Python: inline init_module_submodule_defn into ImportResolution

The new-dataflow ImportResolution module only used
semmle.python.essa.SsaDefinitions for the 5-line helper predicate
SsaSource::init_module_submodule_defn. Inline it locally and drop the
dependency on legacy SsaDefinitions. This is the only remaining direct
import of semmle.python.essa.* in the new dataflow stack, so dropping
it makes the layering cleaner.

Semantic noop on the current SSA: SsaSourceVariable.getName() and
GlobalVariable.getId() both project the same DB column
(variable(_,_,result)), and the old call's 'init.getEntryNode() = f'
join was just constraining init = package via Scope.getEntryNode()'s
functional uniqueness. RA dump of accesses.ql confirms only the
expected predicate-rename shuffle; all 70 dataflow + ApiGraphs library
tests pass.

This factors out commit 8cab5a20f2 from the larger shared-CFG
migration #21925.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

MODULE.bazel

@@ -100,63 +100,63 @@ use_repo(
 tree_sitter_extractors_deps = use_extension("//misc/bazel/3rdparty:tree_sitter_extractors_extension.bzl", "r")
 use_repo(
     tree_sitter_extractors_deps,
-    "vendor_ts__anyhow-1.0.102",
-    "vendor_ts__argfile-1.0.0",
-    "vendor_ts__cc-1.2.62",
+    "vendor_ts__anyhow-1.0.100",
+    "vendor_ts__argfile-0.2.1",
+    "vendor_ts__cc-1.2.61",
     "vendor_ts__chalk-ir-0.104.0",
-    "vendor_ts__chrono-0.4.44",
-    "vendor_ts__clap-4.6.1",
+    "vendor_ts__chrono-0.4.42",
+    "vendor_ts__clap-4.5.48",
     "vendor_ts__dunce-1.0.5",
-    "vendor_ts__either-1.16.0",
+    "vendor_ts__either-1.15.0",
     "vendor_ts__encoding-0.2.33",
     "vendor_ts__figment-0.10.19",
-    "vendor_ts__flate2-1.1.9",
+    "vendor_ts__flate2-1.1.2",
     "vendor_ts__glob-0.3.3",
-    "vendor_ts__globset-0.4.18",
+    "vendor_ts__globset-0.4.16",
     "vendor_ts__itertools-0.14.0",
     "vendor_ts__lazy_static-1.5.0",
     "vendor_ts__mustache-0.9.0",
     "vendor_ts__num-traits-0.2.19",
     "vendor_ts__num_cpus-1.17.0",
-    "vendor_ts__proc-macro2-1.0.106",
-    "vendor_ts__quote-1.0.45",
-    "vendor_ts__ra_ap_base_db-0.0.328",
-    "vendor_ts__ra_ap_cfg-0.0.328",
-    "vendor_ts__ra_ap_hir-0.0.328",
-    "vendor_ts__ra_ap_hir_def-0.0.328",
-    "vendor_ts__ra_ap_hir_expand-0.0.328",
-    "vendor_ts__ra_ap_hir_ty-0.0.328",
-    "vendor_ts__ra_ap_ide_db-0.0.328",
-    "vendor_ts__ra_ap_intern-0.0.328",
-    "vendor_ts__ra_ap_load-cargo-0.0.328",
-    "vendor_ts__ra_ap_parser-0.0.328",
-    "vendor_ts__ra_ap_paths-0.0.328",
-    "vendor_ts__ra_ap_project_model-0.0.328",
-    "vendor_ts__ra_ap_span-0.0.328",
-    "vendor_ts__ra_ap_stdx-0.0.328",
-    "vendor_ts__ra_ap_syntax-0.0.328",
-    "vendor_ts__ra_ap_vfs-0.0.328",
-    "vendor_ts__rand-0.10.1",
-    "vendor_ts__rayon-1.12.0",
-    "vendor_ts__regex-1.12.3",
+    "vendor_ts__proc-macro2-1.0.101",
+    "vendor_ts__quote-1.0.41",
+    "vendor_ts__ra_ap_base_db-0.0.301",
+    "vendor_ts__ra_ap_cfg-0.0.301",
+    "vendor_ts__ra_ap_hir-0.0.301",
+    "vendor_ts__ra_ap_hir_def-0.0.301",
+    "vendor_ts__ra_ap_hir_expand-0.0.301",
+    "vendor_ts__ra_ap_hir_ty-0.0.301",
+    "vendor_ts__ra_ap_ide_db-0.0.301",
+    "vendor_ts__ra_ap_intern-0.0.301",
+    "vendor_ts__ra_ap_load-cargo-0.0.301",
+    "vendor_ts__ra_ap_parser-0.0.301",
+    "vendor_ts__ra_ap_paths-0.0.301",
+    "vendor_ts__ra_ap_project_model-0.0.301",
+    "vendor_ts__ra_ap_span-0.0.301",
+    "vendor_ts__ra_ap_stdx-0.0.301",
+    "vendor_ts__ra_ap_syntax-0.0.301",
+    "vendor_ts__ra_ap_vfs-0.0.301",
+    "vendor_ts__rand-0.9.2",
+    "vendor_ts__rayon-1.11.0",
+    "vendor_ts__regex-1.11.3",
     "vendor_ts__serde-1.0.228",
-    "vendor_ts__serde_json-1.0.150",
-    "vendor_ts__serde_with-3.20.0",
+    "vendor_ts__serde_json-1.0.145",
+    "vendor_ts__serde_with-3.14.1",
     "vendor_ts__serde_yaml-0.9.34-deprecated",
-    "vendor_ts__syn-2.0.117",
-    "vendor_ts__toml-1.1.2-spec-1.1.0",
-    "vendor_ts__tracing-0.1.44",
+    "vendor_ts__syn-2.0.106",
+    "vendor_ts__toml-0.9.7",
+    "vendor_ts__tracing-0.1.41",
     "vendor_ts__tracing-flame-0.2.0",
-    "vendor_ts__tracing-subscriber-0.3.23",
-    "vendor_ts__tree-sitter-0.26.9",
+    "vendor_ts__tracing-subscriber-0.3.20",
+    "vendor_ts__tree-sitter-0.26.8",
     "vendor_ts__tree-sitter-embedded-template-0.25.0",
-    "vendor_ts__tree-sitter-generate-0.26.9",
+    "vendor_ts__tree-sitter-generate-0.26.8",
     "vendor_ts__tree-sitter-json-0.24.8",
-    "vendor_ts__tree-sitter-language-0.1.7",
+    "vendor_ts__tree-sitter-language-0.1.5",
     "vendor_ts__tree-sitter-python-0.23.6",
     "vendor_ts__tree-sitter-ql-0.23.1",
     "vendor_ts__tree-sitter-ruby-0.23.1",
-    "vendor_ts__triomphe-0.1.15",
+    "vendor_ts__triomphe-0.1.14",
     "vendor_ts__ungrammar-1.16.1",
     "vendor_ts__zstd-0.13.3",
 )
@@ -164,12 +164,12 @@ use_repo(
 http_archive = use_repo_rule("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
 
 # rust-analyzer sources needed by the rust ast-generator (see `rust/ast-generator/README.md`)
-RUST_ANALYZER_SRC_TAG = "2026-04-13"
+RUST_ANALYZER_SRC_TAG = "2025-01-07"
 
 http_archive(
     name = "rust-analyzer-src",
     build_file = "//rust/ast-generator:BUILD.rust-analyzer-src.bazel",
-    integrity = "sha256-UB/+EVx/6j4VGvnb7jfRqPaoc7Uwci3rEt6il+2J1Ds=",
+    integrity = "sha256-eo8mIaUafZL8LOM65bDIIIXw1rNQ/P/x5RK/XUtgo5g=",
     patch_args = ["-p1"],
     patches = [
         "//rust/ast-generator:patches/rust-analyzer.patch",

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 0.4.37
+
+### Minor Analysis Improvements
+
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+
 ## 0.4.36
 
 ### Minor Analysis Improvements

actions/ql/lib/change-notes/released/0.4.37.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+## 0.4.37
+
+### Minor Analysis Improvements
+
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.36
+lastReleaseVersion: 0.4.37

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.37-dev
+version: 0.4.38-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,22 @@
+## 0.6.29
+
+### Query Metadata Changes
+
+* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
+
+### Major Analysis Improvements
+
+* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
+
+### Minor Analysis Improvements
+
+* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
+* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
+
+### Bug Fixes
+
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
+
 ## 0.6.28
 
 ### Query Metadata Changes

actions/ql/src/change-notes/2026-05-05-untrusted-checkout-high.md

@@ -1,4 +0,0 @@
----
-category: majorAnalysis
----
-* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.

actions/ql/src/change-notes/2026-05-12-sha256-pinned-actions.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-alert.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-helpfile.md

@@ -1,4 +0,0 @@
----
-category: fix
----
-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/src/change-notes/2026-05-14-further-iteration-untrusted-checkout-improvements-metadata.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.

actions/ql/src/change-notes/released/0.6.29.md

@@ -0,0 +1,18 @@
+## 0.6.29
+
+### Query Metadata Changes
+
+* Reversed adjustment of the name of `actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in `actions/untrusted-checkout/high` and `actions/untrusted-checkout/medium`.
+
+### Major Analysis Improvements
+
+* Adjusted `actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
+
+### Minor Analysis Improvements
+
+* Altered the alert message for clarity for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`.
+* The `actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
+
+### Bug Fixes
+
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.28
+lastReleaseVersion: 0.6.29

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.29-dev
+version: 0.6.30-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,19 @@
+## 10.2.0
+
+### Deprecated APIs
+
+* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.
+
+### New Features
+
+* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
+* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.
+
+### Minor Analysis Improvements
+
+* Added flow source models for `scanf_s` and related functions.
+* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.
+
 ## 10.1.1
 
 ### Minor Analysis Improvements

cpp/ql/lib/DefaultOptions.qll

@@ -30,8 +30,6 @@ class Options extends string {
   predicate overrideReturnsNull(Call call) {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup")
-    or
-    CustomOptions::overrideReturnsNull(call) // old Options.qll
   }
 
   /**
@@ -45,8 +43,6 @@ class Options extends string {
     // Used in CVS:
     call.(FunctionCall).getTarget().hasGlobalName("Xstrdup") and
     nullValue(call.getArgument(0))
-    or
-    CustomOptions::returnsNull(call) // old Options.qll
   }
 
   /**
@@ -65,8 +61,6 @@ class Options extends string {
     f.hasGlobalOrStdName([
         "exit", "_exit", "_Exit", "abort", "__assert_fail", "longjmp", "__builtin_unreachable"
       ])
-    or
-    CustomOptions::exits(f) // old Options.qll
   }
 
   /**
@@ -79,8 +73,7 @@ class Options extends string {
    * runtime, the program's behavior is undefined)
    */
   predicate exprExits(Expr e) {
-    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0 or
-    CustomOptions::exprExits(e) // old Options.qll
+    e.(AssumeExpr).getChild(0).(CompileTimeConstantInt).getIntValue() = 0
   }
 
   /**
@@ -88,10 +81,7 @@ class Options extends string {
    *
    * By default holds only for `fgets`.
    */
-  predicate alwaysCheckReturnValue(Function f) {
-    f.hasGlobalOrStdName("fgets") or
-    CustomOptions::alwaysCheckReturnValue(f) // old Options.qll
-  }
+  predicate alwaysCheckReturnValue(Function f) { f.hasGlobalOrStdName("fgets") }
 
   /**
    * Holds if it is reasonable to ignore the return value of function
@@ -107,8 +97,6 @@ class Options extends string {
     // common way of sleeping using select:
     fc.getTarget().hasGlobalName("select") and
     fc.getArgument(0).getValue() = "0"
-    or
-    CustomOptions::okToIgnoreReturnValue(fc) // old Options.qll
   }
 }
 

cpp/ql/lib/Options.qll

@@ -98,57 +98,3 @@ class CustomMutexType extends MutexType {
    */
   override predicate unlockAccess(FunctionCall fc, Expr arg) { none() }
 }
-
-/**
- * DEPRECATED: customize `CustomOptions.overrideReturnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate overrideReturnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.returnsNull` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate returnsNull(Call call) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exits(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.exprExits` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate exprExits(Expr e) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.alwaysCheckReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate alwaysCheckReturnValue(Function f) { none() }
-
-/**
- * DEPRECATED: customize `CustomOptions.okToIgnoreReturnValue` instead.
- *
- * This predicate is required to support backwards compatibility for
- * older `Options.qll` files.  It should not be removed or modified by
- * end users.
- */
-predicate okToIgnoreReturnValue(FunctionCall fc) { none() }

cpp/ql/lib/change-notes/2026-05-15-secure-scanf.md

@@ -1,5 +0,0 @@
----
-category: minorAnalysis
----
-* Added flow source models for `scanf_s` and related functions.
-* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.

cpp/ql/lib/change-notes/2026-05-16-alias-template.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.

cpp/ql/lib/change-notes/2026-05-18-alias-type.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.

cpp/ql/lib/change-notes/2026-05-21-generated-from.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.

cpp/ql/lib/change-notes/2026-05-27-deprecated-removal.md

@@ -0,0 +1,15 @@
+---
+category: breaking
+---
+* Removed the deprecated `overrideReturnsNull` predicate from `Options.qll`. Use `CustomOptions.overrideReturnsNull` instead.
+* Removed the deprecated `returnsNull` predicate from `Options.qll`. Use `CustomOptions.returnsNull` instead.
+* Removed the deprecated `exits` predicate from `Options.qll`. Use `CustomOptions.exits` instead.
+* Removed the deprecated `exprExits` predicate from `Options.qll`. Use `CustomOptions.exprExits` instead.
+* Removed the deprecated `alwaysCheckReturnValue` predicate from `Options.qll`. Use `CustomOptions.alwaysCheckReturnValue` instead.
+* Removed the deprecated `okToIgnoreReturnValue` predicate from `Options.qll`. Use `CustomOptions.okToIgnoreReturnValue` instead.
+* Removed the deprecated `semmle.code.cpp.Member`. Import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly.
+* Removed the deprecated `UnknownDefaultLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownExprLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `UnknownStmtLocation` class. Use `UnknownLocation` instead.
+* Removed the deprecated `TemplateParameter` class. Use `TypeTemplateParameter` instead.
+* Support for class resolution across link targets has been removed for databases which were created with CodeQL versions before 1.23.0.

cpp/ql/lib/change-notes/released/10.2.0.md

@@ -0,0 +1,15 @@
+## 10.2.0
+
+### Deprecated APIs
+
+* The `UsingAliasTypedefType` class has been deprecated. Use `TypeAliasType` instead.
+
+### New Features
+
+* Added a `getOriginalTemplate` predicate to `TemplateClass`, `TemplateFunction`, `TemplateVariable`, and `AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
+* Added `AliasTemplateType` and `AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.
+
+### Minor Analysis Improvements
+
+* Added flow source models for `scanf_s` and related functions.
+* Added a `Call` column to `LocalFlowSourceFunction::hasLocalFlowSource` and `RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a `Call` column continue to be supported.

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 10.1.1
+lastReleaseVersion: 10.2.0

cpp/ql/lib/cpp.qll

@@ -32,7 +32,6 @@ import semmle.code.cpp.Class
 import semmle.code.cpp.Struct
 import semmle.code.cpp.Union
 import semmle.code.cpp.Enum
-import semmle.code.cpp.Member
 import semmle.code.cpp.Field
 import semmle.code.cpp.Function
 import semmle.code.cpp.MemberFunction

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 10.1.2-dev
+version: 10.2.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/Location.qll

@@ -148,28 +148,3 @@ class UnknownLocation extends Location {
     this.getFile().getAbsolutePath() = "" and locations_default(this, _, 0, 0, 0, 0)
   }
 }
-
-/**
- * A dummy location which is used when something doesn't have a location in
- * the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownDefaultLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when an expression doesn't have a
- * location in the source code but needs to have a `Location` associated
- * with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownExprLocation extends UnknownLocation { }
-
-/**
- * A dummy location which is used when a statement doesn't have a location
- * in the source code but needs to have a `Location` associated with it.
- *
- * DEPRECATED: use `UnknownLocation`
- */
-deprecated class UnknownStmtLocation extends UnknownLocation { }

cpp/ql/lib/semmle/code/cpp/Member.qll

@@ -1,6 +0,0 @@
-/**
- * DEPRECATED: import `semmle.code.cpp.Element` and/or `semmle.code.cpp.Type` directly as required.
- */
-
-import semmle.code.cpp.Element
-import semmle.code.cpp.Type

cpp/ql/lib/semmle/code/cpp/TemplateParameter.qll

@@ -35,13 +35,6 @@ class NonTypeTemplateParameter extends Literal, TemplateParameterImpl {
   override string getAPrimaryQlClass() { result = "NonTypeTemplateParameter" }
 }
 
-/**
- * A C++ `typename` (or `class`) template parameter.
- *
- * DEPRECATED: Use `TypeTemplateParameter` instead.
- */
-deprecated class TemplateParameter = TypeTemplateParameter;
-
 /**
  * A C++ `typename` (or `class`) template parameter.
  *

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -276,6 +276,45 @@ private predicate isClassConstructedFrom(Class c, Class templateClass) {
   not c.isConstructedFrom(_) and c = templateClass
 }
 
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassOld(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  isClassConstructedFrom(c, result)
+}
+
+private TemplateClass getOriginalClassTemplate(TemplateClass tc) {
+  result = tc.getOriginalTemplate()
+  or
+  not exists(tc.getOriginalTemplate()) and
+  result = tc
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClassNew(Class c) {
+  not c.isFromUninstantiatedTemplate(_) and
+  exists(Class mid |
+    c.isConstructedFrom(mid)
+    or
+    not c.isConstructedFrom(_) and c = mid
+  |
+    result = getOriginalClassTemplate(mid)
+    or
+    not mid instanceof TemplateClass and mid = result
+  )
+}
+
+/** Gets the fully templated version of `c`. */
+private Class getFullyTemplatedClass(Class c) {
+  // The `Class::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `class_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `class_template_generated_from` extensional is empty.
+  if class_template_generated_from(_, _)
+  then result = getFullyTemplatedClassNew(c)
+  else result = getFullyTemplatedClassOld(c)
+}
+
 /**
  * Holds if `f` is an instantiation of a function template `templateFunc`, or
  * holds with `f = templateFunc` if `f` is not an instantiation of any function
@@ -292,7 +331,7 @@ private predicate isFunctionConstructedFrom(Function f, Function templateFunc) {
 }
 
 /** Gets the fully templated version of `f`. */
-Function getFullyTemplatedFunction(Function f) {
+private Function getFullyTemplatedFunctionOld(Function f) {
   not f.isFromUninstantiatedTemplate(_) and
   (
     exists(Class c, Class templateClass, int i |
@@ -306,13 +345,46 @@ Function getFullyTemplatedFunction(Function f) {
   )
 }
 
+private TemplateFunction getOriginalFunctionTemplate(TemplateFunction tf) {
+  result = tf.getOriginalTemplate()
+  or
+  not exists(tf.getOriginalTemplate()) and
+  result = tf
+}
+
+/** Gets the fully templated version of `f`. */
+private Function getFullyTemplatedFunctionNew(Function f) {
+  not f.isFromUninstantiatedTemplate(_) and
+  exists(Function mid |
+    f.isConstructedFrom(mid)
+    or
+    not f.isConstructedFrom(_) and f = mid
+  |
+    result = getOriginalFunctionTemplate(mid)
+    or
+    not mid instanceof TemplateFunction and mid = result
+  )
+}
+
+/** Gets the fully templated version of `f`. */
+Function getFullyTemplatedFunction(Function f) {
+  // The `Function::getOriginalTemplate` predicate was introduced in CodeQL
+  // version 2.25.6 and the upgrade script leaves the
+  // `function_template_generated_from` extensionals empty if the database
+  // was generated with an older extractor. So we use the old implementation
+  // if the `function_template_generated_from` extensional is empty.
+  if function_template_generated_from(_, _)
+  then result = getFullyTemplatedFunctionNew(f)
+  else result = getFullyTemplatedFunctionOld(f)
+}
+
 /** Prefixes `const` to `s` if `t` is const, or returns `s` otherwise. */
 bindingset[s, t]
 private string withConst(string s, Type t) {
   if t.isConst() then result = "const " + s else result = s
 }
 
-/** Prefixes `volatile` to `s` if `t` is const, or returns `s` otherwise. */
+/** Prefixes `volatile` to `s` if `t` is volatile, or returns `s` otherwise. */
 bindingset[s, t]
 private string withVolatile(string s, Type t) {
   if t.isVolatile() then result = "volatile " + s else result = s
@@ -490,7 +562,7 @@ pragma[nomagic]
 private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining) {
   // If there is a declaring type then we start by expanding the function templates
   exists(Class template |
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     remaining = getNumberOfSupportedClassTemplateArguments(template) and
     result = getTypeNameWithoutFunctionTemplates(f, n, 0)
   )
@@ -502,7 +574,7 @@ private string getTypeNameWithoutClassTemplates(Function f, int n, int remaining
   or
   exists(string mid, TypeTemplateParameter tp, Class template |
     mid = getTypeNameWithoutClassTemplates(f, n, remaining + 1) and
-    isClassConstructedFrom(f.getDeclaringType(), template) and
+    template = getFullyTemplatedClass(f.getDeclaringType()) and
     tp = getSupportedClassTemplateArgument(template, remaining)
   |
     result = mid.replaceAll(tp.getName(), "class:" + remaining.toString())

cpp/ql/lib/semmle/code/cpp/internal/ResolveClass.qll

@@ -1,59 +1,5 @@
 import semmle.code.cpp.Type
 
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private string getTopLevelClassName(@usertype c) {
-  not mangled_name(_, _, _) and
-  isClass(c) and
-  usertypes(c, result, _) and
-  not namespacembrs(_, c) and // not in a namespace
-  not member(_, _, c) and // not in some structure
-  not class_instantiation(c, _) // not a template instantiation
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `d` is a unique complete class named `name`.
- */
-pragma[noinline]
-private predicate existsCompleteWithName(string name, @usertype d) {
-  not mangled_name(_, _, _) and
-  is_complete(d) and
-  name = getTopLevelClassName(d) and
-  onlyOneCompleteClassExistsWithName(name)
-}
-
-/** For upgraded databases without mangled name info. */
-pragma[noinline]
-private predicate onlyOneCompleteClassExistsWithName(string name) {
-  not mangled_name(_, _, _) and
-  strictcount(@usertype c | is_complete(c) and getTopLevelClassName(c) = name) = 1
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class named `name`.
- */
-pragma[noinline]
-private predicate existsIncompleteWithName(string name, @usertype c) {
-  not mangled_name(_, _, _) and
-  not is_complete(c) and
-  name = getTopLevelClassName(c)
-}
-
-/**
- * For upgraded databases without mangled name info.
- * Holds if `c` is an incomplete class, and there exists a unique complete class `d`
- * with the same name.
- */
-private predicate oldHasCompleteTwin(@usertype c, @usertype d) {
-  not mangled_name(_, _, _) and
-  exists(string name |
-    existsIncompleteWithName(name, c) and
-    existsCompleteWithName(name, d)
-  )
-}
-
 pragma[noinline]
 private @mangledname getClassMangledName(@usertype c) {
   isClass(c) and
@@ -103,10 +49,7 @@ private module Cached {
   @usertype resolveClass(@usertype c) {
     hasCompleteTwin(c, result)
     or
-    oldHasCompleteTwin(c, result)
-    or
     not hasCompleteTwin(c, _) and
-    not oldHasCompleteTwin(c, _) and
     result = c
   }
 

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.6.4
+
+No user-facing changes.
+
 ## 1.6.3
 
 ### Minor Analysis Improvements

cpp/ql/src/change-notes/released/1.6.4.md

@@ -0,0 +1,3 @@
+## 1.6.4
+
+No user-facing changes.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.4

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.4-dev
+version: 1.6.5-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/dataflow/external-models/flow.expected

@@ -51,13 +51,16 @@ models
 | 50 | Summary: ; ; false; ymlStepGenerated; ; ; Argument[0]; ReturnValue; taint; df-generated |
 | 51 | Summary: ; ; false; ymlStepManual; ; ; Argument[0]; ReturnValue; taint; manual |
 | 52 | Summary: ; ; false; ymlStepManual_with_body; ; ; Argument[0]; ReturnValue; taint; manual |
-| 53 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 54 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
-| 55 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
-| 56 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
-| 57 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
+| 53 | Summary: ; TemplateClass1; true; templateFunction2<U,V>; (U,V); ; Argument[1]; ReturnValue; value; manual |
+| 54 | Summary: ; TemplateClass1<T>; false; templateFunction<U>; (T,U); ; Argument[0]; ReturnValue; value; manual |
+| 55 | Summary: ; TemplateClass2<T,U>; true; function; (U,T); ; Argument[1]; ReturnValue; value; manual |
+| 56 | Summary: Azure::Core::IO; BodyStream; true; Read; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 57 | Summary: Azure::Core::IO; BodyStream; true; ReadToCount; ; ; Argument[-1]; Argument[*0]; taint; manual |
+| 58 | Summary: Azure::Core::IO; BodyStream; true; ReadToEnd; ; ; Argument[-1]; ReturnValue.Element; taint; manual |
+| 59 | Summary: Azure; Nullable; true; Value; ; ; Argument[-1]; ReturnValue[*]; taint; manual |
+| 60 | Summary: boost::asio; ; false; buffer; ; ; Argument[*0]; ReturnValue; taint; manual |
 edges
-| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:57 |
+| asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | asio_streams.cpp:56:18:56:23 | [summary] to write: ReturnValue in buffer | provenance | MaD:60 |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:91:7:91:17 | recv_buffer | provenance | Src:MaD:32  |
 | asio_streams.cpp:87:34:87:44 | read_until output argument | asio_streams.cpp:93:29:93:39 | *recv_buffer | provenance | Src:MaD:32 Sink:MaD:2 |
 | asio_streams.cpp:97:37:97:44 | call to source | asio_streams.cpp:98:7:98:14 | send_str | provenance | TaintFunction |
@@ -66,24 +69,24 @@ edges
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:101:7:101:17 | send_buffer | provenance |  |
 | asio_streams.cpp:100:44:100:62 | call to buffer | asio_streams.cpp:103:29:103:39 | *send_buffer | provenance | Sink:MaD:2 |
 | asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:56:18:56:23 | [summary param] *0 in buffer | provenance |  |
-| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:57 |
-| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:56 |
-| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:53 |
-| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:54 |
-| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:55 |
+| asio_streams.cpp:100:64:100:71 | *send_str | asio_streams.cpp:100:44:100:62 | call to buffer | provenance | MaD:60 |
+| azure.cpp:62:10:62:14 | [summary param] this in Value | azure.cpp:62:10:62:14 | [summary] to write: ReturnValue[*] in Value | provenance | MaD:59 |
+| azure.cpp:113:16:113:19 | [summary param] this in Read | azure.cpp:113:16:113:19 | [summary param] *0 in Read [Return] | provenance | MaD:56 |
+| azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | azure.cpp:114:16:114:26 | [summary param] *0 in ReadToCount [Return] | provenance | MaD:57 |
+| azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | provenance | MaD:58 |
 | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue.Element in ReadToEnd | azure.cpp:115:30:115:38 | [summary] to write: ReturnValue in ReadToEnd [element] | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:253:48:253:60 | *call to GetBodyStream | provenance | Src:MaD:29  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:257:5:257:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:262:5:262:8 | *resp | provenance |  |
 | azure.cpp:253:48:253:60 | *call to GetBodyStream | azure.cpp:266:38:266:41 | *resp | provenance |  |
 | azure.cpp:257:5:257:8 | *resp | azure.cpp:113:16:113:19 | [summary param] this in Read | provenance |  |
-| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:53 |
+| azure.cpp:257:5:257:8 | *resp | azure.cpp:257:16:257:21 | Read output argument | provenance | MaD:56 |
 | azure.cpp:257:16:257:21 | Read output argument | azure.cpp:258:10:258:16 | * ... | provenance |  |
 | azure.cpp:262:5:262:8 | *resp | azure.cpp:114:16:114:26 | [summary param] this in ReadToCount | provenance |  |
-| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:54 |
+| azure.cpp:262:5:262:8 | *resp | azure.cpp:262:23:262:28 | ReadToCount output argument | provenance | MaD:57 |
 | azure.cpp:262:23:262:28 | ReadToCount output argument | azure.cpp:263:10:263:16 | * ... | provenance |  |
 | azure.cpp:266:38:266:41 | *resp | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:266:38:266:41 | *resp | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:266:44:266:52 | call to ReadToEnd [element] | azure.cpp:267:10:267:12 | vec [element] | provenance |  |
 | azure.cpp:267:10:267:12 | vec [element] | azure.cpp:267:10:267:12 | vec | provenance |  |
@@ -100,11 +103,11 @@ edges
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | provenance | Src:MaD:26  |
 | azure.cpp:281:68:281:84 | *call to ExtractBodyStream | azure.cpp:282:21:282:23 | *call to get | provenance |  |
 | azure.cpp:282:21:282:23 | *call to get | azure.cpp:115:30:115:38 | [summary param] this in ReadToEnd | provenance |  |
-| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:55 |
+| azure.cpp:282:21:282:23 | *call to get | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance | MaD:58 |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:10:282:38 | call to ReadToEnd | provenance |  |
 | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | azure.cpp:282:28:282:36 | call to ReadToEnd [element] | provenance |  |
 | azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:62:10:62:14 | [summary param] this in Value | provenance |  |
-| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:56 |
+| azure.cpp:289:24:289:56 | call to GetHeader | azure.cpp:289:63:289:65 | call to Value | provenance | MaD:59 |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:24:289:56 | call to GetHeader | provenance |  |
 | azure.cpp:289:32:289:40 | call to GetHeader | azure.cpp:289:32:289:40 | call to GetHeader | provenance | Src:MaD:30  |
 | azure.cpp:289:63:289:65 | call to Value | azure.cpp:289:63:289:65 | call to Value | provenance |  |
@@ -180,6 +183,39 @@ edges
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | test.cpp:119:10:119:11 | y2 | provenance | Sink:MaD:1 |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | provenance |  |
 | test.cpp:118:44:118:44 | *x | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | provenance | MaD:48 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | provenance | MaD:54 |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | provenance | MaD:53 |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:133:10:133:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:133:10:133:18 | call to ymlSource | test.cpp:134:45:134:45 | x | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:134:13:134:43 | call to templateFunction | provenance |  |
+| test.cpp:134:13:134:43 | call to templateFunction | test.cpp:135:10:135:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | provenance |  |
+| test.cpp:134:45:134:45 | x | test.cpp:134:13:134:43 | call to templateFunction | provenance | MaD:54 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | provenance | MaD:55 |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:146:10:146:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:146:10:146:18 | call to ymlSource | test.cpp:148:26:148:26 | x | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:148:10:148:27 | call to function | provenance |  |
+| test.cpp:148:10:148:27 | call to function | test.cpp:149:10:149:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:148:26:148:26 | x | test.cpp:148:10:148:27 | call to function | provenance | MaD:55 |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:155:10:155:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:155:10:155:18 | call to ymlSource | test.cpp:157:26:157:26 | x | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:157:13:157:20 | call to function | provenance |  |
+| test.cpp:157:13:157:20 | call to function | test.cpp:158:10:158:10 | z | provenance | Sink:MaD:1 |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | provenance |  |
+| test.cpp:157:26:157:26 | x | test.cpp:157:13:157:20 | call to function | provenance | MaD:55 |
+| test.cpp:164:34:164:34 | x | test.cpp:165:69:165:69 | x | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:164:7:164:7 | *templateFunction3 | provenance |  |
+| test.cpp:165:12:165:64 | call to templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | provenance |  |
+| test.cpp:165:69:165:69 | x | test.cpp:165:12:165:64 | call to templateFunction2 | provenance | MaD:53 |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:170:10:170:18 | call to ymlSource | provenance | Src:MaD:25  |
+| test.cpp:170:10:170:18 | call to ymlSource | test.cpp:172:51:172:51 | x | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 | provenance |  |
+| test.cpp:172:13:172:44 | call to templateFunction3 | test.cpp:173:10:173:10 | y | provenance | Sink:MaD:1 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | provenance |  |
+| test.cpp:172:51:172:51 | x | test.cpp:172:13:172:44 | call to templateFunction3 | provenance | MaD:53 |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | provenance | MaD:33 |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:22:15:22:29 | *call to GetCommandLineA | provenance | Src:MaD:3  |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | windows.cpp:24:8:24:11 | * ... | provenance |  |
@@ -483,6 +519,43 @@ nodes
 | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate | semmle.label | call to callWithNonTypeTemplate |
 | test.cpp:118:44:118:44 | *x | semmle.label | *x |
 | test.cpp:119:10:119:11 | y2 | semmle.label | y2 |
+| test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | semmle.label | [summary param] 0 in templateFunction |
+| test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | semmle.label | [summary] to write: ReturnValue in templateFunction |
+| test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | semmle.label | [summary param] 1 in templateFunction2 |
+| test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | semmle.label | [summary] to write: ReturnValue in templateFunction2 |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:133:10:133:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:13:134:43 | call to templateFunction | semmle.label | call to templateFunction |
+| test.cpp:134:45:134:45 | x | semmle.label | x |
+| test.cpp:135:10:135:10 | y | semmle.label | y |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary param] 1 in function | semmle.label | [summary param] 1 in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | semmle.label | [summary] to write: ReturnValue in function |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:146:10:146:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:10:148:27 | call to function | semmle.label | call to function |
+| test.cpp:148:26:148:26 | x | semmle.label | x |
+| test.cpp:149:10:149:10 | z | semmle.label | z |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:155:10:155:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:13:157:20 | call to function | semmle.label | call to function |
+| test.cpp:157:26:157:26 | x | semmle.label | x |
+| test.cpp:158:10:158:10 | z | semmle.label | z |
+| test.cpp:164:7:164:7 | *templateFunction3 | semmle.label | *templateFunction3 |
+| test.cpp:164:34:164:34 | x | semmle.label | x |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:12:165:64 | call to templateFunction2 | semmle.label | call to templateFunction2 |
+| test.cpp:165:69:165:69 | x | semmle.label | x |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:170:10:170:18 | call to ymlSource | semmle.label | call to ymlSource |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:13:172:44 | call to templateFunction3 | semmle.label | call to templateFunction3 |
+| test.cpp:172:51:172:51 | x | semmle.label | x |
+| test.cpp:173:10:173:10 | y | semmle.label | y |
 | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | semmle.label | [summary param] *0 in CommandLineToArgvA |
 | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | semmle.label | [summary] to write: ReturnValue[**] in CommandLineToArgvA |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | semmle.label | *call to GetCommandLineA |
@@ -688,6 +761,11 @@ subpaths
 | test.cpp:25:35:25:35 | x | test.cpp:6:5:6:27 | [summary param] 0 in ymlStepManual_with_body | test.cpp:6:5:6:27 | [summary] to write: ReturnValue in ymlStepManual_with_body | test.cpp:25:11:25:33 | call to ymlStepManual_with_body |
 | test.cpp:32:41:32:41 | x | test.cpp:7:47:7:52 | value2 | test.cpp:7:5:7:30 | *ymlStepGenerated_with_body | test.cpp:32:11:32:36 | call to ymlStepGenerated_with_body |
 | test.cpp:118:44:118:44 | *x | test.cpp:111:3:111:25 | [summary param] *0 in callWithNonTypeTemplate | test.cpp:111:3:111:25 | [summary] to write: ReturnValue in callWithNonTypeTemplate | test.cpp:118:11:118:42 | call to callWithNonTypeTemplate |
+| test.cpp:134:45:134:45 | x | test.cpp:125:5:125:20 | [summary param] 0 in templateFunction | test.cpp:125:5:125:20 | [summary] to write: ReturnValue in templateFunction | test.cpp:134:13:134:43 | call to templateFunction |
+| test.cpp:148:26:148:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:148:10:148:27 | call to function |
+| test.cpp:157:26:157:26 | x | test.cpp:140:4:140:11 | [summary param] 1 in function | test.cpp:140:4:140:11 | [summary] to write: ReturnValue in function | test.cpp:157:13:157:20 | call to function |
+| test.cpp:165:69:165:69 | x | test.cpp:128:5:128:21 | [summary param] 1 in templateFunction2 | test.cpp:128:5:128:21 | [summary] to write: ReturnValue in templateFunction2 | test.cpp:165:12:165:64 | call to templateFunction2 |
+| test.cpp:172:51:172:51 | x | test.cpp:164:34:164:34 | x | test.cpp:164:7:164:7 | *templateFunction3 | test.cpp:172:13:172:44 | call to templateFunction3 |
 | windows.cpp:27:36:27:38 | *cmd | windows.cpp:17:8:17:25 | [summary param] *0 in CommandLineToArgvA | windows.cpp:17:8:17:25 | [summary] to write: ReturnValue[**] in CommandLineToArgvA | windows.cpp:27:17:27:34 | **call to CommandLineToArgvA |
 | windows.cpp:537:40:537:41 | *& ... | windows.cpp:473:17:473:37 | [summary param] *1 in RtlCopyVolatileMemory | windows.cpp:473:17:473:37 | [summary param] *0 in RtlCopyVolatileMemory [Return] | windows.cpp:537:27:537:37 | RtlCopyVolatileMemory output argument |
 | windows.cpp:542:38:542:39 | *& ... | windows.cpp:479:17:479:35 | [summary param] *1 in RtlCopyDeviceMemory | windows.cpp:479:17:479:35 | [summary param] *0 in RtlCopyDeviceMemory [Return] | windows.cpp:542:25:542:35 | RtlCopyDeviceMemory output argument |

cpp/ql/test/library-tests/dataflow/external-models/flow.ext.yml

@@ -18,4 +18,7 @@ extensions:
       - ["", "", False, "ymlStepManual_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "manual"]
       - ["", "", False, "ymlStepGenerated_with_body", "", "", "Argument[0]", "ReturnValue", "taint", "df-generated"]
       - ["", "", False, "callWithArgument", "", "", "Argument[1]", "Argument[0].Parameter[0]", "value", "manual"]
-      - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "", False, "callWithNonTypeTemplate<T>", "(const T &)", "", "Argument[*0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1<T>", False, "templateFunction<U>", "(T,U)", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass1", True, "templateFunction2<U,V>", "(U,V)", "", "Argument[1]", "ReturnValue", "value", "manual"]
+      - ["", "TemplateClass2<T,U>", True, "function", "(U,T)", "", "Argument[1]", "ReturnValue", "value", "manual"]

cpp/ql/test/library-tests/dataflow/external-models/sinks.expected

@@ -15,3 +15,7 @@
 | test.cpp:89:11:89:11 | y | test-sink |
 | test.cpp:116:10:116:11 | y1 | test-sink |
 | test.cpp:119:10:119:11 | y2 | test-sink |
+| test.cpp:135:10:135:10 | y | test-sink |
+| test.cpp:149:10:149:10 | z | test-sink |
+| test.cpp:158:10:158:10 | z | test-sink |
+| test.cpp:173:10:173:10 | y | test-sink |

cpp/ql/test/library-tests/dataflow/external-models/sources.expected

@@ -9,6 +9,10 @@
 | test.cpp:56:8:56:16 | call to ymlSource | local |
 | test.cpp:94:10:94:18 | call to ymlSource | local |
 | test.cpp:114:10:114:18 | call to ymlSource | local |
+| test.cpp:133:10:133:18 | call to ymlSource | local |
+| test.cpp:146:10:146:18 | call to ymlSource | local |
+| test.cpp:155:10:155:18 | call to ymlSource | local |
+| test.cpp:170:10:170:18 | call to ymlSource | local |
 | windows.cpp:22:15:22:29 | *call to GetCommandLineA | local |
 | windows.cpp:34:17:34:38 | *call to GetEnvironmentStringsA | local |
 | windows.cpp:39:36:39:38 | GetEnvironmentVariableA output argument | local |

cpp/ql/test/library-tests/dataflow/external-models/test.cpp

@@ -118,3 +118,57 @@ void test_callWithNonTypeTemplate() {
 	int y2 = callWithNonTypeTemplate<int, 10>(x);
 	ymlSink(y2); // $ ir
 }
+
+template<class T>
+struct TemplateClass1 {
+  template<class U>
+  U templateFunction(T, U);
+
+	template<class U, class V>
+  V templateFunction2(U, V);
+};
+
+void test_template_function_in_template_class() {
+	TemplateClass1<int> b;
+	int x = ymlSource();
+	auto y = b.templateFunction<unsigned long>(x, 0UL);
+	ymlSink(y); // $ ir
+}
+
+template<class S, class T>
+struct TemplateClass2 {
+	T function(T, S);
+};
+
+template<class V> using PartialInstantiationOfTemplateClass2 = TemplateClass2<int, V>;
+
+void test_partial_class_instantiation() {
+	int x = ymlSource();
+	PartialInstantiationOfTemplateClass2<unsigned long> y;
+	int z = y.function(0UL, x);
+	ymlSink(z); // $ ir
+}
+
+template<class V> struct DeriveFromFromPartialTemplateInstantiation : TemplateClass2<int, V> { };
+
+void test_inheritance() {
+	int x = ymlSource();
+	DeriveFromFromPartialTemplateInstantiation<long> y;
+	auto z = y.function(0L, x);
+	ymlSink(z); // $ ir
+}
+
+template<class T>
+struct Class1 : TemplateClass1<T> {
+  template<class U>
+  int templateFunction3(U u, int x) {
+    return TemplateClass1<T>::template templateFunction2<U, int>(u, x);
+  }
+};
+
+void test_class1() {
+	int x = ymlSource();
+	Class1<int> c;
+	auto y = c.templateFunction3<unsigned long>(0UL, x);
+	ymlSink(y); // $ ir
+}

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -27383,54 +27383,55 @@ getParameterTypeName
 | stl.h:91:24:91:33 | operator++ | 0 | int |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
 | stl.h:95:44:95:44 | back_inserter | 0 | func:0 & |
-| stl.h:148:3:148:14 | basic_string | 0 | const class:2 & |
-| stl.h:149:33:149:44 | basic_string | 0 | const class:0 * |
-| stl.h:149:33:149:44 | basic_string | 1 | const class:2 & |
-| stl.h:151:16:151:20 | c_str | 0 | func:0 |
-| stl.h:151:16:151:20 | c_str | 1 | func:0 |
-| stl.h:151:16:151:20 | c_str | 2 | const class:2 & |
+| stl.h:147:12:147:23 | basic_string | 0 | const class:2 & |
+| stl.h:148:3:148:14 | basic_string | 0 | const class:0 * |
+| stl.h:148:3:148:14 | basic_string | 1 | const class:2 & |
+| stl.h:149:33:149:44 | basic_string | 0 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 1 | func:0 |
+| stl.h:149:33:149:44 | basic_string | 2 | const class:2 & |
+| stl.h:165:8:165:16 | push_back | 0 | class:0 |
 | stl.h:173:13:173:22 | operator[] | 0 | size_type |
 | stl.h:175:13:175:14 | at | 0 | size_type |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
-| stl.h:176:35:176:44 | operator+= | 0 | size_type |
-| stl.h:177:17:177:26 | operator+= | 0 | const func:0 & |
-| stl.h:178:17:178:22 | append | 0 | const class:0 * |
-| stl.h:179:17:179:22 | append | 0 | const basic_string & |
-| stl.h:180:17:180:22 | append | 0 | const class:0 * |
-| stl.h:181:47:181:52 | append | 0 | size_type |
-| stl.h:181:47:181:52 | append | 1 | class:0 |
-| stl.h:182:17:182:22 | assign | 0 | func:0 |
-| stl.h:182:17:182:22 | assign | 1 | func:0 |
-| stl.h:183:17:183:22 | assign | 0 | const basic_string & |
-| stl.h:184:47:184:52 | assign | 0 | size_type |
-| stl.h:184:47:184:52 | assign | 1 | class:0 |
-| stl.h:185:17:185:22 | insert | 0 | func:0 |
-| stl.h:185:17:185:22 | insert | 1 | func:0 |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
+| stl.h:176:35:176:44 | operator+= | 0 | const func:0 & |
+| stl.h:177:17:177:26 | operator+= | 0 | const class:0 * |
+| stl.h:178:17:178:22 | append | 0 | const basic_string & |
+| stl.h:179:17:179:22 | append | 0 | const class:0 * |
+| stl.h:180:17:180:22 | append | 0 | size_type |
+| stl.h:180:17:180:22 | append | 1 | class:0 |
+| stl.h:181:47:181:52 | append | 0 | func:0 |
+| stl.h:181:47:181:52 | append | 1 | func:0 |
+| stl.h:182:17:182:22 | assign | 0 | const basic_string & |
+| stl.h:183:17:183:22 | assign | 0 | size_type |
+| stl.h:183:17:183:22 | assign | 1 | class:0 |
+| stl.h:184:47:184:52 | assign | 0 | func:0 |
+| stl.h:184:47:184:52 | assign | 1 | func:0 |
+| stl.h:185:17:185:22 | insert | 0 | size_type |
+| stl.h:185:17:185:22 | insert | 1 | const basic_string & |
 | stl.h:186:17:186:22 | insert | 0 | size_type |
-| stl.h:186:17:186:22 | insert | 1 | const basic_string & |
+| stl.h:186:17:186:22 | insert | 1 | size_type |
+| stl.h:186:17:186:22 | insert | 2 | class:0 |
 | stl.h:187:17:187:22 | insert | 0 | size_type |
-| stl.h:187:17:187:22 | insert | 1 | size_type |
-| stl.h:187:17:187:22 | insert | 2 | class:0 |
-| stl.h:188:12:188:17 | insert | 0 | size_type |
-| stl.h:188:12:188:17 | insert | 1 | const class:0 * |
+| stl.h:187:17:187:22 | insert | 1 | const class:0 * |
+| stl.h:188:12:188:17 | insert | 0 | const_iterator |
+| stl.h:188:12:188:17 | insert | 1 | size_type |
+| stl.h:188:12:188:17 | insert | 2 | class:0 |
 | stl.h:189:42:189:47 | insert | 0 | const_iterator |
-| stl.h:189:42:189:47 | insert | 1 | size_type |
-| stl.h:189:42:189:47 | insert | 2 | class:0 |
-| stl.h:190:17:190:23 | replace | 0 | const_iterator |
-| stl.h:190:17:190:23 | replace | 1 | func:0 |
-| stl.h:190:17:190:23 | replace | 2 | func:0 |
+| stl.h:189:42:189:47 | insert | 1 | func:0 |
+| stl.h:189:42:189:47 | insert | 2 | func:0 |
+| stl.h:190:17:190:23 | replace | 0 | size_type |
+| stl.h:190:17:190:23 | replace | 1 | size_type |
+| stl.h:190:17:190:23 | replace | 2 | const basic_string & |
 | stl.h:191:17:191:23 | replace | 0 | size_type |
 | stl.h:191:17:191:23 | replace | 1 | size_type |
-| stl.h:191:17:191:23 | replace | 2 | const basic_string & |
-| stl.h:192:13:192:16 | copy | 0 | size_type |
+| stl.h:191:17:191:23 | replace | 2 | size_type |
+| stl.h:191:17:191:23 | replace | 3 | class:0 |
+| stl.h:192:13:192:16 | copy | 0 | class:0 * |
 | stl.h:192:13:192:16 | copy | 1 | size_type |
 | stl.h:192:13:192:16 | copy | 2 | size_type |
-| stl.h:192:13:192:16 | copy | 3 | class:0 |
-| stl.h:193:8:193:12 | clear | 0 | class:0 * |
-| stl.h:193:8:193:12 | clear | 1 | size_type |
-| stl.h:193:8:193:12 | clear | 2 | size_type |
-| stl.h:195:8:195:11 | swap | 0 | size_type |
-| stl.h:195:8:195:11 | swap | 1 | size_type |
+| stl.h:194:16:194:21 | substr | 0 | size_type |
+| stl.h:194:16:194:21 | substr | 1 | size_type |
+| stl.h:195:8:195:11 | swap | 0 | basic_string & |
 | stl.h:198:94:198:102 | operator+ | 0 | const basic_string & |
 | stl.h:198:94:198:102 | operator+ | 1 | const basic_string & |
 | stl.h:199:94:199:102 | operator+ | 0 | const basic_string & |

cpp/ql/test/library-tests/friends/loop/friends.expected

@@ -1,14 +1,14 @@
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
+| file://:0:0:0:0 | E<C>'s friend | loop.cpp:10:26:10:29 | F<D> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
-| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
 | file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:26 | F<T> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<C> |
-| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<D> |
+| file://:0:0:0:0 | E<D>'s friend | loop.cpp:10:26:10:29 | F<D> |
 | file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:26 | E<T> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<C> |
+| file://:0:0:0:0 | F<D>'s friend | loop.cpp:5:26:5:29 | E<D> |
 | loop.cpp:6:5:6:5 | E<T>'s friend | loop.cpp:5:26:5:26 | E<T> |
 | loop.cpp:7:5:7:5 | E<T>'s friend | loop.cpp:7:36:7:36 | F<U> |
 | loop.cpp:11:5:11:5 | F<T>'s friend | loop.cpp:11:36:11:36 | E<U> |

csharp/extractor/Semmle.Extraction.CSharp/CodeAnalysisExtensions/SymbolExtensions.cs

@@ -664,7 +664,7 @@ namespace Semmle.Extraction.CSharp
                 // Find the (possibly unbound) original extension method that maps to this implementation (if any).
                 var unboundDeclaration = extensions.SelectMany(e => e.GetMembers())
                     .OfType<IMethodSymbol>()
-                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation, method.ConstructedFrom));
+                    .FirstOrDefault(m => SymbolEqualityComparer.Default.Equals(m.AssociatedExtensionImplementation?.ConstructedFrom, method.ConstructedFrom));
 
                 var isFullyConstructed = method.IsBoundGenericMethod();
                 if (isFullyConstructed && unboundDeclaration?.ContainingType is INamedTypeSymbol extensionType)

csharp/extractor/Semmle.Extraction.CSharp/Entities/Accessor.cs

@@ -69,6 +69,7 @@ namespace Semmle.Extraction.CSharp.Entities
             }
 
             Overrides(trapFile);
+            ExtractRefReturn(trapFile, Symbol, this);
 
             if (Symbol.FromSource() && !HasBody)
             {

csharp/paket.dependencies

@@ -4,7 +4,7 @@ source https://api.nuget.org/v3/index.json
 # behave like nuget in choosing transitive dependency versions
 strategy: max
 
-nuget Basic.CompilerLog.Util 0.9.25
+nuget Basic.CompilerLog.Util 0.9.39
 nuget Mono.Posix.NETStandard
 nuget Newtonsoft.Json
 nuget NuGet.Versioning
@@ -12,7 +12,7 @@ nuget xunit
 nuget xunit.runner.visualstudio
 nuget xunit.runner.utility
 nuget Microsoft.NET.Test.Sdk
-nuget Microsoft.CodeAnalysis.CSharp 5.0.0
-nuget Microsoft.CodeAnalysis 5.0.0
-nuget Microsoft.Build 18.0.2
+nuget Microsoft.CodeAnalysis.CSharp 5.3.0
+nuget Microsoft.CodeAnalysis 5.3.0
+nuget Microsoft.Build 18.6.3
 nuget Microsoft.VisualStudio.SolutionPersistence

csharp/paket.lock

@@ -3,45 +3,42 @@ STRATEGY: MAX
 RESTRICTION: == net10.0
 NUGET
   remote: https://api.nuget.org/v3/index.json
-    Basic.CompilerLog.Util (0.9.25)
+    Basic.CompilerLog.Util (0.9.39)
       MessagePack (>= 3.1.4)
-      Microsoft.Bcl.Memory (>= 9.0.10)
+      Microsoft.Bcl.Memory (>= 10.0.7)
       Microsoft.CodeAnalysis (>= 4.8)
       Microsoft.CodeAnalysis.CSharp (>= 4.8)
       Microsoft.CodeAnalysis.VisualBasic (>= 4.8)
-      Microsoft.Extensions.ObjectPool (>= 9.0.10)
-      MSBuild.StructuredLogger (>= 2.3.71)
-      NaturalSort.Extension (>= 4.4)
-      NuGet.Versioning (>= 6.14)
+      Microsoft.Extensions.ObjectPool (>= 10.0.7)
+      MSBuild.StructuredLogger (>= 2.3.178)
     Humanizer.Core (3.0.10)
-    MessagePack (3.1.4)
-      MessagePack.Annotations (>= 3.1.4)
-      MessagePackAnalyzer (>= 3.1.4)
+    MessagePack (3.1.6)
+      MessagePack.Annotations (>= 3.1.6)
+      MessagePackAnalyzer (>= 3.1.6)
       Microsoft.NET.StringTools (>= 17.11.4)
-    MessagePack.Annotations (3.1.4)
-    MessagePackAnalyzer (3.1.4)
+    MessagePack.Annotations (3.1.6)
+    MessagePackAnalyzer (3.1.6)
     Microsoft.Bcl.AsyncInterfaces (10.0.8)
     Microsoft.Bcl.Memory (10.0.8)
-    Microsoft.Build (18.0.2)
-      Microsoft.Build.Framework (>= 18.0.2)
-      Microsoft.NET.StringTools (>= 18.0.2)
-      System.Configuration.ConfigurationManager (>= 9.0)
-      System.Diagnostics.EventLog (>= 9.0)
-      System.Reflection.MetadataLoadContext (>= 9.0)
-      System.Security.Cryptography.ProtectedData (>= 9.0.6)
-    Microsoft.Build.Framework (18.4)
-    Microsoft.Build.Utilities.Core (18.4)
-      Microsoft.Build.Framework (>= 18.4)
-      Microsoft.NET.StringTools (>= 18.4)
-      System.Configuration.ConfigurationManager (>= 10.0.1)
-      System.Diagnostics.EventLog (>= 10.0.1)
-      System.Security.Cryptography.ProtectedData (>= 10.0.1)
-    Microsoft.CodeAnalysis (5.0)
+    Microsoft.Build (18.6.3)
+      Microsoft.Build.Framework (>= 18.6.3)
+      System.Configuration.ConfigurationManager (>= 10.0.3)
+      System.Diagnostics.EventLog (>= 10.0.3)
+      System.Reflection.MetadataLoadContext (>= 10.0.3)
+      System.Security.Cryptography.ProtectedData (>= 10.0.3)
+    Microsoft.Build.Framework (18.6.3)
+      Microsoft.NET.StringTools (>= 18.6.3)
+    Microsoft.Build.Utilities.Core (18.6.3)
+      Microsoft.Build.Framework (>= 18.6.3)
+      System.Configuration.ConfigurationManager (>= 10.0.3)
+      System.Diagnostics.EventLog (>= 10.0.3)
+      System.Security.Cryptography.ProtectedData (>= 10.0.3)
+    Microsoft.CodeAnalysis (5.3)
       Humanizer.Core (>= 2.14.1)
       Microsoft.Bcl.AsyncInterfaces (>= 9.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
-      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
+      Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
       System.Buffers (>= 4.6)
       System.Collections.Immutable (>= 9.0)
       System.Composition (>= 9.0)
@@ -54,36 +51,36 @@ NUGET
       System.Threading.Channels (>= 8.0)
       System.Threading.Tasks.Extensions (>= 4.6)
     Microsoft.CodeAnalysis.Analyzers (5.3)
-    Microsoft.CodeAnalysis.Common (5.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-    Microsoft.CodeAnalysis.CSharp (5.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
-    Microsoft.CodeAnalysis.CSharp.Workspaces (5.0)
+    Microsoft.CodeAnalysis.Common (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+    Microsoft.CodeAnalysis.CSharp (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
+    Microsoft.CodeAnalysis.CSharp.Workspaces (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
-      Microsoft.CodeAnalysis.CSharp (5.0)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
+      Microsoft.CodeAnalysis.CSharp (5.3)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.VisualBasic (5.0)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
-    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.0)
+    Microsoft.CodeAnalysis.VisualBasic (5.3)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
+    Microsoft.CodeAnalysis.VisualBasic.Workspaces (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
-      Microsoft.CodeAnalysis.VisualBasic (5.0)
-      Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
+      Microsoft.CodeAnalysis.VisualBasic (5.3)
+      Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       System.Composition (>= 9.0)
-    Microsoft.CodeAnalysis.Workspaces.Common (5.0)
+    Microsoft.CodeAnalysis.Workspaces.Common (5.3)
       Humanizer.Core (>= 2.14.1)
-      Microsoft.CodeAnalysis.Analyzers (>= 3.11)
-      Microsoft.CodeAnalysis.Common (5.0)
+      Microsoft.CodeAnalysis.Analyzers (>= 5.3.0-2.25625.1)
+      Microsoft.CodeAnalysis.Common (5.3)
       System.Composition (>= 9.0)
     Microsoft.CodeCoverage (18.5.1)
     Microsoft.Extensions.ObjectPool (10.0.8)
-    Microsoft.NET.StringTools (18.4)
+    Microsoft.NET.StringTools (18.6.3)
     Microsoft.NET.Test.Sdk (18.5.1)
       Microsoft.CodeCoverage (>= 18.5.1)
       Microsoft.TestPlatform.TestHost (>= 18.5.1)
@@ -97,7 +94,6 @@ NUGET
     MSBuild.StructuredLogger (2.3.204)
       Microsoft.Build.Framework (>= 17.5)
       Microsoft.Build.Utilities.Core (>= 17.5)
-    NaturalSort.Extension (4.4.1)
     Newtonsoft.Json (13.0.4)
     NuGet.Versioning (7.6)
     System.Buffers (4.6.1)

csharp/ql/campaigns/Solorigate/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.68
+
+No user-facing changes.
+
 ## 1.7.67
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/change-notes/released/1.7.68.md

@@ -0,0 +1,3 @@
+## 1.7.68
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.67
+lastReleaseVersion: 1.7.68

csharp/ql/campaigns/Solorigate/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.68-dev
+version: 1.7.69-dev
 groups:
   - csharp
   - solorigate

csharp/ql/campaigns/Solorigate/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.68
+
+No user-facing changes.
+
 ## 1.7.67
 
 No user-facing changes.

csharp/ql/campaigns/Solorigate/src/change-notes/released/1.7.68.md

@@ -0,0 +1,3 @@
+## 1.7.68
+
+No user-facing changes.

csharp/ql/campaigns/Solorigate/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.67
+lastReleaseVersion: 1.7.68

csharp/ql/campaigns/Solorigate/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.68-dev
+version: 1.7.69-dev
 groups:
   - csharp
   - solorigate

csharp/ql/integration-tests/posix/standalone_dependencies_executing_runtime/Assemblies.expected

@@ -22,7 +22,6 @@
 | [...]/csharp/tools/[...]/Microsoft.Win32.Primitives.dll |
 | [...]/csharp/tools/[...]/Microsoft.Win32.Registry.dll |
 | [...]/csharp/tools/[...]/Mono.Posix.NETStandard.dll |
-| [...]/csharp/tools/[...]/NaturalSort.Extension.dll |
 | [...]/csharp/tools/[...]/Newtonsoft.Json.dll |
 | [...]/csharp/tools/[...]/NuGet.Versioning.dll |
 | [...]/csharp/tools/[...]/StructuredLogger.dll |

csharp/ql/lib/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 6.0.2
+
+### Minor Analysis Improvements
+
+* Full support for C# 14 / .NET 10. All new language features are now supported by the extractor. The QL library and data flow analysis now support the new C# 14 language constructs and include generated Models as Data (MaD) models for the .NET 10 runtime.
+* C# 14: Added support for user-defined instance increment/decrement operators.
+
 ## 6.0.1
 
 No user-facing changes.

csharp/ql/lib/change-notes/2026-05-12-user-increment-decrement.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* C# 14: Added support for user-defined instance increment/decrement operators.

csharp/ql/lib/change-notes/2026-05-19-properties-indexers-refreturn.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved call target resolution for ref-return properties and indexers.

csharp/ql/lib/change-notes/released/6.0.2.md

@@ -1,4 +1,6 @@
----
-category: minorAnalysis
----
+## 6.0.2
+
+### Minor Analysis Improvements
+
 * Full support for C# 14 / .NET 10. All new language features are now supported by the extractor. The QL library and data flow analysis now support the new C# 14 language constructs and include generated Models as Data (MaD) models for the .NET 10 runtime.
+* C# 14: Added support for user-defined instance increment/decrement operators.

csharp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 6.0.1
+lastReleaseVersion: 6.0.2

csharp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 6.0.2-dev
+version: 6.0.3-dev
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp

csharp/ql/lib/semmle/code/csharp/exprs/Call.qll

@@ -766,7 +766,16 @@ class PropertyCall extends AccessorCall, PropertyAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and result = this.getProperty().getSetter()
+    this instanceof AssignableWrite and
+    exists(Property p | p = this.getProperty() |
+      result = p.getSetter()
+      or
+      result =
+        any(Getter g |
+          g = p.getGetter() and
+          g.getAnnotatedReturnType().isRef()
+        )
+    )
   }
 
   override Expr getArgument(int i) {
@@ -801,7 +810,16 @@ class IndexerCall extends AccessorCall, IndexerAccessExpr {
   }
 
   override Accessor getWriteTarget() {
-    this instanceof AssignableWrite and result = this.getIndexer().getSetter()
+    this instanceof AssignableWrite and
+    exists(Indexer i | i = this.getIndexer() |
+      result = i.getSetter()
+      or
+      result =
+        any(Getter g |
+          g = i.getGetter() and
+          g.getAnnotatedReturnType().isRef()
+        )
+    )
   }
 
   override Expr getArgument(int i) {

csharp/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.7.4
+
+No user-facing changes.
+
 ## 1.7.3
 
 No user-facing changes.

csharp/ql/src/change-notes/released/1.7.4.md

@@ -0,0 +1,3 @@
+## 1.7.4
+
+No user-facing changes.

csharp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.7.3
+lastReleaseVersion: 1.7.4

csharp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.4-dev
+version: 1.7.5-dev
 groups:
   - csharp
   - queries

csharp/ql/test/library-tests/csharp8/NullableRefTypes.expected

@@ -227,7 +227,7 @@ returnTypes
 | NullableRefTypes.cs:107:26:107:36 | ReturnsRef5 | readonly MyClass! |
 | NullableRefTypes.cs:108:26:108:36 | ReturnsRef6 | readonly MyClass! |
 | NullableRefTypes.cs:110:10:110:20 | Parameters1 | Void! |
-| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | MyClass! |
+| NullableRefTypes.cs:113:32:113:44 | get_RefProperty | ref MyClass! |
 | NullableRefTypes.cs:116:7:116:23 | <object initializer> | Void |
 | NullableRefTypes.cs:116:7:116:23 | ToStringWithTypes | Void! |
 | NullableRefTypes.cs:136:7:136:24 | <object initializer> | Void |

csharp/ql/test/library-tests/encoding/SBCS.cs

@@ -1,4 +1,4 @@
-class SBCS
+class SBCS
 {
-    string sbcs = "<22>";
+    string sbcs = "<22>";
 }

csharp/ql/test/library-tests/indexers/Indexers13.expected

@@ -0,0 +1,4 @@
+| indexers.cs:24:21:24:24 | Item | indexers.cs:62:22:62:29 | access to indexer | indexers.cs:26:13:26:15 | get_Item |
+| indexers.cs:24:21:24:24 | Item | indexers.cs:65:25:65:32 | access to indexer | indexers.cs:34:13:34:15 | set_Item |
+| indexers.cs:143:24:143:27 | Item | indexers.cs:156:13:156:16 | access to indexer | indexers.cs:145:13:145:15 | get_Item |
+| indexers.cs:143:24:143:27 | Item | indexers.cs:157:21:157:24 | access to indexer | indexers.cs:145:13:145:15 | get_Item |

csharp/ql/test/library-tests/indexers/Indexers13.ql

@@ -0,0 +1,8 @@
+import csharp
+
+from IndexerCall ic, Indexer i, Accessor target
+where
+  ic.getIndexer() = i and
+  ic.getTarget() = target and
+  i.fromSource()
+select i, ic, target

csharp/ql/test/library-tests/indexers/PrintAst.expected

@@ -360,3 +360,57 @@ indexers.cs:
 #  130|         4: [BlockStmt] {...}
 #  130|           0: [ReturnStmt] return ...;
 #  130|             0: [IntLiteral] 0
+#  134|   5: [RefStruct] S
+#  136|     6: [Field] x
+#  136|       -1: [TypeMention] int
+#  138|     7: [InstanceConstructor] S
+#-----|       2: (Parameters)
+#  138|         0: [Parameter] v
+#  138|           -1: [TypeMention] int
+#  139|       4: [BlockStmt] {...}
+#  140|         0: [ExprStmt] ...;
+#  140|           0: [AssignExpr] ... = ...
+#  140|             0: [FieldAccess] access to field x
+#  140|             1: [RefExpr] ref ...
+#  140|               0: [ParameterAccess] access to parameter v
+#  143|     8: [Indexer] Item
+#  143|       -1: [TypeMention] int
+#-----|       1: (Parameters)
+#  143|         0: [Parameter] i
+#  143|           -1: [TypeMention] int
+#  145|       3: [Getter] get_Item
+#-----|         2: (Parameters)
+#  143|           0: [Parameter] i
+#  145|         4: [BlockStmt] {...}
+#  145|           0: [ReturnStmt] return ...;
+#  145|             0: [RefExpr] ref ...
+#  145|               0: [FieldAccess] access to field x
+#  149|   6: [Class] TestRefReturns
+#  151|     6: [Method] M
+#  151|       -1: [TypeMention] Void
+#  152|       4: [BlockStmt] {...}
+#  153|         0: [LocalVariableDeclStmt] ... ...;
+#  153|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
+#  153|             -1: [TypeMention] int
+#  153|             0: [LocalVariableAccess] access to local variable a
+#  153|             1: [IntLiteral] 0
+#  155|         1: [LocalVariableDeclStmt] ... ...;
+#  155|           0: [LocalVariableDeclAndInitExpr] S s = ...
+#  155|             -1: [TypeMention] S
+#  155|             0: [LocalVariableAccess] access to local variable s
+#  155|             1: [ObjectCreation] object creation of type S
+#  155|               -1: [TypeMention] S
+#  155|               0: [LocalVariableAccess] access to local variable a
+#  156|         2: [ExprStmt] ...;
+#  156|           0: [AssignExpr] ... = ...
+#  156|             0: [IndexerCall] access to indexer
+#  156|               -1: [LocalVariableAccess] access to local variable s
+#  156|               0: [IntLiteral] 0
+#  156|             1: [IntLiteral] 1
+#  157|         3: [LocalVariableDeclStmt] ... ...;
+#  157|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  157|             -1: [TypeMention] int
+#  157|             0: [LocalVariableAccess] access to local variable x
+#  157|             1: [IndexerCall] access to indexer
+#  157|               -1: [LocalVariableAccess] access to local variable s
+#  157|               0: [IntLiteral] 0

csharp/ql/test/library-tests/indexers/indexers.cs

@@ -130,4 +130,31 @@ namespace Indexers
             get { return 0; }
         }
     }
+
+    public ref struct S
+    {
+        private ref int x;
+
+        public S(ref int v)
+        {
+            x = ref v;
+        }
+
+        public ref int this[int i]
+        {
+            get { return ref x; }
+        }
+    }
+
+    public class TestRefReturns
+    {
+        public void M()
+        {
+            int a = 0;
+
+            S s = new S(ref a);
+            s[0] = 1;
+            var x = s[0];
+        }
+    }
 }

csharp/ql/test/library-tests/properties/PrintAst.expected

@@ -246,3 +246,50 @@ properties.cs:
 #  133|               0: [FieldAccess] access to field Prop.field
 #  133|               1: [ParameterAccess] access to parameter value
 #  130|     7: [Field] Prop.field
+#  137|   11: [RefStruct] S
+#  139|     6: [Field] x
+#  139|       -1: [TypeMention] int
+#  141|     7: [InstanceConstructor] S
+#-----|       2: (Parameters)
+#  141|         0: [Parameter] v
+#  141|           -1: [TypeMention] int
+#  142|       4: [BlockStmt] {...}
+#  143|         0: [ExprStmt] ...;
+#  143|           0: [AssignExpr] ... = ...
+#  143|             0: [FieldAccess] access to field x
+#  143|             1: [RefExpr] ref ...
+#  143|               0: [ParameterAccess] access to parameter v
+#  146|     8: [Property] Prop
+#  146|       -1: [TypeMention] int
+#  148|       3: [Getter] get_Prop
+#  148|         4: [BlockStmt] {...}
+#  148|           0: [ReturnStmt] return ...;
+#  148|             0: [RefExpr] ref ...
+#  148|               0: [FieldAccess] access to field x
+#  152|   12: [Class] TestRefReturns
+#  154|     6: [Method] M
+#  154|       -1: [TypeMention] Void
+#  155|       4: [BlockStmt] {...}
+#  156|         0: [LocalVariableDeclStmt] ... ...;
+#  156|           0: [LocalVariableDeclAndInitExpr] Int32 a = ...
+#  156|             -1: [TypeMention] int
+#  156|             0: [LocalVariableAccess] access to local variable a
+#  156|             1: [IntLiteral] 0
+#  158|         1: [LocalVariableDeclStmt] ... ...;
+#  158|           0: [LocalVariableDeclAndInitExpr] S s = ...
+#  158|             -1: [TypeMention] S
+#  158|             0: [LocalVariableAccess] access to local variable s
+#  158|             1: [ObjectCreation] object creation of type S
+#  158|               -1: [TypeMention] S
+#  158|               0: [LocalVariableAccess] access to local variable a
+#  159|         2: [ExprStmt] ...;
+#  159|           0: [AssignExpr] ... = ...
+#  159|             0: [PropertyCall] access to property Prop
+#  159|               -1: [LocalVariableAccess] access to local variable s
+#  159|             1: [IntLiteral] 1
+#  160|         3: [LocalVariableDeclStmt] ... ...;
+#  160|           0: [LocalVariableDeclAndInitExpr] Int32 x = ...
+#  160|             -1: [TypeMention] int
+#  160|             0: [LocalVariableAccess] access to local variable x
+#  160|             1: [PropertyCall] access to property Prop
+#  160|               -1: [LocalVariableAccess] access to local variable s

csharp/ql/test/library-tests/properties/Properties17.expected

@@ -1,5 +1,6 @@
 | Prop.field |
 | caption |
 | next |
+| x |
 | y |
 | z |

csharp/ql/test/library-tests/properties/Properties19.expected

@@ -0,0 +1,8 @@
+| properties.cs:12:23:12:29 | Caption | properties.cs:29:13:29:28 | access to property Caption | properties.cs:17:13:17:15 | set_Caption |
+| properties.cs:12:23:12:29 | Caption | properties.cs:30:24:30:39 | access to property Caption | properties.cs:15:13:15:15 | get_Caption |
+| properties.cs:57:20:57:20 | X | properties.cs:61:13:61:13 | access to property X | properties.cs:57:37:57:39 | set_X |
+| properties.cs:58:20:58:20 | Y | properties.cs:62:13:62:13 | access to property Y | properties.cs:58:37:58:39 | set_Y |
+| properties.cs:70:28:70:28 | X | properties.cs:82:46:82:51 | access to property X | properties.cs:70:32:70:34 | get_X |
+| properties.cs:71:28:71:28 | Y | properties.cs:83:39:83:44 | access to property Y | properties.cs:74:13:74:15 | set_Y |
+| properties.cs:146:24:146:27 | Prop | properties.cs:159:13:159:18 | access to property Prop | properties.cs:148:13:148:15 | get_Prop |
+| properties.cs:146:24:146:27 | Prop | properties.cs:160:21:160:26 | access to property Prop | properties.cs:148:13:148:15 | get_Prop |

csharp/ql/test/library-tests/properties/Properties19.ql

@@ -0,0 +1,8 @@
+import csharp
+
+from PropertyCall pc, Property p, Accessor target
+where
+  pc.getProperty() = p and
+  pc.getTarget() = target and
+  p.fromSource()
+select p, pc, target

csharp/ql/test/library-tests/properties/properties.cs

@@ -133,4 +133,31 @@ namespace Properties
             set { field = value; }
         }
     }
+
+    public ref struct S
+    {
+        private ref int x;
+
+        public S(ref int v)
+        {
+            x = ref v;
+        }
+
+        public ref int Prop
+        {
+            get { return ref x; }
+        }
+    }
+
+    public class TestRefReturns
+    {
+        public void M()
+        {
+            int a = 0;
+
+            S s = new S(ref a);
+            s.Prop = 1;
+            var x = s.Prop;
+        }
+    }
 }

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/IsNotOkayCall.expected

@@ -1,3 +1,2 @@
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
-| Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/NoTarget.expected

@@ -9,6 +9,5 @@
 | Quality.cs:23:9:23:30 | delegate call | Call without target $@. | Quality.cs:23:9:23:30 | delegate call | delegate call |
 | Quality.cs:26:19:26:26 | access to indexer | Call without target $@. | Quality.cs:26:19:26:26 | access to indexer | access to indexer |
 | Quality.cs:29:21:29:27 | access to indexer | Call without target $@. | Quality.cs:29:21:29:27 | access to indexer | access to indexer |
-| Quality.cs:32:9:32:21 | access to indexer | Call without target $@. | Quality.cs:32:9:32:21 | access to indexer | access to indexer |
 | Quality.cs:38:16:38:26 | access to property MyProperty2 | Call without target $@. | Quality.cs:38:16:38:26 | access to property MyProperty2 | access to property MyProperty2 |
 | Quality.cs:50:20:50:26 | object creation of type T | Call without target $@. | Quality.cs:50:20:50:26 | object creation of type T | object creation of type T |

csharp/ql/test/query-tests/Telemetry/DatabaseQuality/Quality.cs

@@ -29,7 +29,7 @@ public class Test
         var slice = sp[..3];        // TODO: this is not an indexer call, but rather a `sp.Slice(0, 3)` call.
 
         Span<byte> guidBytes = stackalloc byte[16];
-        guidBytes[08] = 1;          // TODO: this indexer call has no target, because the target is a `ref` returning getter.
+        guidBytes[08] = 1;
 
         new MyList([new(), new Test()]);
     }

go/ql/consistency-queries/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.0.51
+
+No user-facing changes.
+
 ## 1.0.50
 
 No user-facing changes.

go/ql/consistency-queries/change-notes/released/1.0.51.md

@@ -0,0 +1,3 @@
+## 1.0.51
+
+No user-facing changes.

go/ql/consistency-queries/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.0.50
+lastReleaseVersion: 1.0.51

go/ql/consistency-queries/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.51-dev
+version: 1.0.52-dev
 groups:
   - go
   - queries

go/ql/lib/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 7.1.2
+
+No user-facing changes.
+
 ## 7.1.1
 
 No user-facing changes.

go/ql/lib/change-notes/released/7.1.2.md

@@ -0,0 +1,3 @@
+## 7.1.2
+
+No user-facing changes.

go/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 7.1.1
+lastReleaseVersion: 7.1.2

go/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.1.2-dev
+version: 7.1.3-dev
 groups: go
 dbscheme: go.dbscheme
 extractor: go

go/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.6.4
+
+No user-facing changes.
+
 ## 1.6.3
 
 No user-facing changes.

go/ql/src/change-notes/released/1.6.4.md

@@ -0,0 +1,3 @@
+## 1.6.4
+
+No user-facing changes.

go/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.6.3
+lastReleaseVersion: 1.6.4

go/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.4-dev
+version: 1.6.5-dev
 groups:
   - go
   - queries

java/ql/lib/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 9.1.2
+
+### Minor Analysis Improvements
+
+* Added LLM-generated source and sink models for `org.apache.avro`.
+
 ## 9.1.1
 
 ### Minor Analysis Improvements

java/ql/lib/change-notes/released/9.1.2.md

@@ -1,4 +1,5 @@
----
-category: minorAnalysis
----
+## 9.1.2
+
+### Minor Analysis Improvements
+
 * Added LLM-generated source and sink models for `org.apache.avro`.

java/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 9.1.1
+lastReleaseVersion: 9.1.2

java/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.1.2-dev
+version: 9.1.3-dev
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java

java/ql/src/CHANGELOG.md

@@ -1,3 +1,7 @@
+## 1.11.4
+
+No user-facing changes.
+
 ## 1.11.3
 
 ### Minor Analysis Improvements

java/ql/src/change-notes/released/1.11.4.md

@@ -0,0 +1,3 @@
+## 1.11.4
+
+No user-facing changes.