path = ".empty";
                 if (tempWorkingDirectory != null)
                 {
-                    path = Path.Combine(tempWorkingDirectory.ToString(), "emptyFakeDotnetRoot");
+                    path = Path.Join(tempWorkingDirectory.ToString(), "emptyFakeDotnetRoot");
                     Directory.CreateDirectory(path);
                 }
 
@@ -303,7 +303,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 }
                 else
                 {
-                    var dotnetInstallPath = actions.PathCombine(tempWorkingDirectory, ".dotnet", "dotnet-install.sh");
+                    var dotnetInstallPath = actions.PathJoin(tempWorkingDirectory, ".dotnet", "dotnet-install.sh");
                     var downloadDotNetInstallSh = BuildScript.DownloadFile(
                         "https://dot.net/v1/dotnet-install.sh",
                         dotnetInstallPath,
@@ -339,7 +339,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     };
                 }
 
-                var dotnetInfo = InfoScript(actions, actions.PathCombine(path, "dotnet"), MinimalEnvironment.ToDictionary(), logger);
+                var dotnetInfo = InfoScript(actions, actions.PathJoin(path, "dotnet"), MinimalEnvironment.ToDictionary(), logger);
 
                 Func<string, BuildScript> getInstallAndVerify = version =>
                     // run `dotnet --info` after install, to check that it executes successfully
@@ -384,7 +384,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// </summary>
         public static BuildScript WithDotNet(IBuildActions actions, ILogger logger, IEnumerable<string> files, string tempWorkingDirectory, bool shouldCleanUp, bool ensureDotNetAvailable, string? version, Func<string?, BuildScript> f)
         {
-            var installDir = actions.PathCombine(tempWorkingDirectory, ".dotnet");
+            var installDir = actions.PathJoin(tempWorkingDirectory, ".dotnet");
             var installScript = DownloadDotNet(actions, logger, files, tempWorkingDirectory, shouldCleanUp, installDir, version, ensureDotNetAvailable);
             return BuildScript.Bind(installScript, installed =>
             {

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/DotNetVersion.cs

@@ -12,7 +12,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         private string FullVersion =>
             version.ToString();
 
-        public string FullPath => Path.Combine(dir, FullVersion);
+        public string FullPath => Path.Join(dir, FullVersion);
 
         /**
          * The full path to the reference assemblies for this runtime.
@@ -33,7 +33,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 {
                     directories[^2] = "packs";
                     directories[^1] = $"{directories[^1]}.Ref";
-                    return Path.Combine(string.Join(Path.DirectorySeparatorChar, directories), FullVersion, "ref");
+                    return Path.Join(string.Join(Path.DirectorySeparatorChar, directories), FullVersion, "ref");
                 }
                 return null;
             }

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetExeWrapper.cs

@@ -1,304 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Diagnostics;
-using System.IO;
-using System.Linq;
-using Semmle.Util;
-
-namespace Semmle.Extraction.CSharp.DependencyFetching
-{
-    /// <summary>
-    /// Manage the downloading of NuGet packages with nuget.exe.
-    /// Locates packages in a source tree and downloads all of the
-    /// referenced assemblies to a temp folder.
-    /// </summary>
-    internal class NugetExeWrapper : IDisposable
-    {
-        private readonly string? nugetExe;
-        private readonly Semmle.Util.Logging.ILogger logger;
-
-        public int PackageCount => fileProvider.PackagesConfigs.Count;
-
-        private readonly string? backupNugetConfig;
-        private readonly string? nugetConfigPath;
-        private readonly FileProvider fileProvider;
-
-        /// <summary>
-        /// The packages directory.
-        /// This will be in the user-specified or computed Temp location
-        /// so as to not trample the source tree.
-        /// </summary>
-        private readonly DependencyDirectory packageDirectory;
-
-        /// <summary>
-        /// Create the package manager for a specified source tree.
-        /// </summary>
-        public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger, Func<bool> useDefaultFeed)
-        {
-            this.fileProvider = fileProvider;
-            this.packageDirectory = packageDirectory;
-            this.logger = logger;
-
-            if (fileProvider.PackagesConfigs.Count > 0)
-            {
-                logger.LogInfo($"Found packages.config files, trying to use nuget.exe for package restore");
-                nugetExe = ResolveNugetExe();
-                if (HasNoPackageSource() && useDefaultFeed())
-                {
-                    // We only modify or add a top level nuget.config file
-                    nugetConfigPath = Path.Combine(fileProvider.SourceDir.FullName, "nuget.config");
-                    try
-                    {
-                        if (File.Exists(nugetConfigPath))
-                        {
-                            var tempFolderPath = FileUtils.GetTemporaryWorkingDirectory(out _);
-
-                            do
-                            {
-                                backupNugetConfig = Path.Combine(tempFolderPath, Path.GetRandomFileName());
-                            }
-                            while (File.Exists(backupNugetConfig));
-                            File.Copy(nugetConfigPath, backupNugetConfig, true);
-                        }
-                        else
-                        {
-                            File.WriteAllText(nugetConfigPath,
-                                """
-                                <?xml version="1.0" encoding="utf-8"?>
-                                <configuration>
-                                  <packageSources>
-                                  </packageSources>
-                                </configuration>
-                                """);
-                        }
-                        AddDefaultPackageSource(nugetConfigPath);
-                    }
-                    catch (Exception e)
-                    {
-                        logger.LogError($"Failed to add default package source to {nugetConfigPath}: {e}");
-                    }
-                }
-            }
-        }
-
-        /// <summary>
-        /// Tries to find the location of `nuget.exe`. It looks for
-        /// - the environment variable specifying a location,
-        /// - files in the repository,
-        /// - tries to resolve nuget from the PATH, or
-        /// - downloads it if it is not found.
-        /// </summary>
-        private string ResolveNugetExe()
-        {
-            var envVarPath = Environment.GetEnvironmentVariable(EnvironmentVariableNames.NugetExePath);
-            if (!string.IsNullOrEmpty(envVarPath))
-            {
-                logger.LogInfo($"Using nuget.exe from environment variable: '{envVarPath}'");
-                return envVarPath;
-            }
-
-            try
-            {
-                return DownloadNugetExe(fileProvider.SourceDir.FullName);
-            }
-            catch (Exception exc)
-            {
-                logger.LogInfo($"Download of nuget.exe failed: {exc.Message}");
-            }
-
-            var nugetExesInRepo = fileProvider.NugetExes;
-            if (nugetExesInRepo.Count > 1)
-            {
-                logger.LogInfo($"Found multiple nuget.exe files in the repository: {string.Join(", ", nugetExesInRepo.OrderBy(s => s))}");
-            }
-
-            if (nugetExesInRepo.Count > 0)
-            {
-                var path = nugetExesInRepo.First();
-                logger.LogInfo($"Using nuget.exe from path '{path}'");
-                return path;
-            }
-
-            var executableName = Win32.IsWindows() ? "nuget.exe" : "nuget";
-            var nugetPath = FileUtils.FindProgramOnPath(executableName);
-            if (nugetPath is not null)
-            {
-                nugetPath = Path.Combine(nugetPath, executableName);
-                logger.LogInfo($"Using nuget.exe from PATH: {nugetPath}");
-                return nugetPath;
-            }
-
-            throw new Exception("Could not find or download nuget.exe.");
-        }
-
-        private string DownloadNugetExe(string sourceDir)
-        {
-            var directory = Path.Combine(sourceDir, ".nuget");
-            var nuget = Path.Combine(directory, "nuget.exe");
-
-            // Nuget.exe already exists in the .nuget directory.
-            if (File.Exists(nuget))
-            {
-                logger.LogInfo($"Found nuget.exe at {nuget}");
-                return nuget;
-            }
-
-            Directory.CreateDirectory(directory);
-            logger.LogInfo("Attempting to download nuget.exe");
-            FileUtils.DownloadFile(FileUtils.NugetExeUrl, nuget, logger);
-            logger.LogInfo($"Downloaded nuget.exe to {nuget}");
-            return nuget;
-        }
-
-        private bool RunWithMono => !Win32.IsWindows() && !string.IsNullOrEmpty(Path.GetExtension(nugetExe));
-
-        /// <summary>
-        /// Restore all packages in the specified packages.config file.
-        /// </summary>
-        /// <param name="packagesConfig">The packages.config file.</param>
-        private bool TryRestoreNugetPackage(string packagesConfig)
-        {
-            logger.LogInfo($"Restoring file \"{packagesConfig}\"...");
-
-            /* Use nuget.exe to install a package.
-             * Note that there is a clutch of NuGet assemblies which could be used to
-             * invoke this directly, which would arguably be nicer. However they are
-             * really unwieldy and this solution works for now.
-             */
-
-            string exe, args;
-            if (RunWithMono)
-            {
-                exe = "mono";
-                args = $"\"{nugetExe}\" install -OutputDirectory \"{packageDirectory}\" \"{packagesConfig}\"";
-            }
-            else
-            {
-                exe = nugetExe!;
-                args = $"install -OutputDirectory \"{packageDirectory}\" \"{packagesConfig}\"";
-            }
-
-            var pi = new ProcessStartInfo(exe, args)
-            {
-                RedirectStandardOutput = true,
-                RedirectStandardError = true,
-                UseShellExecute = false
-            };
-
-            var threadId = Environment.CurrentManagedThreadId;
-            void onOut(string s) => logger.LogDebug(s, threadId);
-            void onError(string s) => logger.LogError(s, threadId);
-            var exitCode = pi.ReadOutput(out _, onOut, onError);
-            if (exitCode != 0)
-            {
-                logger.LogError($"Command {pi.FileName} {pi.Arguments} failed with exit code {exitCode}");
-                return false;
-            }
-            else
-            {
-                logger.LogInfo($"Restored file \"{packagesConfig}\"");
-                return true;
-            }
-        }
-
-        /// <summary>
-        /// Download the packages to the temp folder.
-        /// </summary>
-        public int InstallPackages()
-        {
-            return fileProvider.PackagesConfigs.Count(TryRestoreNugetPackage);
-        }
-
-        private bool HasNoPackageSource()
-        {
-            if (Win32.IsWindows())
-            {
-                return false;
-            }
-
-            try
-            {
-                logger.LogInfo("Checking if default package source is available...");
-                RunMonoNugetCommand("sources list -ForceEnglishOutput", out var stdout);
-                if (stdout.All(line => line != "No sources found."))
-                {
-                    return false;
-                }
-
-                return true;
-            }
-            catch (Exception e)
-            {
-                logger.LogWarning($"Failed to check if default package source is added: {e}");
-                return false;
-            }
-        }
-
-        private void RunMonoNugetCommand(string command, out IList<string> stdout)
-        {
-            string exe, args;
-            if (RunWithMono)
-            {
-                exe = "mono";
-                args = $"\"{nugetExe}\" {command}";
-            }
-            else
-            {
-                exe = nugetExe!;
-                args = command;
-            }
-
-            var pi = new ProcessStartInfo(exe, args)
-            {
-                RedirectStandardOutput = true,
-                RedirectStandardError = true,
-                UseShellExecute = false
-            };
-
-            var threadId = Environment.CurrentManagedThreadId;
-            void onOut(string s) => logger.LogDebug(s, threadId);
-            void onError(string s) => logger.LogError(s, threadId);
-            pi.ReadOutput(out stdout, onOut, onError);
-        }
-
-        private void AddDefaultPackageSource(string nugetConfig)
-        {
-            logger.LogInfo("Adding default package source...");
-            RunMonoNugetCommand($"sources add -Name DefaultNugetOrg -Source {NugetPackageRestorer.PublicNugetOrgFeed} -ConfigFile \"{nugetConfig}\"", out _);
-        }
-
-        public void Dispose()
-        {
-            if (nugetConfigPath is null)
-            {
-                return;
-            }
-
-            try
-            {
-                if (backupNugetConfig is null)
-                {
-                    logger.LogInfo("Removing nuget.config file");
-                    File.Delete(nugetConfigPath);
-                    return;
-                }
-
-                logger.LogInfo("Reverting nuget.config file content");
-                // The content of the original nuget.config file is reverted without changing the file's attributes or casing:
-                using (var backup = File.OpenRead(backupNugetConfig))
-                using (var current = File.OpenWrite(nugetConfigPath))
-                {
-                    current.SetLength(0);   // Truncate file
-                    backup.CopyTo(current); // Restore original content
-                }
-
-                logger.LogInfo("Deleting backup nuget.config file");
-                File.Delete(backupNugetConfig);
-            }
-            catch (Exception exc)
-            {
-                logger.LogError($"Failed to restore original nuget.config file: {exc}");
-            }
-        }
-    }
-}

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/NugetPackageRestorer.cs

@@ -161,13 +161,13 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     reachableFeeds.UnionWith(reachableInheritedFeeds);
                 }
 
-                using (var nuget = new NugetExeWrapper(fileProvider, legacyPackageDirectory, logger, IsDefaultFeedReachable))
+                using (var packagesConfigRestore = PackagesConfigRestoreFactory.Create(fileProvider, legacyPackageDirectory, logger, IsDefaultFeedReachable))
                 {
-                    var count = nuget.InstallPackages();
+                    var count = packagesConfigRestore.InstallPackages();
 
-                    if (nuget.PackageCount > 0)
+                    if (packagesConfigRestore.PackageCount > 0)
                     {
-                        compilationInfoContainer.CompilationInfos.Add(("packages.config files", nuget.PackageCount.ToString()));
+                        compilationInfoContainer.CompilationInfos.Add(("packages.config files", packagesConfigRestore.PackageCount.ToString()));
                         compilationInfoContainer.CompilationInfos.Add(("Successfully restored packages.config files", count.ToString()));
                     }
                 }
@@ -209,7 +209,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
             var paths = dependencies
                 .Paths
-                .Select(d => Path.Combine(PackageDirectory.DirInfo.FullName, d))
+                .Select(d => Path.Join(PackageDirectory.DirInfo.FullName, d))
                 .ToList();
             assemblyLookupLocations.UnionWith(paths.Select(p => new AssemblyLookupLocation(p)));
 
@@ -527,7 +527,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             var sb = new StringBuilder();
             fallbackNugetFeeds.ForEach((feed, index) => sb.AppendLine($"<add key=\"feed{index}\" value=\"{feed}\" />"));
 
-            var nugetConfigPath = Path.Combine(folderPath, "nuget.config");
+            var nugetConfigPath = Path.Join(folderPath, "nuget.config");
             logger.LogInfo($"Creating fallback nuget.config file {nugetConfigPath}.");
             File.WriteAllText(nugetConfigPath,
                 $"""
@@ -1052,7 +1052,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// </summary>
         private static string ComputeTempDirectoryPath(string subfolderName)
         {
-            return Path.Combine(FileUtils.GetTemporaryWorkingDirectory(out _), subfolderName);
+            return Path.Join(FileUtils.GetTemporaryWorkingDirectory(out _), subfolderName);
         }
 
         /// <summary>
@@ -1060,7 +1060,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// </summary>
         private static string ComputeTempDirectoryPath(string srcDir, string subfolderName)
         {
-            return Path.Combine(FileUtils.GetTemporaryWorkingDirectory(out _), FileUtils.ComputeHash(srcDir), subfolderName);
+            return Path.Join(FileUtils.GetTemporaryWorkingDirectory(out _), FileUtils.ComputeHash(srcDir), subfolderName);
         }
     }
 }

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/PackagesConfigRestorer.cs

@@ -0,0 +1,368 @@
+using System;
+using System.Collections.Generic;
+using System.Diagnostics;
+using System.IO;
+using System.Linq;
+using Semmle.Util;
+
+namespace Semmle.Extraction.CSharp.DependencyFetching
+{
+    internal interface IPackagesConfigRestore : IDisposable
+    {
+        /// <summary>
+        /// The number of packages.config files found in the source tree.
+        /// </summary>
+        int PackageCount { get; }
+
+        /// <summary>
+        /// Download the packages to the temp folder.
+        /// </summary>
+        int InstallPackages();
+    }
+
+    /// <summary>
+    /// Factory for creating a package manager to restore NuGet packages referenced in packages.config files.
+    /// If the environment doesn't support using nuget.exe to restore packages from packages.config files, a no-op implementation is returned.
+    /// It is worth noting that for macOS and Linux, nuget.exe is used with mono. However, mono is being deprecated and the last GitHub images
+    /// to contain mono are:
+    /// - Ubuntu 22.04
+    /// - macOS 14
+    ///
+    /// If the packages from the packages.config files are not restored with the packages.config restore functionality below, there is a subsequent
+    /// step that still may succeed in restoring the packages without the help of nuget.exe (by attempting to restore using dotnet).
+    /// </summary>
+    internal class PackagesConfigRestoreFactory
+    {
+        public static IPackagesConfigRestore Create(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger, Func<bool> useDefaultFeed)
+        {
+            if (SystemBuildActions.Instance.IsWindows() || SystemBuildActions.Instance.IsMonoInstalled())
+            {
+                return new NugetExeWrapper(fileProvider, packageDirectory, logger, useDefaultFeed);
+            }
+
+            return new NoOpPackagesConfig(fileProvider, logger);
+        }
+
+        /// <summary>
+        /// Manage the downloading of NuGet packages with nuget.exe.
+        /// Locates packages in a source tree and downloads all of the
+        /// referenced assemblies to a temp folder.
+        /// </summary>
+        private class NugetExeWrapper : IPackagesConfigRestore
+        {
+            private readonly string? nugetExe;
+            private readonly Semmle.Util.Logging.ILogger logger;
+
+            public int PackageCount => fileProvider.PackagesConfigs.Count;
+
+            private readonly string? backupNugetConfig;
+            private readonly string? nugetConfigPath;
+            private readonly FileProvider fileProvider;
+
+            /// <summary>
+            /// The packages directory.
+            /// This will be in the user-specified or computed Temp location
+            /// so as to not trample the source tree.
+            /// </summary>
+            private readonly DependencyDirectory packageDirectory;
+
+            private bool IsWindows => SystemBuildActions.Instance.IsWindows();
+
+            /// <summary>
+            /// Create the package manager for a specified source tree.
+            /// </summary>
+            public NugetExeWrapper(FileProvider fileProvider, DependencyDirectory packageDirectory, Semmle.Util.Logging.ILogger logger, Func<bool> useDefaultFeed)
+            {
+                this.fileProvider = fileProvider;
+                this.packageDirectory = packageDirectory;
+                this.logger = logger;
+
+                if (fileProvider.PackagesConfigs.Count > 0)
+                {
+                    logger.LogInfo($"Found packages.config files, trying to use nuget.exe for package restore");
+                    nugetExe = ResolveNugetExe();
+                    if (!HasPackageSource() && useDefaultFeed())
+                    {
+                        // We only modify or add a top level nuget.config file
+                        nugetConfigPath = Path.Join(fileProvider.SourceDir.FullName, "nuget.config");
+                        try
+                        {
+                            if (File.Exists(nugetConfigPath))
+                            {
+                                var tempFolderPath = FileUtils.GetTemporaryWorkingDirectory(out _);
+
+                                do
+                                {
+                                    backupNugetConfig = Path.Join(tempFolderPath, Path.GetRandomFileName());
+                                }
+                                while (File.Exists(backupNugetConfig));
+                                File.Copy(nugetConfigPath, backupNugetConfig, true);
+                            }
+                            else
+                            {
+                                File.WriteAllText(nugetConfigPath,
+                                    """
+                                <?xml version="1.0" encoding="utf-8"?>
+                                <configuration>
+                                  <packageSources>
+                                  </packageSources>
+                                </configuration>
+                                """);
+                            }
+                            AddDefaultPackageSource(nugetConfigPath);
+                        }
+                        catch (Exception e)
+                        {
+                            logger.LogError($"Failed to add default package source to {nugetConfigPath}: {e}");
+                        }
+                    }
+                }
+            }
+
+            /// <summary>
+            /// Tries to find the location of `nuget.exe`. It looks for
+            /// - the environment variable specifying a location,
+            /// - files in the repository,
+            /// - tries to resolve nuget from the PATH, or
+            /// - downloads it if it is not found.
+            /// </summary>
+            private string ResolveNugetExe()
+            {
+                var envVarPath = Environment.GetEnvironmentVariable(EnvironmentVariableNames.NugetExePath);
+                if (!string.IsNullOrEmpty(envVarPath))
+                {
+                    logger.LogInfo($"Using nuget.exe from environment variable: '{envVarPath}'");
+                    return envVarPath;
+                }
+
+                try
+                {
+                    return DownloadNugetExe(fileProvider.SourceDir.FullName);
+                }
+                catch (Exception exc)
+                {
+                    logger.LogInfo($"Download of nuget.exe failed: {exc.Message}");
+                }
+
+                var nugetExesInRepo = fileProvider.NugetExes;
+                if (nugetExesInRepo.Count > 1)
+                {
+                    logger.LogInfo($"Found multiple nuget.exe files in the repository: {string.Join(", ", nugetExesInRepo.OrderBy(s => s))}");
+                }
+
+                if (nugetExesInRepo.Count > 0)
+                {
+                    var path = nugetExesInRepo.First();
+                    logger.LogInfo($"Using nuget.exe from path '{path}'");
+                    return path;
+                }
+
+                var executableName = IsWindows ? "nuget.exe" : "nuget";
+                var nugetPath = FileUtils.FindProgramOnPath(executableName);
+                if (nugetPath is not null)
+                {
+                    nugetPath = Path.Join(nugetPath, executableName);
+                    logger.LogInfo($"Using nuget.exe from PATH: {nugetPath}");
+                    return nugetPath;
+                }
+
+                throw new Exception("Could not find or download nuget.exe.");
+            }
+
+            private string DownloadNugetExe(string sourceDir)
+            {
+                var directory = Path.Join(sourceDir, ".nuget");
+                var nuget = Path.Join(directory, "nuget.exe");
+
+                // Nuget.exe already exists in the .nuget directory.
+                if (File.Exists(nuget))
+                {
+                    logger.LogInfo($"Found nuget.exe at {nuget}");
+                    return nuget;
+                }
+
+                Directory.CreateDirectory(directory);
+                logger.LogInfo("Attempting to download nuget.exe");
+                FileUtils.DownloadFile(FileUtils.NugetExeUrl, nuget, logger);
+                logger.LogInfo($"Downloaded nuget.exe to {nuget}");
+                return nuget;
+            }
+
+            private bool RunWithMono => !IsWindows && !string.IsNullOrEmpty(Path.GetExtension(nugetExe));
+
+            /// <summary>
+            /// Restore all packages in the specified packages.config file.
+            /// </summary>
+            /// <param name="packagesConfig">The packages.config file.</param>
+            private bool TryRestoreNugetPackage(string packagesConfig)
+            {
+                logger.LogInfo($"Restoring file \"{packagesConfig}\"...");
+
+                /* Use nuget.exe to install a package.
+                 * Note that there is a clutch of NuGet assemblies which could be used to
+                 * invoke this directly, which would arguably be nicer. However they are
+                 * really unwieldy and this solution works for now.
+                 */
+
+                string exe, args;
+                if (RunWithMono)
+                {
+                    exe = "mono";
+                    args = $"\"{nugetExe}\" install -OutputDirectory \"{packageDirectory}\" \"{packagesConfig}\"";
+                }
+                else
+                {
+                    exe = nugetExe!;
+                    args = $"install -OutputDirectory \"{packageDirectory}\" \"{packagesConfig}\"";
+                }
+
+                var pi = new ProcessStartInfo(exe, args)
+                {
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    UseShellExecute = false
+                };
+
+                var threadId = Environment.CurrentManagedThreadId;
+                void onOut(string s) => logger.LogDebug(s, threadId);
+                void onError(string s) => logger.LogError(s, threadId);
+                var exitCode = pi.ReadOutput(out _, onOut, onError);
+                if (exitCode != 0)
+                {
+                    logger.LogError($"Command {pi.FileName} {pi.Arguments} failed with exit code {exitCode}");
+                    return false;
+                }
+                else
+                {
+                    logger.LogInfo($"Restored file \"{packagesConfig}\"");
+                    return true;
+                }
+            }
+
+            /// <summary>
+            /// Download the packages to the temp folder.
+            /// </summary>
+            public int InstallPackages()
+            {
+                return fileProvider.PackagesConfigs.Count(TryRestoreNugetPackage);
+            }
+
+            private bool HasPackageSource()
+            {
+                if (IsWindows)
+                {
+                    return true;
+                }
+
+                try
+                {
+                    logger.LogInfo("Checking if default package source is available...");
+                    RunMonoNugetCommand("sources list -ForceEnglishOutput", out var stdout);
+                    if (stdout.All(line => line != "No sources found."))
+                    {
+                        return true;
+                    }
+
+                    return false;
+                }
+                catch (Exception e)
+                {
+                    logger.LogWarning($"Failed to check if default package source is added: {e}");
+                    return true;
+                }
+            }
+
+            private void RunMonoNugetCommand(string command, out IList<string> stdout)
+            {
+                string exe, args;
+                if (RunWithMono)
+                {
+                    exe = "mono";
+                    args = $"\"{nugetExe}\" {command}";
+                }
+                else
+                {
+                    exe = nugetExe!;
+                    args = command;
+                }
+
+                var pi = new ProcessStartInfo(exe, args)
+                {
+                    RedirectStandardOutput = true,
+                    RedirectStandardError = true,
+                    UseShellExecute = false
+                };
+
+                var threadId = Environment.CurrentManagedThreadId;
+                void onOut(string s) => logger.LogDebug(s, threadId);
+                void onError(string s) => logger.LogError(s, threadId);
+                pi.ReadOutput(out stdout, onOut, onError);
+            }
+
+            private void AddDefaultPackageSource(string nugetConfig)
+            {
+                logger.LogInfo("Adding default package source...");
+                RunMonoNugetCommand($"sources add -Name DefaultNugetOrg -Source {NugetPackageRestorer.PublicNugetOrgFeed} -ConfigFile \"{nugetConfig}\"", out _);
+            }
+
+            public void Dispose()
+            {
+                if (nugetConfigPath is null)
+                {
+                    return;
+                }
+
+                try
+                {
+                    if (backupNugetConfig is null)
+                    {
+                        logger.LogInfo("Removing nuget.config file");
+                        File.Delete(nugetConfigPath);
+                        return;
+                    }
+
+                    logger.LogInfo("Reverting nuget.config file content");
+                    // The content of the original nuget.config file is reverted without changing the file's attributes or casing:
+                    using (var backup = File.OpenRead(backupNugetConfig))
+                    using (var current = File.OpenWrite(nugetConfigPath))
+                    {
+                        current.SetLength(0);   // Truncate file
+                        backup.CopyTo(current); // Restore original content
+                    }
+
+                    logger.LogInfo("Deleting backup nuget.config file");
+                    File.Delete(backupNugetConfig);
+                }
+                catch (Exception exc)
+                {
+                    logger.LogError($"Failed to restore original nuget.config file: {exc}");
+                }
+            }
+        }
+
+        private class NoOpPackagesConfig : IPackagesConfigRestore
+        {
+            private readonly Semmle.Util.Logging.ILogger logger;
+            private readonly FileProvider fileProvider;
+
+            public NoOpPackagesConfig(FileProvider fileProvider, Semmle.Util.Logging.ILogger logger)
+            {
+                this.fileProvider = fileProvider;
+                this.logger = logger;
+            }
+
+            public int PackageCount => fileProvider.PackagesConfigs.Count;
+
+            public int InstallPackages()
+            {
+                if (PackageCount > 0)
+                {
+                    logger.LogInfo("Found packages.config files, but nuget.exe cannot be used to restore packages on this platform. Skipping restore of packages.config files.");
+                }
+                return 0;
+            }
+
+            public void Dispose() { }
+        }
+    }
+}

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Runtime.cs

@@ -79,7 +79,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
 
                 var monoPath = FileUtils.FindProgramOnPath(Win32.IsWindows() ? "mono.exe" : "mono");
                 string[] monoDirs = monoPath is not null
-                    ? [Path.GetFullPath(Path.Combine(monoPath, "..", "lib", "mono")), monoPath]
+                    ? [Path.GetFullPath(Path.Join(monoPath, "..", "lib", "mono")), monoPath]
                     : ["/usr/lib/mono", "/usr/local/mono", "/usr/local/bin/mono", @"C:\Program Files\Mono\lib\mono"];
 
                 var monoDir = monoDirs.FirstOrDefault(Directory.Exists);

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/Sdk.cs

@@ -63,7 +63,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 return null;
             }
 
-            var path = Path.Combine(version.FullPath, "Roslyn", "bincore", "csc.dll");
+            var path = Path.Join(version.FullPath, "Roslyn", "bincore", "csc.dll");
             logger.LogDebug($"Source generator CSC: '{path}'");
             if (!File.Exists(path))
             {

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/SourceGenerators/DotnetSourceGeneratorWrapper/DotnetSourceGeneratorWrapper.cs

@@ -41,10 +41,10 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                     .Replace('\\', '/'); // Ensure we're generating the same hash regardless of the OS
                 var name = FileUtils.ComputeHash($"{relativePathToCsProj}\n{this.GetType().Name}");
                 using var tempDir = new TemporaryDirectory(Path.Join(FileUtils.GetTemporaryWorkingDirectory(out _), "source-generator"), "source generator temporary", logger);
-                var analyzerConfigPath = Path.Combine(tempDir.DirInfo.FullName, $"{name}.txt");
-                var dllPath = Path.Combine(tempDir.DirInfo.FullName, $"{name}.dll");
-                var cscArgsPath = Path.Combine(tempDir.DirInfo.FullName, $"{name}.rsp");
-                var outputFolder = Path.Combine(targetDir, name);
+                var analyzerConfigPath = Path.Join(tempDir.DirInfo.FullName, $"{name}.txt");
+                var dllPath = Path.Join(tempDir.DirInfo.FullName, $"{name}.dll");
+                var cscArgsPath = Path.Join(tempDir.DirInfo.FullName, $"{name}.rsp");
+                var outputFolder = Path.Join(targetDir, name);
                 Directory.CreateDirectory(outputFolder);
                 logger.LogInfo("Producing analyzer config content.");
                 GenerateAnalyzerConfig(additionalFiles, csprojFile, analyzerConfigPath);

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/SourceGenerators/DotnetSourceGeneratorWrapper/Razor.cs

@@ -21,7 +21,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 throw new Exception("No SDK path available.");
             }
 
-            SourceGeneratorFolder = Path.Combine(sdkPath, "Sdks", "Microsoft.NET.Sdk.Razor", "source-generators");
+            SourceGeneratorFolder = Path.Join(sdkPath, "Sdks", "Microsoft.NET.Sdk.Razor", "source-generators");
             this.logger.LogInfo($"Razor source generator folder: {SourceGeneratorFolder}");
             if (!Directory.Exists(SourceGeneratorFolder))
             {

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/SourceGenerators/ImplicitUsingsGenerator.cs

@@ -50,7 +50,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
             if (usings.Count > 0)
             {
                 var tempDir = GetTemporaryWorkingDirectory("implicitUsings");
-                var path = Path.Combine(tempDir, "GlobalUsings.g.cs");
+                var path = Path.Join(tempDir, "GlobalUsings.g.cs");
                 using (var writer = new StreamWriter(path))
                 {
                     writer.WriteLine("// <auto-generated/>");

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/SourceGenerators/ResxGenerator.cs

@@ -32,7 +32,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
                 var nugetFolder = nugetPackageRestorer.TryRestore("Microsoft.CodeAnalysis.ResxSourceGenerator");
                 if (nugetFolder is not null)
                 {
-                    sourceGeneratorFolder = System.IO.Path.Combine(nugetFolder, "analyzers", "dotnet", "cs");
+                    sourceGeneratorFolder = System.IO.Path.Join(nugetFolder, "analyzers", "dotnet", "cs");
                 }
             }
             catch (Exception e)

csharp/extractor/Semmle.Extraction.CSharp.DependencyFetching/SourceGenerators/SourceGeneratorBase.cs

@@ -35,7 +35,7 @@ namespace Semmle.Extraction.CSharp.DependencyFetching
         /// </summary>
         protected string GetTemporaryWorkingDirectory(string subfolder)
         {
-            var temp = Path.Combine(tempWorkingDirectory.ToString(), subfolder);
+            var temp = Path.Join(tempWorkingDirectory.ToString(), subfolder);
             Directory.CreateDirectory(temp);
 
             return temp;

csharp/extractor/Semmle.Extraction.CSharp/Entities/Expressions/ElementAccess.cs

@@ -1,5 +1,6 @@
 using System.IO;
 using Microsoft.CodeAnalysis;
+using Microsoft.CodeAnalysis.CSharp;
 using Microsoft.CodeAnalysis.CSharp.Syntax;
 using Semmle.Extraction.Kinds;
 
@@ -8,7 +9,7 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
     internal abstract class ElementAccess : Expression<ExpressionSyntax>
     {
         protected ElementAccess(ExpressionNodeInfo info, ExpressionSyntax qualifier, BracketedArgumentListSyntax argumentList)
-            : base(info.SetKind(GetKind(info.Context, qualifier)))
+            : base(info.SetKind(GetKind(info.Context, info.Node, qualifier)))
         {
             this.qualifier = qualifier;
             this.argumentList = argumentList;
@@ -17,6 +18,125 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         private readonly ExpressionSyntax qualifier;
         private readonly BracketedArgumentListSyntax argumentList;
 
+
+        private ISymbol? GetTargetSymbol()
+        {
+            return Context.GetSymbolInfo(base.Syntax).Symbol;
+        }
+
+        private static void SetExprArgument(TextWriter trapFile, Expression left, Expression right)
+        {
+            trapFile.expr_argument(left, 0);
+            trapFile.expr_argument(right, 0);
+        }
+
+        private Expression MakeZeroFromEndExpression(IExpressionParentEntity parent, int child)
+        {
+            var info = new ExpressionInfo(
+                                Context,
+                                AnnotatedTypeSymbol.CreateNotAnnotated(Context.Compilation.GetSpecialType(SpecialType.System_Int32)),
+                                Location,
+                                ExprKind.INDEX,
+                                parent,
+                                child,
+                                isCompilerGenerated: true,
+                                null);
+
+            var index = new Expression(info);
+
+            MakeZeroLiteral(index, 0);
+            return index;
+        }
+
+        private Expression MakeZeroLiteral(IExpressionParentEntity parent, int child)
+        {
+            return Literal.CreateGenerated(Context, parent, child, Context.Compilation.GetSpecialType(SpecialType.System_Int32), 0, Location);
+        }
+
+
+        /// <summary>
+        /// It is assumed that either the input is
+        /// 1. A normal expression that can be used as endpoint (e.g a constant like "3").
+        /// 2. An index expression indicating that we should read from the end (e.g "^1").
+        /// </summary>
+        /// <param name="syntax">The syntax node representing the range endpoint.</param>
+        /// <param name="parent">The parent expression entity.</param>
+        /// <param name="child">The child index within the parent.</param>
+        /// <returns>An expression representing the endpoint of a range to be used in conjunction with a slice operation.</returns>
+        private Expression MakeFromRangeEndpoint(ExpressionSyntax syntax, IExpressionParentEntity parent, int child)
+        {
+            var info = new ExpressionNodeInfo(Context, syntax, parent, child);
+
+            return syntax.Kind() == SyntaxKind.IndexExpression
+                ? PrefixUnary.Create(info.SetKind(ExprKind.INDEX))
+                : Factory.Create(info);
+        }
+
+        /// <summary>
+        /// Determines whether the given method is a slice method, which is defined as a method with
+        /// the name "Slice" or "Substring" and two parameters.
+        /// </summary>
+        /// <param name="method">The method symbol to check.</param>
+        /// <returns>True if the method is a slice method; false otherwise.</returns>
+        private bool IsSlice(IMethodSymbol method, out RangeExpressionSyntax? range)
+        {
+            range = null;
+
+            if (argumentList.Arguments.Count == 1)
+            {
+                range = argumentList.Arguments[0].Expression as RangeExpressionSyntax;
+            }
+
+            return (method.Name == "Slice" || method.Name == "Substring")
+                && method.Parameters.Length == 2;
+        }
+
+        /// <summary>
+        /// Populates a slice method call based on the given range.
+        /// Roslyn translates indexer accesses with range expressions in the following way.
+        ///   1. s[a..b] -> s.Slice(a, b - a)
+        ///   2. s[..b] -> s.Slice(0, b)
+        ///   3. s[a..] -> s.Slice(a, s.Length - a)
+        ///   4. s[..] -> s.Slice(0, s.Length)
+        /// However, it is possible that both the qualifier or the index endpoints may contain method calls.
+        /// If we want to translate this accurately, we would need to introduce synthetic statements for qualifier and 
+        /// the endpoints, which should then be used in the slice method call.
+        /// To avoid this, we translate as follows.
+        /// 1. s[a..b] -> s.Slice(a, b)
+        /// 2. s[..b] -> s.Slice(0, b)
+        /// 3. s[a..] -> s.Slice(a, ^0)
+        /// 4. s[..] -> s.Slice(0, ^0)
+        /// 
+        /// Even though index expressions can't technically be used in this way, they signal that we
+        /// could perceive ^b as "length - b".
+        ///
+        /// Call arguments are only populated when a range expression is directly available in
+        /// the list of arguments.
+        /// This means that cases like below are not handled.
+        /// System.Range x = 1..3;
+        /// s[x]
+        /// </summary>
+        /// <param name="trapFile">The trap file to write to.</param>
+        /// <param name="slice">The slice method symbol.</param>
+        /// <param name="range">The range expression syntax.</param>
+        private void PopulateSlice(TextWriter trapFile, IMethodSymbol slice, RangeExpressionSyntax? range)
+        {
+            if (range is not null)
+            {
+                // Populate the call arguments
+                var left = range.LeftOperand is ExpressionSyntax lsyntax
+                    ? MakeFromRangeEndpoint(lsyntax, this, 0)
+                    : MakeZeroLiteral(this, 0);
+
+                var right = range.RightOperand is ExpressionSyntax rsyntax
+                    ? MakeFromRangeEndpoint(rsyntax, this, 1)
+                    : MakeZeroFromEndExpression(this, 1);
+
+                SetExprArgument(trapFile, left, right);
+            }
+            trapFile.expr_call(this, Method.Create(Context, slice));
+        }
+
         protected override void PopulateExpression(TextWriter trapFile)
         {
             if (Kind == ExprKind.POINTER_INDIRECTION)
@@ -30,11 +150,19 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
             else
             {
                 Create(Context, qualifier, this, -1);
+
+                var target = GetTargetSymbol();
+                if (target is IMethodSymbol method && IsSlice(method, out var range))
+                {
+                    // When an indexer on a span or string is used in conjunction with a range expression, the compiler translates
+                    // this into a call to the "Slice" or "Substring" method.
+                    // In this case, we want to populate a slice/substring method call instead of an indexer access.
+                    PopulateSlice(trapFile, method, range);
+                    return;
+                }
+
                 PopulateArguments(trapFile, argumentList, 0);
-
-                var symbolInfo = Context.GetSymbolInfo(base.Syntax);
-
-                if (symbolInfo.Symbol is IPropertySymbol indexer)
+                if (target is IPropertySymbol { IsIndexer: true } indexer)
                 {
                     trapFile.expr_access(this, Indexer.Create(Context, indexer));
                 }
@@ -46,8 +174,11 @@ namespace Semmle.Extraction.CSharp.Entities.Expressions
         private static bool IsArray(ITypeSymbol symbol) =>
             symbol.TypeKind == Microsoft.CodeAnalysis.TypeKind.Array || symbol.IsInlineArray();
 
-        private static ExprKind GetKind(Context cx, ExpressionSyntax qualifier)
+        private static ExprKind GetKind(Context cx, ExpressionSyntax syntax, ExpressionSyntax qualifier)
         {
+            if (cx.GetSymbolInfo(syntax).Symbol is IMethodSymbol)
+                return ExprKind.METHOD_INVOCATION;
+
             var qualifierType = cx.GetType(qualifier);
 
             // This is a compilation error, so make a guess and continue.

csharp/extractor/Semmle.Extraction.CSharp/Entities/Statements/Catch.cs

@@ -23,7 +23,9 @@ namespace Semmle.Extraction.CSharp.Entities.Statements
             }
             else if (isSpecificCatchClause) // A catch clause of the form 'catch(Ex) { ... }'
             {
-                trapFile.catch_type(this, Type.Create(Context, Context.GetType(Stmt.Declaration!.Type)).TypeRef, true);
+                var type = Type.Create(Context, Context.GetType(Stmt.Declaration!.Type));
+                trapFile.catch_type(this, type.TypeRef, true);
+                TypeMention.Create(Context, Stmt.Declaration!.Type, this, type);
             }
             else // A catch clause of the form 'catch { ... }'
             {

csharp/extractor/Semmle.Extraction.CSharp/Extractor/CompilerVersion.cs

@@ -67,7 +67,7 @@ namespace Semmle.Extraction.CSharp
                     return;
                 }
 
-                var mscorlibExists = File.Exists(Path.Combine(compilerDir, "mscorlib.dll"));
+                var mscorlibExists = File.Exists(Path.Join(compilerDir, "mscorlib.dll"));
 
                 if (specifiedFramework is null && mscorlibExists)
                 {
@@ -107,7 +107,7 @@ namespace Semmle.Extraction.CSharp
         /// <summary>
         /// The file csc.rsp.
         /// </summary>
-        private string CscRsp => Path.Combine(FrameworkPath, csc_rsp);
+        private string CscRsp => Path.Join(FrameworkPath, csc_rsp);
 
         /// <summary>
         /// Should we skip extraction?

csharp/extractor/Semmle.Extraction.CSharp/Extractor/Context.cs

@@ -680,7 +680,7 @@ namespace Semmle.Extraction.CSharp
             {
                 try
                 {
-                    var fullPath = Path.GetFullPath(Path.Combine(Path.GetDirectoryName(mappedFromPath)!, mappedToPath));
+                    var fullPath = Path.GetFullPath(Path.Join(Path.GetDirectoryName(mappedFromPath)!, mappedToPath));
                     ExtractionContext.Logger.LogDebug($"Found relative path in line mapping: '{mappedToPath}', interpreting it as '{fullPath}'");
 
                     mappedToPath = fullPath;

csharp/extractor/Semmle.Extraction.CSharp/Extractor/CsProjFile.cs

@@ -159,7 +159,11 @@ namespace Semmle.Extraction.CSharp
                 return null;
             }
 
-            return Path.GetFullPath(Path.Combine(projDir?.FullName ?? string.Empty, Path.DirectorySeparatorChar == '/' ? file.Replace("\\", "/") : file));
+            var normalized = Path.DirectorySeparatorChar == '/' ? file.Replace("\\", "/") : file;
+            var path = projDir is not null && !Path.IsPathRooted(normalized)
+                ? Path.Join(projDir.FullName, normalized)
+                : normalized;
+            return Path.GetFullPath(path);
         }
 
         private readonly string[] references;

csharp/extractor/Semmle.Extraction.CSharp/Extractor/Extractor.cs

@@ -210,7 +210,7 @@ namespace Semmle.Extraction.CSharp
                             TracingAnalyser.GetOutputName(compilation, args),
                             compilation,
                             generatedSyntaxTrees,
-                            Path.Combine(compilationIdentifierPath, diagnosticName),
+                            Path.Join(compilationIdentifierPath, diagnosticName),
                             options),
                         () => { });
 
@@ -377,7 +377,7 @@ namespace Semmle.Extraction.CSharp
                 else
                 {
                     var composed = referencePaths.Value
-                        .Select(path => Path.Combine(path, clref.Reference))
+                        .Select(path => Path.Join(path, clref.Reference))
                         .Where(path => File.Exists(path))
                         .Select(path => analyser.PathCache.GetCanonicalPath(path))
                         .FirstOrDefault();
@@ -559,13 +559,13 @@ namespace Semmle.Extraction.CSharp
         /// Gets the path to the `csharp.log` file written to by the C# extractor.
         /// </summary>
         public static string GetCSharpLogPath() =>
-            Path.Combine(GetCSharpLogDirectory(), "csharp.log");
+            Path.Join(GetCSharpLogDirectory(), "csharp.log");
 
         /// <summary>
         /// Gets the path to a `csharp.{hash}.txt` file written to by the C# extractor.
         /// </summary>
         public static string GetCSharpArgsLogPath(string hash) =>
-            Path.Combine(GetCSharpLogDirectory(), $"csharp.{hash}.txt");
+            Path.Join(GetCSharpLogDirectory(), $"csharp.{hash}.txt");
 
         /// <summary>
         /// Gets a list of all `csharp.{hash}.txt` files currently written to the log directory.

csharp/extractor/Semmle.Extraction.CSharp/Extractor/TracingAnalyser.cs

@@ -131,7 +131,7 @@ namespace Semmle.Extraction.CSharp
                 return Path.ChangeExtension(entryPointFilename, ".exe");
             }
 
-            return Path.Combine(commandLineArguments.OutputDirectory, commandLineArguments.OutputFileName);
+            return Path.Join(commandLineArguments.OutputDirectory, commandLineArguments.OutputFileName);
         }
 
         private int LogDiagnostics()

csharp/extractor/Semmle.Extraction.CSharp/Extractor/TrapWriter.cs

@@ -61,7 +61,7 @@ namespace Semmle.Extraction.CSharp
                      * Although GetRandomFileName() is cryptographically secure,
                      * there's a tiny chance the file could already exists.
                      */
-                    tmpFile = Path.Combine(tempPath, Path.GetRandomFileName());
+                    tmpFile = Path.Join(tempPath, Path.GetRandomFileName());
                 }
                 while (File.Exists(tmpFile));
 

csharp/extractor/Semmle.Util.Tests/CanonicalPathCache.cs

@@ -82,13 +82,13 @@ namespace SemmleTests.Semmle.Util
         [Fact]
         public void CanonicalPathMissingFile()
         {
-            Assert.Equal(Path.Combine(Directory.GetCurrentDirectory(), "NOSUCHFILE"), cache.GetCanonicalPath("NOSUCHFILE"));
+            Assert.Equal(Path.Join(Directory.GetCurrentDirectory(), "NOSUCHFILE"), cache.GetCanonicalPath("NOSUCHFILE"));
         }
 
         [Fact]
         public void CanonicalPathMissingAbsolutePath()
         {
-            Assert.Equal(Path.Combine(root, "no", "such", "file"), cache.GetCanonicalPath(Path.Combine(root, "no", "such", "file")));
+            Assert.Equal(Path.Join(root, "no", "such", "file"), cache.GetCanonicalPath(Path.Join(root, "no", "such", "file")));
 
             if (Win32.IsWindows())
                 Assert.Equal(@"C:\Windows\no\such\file", cache.GetCanonicalPath(@"C:\windOws\no\such\file"));
@@ -97,7 +97,7 @@ namespace SemmleTests.Semmle.Util
         [Fact]
         public void CanonicalPathMissingRelativePath()
         {
-            Assert.Equal(Path.Combine(Directory.GetCurrentDirectory(), "NO", "SUCH"), cache.GetCanonicalPath(Path.Combine("NO", "SUCH")));
+            Assert.Equal(Path.Join(Directory.GetCurrentDirectory(), "NO", "SUCH"), cache.GetCanonicalPath(Path.Join("NO", "SUCH")));
         }
 
         [Fact]
@@ -125,7 +125,7 @@ namespace SemmleTests.Semmle.Util
         public void CanonicalPathDots()
         {
             var abcPath = Path.GetFullPath("abc");
-            Assert.Equal(abcPath, cache.GetCanonicalPath(Path.Combine("foo", ".", "..", "abc")));
+            Assert.Equal(abcPath, cache.GetCanonicalPath(Path.Join("foo", ".", "..", "abc")));
         }
 
         [Fact]

csharp/extractor/Semmle.Util.Tests/LongPaths.cs

@@ -14,20 +14,20 @@ namespace SemmleTests.Semmle.Util
     public sealed class LongPaths
     {
         private static readonly string tmpDir = Environment.GetEnvironmentVariable("TEST_TMPDIR") ?? Path.GetTempPath();
-        private static readonly string longPathDir = Path.Combine(tmpDir, "aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
+        private static readonly string longPathDir = Path.Join(tmpDir, "aaaaaaaaaaaaaaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbbbbbbbbbbbbbbb",
             "ccccccccccccccccccccccccccccccc", "ddddddddddddddddddddddddddddddddddddd", "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeee", "fffffffffffffffffffffffffffffffff",
             "ggggggggggggggggggggggggggggggggggg", "hhhhhhhhhhhhhhhhhhhhhhhhhhhhhh");
 
         private static string MakeLongPath()
         {
             var uniquePostfix = Guid.NewGuid().ToString("N");
-            return Path.Combine(longPathDir, $"iiiiiiiiiiiiiiii{uniquePostfix}.txt");
+            return Path.Join(longPathDir, $"iiiiiiiiiiiiiiii{uniquePostfix}.txt");
         }
 
         private static string MakeShortPath()
         {
             var uniquePostfix = Guid.NewGuid().ToString("N");
-            return Path.Combine(tmpDir, $"test{uniquePostfix}.txt");
+            return Path.Join(tmpDir, $"test{uniquePostfix}.txt");
         }
 
         public LongPaths()
@@ -62,7 +62,7 @@ namespace SemmleTests.Semmle.Util
         [Fact]
         public void ParentDirectory()
         {
-            Assert.Equal("abc", Path.GetDirectoryName(Path.Combine("abc", "def")));
+            Assert.Equal("abc", Path.GetDirectoryName(Path.Join("abc", "def")));
             Assert.Equal(Win32.IsWindows() ? "\\" : "/", Path.GetDirectoryName($@"{Path.DirectorySeparatorChar}def"));
             Assert.Equal("", Path.GetDirectoryName(@"def"));
 

csharp/extractor/Semmle.Util/BuildActions.cs

@@ -137,11 +137,11 @@ namespace Semmle.Util
         bool IsMonoInstalled();
 
         /// <summary>
-        /// Combine path segments, Path.Combine().
+        /// Joins path segments, Path.Join().
         /// </summary>
         /// <param name="parts">The parts of the path.</param>
         /// <returns>The combined path.</returns>
-        string PathCombine(params string[] parts);
+        string PathJoin(params string[] parts);
 
         /// <summary>
         /// Gets the full path for <paramref name="path"/>, Path.GetFullPath().
@@ -293,7 +293,7 @@ namespace Semmle.Util
             }
         }
 
-        string IBuildActions.PathCombine(params string[] parts) => Path.Combine(parts);
+        string IBuildActions.PathJoin(params string[] parts) => Path.Join(parts);
 
         void IBuildActions.WriteAllText(string filename, string contents) => File.WriteAllText(filename, contents);
 

csharp/extractor/Semmle.Util/CanonicalPathCache.cs

@@ -43,7 +43,7 @@ namespace Semmle.Util
             var parent = Directory.GetParent(path);
 
             return parent is not null ?
-                Path.Combine(cache.GetCanonicalPath(parent.FullName), Path.GetFileName(path)) :
+                Path.Join(cache.GetCanonicalPath(parent.FullName), Path.GetFileName(path)) :
                 path.ToUpperInvariant();
         }
     }
@@ -138,12 +138,12 @@ namespace Semmle.Util
                 var entries = Directory.GetFileSystemEntries(parentPath, name);
                 return entries.Length == 1
                     ? entries[0]
-                    : Path.Combine(parentPath, name);
+                    : Path.Join(parentPath, name);
             }
             catch  // lgtm[cs/catch-of-all-exceptions]
             {
                 // IO error or security error querying directory.
-                return Path.Combine(parentPath, name);
+                return Path.Join(parentPath, name);
             }
         }
     }

csharp/extractor/Semmle.Util/FileUtils.cs

@@ -82,7 +82,7 @@ namespace Semmle.Util
             {
                 exes = new[] { prog };
             }
-            var candidates = paths?.Where(path => exes.Any(exe0 => File.Exists(Path.Combine(path, exe0))));
+            var candidates = paths?.Where(path => exes.Any(exe0 => File.Exists(Path.Join(path, exe0))));
             return candidates?.FirstOrDefault();
         }
 
@@ -179,7 +179,7 @@ namespace Semmle.Util
             {
                 innerpath = ConvertPathToSafeRelativePath(innerpath);
 
-                nested = Path.Combine(outerpath, innerpath);
+                nested = Path.Join(outerpath, innerpath);
             }
             try
             {
@@ -203,7 +203,7 @@ namespace Semmle.Util
         {
             var tempPath = Path.GetTempPath();
             var name = Guid.NewGuid().ToString("N").ToUpper();
-            var tempFolder = Path.Combine(tempPath, "GitHub", name);
+            var tempFolder = Path.Join(tempPath, "GitHub", name);
             Directory.CreateDirectory(tempFolder);
             return tempFolder;
         });
@@ -231,7 +231,7 @@ namespace Semmle.Util
             string outputPath;
             do
             {
-                outputPath = Path.Combine(tempFolder, Path.GetRandomFileName() + extension);
+                outputPath = Path.Join(tempFolder, Path.GetRandomFileName() + extension);
             }
             while (File.Exists(outputPath));
 

csharp/ql/lib/change-notes/2026-05-21-spanaccess-range.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved extraction of range-access expressions on spans and strings (for example, `a[0..3]`). These expressions are now extracted as `Slice` (span) or `Substring` (string) calls.

csharp/ql/lib/change-notes/2026-05-22-property-indexer-partial-override.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved property and indexer call target resolution for partially overridden properties and indexers.

csharp/ql/lib/change-notes/2026-06-12-razor-page-handler-sources.md

@@ -0,0 +1,4 @@
+---
+category: majorAnalysis
+---
+* Added Razor Page handler method parameters (e.g., `OnGet`, `OnPost`, `OnPostAsync`) as remote flow sources, enabling security queries such as `cs/sql-injection` to detect vulnerabilities in `PageModel` subclasses.

csharp/ql/lib/change-notes/2026-06-12-restructure-operations.md

@@ -0,0 +1,4 @@
+---
+category: breaking
+---
+* Renamed types related to *operation* expressions. The QL classes `BinaryArithmeticOperation`, `BinaryBitwiseOperation`, and `BinaryLogicalOperation` now include compound assignments; for example, `BinaryArithmeticOperation` now includes `a += b`.

csharp/ql/lib/experimental/code/csharp/Cryptography/NonCryptographicHashes.qll

@@ -50,15 +50,15 @@ private predicate maybeUsedInElfHashFunction(Variable v, Operation xor, Operatio
   |
     add instanceof AddOperation and
     e1.getAChild*() = add.getAnOperand() and
-    e1 instanceof BinaryBitwiseOperation and
-    e2 = e1.(BinaryBitwiseOperation).getLeftOperand() and
+    e1 instanceof BinaryBitwiseExpr and
+    e2 = e1.(BinaryBitwiseExpr).getLeftOperand() and
     v = addAssign.getTargetVariable() and
     addAssign.getAChild*() = add and
     (xor instanceof BitwiseXorExpr or xor instanceof AssignXorExpr) and
     addAssign.getControlFlowNode().getASuccessor*() = xor.getControlFlowNode() and
     xorAssign.getAChild*() = xor and
     v = xorAssign.getTargetVariable() and
-    (notOp instanceof UnaryBitwiseOperation or notOp instanceof AssignBitwiseOperation) and
+    (notOp instanceof UnaryBitwiseOperation or notOp instanceof AssignBitwiseExpr) and
     xor.getControlFlowNode().getASuccessor*() = notOp.getControlFlowNode() and
     notAssign.getAChild*() = notOp and
     v = notAssign.getTargetVariable() and

csharp/ql/lib/qlpack.yml

@@ -9,6 +9,7 @@ dependencies:
   codeql/controlflow: ${workspace}
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
+  codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/threat-models: ${workspace}
   codeql/tutorial: ${workspace}

csharp/ql/lib/semmle/code/csharp/Assignable.qll

@@ -290,7 +290,7 @@ module AssignableInternal {
     newtype TAssignableDefinition =
       TAssignmentDefinition(Assignment a) {
         not a.getLeftOperand() instanceof TupleExpr and
-        not a instanceof AssignCallOperation and
+        not a instanceof AssignCallExpr and
         not a instanceof AssignCoalesceExpr
       } or
       TTupleAssignmentDefinition(AssignExpr ae, Expr leaf) { tupleAssignmentDefinition(ae, leaf) } or
@@ -324,7 +324,7 @@ module AssignableInternal {
       TAddressOfDefinition(AddressOfExpr aoe) or
       TPatternDefinition(TopLevelPatternDecl tlpd) or
       TAssignOperationDefinition(AssignOperation ao) {
-        ao instanceof AssignCallOperation and not ao instanceof CompoundAssignmentOperatorCall
+        ao instanceof AssignCallExpr and not ao instanceof CompoundAssignmentOperatorCall
         or
         ao instanceof AssignCoalesceExpr
       }

csharp/ql/lib/semmle/code/csharp/ExprOrStmtParent.qll

@@ -121,6 +121,13 @@ private module Cached {
     result = getAChildExpr(parent)
     or
     result = parent.getAChildStmt()
+    or
+    result =
+      any(TypeMention tm |
+        tm.getTarget() = parent
+        or
+        tm.getParent+().getTarget() = parent
+      )
   }
 
   private predicate parent(ControlFlowElement child, ExprOrStmtParent parent) {

csharp/ql/lib/semmle/code/csharp/Property.qll

@@ -57,6 +57,28 @@ class DeclarationWithGetSetAccessors extends DeclarationWithAccessors, TopLevelE
   /** Gets the `set` accessor of this declaration, if any. */
   Setter getSetter() { result = this.getAnAccessor() }
 
+  /** Gets the target accessor of this declaration when used in a read context, if any. */
+  Accessor getReadTarget() {
+    result = this.getGetter()
+    or
+    not exists(this.getGetter()) and
+    result = this.getOverridee().getReadTarget()
+  }
+
+  /** Gets the target accessor of this declaration when used in a write context, if any. */
+  Accessor getWriteTarget() {
+    result = this.getSetter()
+    or
+    not exists(this.getSetter()) and
+    result = this.getOverridee().getWriteTarget()
+    or
+    result =
+      any(Getter g |
+        g = this.getReadTarget() and
+        g.getAnnotatedReturnType().isRef()
+      )
+  }
+
   override DeclarationWithGetSetAccessors getOverridee() {
     result = DeclarationWithAccessors.super.getOverridee()
   }

csharp/ql/lib/semmle/code/csharp/Type.qll

@@ -6,6 +6,7 @@ import Generics
 import Location
 import Namespace
 import Property
+import semmle.code.csharp.controlflow.ControlFlowElement
 private import Conversion
 private import semmle.code.csharp.metrics.Coupling
 private import TypeRef
@@ -1286,7 +1287,7 @@ class TupleType extends ValueType, @tuple_type {
  * A type mention, that is, any mention of a type in a source code file.
  * For example, `int` is mentioned in `int M() { return 1; }`.
  */
-class TypeMention extends @type_mention {
+class TypeMention extends ControlFlowElement, @type_mention {
   Type type;
   @type_mention_parent parent;
 
@@ -1319,13 +1320,13 @@ class TypeMention extends @type_mention {
    * }
    * ```
    */
-  TypeMention getParent() { result = parent }
+  override TypeMention getParent() { result = parent }
 
   /** Gets a textual representation of this type mention. */
-  string toString() { result = type.toString() }
+  override string toString() { result = type.toString() }
 
   /** Gets the location of this type mention. */
-  Location getLocation() { type_mention_location(this, result) }
+  override Location getALocation() { type_mention_location(this, result) }
 }
 
 /**

csharp/ql/lib/semmle/code/csharp/controlflow/ControlFlowElement.qll

@@ -20,7 +20,7 @@ class ControlFlowElementOrCallable extends ExprOrStmtParent, TControlFlowElement
  */
 class ControlFlowElement extends ControlFlowElementOrCallable, @control_flow_element {
   /** Gets the enclosing callable of this element, if any. */
-  Callable getEnclosingCallable() { none() }
+  Callable getEnclosingCallable() { enclosingCallable(this, result) }
 
   /** Gets the assembly that this element was compiled into. */
   Assembly getAssembly() {

csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll

@@ -912,18 +912,17 @@ module Internal {
       )
     or
     // In C#, `null + 1` has type `int?` with value `null`
-    exists(BinaryOperation bo, Expr o |
-      bo instanceof BinaryArithmeticOperation or
-      bo instanceof AssignArithmeticOperation
-    |
-      result = bo and
-      bo.getAnOperand() = e and
-      bo.getAnOperand() = o and
-      // The other operand must be provably non-null in order
-      // for `only if` to hold
-      nonNullValueImplied(o) and
-      e != o
-    )
+    result =
+      any(BinaryArithmeticOperation bao |
+        exists(Expr o |
+          bao.getAnOperand() = e and
+          bao.getAnOperand() = o and
+          // The other operand must be provably non-null in order
+          // for `only if` to hold
+          nonNullValueImplied(o) and
+          e != o
+        )
+      )
   }
 
   /**
@@ -934,10 +933,10 @@ module Internal {
       any(QualifiableExpr qe |
         qe.isConditional() and
         result = qe.getQualifier()
-      ) or
+      )
+    or
     // In C#, `null + 1` has type `int?` with value `null`
-    e = any(BinaryArithmeticOperation bao | result = bao.getAnOperand()) or
-    e = any(AssignArithmeticOperation aao | result = aao.getAnOperand())
+    e = any(BinaryArithmeticOperation bao | result = bao.getAnOperand())
   }
 
   deprecated predicate isGuard(Expr e, GuardValue val) {

csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraph.qll

@@ -145,6 +145,8 @@ module Ast implements AstSig<Location> {
   final private class ParameterFinal = CS::Parameter;
 
   class Parameter extends ParameterFinal {
+    AstNode getPattern() { result = this }
+
     Expr getDefaultValue() {
       // Avoid combinatorial explosions for callables with multiple bodies
       result = unique( | | super.getDefaultValue())
@@ -172,6 +174,10 @@ module Ast implements AstSig<Location> {
 
   class DoStmt = CS::DoStmt;
 
+  class UntilStmt extends LoopStmt {
+    UntilStmt() { none() }
+  }
+
   final private class FinalForStmt = CS::ForStmt;
 
   class ForStmt extends FinalForStmt {
@@ -203,7 +209,7 @@ module Ast implements AstSig<Location> {
   final private class FinalTryStmt = CS::TryStmt;
 
   class TryStmt extends FinalTryStmt {
-    Stmt getBody() { result = this.getBlock() }
+    AstNode getBody(int index) { index = 0 and result = this.getBlock() }
 
     CatchClause getCatch(int index) { result = this.getCatchClause(index) }
 

csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll

@@ -4,67 +4,31 @@
 overlay[local?]
 module;
 
-private import internal.rangeanalysis.BoundSpecific
+private import csharp as CS
+private import semmle.code.csharp.dataflow.SSA::Ssa
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
+private import codeql.rangeanalysis.Bound as SharedBound
 
-private newtype TBound =
-  TBoundZero() or
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
-  TBoundExpr(Expr e) {
-    interestingExprBound(e) and
-    not exists(SsaVariable v | e = v.getAUse())
-  }
+/** Provides C#-specific definitions for bounds. */
+private module BoundDefs implements SharedBound::BoundDefinitions<CS::Location> {
+  class Type = CS::Type;
 
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
+  class SsaVariable = SU::SsaVariable;
 
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Expr getExpr(int delta);
+  class SsaSourceVariable = SourceVariable;
 
-  /** Gets an expression that equals this bound. */
-  Expr getExpr() { result = this.getExpr(0) }
+  class Expr = CS::ControlFlowNodes::ExprNode;
 
-  /** Gets the location of this bound. */
-  abstract Location getLocation();
+  class IntegralType = CS::IntegralType;
+
+  class ConstantIntegerExpr = CU::ConstantIntegerExpr;
+
+  /** Holds if `e` is a bound expression and it is not an SSA variable read. */
+  predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }
 }
 
-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
+module BoundImpl = SharedBound::Bound<CS::Location, BoundDefs>;
 
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
-
-  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = this.getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }
-
-  override Location getLocation() { result = this.getSsa().getLocation() }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = this.getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}
+import BoundImpl

csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -1,22 +0,0 @@
-/**
- * Provides C#-specific definitions for bounds.
- */
-
-private import csharp as CS
-private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
-
-class SsaVariable = SU::SsaVariable;
-
-class Expr = CS::ControlFlowNodes::ExprNode;
-
-class Location = CS::Location;
-
-class IntegralType = CS::IntegralType;
-
-class ConstantIntegerExpr = CU::ConstantIntegerExpr;
-
-/** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }

csharp/ql/lib/semmle/code/csharp/dispatch/Dispatch.qll

@@ -124,9 +124,7 @@ private module Internal {
       TDispatchDynamicOperatorCall(DynamicOperatorCall doc) or
       TDispatchDynamicMemberAccess(DynamicMemberAccess dma) or
       TDispatchDynamicElementAccess(DynamicElementAccess dea) or
-      TDispatchDynamicEventAccess(
-        AssignArithmeticOperation aao, DynamicMemberAccess dma, string name
-      ) {
+      TDispatchDynamicEventAccess(AssignArithmeticExpr aao, DynamicMemberAccess dma, string name) {
         isPotentialEventCall(aao, dma, name)
       } or
       TDispatchDynamicObjectCreation(DynamicObjectCreation doc) or
@@ -230,7 +228,7 @@ private module Internal {
    * accessor.
    */
   private predicate isPotentialEventCall(
-    AssignArithmeticOperation aao, DynamicMemberAccess dma, string name
+    AssignArithmeticExpr aao, DynamicMemberAccess dma, string name
   ) {
     aao instanceof DynamicOperatorCall and
     dma = aao.getLeftOperand() and
@@ -1397,9 +1395,7 @@ private module Internal {
   private class DispatchDynamicEventAccess extends DispatchReflectionOrDynamicCall,
     TDispatchDynamicEventAccess
   {
-    override AssignArithmeticOperation getCall() {
-      this = TDispatchDynamicEventAccess(result, _, _)
-    }
+    override AssignArithmeticExpr getCall() { this = TDispatchDynamicEventAccess(result, _, _) }
 
     override string getName() { this = TDispatchDynamicEventAccess(_, _, result) }
 

csharp/ql/lib/semmle/code/csharp/exprs/ArithmeticOperation.qll

@@ -11,19 +11,27 @@ import Expr
  * (`UnaryArithmeticOperation`) or a binary arithmetic operation
  * (`BinaryArithmeticOperation`).
  */
-class ArithmeticOperation extends Operation, @arith_op_expr {
+class ArithmeticOperation extends Operation, @arith_operation {
   override string getOperator() { none() }
 }
 
 /**
- * A unary arithmetic operation. Either a unary minus operation
- * (`UnaryMinusExpr`), a unary plus operation (`UnaryPlusExpr`),
- * or a mutator operation (`MutatorOperation`).
+ * A binary arithmetic operation. Either a binary arithmetic expression (`BinaryArithmeticExpr`) or
+ * an arithmetic assignment expression (`AssignArithmeticExpr`).
  */
-class UnaryArithmeticOperation extends ArithmeticOperation, UnaryOperation, @un_arith_op_expr { }
+class BinaryArithmeticOperation extends ArithmeticOperation, BinaryOperation, @bin_arith_operation {
+  override string getOperator() { none() }
+}
 
 /**
- * A unary minus operation, for example `-x`.
+ * A unary arithmetic operation. Either a unary minus expression
+ * (`UnaryMinusExpr`), a unary plus expression (`UnaryPlusExpr`),
+ * or a mutator operation (`MutatorOperation`).
+ */
+class UnaryArithmeticOperation extends ArithmeticOperation, UnaryOperation, @un_arith_operation { }
+
+/**
+ * A unary minus expression, for example `-x`.
  */
 class UnaryMinusExpr extends UnaryArithmeticOperation, @minus_expr {
   override string getOperator() { result = "-" }
@@ -32,7 +40,7 @@ class UnaryMinusExpr extends UnaryArithmeticOperation, @minus_expr {
 }
 
 /**
- * A unary plus operation, for example `+x`.
+ * A unary plus expression, for example `+x`.
  */
 class UnaryPlusExpr extends UnaryArithmeticOperation, @plus_expr {
   override string getOperator() { result = "+" }
@@ -44,40 +52,40 @@ class UnaryPlusExpr extends UnaryArithmeticOperation, @plus_expr {
  * A mutator operation. Either an increment operation (`IncrementOperation`)
  * or a decrement operation (`DecrementOperation`).
  */
-class MutatorOperation extends UnaryArithmeticOperation, @mut_op_expr { }
+class MutatorOperation extends UnaryArithmeticOperation, @mut_operation { }
 
 /**
- * An increment operation. Either a postfix increment operation
- * (`PostIncrExpr`) or a prefix increment operation (`PreIncrExpr`).
+ * An increment operation. Either a postfix increment expression
+ * (`PostIncrExpr`) or a prefix increment expression (`PreIncrExpr`).
  */
-class IncrementOperation extends MutatorOperation, @incr_op_expr {
+class IncrementOperation extends MutatorOperation, @incr_operation {
   override string getOperator() { result = "++" }
 }
 
 /**
- * A decrement operation. Either a postfix decrement operation
- * (`PostDecrExpr`) or a prefix decrement operation (`PreDecrExpr`).
+ * A decrement operation. Either a postfix decrement expression
+ * (`PostDecrExpr`) or a prefix decrement expression (`PreDecrExpr`).
  */
-class DecrementOperation extends MutatorOperation, @decr_op_expr {
+class DecrementOperation extends MutatorOperation, @decr_operation {
   override string getOperator() { result = "--" }
 }
 
 /**
- * A prefix increment operation, for example `++x`.
+ * A prefix increment expression, for example `++x`.
  */
 class PreIncrExpr extends IncrementOperation, @pre_incr_expr {
   override string getAPrimaryQlClass() { result = "PreIncrExpr" }
 }
 
 /**
- * A prefix decrement operation, for example `--x`.
+ * A prefix decrement expression, for example `--x`.
  */
 class PreDecrExpr extends DecrementOperation, @pre_decr_expr {
   override string getAPrimaryQlClass() { result = "PreDecrExpr" }
 }
 
 /**
- * A postfix increment operation, for example `x++`.
+ * A postfix increment expression, for example `x++`.
  */
 class PostIncrExpr extends IncrementOperation, @post_incr_expr {
   override string toString() { result = "..." + this.getOperator() }
@@ -86,7 +94,7 @@ class PostIncrExpr extends IncrementOperation, @post_incr_expr {
 }
 
 /**
- * A postfix decrement operation, for example `x--`.
+ * A postfix decrement expression, for example `x--`.
  */
 class PostDecrExpr extends DecrementOperation, @post_decr_expr {
   override string toString() { result = "..." + this.getOperator() }
@@ -95,55 +103,84 @@ class PostDecrExpr extends DecrementOperation, @post_decr_expr {
 }
 
 /**
- * A binary arithmetic operation. Either an addition operation
- * (`AddExpr`), a subtraction operation (`SubExpr`), a multiplication
- * operation (`MulExpr`), a division operation (`DivExpr`), or a
- * remainder operation (`RemExpr`).
+ * An addition operation, either `x + y` or `x += y`.
  */
-class BinaryArithmeticOperation extends ArithmeticOperation, BinaryOperation, @bin_arith_op_expr {
-  override string getOperator() { none() }
+class AddOperation extends BinaryArithmeticOperation, @add_operation { }
+
+/**
+ * A subtraction operation, either `x - y` or `x -= y`.
+ */
+class SubOperation extends BinaryArithmeticOperation, @sub_operation { }
+
+/**
+ * A multiplication operation, either `x * y` or `x *= y`.
+ */
+class MulOperation extends BinaryArithmeticOperation, @mul_operation { }
+
+/**
+ * A division operation, either `x / y` or `x /= y`.
+ */
+class DivOperation extends BinaryArithmeticOperation, @div_operation {
+  /** Gets the numerator of this division operation. */
+  Expr getNumerator() { result = this.getLeftOperand() }
+
+  /** Gets the denominator of this division operation. */
+  Expr getDenominator() { result = this.getRightOperand() }
 }
 
 /**
- * An addition operation, for example `x + y`.
+ * A remainder operation, either `x % y` or `x %= y`.
  */
-class AddExpr extends BinaryArithmeticOperation, AddOperation, @add_expr {
+class RemOperation extends BinaryArithmeticOperation, @rem_operation { }
+
+/**
+ * A binary arithmetic expression. Either an addition expression
+ * (`AddExpr`), a subtraction expression (`SubExpr`), a multiplication
+ * expression (`MulExpr`), a division expression (`DivExpr`), or a
+ * remainder expression (`RemExpr`).
+ */
+class BinaryArithmeticExpr extends BinaryArithmeticOperation, @bin_arith_expr { }
+
+/**
+ * An addition expression, for example `x + y`.
+ */
+class AddExpr extends BinaryArithmeticExpr, AddOperation, @add_expr {
   override string getOperator() { result = "+" }
 
   override string getAPrimaryQlClass() { result = "AddExpr" }
 }
 
 /**
- * A subtraction operation, for example `x - y`.
+ * A subtraction expression, for example `x - y`.
  */
-class SubExpr extends BinaryArithmeticOperation, SubOperation, @sub_expr {
+class SubExpr extends BinaryArithmeticExpr, SubOperation, @sub_expr {
   override string getOperator() { result = "-" }
 
   override string getAPrimaryQlClass() { result = "SubExpr" }
 }
 
 /**
- * A multiplication operation, for example `x * y`.
+ * A multiplication expression, for example `x * y`.
  */
-class MulExpr extends BinaryArithmeticOperation, MulOperation, @mul_expr {
+class MulExpr extends BinaryArithmeticExpr, MulOperation, @mul_expr {
   override string getOperator() { result = "*" }
 
   override string getAPrimaryQlClass() { result = "MulExpr" }
 }
 
 /**
- * A division operation, for example `x / y`.
+ * A division expression, for example `x / y`.
  */
-class DivExpr extends BinaryArithmeticOperation, DivOperation, @div_expr {
+class DivExpr extends BinaryArithmeticExpr, DivOperation, @div_expr {
   override string getOperator() { result = "/" }
 
   override string getAPrimaryQlClass() { result = "DivExpr" }
 }
 
 /**
- * A remainder operation, for example `x % y`.
+ * A remainder expression, for example `x % y`.
  */
-class RemExpr extends BinaryArithmeticOperation, RemOperation, @rem_expr {
+class RemExpr extends BinaryArithmeticExpr, RemOperation, @rem_expr {
   override string getOperator() { result = "%" }
 
   override string getAPrimaryQlClass() { result = "RemExpr" }

csharp/ql/lib/semmle/code/csharp/exprs/Assignment.qll

@@ -72,9 +72,9 @@ class AssignExpr extends Assignment, @simple_assign_expr {
 }
 
 /**
- * An assignment operation. Either an arithmetic assignment operation
- * (`AssignArithmeticOperation`), a bitwise assignment operation
- * (`AssignBitwiseOperation`), an event assignment (`AddOrRemoveEventExpr`), or
+ * An assignment operation. Either an arithmetic assignment expression
+ * (`AssignArithmeticExpr`), a bitwise assignment expression
+ * (`AssignBitwiseExpr`), an event assignment (`AddOrRemoveEventExpr`), or
  * a null-coalescing assignment (`AssignCoalesceExpr`).
  */
 class AssignOperation extends Assignment, @assign_op_expr {
@@ -94,134 +94,147 @@ class AssignOperation extends Assignment, @assign_op_expr {
 }
 
 /**
- * A compound assignment operation that invokes an operator.
+ * A compound assignment expression that invokes an operator.
  *
  * (1) `x += y` invokes the compound assignment operator `+=` (if it exists).
  * (2) `x += y` invokes the operator `+` and assigns `x + y` to `x`.
  *
- * Either an arithmetic assignment operation (`AssignArithmeticOperation`) or a bitwise
- * assignment operation (`AssignBitwiseOperation`).
+ * Either an arithmetic assignment expression (`AssignArithmeticExpr`) or a bitwise
+ * assignment expression (`AssignBitwiseExpr`).
  */
-class AssignCallOperation extends AssignOperation, OperatorCall, QualifiableExpr,
-  @assign_op_call_expr
-{
+class AssignCallExpr extends AssignOperation, OperatorCall, QualifiableExpr, @assign_op_call_expr {
   override string toString() { result = AssignOperation.super.toString() }
 }
 
 /**
- * An arithmetic assignment operation. Either an addition assignment operation
- * (`AssignAddExpr`), a subtraction assignment operation (`AssignSubExpr`), a
- * multiplication assignment operation (`AssignMulExpr`), a division assignment
- * operation (`AssignDivExpr`), or a remainder assignment operation
- * (`AssignRemExpr`).
+ * DEPRECATED: Use `AssignCallExpr` instead.
  */
-class AssignArithmeticOperation extends AssignCallOperation, @assign_arith_expr { }
+deprecated class AssignCallOperation = AssignCallExpr;
 
 /**
- * An addition assignment operation, for example `x += y`.
+ * An arithmetic assignment expression. Either an addition assignment expression
+ * (`AssignAddExpr`), a subtraction assignment expression (`AssignSubExpr`), a
+ * multiplication assignment expression (`AssignMulExpr`), a division assignment
+ * expression (`AssignDivExpr`), or a remainder assignment expression
+ * (`AssignRemExpr`).
  */
-class AssignAddExpr extends AssignArithmeticOperation, AddOperation, @assign_add_expr {
+class AssignArithmeticExpr extends AssignCallExpr, @assign_arith_expr { }
+
+/**
+ * DEPRECATED: Use `AssignArithmeticExpr` instead.
+ */
+deprecated class AssignArithmeticOperation = AssignArithmeticExpr;
+
+/**
+ * An addition assignment expression, for example `x += y`.
+ */
+class AssignAddExpr extends AssignArithmeticExpr, AddOperation, @assign_add_expr {
   override string getOperator() { result = "+=" }
 
   override string getAPrimaryQlClass() { result = "AssignAddExpr" }
 }
 
 /**
- * A subtraction assignment operation, for example `x -= y`.
+ * A subtraction assignment expression, for example `x -= y`.
  */
-class AssignSubExpr extends AssignArithmeticOperation, SubOperation, @assign_sub_expr {
+class AssignSubExpr extends AssignArithmeticExpr, SubOperation, @assign_sub_expr {
   override string getOperator() { result = "-=" }
 
   override string getAPrimaryQlClass() { result = "AssignSubExpr" }
 }
 
 /**
- * An multiplication assignment operation, for example `x *= y`.
+ * A multiplication assignment expression, for example `x *= y`.
  */
-class AssignMulExpr extends AssignArithmeticOperation, MulOperation, @assign_mul_expr {
+class AssignMulExpr extends AssignArithmeticExpr, MulOperation, @assign_mul_expr {
   override string getOperator() { result = "*=" }
 
   override string getAPrimaryQlClass() { result = "AssignMulExpr" }
 }
 
 /**
- * An division assignment operation, for example `x /= y`.
+ * A division assignment expression, for example `x /= y`.
  */
-class AssignDivExpr extends AssignArithmeticOperation, DivOperation, @assign_div_expr {
+class AssignDivExpr extends AssignArithmeticExpr, DivOperation, @assign_div_expr {
   override string getOperator() { result = "/=" }
 
   override string getAPrimaryQlClass() { result = "AssignDivExpr" }
 }
 
 /**
- * A remainder assignment operation, for example `x %= y`.
+ * A remainder assignment expression, for example `x %= y`.
  */
-class AssignRemExpr extends AssignArithmeticOperation, RemOperation, @assign_rem_expr {
+class AssignRemExpr extends AssignArithmeticExpr, RemOperation, @assign_rem_expr {
   override string getOperator() { result = "%=" }
 
   override string getAPrimaryQlClass() { result = "AssignRemExpr" }
 }
 
 /**
- * A bitwise assignment operation. Either a bitwise-and assignment
- * operation (`AssignAndExpr`), a bitwise-or assignment
- * operation (`AssignOrExpr`), a bitwise exclusive-or assignment
- * operation (`AssignXorExpr`), a left-shift assignment
- * operation (`AssignLeftShiftExpr`), or a right-shift assignment
- * operation (`AssignRightShiftExpr`), or an unsigned right-shift assignment
- * operation (`AssignUnsignedRightShiftExpr`).
+ * A bitwise assignment expression. Either a bitwise-and assignment
+ * expression (`AssignAndExpr`), a bitwise-or assignment
+ * expression (`AssignOrExpr`), a bitwise exclusive-or assignment
+ * expression (`AssignXorExpr`), a left-shift assignment
+ * expression (`AssignLeftShiftExpr`), or a right-shift assignment
+ * expression (`AssignRightShiftExpr`), or an unsigned right-shift assignment
+ * expression (`AssignUnsignedRightShiftExpr`).
  */
-class AssignBitwiseOperation extends AssignCallOperation, @assign_bitwise_expr { }
+class AssignBitwiseExpr extends AssignCallExpr, @assign_bitwise_expr { }
 
 /**
- * A bitwise-and assignment operation, for example `x &= y`.
+ * DEPRECATED: Use `AssignBitwiseExpr` instead.
  */
-class AssignAndExpr extends AssignBitwiseOperation, BitwiseAndOperation, @assign_and_expr {
+deprecated class AssignBitwiseOperation = AssignBitwiseExpr;
+
+/**
+ * A bitwise-and assignment expression, for example `x &= y`.
+ */
+class AssignAndExpr extends AssignBitwiseExpr, BitwiseAndOperation, @assign_and_expr {
   override string getOperator() { result = "&=" }
 
   override string getAPrimaryQlClass() { result = "AssignAndExpr" }
 }
 
 /**
- * A bitwise-or assignment operation, for example `x |= y`.
+ * A bitwise-or assignment expression, for example `x |= y`.
  */
-class AssignOrExpr extends AssignBitwiseOperation, BitwiseOrOperation, @assign_or_expr {
+class AssignOrExpr extends AssignBitwiseExpr, BitwiseOrOperation, @assign_or_expr {
   override string getOperator() { result = "|=" }
 
   override string getAPrimaryQlClass() { result = "AssignOrExpr" }
 }
 
 /**
- * A bitwise exclusive-or assignment operation, for example `x ^= y`.
+ * A bitwise exclusive-or assignment expression, for example `x ^= y`.
  */
-class AssignXorExpr extends AssignBitwiseOperation, BitwiseXorOperation, @assign_xor_expr {
+class AssignXorExpr extends AssignBitwiseExpr, BitwiseXorOperation, @assign_xor_expr {
   override string getOperator() { result = "^=" }
 
   override string getAPrimaryQlClass() { result = "AssignXorExpr" }
 }
 
 /**
- * A left-shift assignment operation, for example `x <<= y`.
+ * A left-shift assignment expression, for example `x <<= y`.
  */
-class AssignLeftShiftExpr extends AssignBitwiseOperation, LeftShiftOperation, @assign_lshift_expr {
+class AssignLeftShiftExpr extends AssignBitwiseExpr, LeftShiftOperation, @assign_lshift_expr {
   override string getOperator() { result = "<<=" }
 
   override string getAPrimaryQlClass() { result = "AssignLeftShiftExpr" }
 }
 
 /**
- * A right-shift assignment operation, for example `x >>= y`.
+ * A right-shift assignment expression, for example `x >>= y`.
  */
-class AssignRightShiftExpr extends AssignBitwiseOperation, RightShiftOperation, @assign_rshift_expr {
+class AssignRightShiftExpr extends AssignBitwiseExpr, RightShiftOperation, @assign_rshift_expr {
   override string getOperator() { result = ">>=" }
 
   override string getAPrimaryQlClass() { result = "AssignRightShiftExpr" }
 }
 
 /**
- * An unsigned right-shift assignment operation, for example `x >>>= y`.
+ * An unsigned right-shift assignment expression, for example `x >>>= y`.
  */
-class AssignUnsignedRightShiftExpr extends AssignBitwiseOperation, UnsignedRightShiftOperation,
+class AssignUnsignedRightShiftExpr extends AssignBitwiseExpr, UnsignedRightShiftOperation,
   @assign_urshift_expr
 {
   override string getOperator() { result = ">>>=" }
@@ -297,10 +310,10 @@ class RemoveEventExpr extends AddOrRemoveEventExpr, @remove_event_expr {
 }
 
 /**
- * A null-coalescing assignment operation, for example `x ??= y`.
+ * A null-coalescing assignment expression, for example `x ??= y`.
  */
 class AssignCoalesceExpr extends AssignOperation, NullCoalescingOperation, @assign_coalesce_expr {
-  override string toString() { result = "... ??= ..." }
+  override string getOperator() { result = "??=" }
 
   override string getAPrimaryQlClass() { result = "AssignCoalesceExpr" }
 }

csharp/ql/lib/semmle/code/csharp/exprs/BitwiseOperation.qll

@@ -10,16 +10,16 @@ import Expr
  * A bitwise operation. Either a unary bitwise operation (`UnaryBitwiseOperation`)
  * or a binary bitwise operation (`BinaryBitwiseOperation`).
  */
-class BitwiseOperation extends Operation, @bit_expr { }
+class BitwiseOperation extends Operation, @bit_operation { }
 
 /**
  * A unary bitwise operation, that is, a bitwise complement operation
  * (`ComplementExpr`).
  */
-class UnaryBitwiseOperation extends BitwiseOperation, UnaryOperation, @un_bit_op_expr { }
+class UnaryBitwiseOperation extends BitwiseOperation, UnaryOperation, @un_bit_operation { }
 
 /**
- * A bitwise complement operation, for example `~x`.
+ * A bitwise complement expression, for example `~x`.
  */
 class ComplementExpr extends UnaryBitwiseOperation, @bit_not_expr {
   override string getOperator() { result = "~" }
@@ -28,67 +28,101 @@ class ComplementExpr extends UnaryBitwiseOperation, @bit_not_expr {
 }
 
 /**
- * A binary bitwise operation. Either a bitwise-and operation
- * (`BitwiseAndExpr`), a bitwise-or operation (`BitwiseOrExpr`),
- * a bitwise exclusive-or operation (`BitwiseXorExpr`), a left-shift
- * operation (`LeftShiftExpr`), a right-shift operation (`RightShiftExpr`),
- * or an unsigned right-shift operation (`UnsignedRightShiftExpr`).
+ * A binary bitwise operation. Either a binary bitwise expression (`BinaryBitwiseExpr`) or
+ * a bitwise assignment expression (`AssignBitwiseExpr`).
  */
-class BinaryBitwiseOperation extends BitwiseOperation, BinaryOperation, @bin_bit_op_expr {
+class BinaryBitwiseOperation extends BitwiseOperation, BinaryOperation, @bin_bit_operation {
   override string getOperator() { none() }
 }
 
 /**
- * A left-shift operation, for example `x << y`.
+ * A bitwise-and operation, either `x & y` or `x &= y`.
  */
-class LeftShiftExpr extends BinaryBitwiseOperation, LeftShiftOperation, @lshift_expr {
+class BitwiseAndOperation extends BinaryBitwiseOperation, @and_operation { }
+
+/**
+ * A bitwise-or operation, either `x | y` or `x |= y`.
+ */
+class BitwiseOrOperation extends BinaryBitwiseOperation, @or_operation { }
+
+/**
+ * A bitwise exclusive-or operation, either `x ^ y` or `x ^= y`.
+ */
+class BitwiseXorOperation extends BinaryBitwiseOperation, @xor_operation { }
+
+/**
+ * A left-shift operation, either `x << y` or `x <<= y`.
+ */
+class LeftShiftOperation extends BinaryBitwiseOperation, @lshift_operation { }
+
+/**
+ * A right-shift operation, either `x >> y` or `x >>= y`.
+ */
+class RightShiftOperation extends BinaryBitwiseOperation, @rshift_operation { }
+
+/**
+ * An unsigned right-shift operation, either `x >>> y` or `x >>>= y`.
+ */
+class UnsignedRightShiftOperation extends BinaryBitwiseOperation, @urshift_operation { }
+
+/**
+ * A binary bitwise expression. Either a bitwise-and expression
+ * (`BitwiseAndExpr`), a bitwise-or expression (`BitwiseOrExpr`),
+ * a bitwise exclusive-or expression (`BitwiseXorExpr`), a left-shift
+ * expression (`LeftShiftExpr`), a right-shift expression (`RightShiftExpr`),
+ * or an unsigned right-shift expression (`UnsignedRightShiftExpr`).
+ */
+class BinaryBitwiseExpr extends BinaryBitwiseOperation, @bin_bit_expr { }
+
+/**
+ * A left-shift expression, for example `x << y`.
+ */
+class LeftShiftExpr extends BinaryBitwiseExpr, LeftShiftOperation, @lshift_expr {
   override string getOperator() { result = "<<" }
 
   override string getAPrimaryQlClass() { result = "LeftShiftExpr" }
 }
 
 /**
- * A right-shift operation, for example `x >> y`.
+ * A right-shift expression, for example `x >> y`.
  */
-class RightShiftExpr extends BinaryBitwiseOperation, RightShiftOperation, @rshift_expr {
+class RightShiftExpr extends BinaryBitwiseExpr, RightShiftOperation, @rshift_expr {
   override string getOperator() { result = ">>" }
 
   override string getAPrimaryQlClass() { result = "RightShiftExpr" }
 }
 
 /**
- * An unsigned right-shift operation, for example `x >>> y`.
+ * An unsigned right-shift expression, for example `x >>> y`.
  */
-class UnsignedRightShiftExpr extends BinaryBitwiseOperation, UnsignedRightShiftOperation,
-  @urshift_expr
-{
+class UnsignedRightShiftExpr extends BinaryBitwiseExpr, UnsignedRightShiftOperation, @urshift_expr {
   override string getOperator() { result = ">>>" }
 
   override string getAPrimaryQlClass() { result = "UnsignedRightShiftExpr" }
 }
 
 /**
- * A bitwise-and operation, for example `x & y`.
+ * A bitwise-and expression, for example `x & y`.
  */
-class BitwiseAndExpr extends BinaryBitwiseOperation, BitwiseAndOperation, @bit_and_expr {
+class BitwiseAndExpr extends BinaryBitwiseExpr, BitwiseAndOperation, @bit_and_expr {
   override string getOperator() { result = "&" }
 
   override string getAPrimaryQlClass() { result = "BitwiseAndExpr" }
 }
 
 /**
- * A bitwise-or operation, for example `x | y`.
+ * A bitwise-or expression, for example `x | y`.
  */
-class BitwiseOrExpr extends BinaryBitwiseOperation, BitwiseOrOperation, @bit_or_expr {
+class BitwiseOrExpr extends BinaryBitwiseExpr, BitwiseOrOperation, @bit_or_expr {
   override string getOperator() { result = "|" }
 
   override string getAPrimaryQlClass() { result = "BitwiseOrExpr" }
 }
 
 /**
- * A bitwise exclusive-or operation, for example `x ^ y`.
+ * A bitwise exclusive-or expression, for example `x ^ y`.
  */
-class BitwiseXorExpr extends BinaryBitwiseOperation, BitwiseXorOperation, @bit_xor_expr {
+class BitwiseXorExpr extends BinaryBitwiseExpr, BitwiseXorOperation, @bit_xor_expr {
   override string getOperator() { result = "^" }
 
   override string getAPrimaryQlClass() { result = "BitwiseXorExpr" }

csharp/ql/lib/semmle/code/csharp/exprs/Call.qll

@@ -609,7 +609,7 @@ class InstanceMutatorOperatorCall extends MutatorOperatorCall {
  * }
  * ```
  */
-class CompoundAssignmentOperatorCall extends AssignCallOperation {
+class CompoundAssignmentOperatorCall extends AssignCallExpr {
   CompoundAssignmentOperatorCall() { this.getTarget() instanceof CompoundAssignmentOperator }
 
   override Expr getArgument(int i) { result = this.getChildExpr(i + 1) and i >= 0 }
@@ -762,20 +762,12 @@ class AccessorCall extends Call, QualifiableExpr, @call_access_expr {
  */
 class PropertyCall extends AccessorCall, PropertyAccessExpr {
   override Accessor getReadTarget() {
-    this instanceof AssignableRead and result = this.getProperty().getGetter()
+    this instanceof AssignableRead and result = this.getProperty().getReadTarget()
   }
 
   override Accessor getWriteTarget() {
     this instanceof AssignableWrite and
-    exists(Property p | p = this.getProperty() |
-      result = p.getSetter()
-      or
-      result =
-        any(Getter g |
-          g = p.getGetter() and
-          g.getAnnotatedReturnType().isRef()
-        )
-    )
+    result = this.getProperty().getWriteTarget()
   }
 
   override Expr getArgument(int i) {
@@ -806,20 +798,12 @@ class PropertyCall extends AccessorCall, PropertyAccessExpr {
  */
 class IndexerCall extends AccessorCall, IndexerAccessExpr {
   override Accessor getReadTarget() {
-    this instanceof AssignableRead and result = this.getIndexer().getGetter()
+    this instanceof AssignableRead and result = this.getIndexer().getReadTarget()
   }
 
   override Accessor getWriteTarget() {
     this instanceof AssignableWrite and
-    exists(Indexer i | i = this.getIndexer() |
-      result = i.getSetter()
-      or
-      result =
-        any(Getter g |
-          g = i.getGetter() and
-          g.getAnnotatedReturnType().isRef()
-        )
-    )
+    result = this.getIndexer().getWriteTarget()
   }
 
   override Expr getArgument(int i) {

csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll

@@ -14,7 +14,6 @@ import Creation
 import Dynamic
 import Literal
 import LogicalOperation
-import Operation
 import semmle.code.csharp.controlflow.ControlFlowElement
 import semmle.code.csharp.Location
 import semmle.code.csharp.Stmt
@@ -212,7 +211,7 @@ class LocalConstantDeclExpr extends LocalVariableDeclExpr {
  * (`UnaryOperation`), a binary operation (`BinaryOperation`), or a
  * ternary operation (`TernaryOperation`).
  */
-class Operation extends Expr, @op_expr {
+class Operation extends Expr, @operation_expr {
   /** Gets the name of the operator in this operation. */
   string getOperator() { none() }
 
@@ -227,7 +226,7 @@ class Operation extends Expr, @op_expr {
  * indirection operation (`PointerIndirectionExpr`), an address-of operation
  * (`AddressOfExpr`), or a unary logical operation (`UnaryLogicalOperation`).
  */
-class UnaryOperation extends Operation, @un_op {
+class UnaryOperation extends Operation, @un_operation {
   /** Gets the operand of this unary operation. */
   Expr getOperand() { result = this.getChild(0) }
 
@@ -241,7 +240,7 @@ class UnaryOperation extends Operation, @un_op {
  * a binary logical operation (`BinaryLogicalOperation`), or an
  * assignment (`Assignment`).
  */
-class BinaryOperation extends Operation, @bin_op {
+class BinaryOperation extends Operation, @bin_operation {
   /** Gets the left operand of this binary operation. */
   Expr getLeftOperand() { result = this.getChild(0) }
 
@@ -264,7 +263,7 @@ class BinaryOperation extends Operation, @bin_op {
  * A ternary operation, that is, a ternary conditional operation
  * (`ConditionalExpr`).
  */
-class TernaryOperation extends Operation, @ternary_op { }
+class TernaryOperation extends Operation, @ternary_operation { }
 
 /**
  * A parenthesized expression, for example `(2 + 3)` in

csharp/ql/lib/semmle/code/csharp/exprs/LogicalOperation.qll

@@ -11,14 +11,14 @@ import Expr
  * a binary logical operation (`BinaryLogicalOperation`), or a ternary logical
  * operation (`TernaryLogicalOperation`).
  */
-class LogicalOperation extends Operation, @log_expr {
+class LogicalOperation extends Operation, @log_operation {
   override string getOperator() { none() }
 }
 
 /**
  * A unary logical operation, that is, a logical 'not' (`LogicalNotExpr`).
  */
-class UnaryLogicalOperation extends LogicalOperation, UnaryOperation, @un_log_op_expr { }
+class UnaryLogicalOperation extends LogicalOperation, UnaryOperation, @un_log_operation { }
 
 /**
  * A logical 'not', for example `!String.IsNullOrEmpty(s)`.
@@ -31,10 +31,10 @@ class LogicalNotExpr extends UnaryLogicalOperation, @log_not_expr {
 
 /**
  * A binary logical operation. Either a logical 'and' (`LogicalAndExpr`),
- * a logical 'or' (`LogicalAndExpr`), or a null-coalescing operation
- * (`NullCoalescingExpr`).
+ * a logical 'or' (`LogicalOrExpr`), or a null-coalescing operation
+ * (`NullCoalescingOperation`).
  */
-class BinaryLogicalOperation extends LogicalOperation, BinaryOperation, @bin_log_op_expr {
+class BinaryLogicalOperation extends LogicalOperation, BinaryOperation, @bin_log_operation {
   override string getOperator() { none() }
 }
 
@@ -57,7 +57,12 @@ class LogicalOrExpr extends BinaryLogicalOperation, @log_or_expr {
 }
 
 /**
- * A null-coalescing operation, for example `s ?? ""` on line 2 in
+ * A null-coalescing operation, either `x ?? y` or `x ??= y`.
+ */
+class NullCoalescingOperation extends BinaryLogicalOperation, @null_coalescing_operation { }
+
+/**
+ * A null-coalescing expression, for example `s ?? ""` on line 2 in
  *
  * ```csharp
  * string NonNullOrEmpty(string s) {
@@ -65,9 +70,7 @@ class LogicalOrExpr extends BinaryLogicalOperation, @log_or_expr {
  * }
  * ```
  */
-class NullCoalescingExpr extends BinaryLogicalOperation, NullCoalescingOperation,
-  @null_coalescing_expr
-{
+class NullCoalescingExpr extends NullCoalescingOperation, @null_coalescing_expr {
   override string getOperator() { result = "??" }
 
   override string getAPrimaryQlClass() { result = "NullCoalescingExpr" }
@@ -77,7 +80,7 @@ class NullCoalescingExpr extends BinaryLogicalOperation, NullCoalescingOperation
  * A ternary logical operation, that is, a ternary conditional expression
  * (`ConditionalExpr`).
  */
-class TernaryLogicalOperation extends LogicalOperation, TernaryOperation, @ternary_log_op_expr { }
+class TernaryLogicalOperation extends LogicalOperation, TernaryOperation, @ternary_log_operation { }
 
 /**
  * A conditional expression, for example `s != null ? s.Length : -1`

csharp/ql/lib/semmle/code/csharp/exprs/Operation.qll

@@ -1,71 +1,6 @@
 /**
  * Provides classes for operations that also have compound assignment forms.
  */
+deprecated module;
 
 import Expr
-
-/**
- * An addition operation, either `x + y` or `x += y`.
- */
-class AddOperation extends BinaryOperation, @add_operation { }
-
-/**
- * A subtraction operation, either `x - y` or `x -= y`.
- */
-class SubOperation extends BinaryOperation, @sub_operation { }
-
-/**
- * A multiplication operation, either `x * y` or `x *= y`.
- */
-class MulOperation extends BinaryOperation, @mul_operation { }
-
-/**
- * A division operation, either `x / y` or `x /= y`.
- */
-class DivOperation extends BinaryOperation, @div_operation {
-  /** Gets the numerator of this division operation. */
-  Expr getNumerator() { result = this.getLeftOperand() }
-
-  /** Gets the denominator of this division operation. */
-  Expr getDenominator() { result = this.getRightOperand() }
-}
-
-/**
- * A remainder operation, either `x % y` or `x %= y`.
- */
-class RemOperation extends BinaryOperation, @rem_operation { }
-
-/**
- * A bitwise-and operation, either `x & y` or `x &= y`.
- */
-class BitwiseAndOperation extends BinaryOperation, @and_operation { }
-
-/**
- * A bitwise-or operation, either `x | y` or `x |= y`.
- */
-class BitwiseOrOperation extends BinaryOperation, @or_operation { }
-
-/**
- * A bitwise exclusive-or operation, either `x ^ y` or `x ^= y`.
- */
-class BitwiseXorOperation extends BinaryOperation, @xor_operation { }
-
-/**
- * A left-shift operation, either `x << y` or `x <<= y`.
- */
-class LeftShiftOperation extends BinaryOperation, @lshift_operation { }
-
-/**
- * A right-shift operation, either `x >> y` or `x >>= y`.
- */
-class RightShiftOperation extends BinaryOperation, @rshift_operation { }
-
-/**
- * An unsigned right-shift operation, either `x >>> y` or `x >>>= y`.
- */
-class UnsignedRightShiftOperation extends BinaryOperation, @urshift_operation { }
-
-/**
- * A null-coalescing operation, either `x ?? y` or `x ??= y`.
- */
-class NullCoalescingOperation extends BinaryOperation, @null_coalescing_operation { }

csharp/ql/lib/semmle/code/csharp/security/dataflow/flowsources/Remote.qll

@@ -13,6 +13,7 @@ private import semmle.code.csharp.frameworks.system.web.ui.WebControls
 private import semmle.code.csharp.frameworks.WCF
 private import semmle.code.csharp.frameworks.microsoft.Owin
 private import semmle.code.csharp.frameworks.microsoft.AspNetCore
+private import semmle.code.csharp.frameworks.Razor
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
 private import semmle.code.csharp.security.dataflow.flowsources.FlowSources
 
@@ -314,6 +315,22 @@ class AspNetCoreActionMethodParameter extends AspNetCoreRemoteFlowSource, DataFl
   override string getSourceType() { result = "ASP.NET Core MVC action method parameter" }
 }
 
+/** A parameter to a Razor Page handler method, viewed as a source of remote user input. */
+class AspNetCorePageHandlerMethodParameter extends AspNetCoreRemoteFlowSource,
+  DataFlow::ParameterNode
+{
+  AspNetCorePageHandlerMethodParameter() {
+    exists(Parameter p |
+      p = this.getParameter() and
+      p.fromSource()
+    |
+      p = any(PageModelClass pm).getAHandlerMethod().getAParameter()
+    )
+  }
+
+  override string getSourceType() { result = "ASP.NET Core Razor Page handler method parameter" }
+}
+
 private class ExternalRemoteFlowSource extends RemoteFlowSource {
   ExternalRemoteFlowSource() { sourceNode(this, "remote") }
 

csharp/ql/lib/semmlecode.csharp.dbscheme

@@ -219,7 +219,7 @@ overlayChangedFiles(
 /** ELEMENTS **/
 
 @element = @declaration | @stmt | @expr | @modifier | @attribute | @namespace_declaration
-         | @using_directive | @type_parameter_constraints | @externalDataElement
+         | @using_directive | @type_parameter_constraints | @type_mention | @externalDataElement
          | @xmllocatable | @asp_element | @namespace | @preprocessor_directive;
 
 @declaration = @callable | @generic | @assignable | @namespace;
@@ -1254,33 +1254,39 @@ case @expr.kind of
 
 @delegate_creation_expr = @explicit_delegate_creation_expr | @implicit_delegate_creation_expr;
 
-@bin_arith_op_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
-@incr_op_expr =  @pre_incr_expr | @post_incr_expr;
-@decr_op_expr =  @pre_decr_expr | @post_decr_expr;
-@mut_op_expr = @incr_op_expr | @decr_op_expr;
-@un_arith_op_expr = @plus_expr | @minus_expr | @mut_op_expr;
-@arith_op_expr = @bin_arith_op_expr | @un_arith_op_expr;
+@bin_arith_expr = @mul_expr | @div_expr | @rem_expr | @add_expr | @sub_expr;
+@bin_arith_operation = @mul_operation | @div_operation | @rem_operation | @add_operation | @sub_operation;
 
-@ternary_log_op_expr = @conditional_expr;
-@bin_log_op_expr = @log_and_expr | @log_or_expr | @null_coalescing_expr;
-@un_log_op_expr = @log_not_expr;
-@log_expr = @un_log_op_expr | @bin_log_op_expr | @ternary_log_op_expr;
+@incr_operation =  @pre_incr_expr | @post_incr_expr;
+@decr_operation =  @pre_decr_expr | @post_decr_expr;
+@mut_operation = @incr_operation | @decr_operation;
+@un_arith_operation = @plus_expr | @minus_expr | @mut_operation;
+@arith_operation = @bin_arith_operation | @un_arith_operation;
 
-@bin_bit_op_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
-                 | @rshift_expr | @urshift_expr;
-@un_bit_op_expr = @bit_not_expr;
-@bit_expr = @un_bit_op_expr | @bin_bit_op_expr;
+@ternary_log_operation = @conditional_expr;
+@bin_log_operation = @log_and_expr | @log_or_expr | @null_coalescing_operation;
+@un_log_operation = @log_not_expr;
+@log_operation = @un_log_operation | @bin_log_operation | @ternary_log_operation;
+
+@bin_bit_expr =  @bit_and_expr | @bit_or_expr | @bit_xor_expr | @lshift_expr
+              | @rshift_expr | @urshift_expr;
+@bin_bit_operation = @and_operation | @or_operation | @xor_operation | @lshift_operation
+              | @rshift_operation | @urshift_operation;
+@un_bit_expr = @bit_not_expr;
+@un_bit_operation = @un_bit_expr;
+@bit_expr = @un_bit_expr | @bin_bit_expr;
+@bit_operation = @un_bit_operation | @bin_bit_operation;
 
 @equality_op_expr =  @eq_expr | @ne_expr;
 @rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
 @comp_expr = @equality_op_expr | @rel_op_expr;
 
-@op_expr = @un_op | @bin_op | @ternary_op;
+@operation_expr = @un_operation | @bin_operation | @ternary_operation;
 
-@ternary_op = @ternary_log_op_expr;
-@bin_op = @assign_expr | @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
-@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
-       | @pointer_indirection_expr | @address_of_expr;
+@ternary_operation = @ternary_log_operation;
+@bin_operation = @assign_expr | @bin_arith_operation | @bin_log_operation | @bin_bit_operation | @comp_expr;
+@un_operation = @un_arith_operation | @un_log_operation | @un_bit_operation | @sizeof_expr
+              | @pointer_indirection_expr | @address_of_expr;
 
 @anonymous_function_expr = @lambda_expr | @anonymous_method_expr;
 
@@ -1363,7 +1369,7 @@ compiler_generated(unique int id: @element ref);
 
 /** CONTROL/DATA FLOW **/
 
-@control_flow_element = @stmt | @expr | @parameter;
+@control_flow_element = @stmt | @expr | @parameter | @type_mention;
 
 /* XML Files */
 

csharp/ql/lib/upgrades/3cabc77473cbbda95edebafea345c2e3fdfa12d9/upgrade.properties

@@ -0,0 +1,2 @@
+description: Restructure and rename types related to operations.
+compatibility: full

csharp/ql/src/Telemetry/DatabaseQuality.qll

@@ -63,7 +63,7 @@ module CallTargetStats implements StatsSig {
 
   additional predicate isNotOkCall(Call c) {
     not exists(c.getTarget()) and
-    not c instanceof DelegateCall and
+    not c instanceof DelegateLikeCall and
     not c instanceof DynamicExpr and
     not isNoSetterPropertyCallInConstructor(c) and
     not isNoSetterPropertyInitialization(c) and

csharp/ql/test/library-tests/csharp11/operators.expected

@@ -1,6 +1,7 @@
 binarybitwise
 | Operators.cs:7:18:7:25 | ... >>> ... | Operators.cs:7:18:7:19 | access to local variable x1 | Operators.cs:7:25:7:25 | 2 | >>> | UnsignedRightShiftExpr |
 | Operators.cs:10:18:10:25 | ... >>> ... | Operators.cs:10:18:10:19 | access to local variable y1 | Operators.cs:10:25:10:25 | 3 | >>> | UnsignedRightShiftExpr |
+| Operators.cs:13:9:13:16 | ... >>>= ... | Operators.cs:13:9:13:9 | access to local variable z | Operators.cs:13:16:13:16 | 5 | >>>= | AssignUnsignedRightShiftExpr |
 assignbitwise
 | Operators.cs:13:9:13:16 | ... >>>= ... | Operators.cs:13:9:13:9 | access to local variable z | Operators.cs:13:16:13:16 | 5 | >>>= | AssignUnsignedRightShiftExpr |
 userdefined

csharp/ql/test/library-tests/csharp11/operators.ql

@@ -11,7 +11,7 @@ query predicate binarybitwise(
 }
 
 query predicate assignbitwise(
-  AssignBitwiseOperation op, Expr left, Expr right, string name, string qlclass
+  AssignBitwiseExpr op, Expr left, Expr right, string name, string qlclass
 ) {
   op.getFile().getStem() = "Operators" and
   left = op.getLeftOperand() and

csharp/ql/test/library-tests/csharp6/PrintAst.expected

@@ -101,6 +101,7 @@ csharp6.cs:
 #   32|                   0: [IntLiteral] 2
 #   32|                 0: [IntLiteral] 1
 #   34|         1: [SpecificCatchClause] catch (...) {...}
+#   34|           0: [TypeMention] IndexOutOfRangeException
 #   35|           1: [BlockStmt] {...}
 #   34|           2: [EQExpr] ... == ...
 #   34|             0: [PropertyCall] access to property Value

csharp/ql/test/library-tests/dataflow/external-models/ExternalFlow.cs

@@ -442,4 +442,31 @@ namespace My.Qltest
 
         static void Sink(object o) { }
     }
+
+    // Test operator overloads
+    public class N
+    {
+        public void operator +=(N y) => throw null;
+
+        public void operator checked +=(N y) => throw null;
+
+        public void M1(N n)
+        {
+            var n0 = new N();
+            n += n0;
+            Sink(n);
+        }
+
+        public void M2(N n)
+        {
+            var n0 = new N();
+            checked
+            {
+                n += n0;
+            }
+            Sink(n);
+        }
+
+        static void Sink(object o) { }
+    }
 }