Java: accept new tests results

2026-06-29 16:47:09 +02:00 · 2026-06-29 09:42:48 +02:00
191 changed files with 659 additions and 6904 deletions
--- a/actions/ql/lib/qlpack.yml
+++ b/actions/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.39-dev
+version: 0.4.38
 library: true
 warnOnImplicitThis: true
 dependencies:
--- a/actions/ql/src/qlpack.yml
+++ b/actions/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.31-dev
+version: 0.6.30
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 11.0.1-dev
+version: 11.0.0
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp
--- a/cpp/ql/src/qlpack.yml
+++ b/cpp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.6.6-dev
+version: 1.6.5
 groups:
  - cpp
  - queries
--- a/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-all
-version: 1.7.70-dev
+version: 1.7.69
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/campaigns/Solorigate/src/qlpack.yml
+++ b/csharp/ql/campaigns/Solorigate/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-solorigate-queries
-version: 1.7.70-dev
+version: 1.7.69
 groups:
  - csharp
  - solorigate
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-all
-version: 7.0.1-dev
+version: 7.0.0
 groups: csharp
 dbscheme: semmlecode.csharp.dbscheme
 extractor: csharp
--- a/csharp/ql/src/qlpack.yml
+++ b/csharp/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/csharp-queries
-version: 1.7.6-dev
+version: 1.7.5
 groups:
  - csharp
  - queries
--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -10,7 +10,7 @@ toolchain go1.26.4
 //    bazel mod tidy
 require (
 	golang.org/x/mod v0.37.0
-	golang.org/x/tools v0.47.0
+	golang.org/x/tools v0.46.0
 )

 require github.com/stretchr/testify v1.11.1
--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -10,8 +10,8 @@ golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
 golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
 golang.org/x/sync v0.21.0 h1:HLII4xRRTtCRkxYp4HNFF0Js/Og6q2i++KXbg0gHCwM=
 golang.org/x/sync v0.21.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
-golang.org/x/tools v0.47.0 h1:7Kn5x/d1svx/PzryTsqeoZN4TZwqeH5pGWjefhLi/1Q=
-golang.org/x/tools v0.47.0/go.mod h1:dFHnyTvFWY212G+h7ZY4Vsp/K3U4/7W9TyVaAul8uCA=
+golang.org/x/tools v0.46.0 h1:7jTurBkPZu4moS/Uy4OQT1M+QBlsj3wejyZwsT8Z7rk=
+golang.org/x/tools v0.46.0/go.mod h1:FrD85F8l+NWL+9XWBSyVSHO6Ne4jutsfIFba7AWQ5Ys=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
--- a/go/ql/consistency-queries/qlpack.yml
+++ b/go/ql/consistency-queries/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql-go-consistency-queries
-version: 1.0.53-dev
+version: 1.0.52
 groups:
  - go
  - queries
--- a/go/ql/lib/qlpack.yml
+++ b/go/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-all
-version: 7.2.1-dev
+version: 7.2.0
 groups: go
 dbscheme: go.dbscheme
 extractor: go
--- a/go/ql/lib/semmle/go/security/StoredXssCustomizations.qll
+++ b/go/ql/lib/semmle/go/security/StoredXssCustomizations.qll
@@ -33,11 +33,9 @@ module StoredXss {
        walkFn.getACall().getArgument(1) = f.getASuccessor*()
      )
      or
-      // The return value of a call to `os.DirEntry.Name`, `os.FileInfo.Name`
-      // or `os.File.ReadDirNames`.
-      exists(DataFlow::CallNode cn, Method m | m = cn.getTarget() and this = cn.getResult(0) |
-        m.implements("io/fs", ["DirEntry", "FileInfo"], "Name") or
-        m.hasQualifiedName("os", "File", "ReadDirNames")
+      // A call to os.FileInfo.Name
+      exists(Method m | m.implements("io/fs", "FileInfo", "Name") |
+        m = this.(DataFlow::CallNode).getTarget()
      )
    }
  }
--- a/go/ql/src/qlpack.yml
+++ b/go/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/go-queries
-version: 1.6.6-dev
+version: 1.6.5
 groups:
  - go
  - queries
--- a/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
+++ b/go/ql/test/query-tests/Security/CWE-079/ReflectedXss.expected
@@ -156,3 +156,12 @@ nodes
 | websocketXss.go:54:3:54:38 | ... := ...[1] | semmle.label | ... := ...[1] |
 | websocketXss.go:55:24:55:31 | gorilla3 | semmle.label | gorilla3 |
 subpaths
+testFailures
+| websocketXss.go:30:32:30:60 | comment | Missing result: Source[go/reflected-xss] |
+| websocketXss.go:31:11:31:14 | xnet [postupdate] | Unexpected result: Source |
+| websocketXss.go:34:30:34:58 | comment | Missing result: Source[go/reflected-xss] |
+| websocketXss.go:35:21:35:25 | xnet2 [postupdate] | Unexpected result: Source |
+| websocketXss.go:46:38:46:66 | comment | Missing result: Source[go/reflected-xss] |
+| websocketXss.go:47:26:47:35 | gorillaMsg [postupdate] | Unexpected result: Source |
+| websocketXss.go:50:33:50:61 | comment | Missing result: Source[go/reflected-xss] |
+| websocketXss.go:51:17:51:24 | gorilla2 [postupdate] | Unexpected result: Source |
--- a/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected
+++ b/go/ql/test/query-tests/Security/CWE-079/StoredXss.expected
@@ -1,9 +1,7 @@
 #select
-| StoredXss.go:13:21:13:36 | ...+... | StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | Stored cross-site scripting vulnerability due to $@. | StoredXss.go:13:21:13:31 | call to Name | stored value |
 | stored.go:30:22:30:25 | name | stored.go:18:3:18:28 | ... := ...[0] | stored.go:30:22:30:25 | name | Stored cross-site scripting vulnerability due to $@. | stored.go:18:3:18:28 | ... := ...[0] | stored value |
 | stored.go:61:22:61:25 | path | stored.go:59:30:59:33 | SSA def(path) | stored.go:61:22:61:25 | path | Stored cross-site scripting vulnerability due to $@. | stored.go:59:30:59:33 | SSA def(path) | stored value |
 edges
-| StoredXss.go:13:21:13:31 | call to Name | StoredXss.go:13:21:13:36 | ...+... | provenance |  |
 | stored.go:18:3:18:28 | ... := ...[0] | stored.go:25:14:25:17 | rows | provenance | Src:MaD:1  |
 | stored.go:25:14:25:17 | rows | stored.go:25:29:25:33 | &... [postupdate] | provenance | FunctionModel |
 | stored.go:25:29:25:33 | &... [postupdate] | stored.go:30:22:30:25 | name | provenance |  |
@@ -11,8 +9,6 @@ edges
 models
 | 1 | Source: database/sql; DB; true; Query; ; ; ReturnValue[0]; database; manual |
 nodes
-| StoredXss.go:13:21:13:31 | call to Name | semmle.label | call to Name |
-| StoredXss.go:13:21:13:36 | ...+... | semmle.label | ...+... |
 | stored.go:18:3:18:28 | ... := ...[0] | semmle.label | ... := ...[0] |
 | stored.go:25:14:25:17 | rows | semmle.label | rows |
 | stored.go:25:29:25:33 | &... [postupdate] | semmle.label | &... [postupdate] |
@@ -20,3 +16,5 @@ nodes
 | stored.go:59:30:59:33 | SSA def(path) | semmle.label | SSA def(path) |
 | stored.go:61:22:61:25 | path | semmle.label | path |
 subpaths
+testFailures
+| StoredXss.go:13:39:13:63 | comment | Missing result: Alert[go/stored-xss] |
--- a/go/ql/test/query-tests/Security/CWE-079/websocketXss.go
+++ b/go/ql/test/query-tests/Security/CWE-079/websocketXss.go
@@ -27,12 +27,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	origin := "test"
 	{
 		ws, _ := websocket.Dial(uri, "", origin)
-		var xnet = make([]byte, 512)
-		ws.Read(xnet)              // $ Source[go/reflected-xss]
+		var xnet = make([]byte, 512) // $ Source[go/reflected-xss]
+		ws.Read(xnet)
 		fmt.Fprintf(w, "%v", xnet) // $ Alert[go/reflected-xss]
 		codec := &websocket.Codec{Marshal: marshal, Unmarshal: unmarshal}
-		xnet2 := make([]byte, 512)
-		codec.Receive(ws, xnet2)    // $ Source[go/reflected-xss]
+		xnet2 := make([]byte, 512) // $ Source[go/reflected-xss]
+		codec.Receive(ws, xnet2)
 		fmt.Fprintf(w, "%v", xnet2) // $ Alert[go/reflected-xss]
 	}
 	{
@@ -43,12 +43,12 @@ func xss(w http.ResponseWriter, r *http.Request) {
 	{
 		dialer := gorilla.Dialer{}
 		conn, _, _ := dialer.Dial(uri, nil)
-		var gorillaMsg = make([]byte, 512)
-		gorilla.ReadJSON(conn, gorillaMsg) // $ Source[go/reflected-xss]
-		fmt.Fprintf(w, "%v", gorillaMsg)   // $ Alert[go/reflected-xss]
+		var gorillaMsg = make([]byte, 512) // $ Source[go/reflected-xss]
+		gorilla.ReadJSON(conn, gorillaMsg)
+		fmt.Fprintf(w, "%v", gorillaMsg) // $ Alert[go/reflected-xss]

-		gorilla2 := make([]byte, 512)
-		conn.ReadJSON(gorilla2)        // $ Source[go/reflected-xss]
+		gorilla2 := make([]byte, 512) // $ Source[go/reflected-xss]
+		conn.ReadJSON(gorilla2)
 		fmt.Fprintf(w, "%v", gorilla2) // $ Alert[go/reflected-xss]

 		_, gorilla3, _ := conn.ReadMessage() // $ Source[go/reflected-xss]
--- a/java/ql/integration-tests/java/android-8-sample/settings.gradle
+++ b/java/ql/integration-tests/java/android-8-sample/settings.gradle
@@ -14,9 +14,7 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
    }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/android-sample-kotlin-build-script-no-wrapper/settings.gradle.kts
+++ b/java/ql/integration-tests/java/android-sample-kotlin-build-script-no-wrapper/settings.gradle.kts
@@ -14,9 +14,7 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        mavenCentral()
    }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        mavenCentral()
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/android-sample-kotlin-build-script/settings.gradle.kts
+++ b/java/ql/integration-tests/java/android-sample-kotlin-build-script/settings.gradle.kts
@@ -14,9 +14,7 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        mavenCentral()
    }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        mavenCentral()
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/android-sample-no-wrapper/settings.gradle
+++ b/java/ql/integration-tests/java/android-sample-no-wrapper/settings.gradle
@@ -14,9 +14,7 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
    }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script-no-wrapper/build.gradle.kts
+++ b/java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script-no-wrapper/build.gradle.kts
@@ -13,9 +13,7 @@ buildscript {

    repositories {
        google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        jcenter()
    }

    /**
@@ -41,8 +39,6 @@ buildscript {
 allprojects {
    repositories {
        google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        jcenter()
    }
 }
--- a/java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script/build.gradle.kts
+++ b/java/ql/integration-tests/java/android-sample-old-style-kotlin-build-script/build.gradle.kts
@@ -13,9 +13,7 @@ buildscript {

    repositories {
        google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        jcenter()
    }

    /**
@@ -41,8 +39,6 @@ buildscript {
 allprojects {
    repositories {
        google()
-        maven {
-            url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-        }
+        jcenter()
    }
 }
--- a/java/ql/integration-tests/java/android-sample-old-style-no-wrapper/build.gradle
+++ b/java/ql/integration-tests/java/android-sample-old-style-no-wrapper/build.gradle
@@ -13,9 +13,7 @@ buildscript {

    repositories {
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        jcenter()
    }

    /**
@@ -41,8 +39,6 @@ buildscript {
 allprojects {
    repositories {
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        jcenter()
    }
 }
--- a/java/ql/integration-tests/java/android-sample-old-style/build.gradle
+++ b/java/ql/integration-tests/java/android-sample-old-style/build.gradle
@@ -13,9 +13,7 @@ buildscript {

    repositories {
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        jcenter()
    }

    /**
@@ -34,15 +32,13 @@ buildscript {
 * dependencies used by all modules in your project, such as third-party plugins
 * or libraries. However, you should configure module-specific dependencies in
 * each module-level build.gradle file. For new projects, Android Studio
- * includes Maven Central and Google's Maven repository by default, but it does not
+ * includes JCenter and Google's Maven repository by default, but it does not
 * configure any dependencies (unless you select a template that requires some).
 */

 allprojects {
    repositories {
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        jcenter()
    }
 }
--- a/java/ql/integration-tests/java/android-sample/settings.gradle
+++ b/java/ql/integration-tests/java/android-sample/settings.gradle
@@ -14,9 +14,7 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
    }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/buildless-gradle-boms/build.gradle
+++ b/java/ql/integration-tests/java/buildless-gradle-boms/build.gradle
@@ -8,9 +8,7 @@
 apply plugin: 'java-library'

 repositories {
-  maven {
-    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-  }
+  mavenCentral()
 }

 dependencies {
--- a/java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-gradle-boms/buildless-fetches.expected
@@ -1,5 +1,5 @@
-https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/org/apiguardian/apiguardian-api/1.1.2/apiguardian-api-1.1.2.jar
+https://repo.maven.apache.org/maven2/org/junit/jupiter/junit-jupiter-api/5.12.1/junit-jupiter-api-5.12.1.jar
+https://repo.maven.apache.org/maven2/org/junit/platform/junit-platform-commons/1.12.1/junit-platform-commons-1.12.1.jar
+https://repo.maven.apache.org/maven2/org/opentest4j/opentest4j/1.3.0/opentest4j-1.3.0.jar
--- a/java/ql/integration-tests/java/buildless-gradle-classifiers/build.gradle
+++ b/java/ql/integration-tests/java/buildless-gradle-classifiers/build.gradle
@@ -8,9 +8,7 @@
 apply plugin: 'java-library'

 repositories {
-  maven {
-    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-  }
+  mavenCentral()
 }

 dependencies {
--- a/java/ql/integration-tests/java/buildless-gradle-classifiers/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-gradle-classifiers/buildless-fetches.expected
@@ -1,2 +1,2 @@
-https://maven-central.storage-download.googleapis.com/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/joda-time/joda-time/2.12.7/joda-time-2.12.7-no-tzdb.jar
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
--- a/java/ql/integration-tests/java/buildless-gradle-timeout/build.gradle
+++ b/java/ql/integration-tests/java/buildless-gradle-timeout/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/buildless-gradle/build.gradle
+++ b/java/ql/integration-tests/java/buildless-gradle/build.gradle
@@ -8,9 +8,7 @@
 apply plugin: 'java-library'

 repositories {
-  maven {
-    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-  }
+  mavenCentral()
 }

 dependencies {
--- a/java/ql/integration-tests/java/buildless-gradle/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-gradle/buildless-fetches.expected
@@ -1 +1 @@
-https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
--- a/java/ql/integration-tests/java/buildless-proxy-gradle/build.gradle
+++ b/java/ql/integration-tests/java/buildless-proxy-gradle/build.gradle
@@ -8,9 +8,7 @@
 apply plugin: 'java-library'

 repositories {
-  maven {
-    url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-  }
+  mavenCentral()
 }

 dependencies {
--- a/java/ql/integration-tests/java/buildless-proxy-gradle/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-proxy-gradle/buildless-fetches.expected
@@ -1 +1 @@
-https://maven-central.storage-download.googleapis.com/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
+https://repo.maven.apache.org/maven2/org/apache/commons/commons-math3/3.6.1/commons-math3-3.6.1.jar
--- a/java/ql/integration-tests/java/buildless-sibling-projects/buildless-fetches.expected
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/buildless-fetches.expected
@@ -1,7 +1,3 @@
-https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.11/junit-4.11.jar
-https://maven-central.storage-download.googleapis.com/maven2/junit/junit/4.12/junit-4.12.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
-https://maven-central.storage-download.googleapis.com/maven2/org/slf4j/slf4j-api/1.7.21/slf4j-api-1.7.21.jar
 https://repo.maven.apache.org/maven2/com/feiniaojin/naaf/naaf-graceful-response-example/1.0/naaf-graceful-response-example-1.0.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/avro-registry-in-source-tests/1.8/avro-registry-in-source-tests-1.8.jar
 https://repo.maven.apache.org/maven2/com/github/MoebiusSolutions/avro-registry-in-source/example-project/1.5/example-project-1.5.jar
@@ -13,7 +9,10 @@ https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-example_2.11/0.1.2/r
 https://repo.maven.apache.org/maven2/de/knutwalker/rx-redis-java-example_2.11/0.1.2/rx-redis-java-example_2.11-0.1.2.jar
 https://repo.maven.apache.org/maven2/io/github/scrollsyou/example-spring-boot-starter/1.0.0/example-spring-boot-starter-1.0.0.jar
 https://repo.maven.apache.org/maven2/io/streamnative/com/example/maven-central-template/server/3.0.0/server-3.0.0.jar
+https://repo.maven.apache.org/maven2/junit/junit/4.11/junit-4.11.jar
+https://repo.maven.apache.org/maven2/junit/junit/4.12/junit-4.12.jar
 https://repo.maven.apache.org/maven2/no/nav/security/token-validation-ktor-demo/3.1.0/token-validation-ktor-demo-3.1.0.jar
+https://repo.maven.apache.org/maven2/org/hamcrest/hamcrest-core/1.3/hamcrest-core-1.3.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-fileupload/0.5.10/minijax-example-fileupload-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-inject/0.5.10/minijax-example-inject-0.5.10.jar
 https://repo.maven.apache.org/maven2/org/minijax/minijax-example-json/0.5.10/minijax-example-json-0.5.10.jar
--- a/java/ql/integration-tests/java/buildless-sibling-projects/diagnostics.expected
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/diagnostics.expected
@@ -98,7 +98,7 @@
  }
 }
 {
-  "markdownMessage": "Reading the dependency graph from build files provided 4 classpath entries",
+  "markdownMessage": "Reading the dependency graph from build files provided 3 classpath entries",
  "severity": "unknown",
  "source": {
    "extractorName": "java",
@@ -111,3 +111,31 @@
    "telemetry": true
  }
 }
+{
+  "markdownMessage": "Running the Gradle plugin `org.gradle:github-dependency-graph-gradle-plugin` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/github-dependency-graph-gradle-plugin-failed",
+    "name": "Java analysis failed to extract a dependency graph from Gradle"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
+{
+  "markdownMessage": "Running the Gradle plugin `org.gradle:github-dependency-graph-gradle-plugin` failed. This means precise dependency information will be unavailable, and so dependencies will be guessed based on Java package names. Consider investigating why this plugin fails to run.",
+  "severity": "note",
+  "source": {
+    "extractorName": "java",
+    "id": "java/autobuilder/buildless/github-dependency-graph-gradle-plugin-failed",
+    "name": "Java analysis failed to extract a dependency graph from Gradle"
+  },
+  "visibility": {
+    "cliSummaryTable": true,
+    "statusPage": true,
+    "telemetry": true
+  }
+}
--- a/java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample/build.gradle
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample2/build.gradle
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/gradle-sample2/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/buildless-sibling-projects/settings.xml
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/settings.xml
@@ -1,10 +0,0 @@
-<settings>
-  <mirrors>
-    <mirror>
-      <id>google-maven-central</id>
-      <name>GCS Maven Central mirror</name>
-      <url>https://maven-central.storage-download.googleapis.com/maven2/</url>
-      <mirrorOf>central</mirrorOf>
-    </mirror>
-  </mirrors>
-</settings>
--- a/java/ql/integration-tests/java/buildless-sibling-projects/source_archive.expected
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/source_archive.expected
@@ -26,5 +26,4 @@ maven-project-2/src/main/resources/my-app.properties
 maven-project-2/src/main/resources/page.xml
 maven-project-2/src/main/resources/struts.xml
 maven-project-2/src/test/java/com/example/AppTest4.java
-settings.xml
 test-db/working/settings.xml
--- a/java/ql/integration-tests/java/buildless-sibling-projects/test.py
+++ b/java/ql/integration-tests/java/buildless-sibling-projects/test.py
@@ -1,5 +1,3 @@
-import os
-
 def test(codeql, use_java_11, java, actions_toolchains_file, check_diagnostics_java):
    # The version of gradle used doesn't work on java 17
    codeql.database.create(
@@ -7,6 +5,5 @@ def test(codeql, use_java_11, java, actions_toolchains_file, check_diagnostics_j
            "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS": "true",
            "CODEQL_EXTRACTOR_JAVA_OPTION_BUILDLESS_CLASSPATH_FROM_BUILD_FILES": "true",
            "LGTM_INDEX_MAVEN_TOOLCHAINS_FILE": str(actions_toolchains_file),
-            "LGTM_INDEX_MAVEN_SETTINGS_FILE": os.path.join(os.path.dirname(os.path.realpath(__file__)), "settings.xml"),
        }
    )
--- a/java/ql/integration-tests/java/diagnostics/android-gradle-incompatibility/settings.gradle
+++ b/java/ql/integration-tests/java/diagnostics/android-gradle-incompatibility/settings.gradle
@@ -14,9 +14,7 @@ pluginManagement {
    repositories {
        gradlePluginPortal()
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
    }
 }
 dependencyResolutionManagement {
@@ -35,9 +33,7 @@ dependencyResolutionManagement {
    repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS)
    repositories {
        google()
-        maven {
-            url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-        }
+        mavenCentral()
    }
 }
 rootProject.name = "Android Sample"
--- a/java/ql/integration-tests/java/diagnostics/java-version-too-old/build.gradle
+++ b/java/ql/integration-tests/java/diagnostics/java-version-too-old/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/diagnostics/no-gradle-wrapper/build.gradle
+++ b/java/ql/integration-tests/java/diagnostics/no-gradle-wrapper/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/gradle-sample-kotlin-script/app/build.gradle.kts
+++ b/java/ql/integration-tests/java/gradle-sample-kotlin-script/app/build.gradle.kts
@@ -12,9 +12,8 @@ plugins {
 }

 repositories {
-    maven {
-        url = uri("https://maven-central.storage-download.googleapis.com/maven2/")
-    }
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
 }

 dependencies {
--- a/java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/build.gradle
+++ b/java/ql/integration-tests/java/gradle-sample-without-wrapper-or-gradle-buildless/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/gradle-sample/build.gradle
+++ b/java/ql/integration-tests/java/gradle-sample/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/partial-gradle-sample-without-gradle/build.gradle
+++ b/java/ql/integration-tests/java/partial-gradle-sample-without-gradle/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/partial-gradle-sample/build.gradle
+++ b/java/ql/integration-tests/java/partial-gradle-sample/build.gradle
@@ -12,9 +12,9 @@ apply plugin: 'java'

 // In this section you declare where to find the dependencies of your project
 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use 'jcenter' for resolving your dependencies.
+    // You can declare any Maven/Ivy/file repository here.
+    jcenter()
 }

 // In this section you declare the dependencies for your production and test code
--- a/java/ql/integration-tests/java/spring-boot-sample/build.gradle
+++ b/java/ql/integration-tests/java/spring-boot-sample/build.gradle
@@ -11,9 +11,7 @@ version = '0.0.1-SNAPSHOT'
 // but I omit it to test we recognise the Spring Boot plugin version.

 repositories {
-	maven {
-		url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-	}
+	mavenCentral()
 }

 dependencies {
--- a/java/ql/integration-tests/kotlin/all-platforms/compiler_arguments/app/build.gradle
+++ b/java/ql/integration-tests/kotlin/all-platforms/compiler_arguments/app/build.gradle
@@ -15,9 +15,8 @@ plugins {
 }

 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
 }

 application {
--- a/java/ql/integration-tests/kotlin/all-platforms/gradle_groovy_app/app/build.gradle
+++ b/java/ql/integration-tests/kotlin/all-platforms/gradle_groovy_app/app/build.gradle
@@ -15,9 +15,8 @@ plugins {
 }

 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
 }

 application {
--- a/java/ql/integration-tests/kotlin/all-platforms/gradle_kotlinx_serialization/app/build.gradle
+++ b/java/ql/integration-tests/kotlin/all-platforms/gradle_kotlinx_serialization/app/build.gradle
@@ -4,9 +4,7 @@ plugins {
 }

 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    mavenCentral()
 }

 dependencies {
--- a/java/ql/integration-tests/kotlin/all-platforms/kotlin_kfunction/app/build.gradle
+++ b/java/ql/integration-tests/kotlin/all-platforms/kotlin_kfunction/app/build.gradle
@@ -15,9 +15,8 @@ plugins {
 }

 repositories {
-    maven {
-        url = 'https://maven-central.storage-download.googleapis.com/maven2/'
-    }
+    // Use Maven Central for resolving dependencies.
+    mavenCentral()
 }

 application {
--- a/java/ql/lib/qlpack.yml
+++ b/java/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-all
-version: 9.2.1-dev
+version: 9.2.0
 groups: java
 dbscheme: config/semmlecode.dbscheme
 extractor: java
--- a/java/ql/src/qlpack.yml
+++ b/java/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/java-queries
-version: 1.11.6-dev
+version: 1.11.5
 groups:
  - java
  - queries
--- a/javascript/ql/lib/change-notes/2026-06-22-angular-hostlistener-postmessage.md
+++ b/javascript/ql/lib/change-notes/2026-06-22-angular-hostlistener-postmessage.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* Added support for Angular's `@HostListener('window:message', ...)` and `@HostListener('document:message', ...)` decorators as `postMessage` event handlers. The decorated method's event parameter is now recognized as a client-side remote flow source, and is considered by the `js/missing-origin-check` query.
--- a/javascript/ql/lib/qlpack.yml
+++ b/javascript/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-all
-version: 2.8.1-dev
+version: 2.8.0
 groups: javascript
 dbscheme: semmlecode.javascript.dbscheme
 extractor: javascript
--- a/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
+++ b/javascript/ql/lib/semmle/javascript/security/dataflow/DOM.qll
@@ -195,18 +195,6 @@ class PostMessageEventHandler extends Function {
      rhs = DataFlow::globalObjectRef().getAPropertyWrite("onmessage").getRhs() and
      rhs.getABoundFunctionValue(paramIndex).getFunction() = this
    )
-    or
-    // Angular's `@HostListener('window:message', ['$event'])` decorator registers
-    // a method as a `message` event handler on the global `window` or `document`
-    // target.  The decorated method receives the `MessageEvent` as its first
-    // parameter, so it is equivalent to `window.addEventListener('message', ...)`.
-    exists(MethodDefinition method, DataFlow::CallNode decorator |
-      decorator = DataFlow::moduleMember("@angular/core", "HostListener").getACall() and
-      decorator = method.getADecorator().getExpression().flow() and
-      decorator.getArgument(0).mayHaveStringValue(["window:message", "document:message"]) and
-      method.getBody() = this and
-      paramIndex = 0
-    )
  }

  /**
--- a/javascript/ql/src/qlpack.yml
+++ b/javascript/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/javascript-queries
-version: 2.4.1-dev
+version: 2.4.0
 groups:
  - javascript
  - queries
--- a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/Angular.ts
+++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/Angular.ts
@@ -1,29 +0,0 @@
-import { Component, HostListener } from '@angular/core';
-
-@Component({ selector: 'app-root' })
-class AngularComponent {
-  // Angular registers this as a `window` message handler via the decorator,
-  // equivalent to `window.addEventListener('message', ...)`.
-  @HostListener('window:message', ['$event'])
-  onWindowMessage(event: MessageEvent): void { // $ Alert - no origin check
-    eval(event.data);
-  }
-
-  @HostListener('document:message', ['$event'])
-  onDocumentMessage(event: MessageEvent): void { // $ Alert - no origin check
-    eval(event.data);
-  }
-
-  @HostListener('window:message', ['$event'])
-  onCheckedMessage(event: MessageEvent): void { // OK - has an origin check
-    if (event.origin === 'https://www.example.com') {
-      eval(event.data);
-    }
-  }
-
-  // Not a message event, so it is not a postMessage handler.
-  @HostListener('window:resize', ['$event'])
-  onResize(event: MessageEvent): void { // OK - not a message handler
-    eval(event.data);
-  }
-}
--- a/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/MissingOriginCheck.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-020/MissingOriginCheck/MissingOriginCheck.expected
@@ -1,5 +1,3 @@
-| Angular.ts:8:19:8:23 | event | Postmessage handler has no origin check. |
-| Angular.ts:13:21:13:25 | event | Postmessage handler has no origin check. |
 | tst.js:11:20:11:24 | event | Postmessage handler has no origin check. |
 | tst.js:24:27:24:27 | e | Postmessage handler has no origin check. |
 | tst.js:40:27:40:27 | e | Postmessage handler has no origin check. |
--- a/misc/suite-helpers/qlpack.yml
+++ b/misc/suite-helpers/qlpack.yml
@@ -1,4 +1,4 @@
 name: codeql/suite-helpers
-version: 1.0.53-dev
+version: 1.0.52
 groups: shared
 warnOnImplicitThis: true
--- a/python/ql/consistency-queries/CfgConsistency.ql
+++ b/python/ql/consistency-queries/CfgConsistency.ql
@@ -1,2 +0,0 @@
-import semmle.python.controlflow.internal.AstNodeImpl
-import ControlFlow::Consistency
--- a/python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md
+++ b/python/ql/lib/change-notes/2026-05-19-add-shared-cfg.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* A new Python control flow graph implementation has been added under `semmle.python.controlflow.internal.Cfg` (backed by `AstNodeImpl.qll`), built on the shared `codeql.controlflow.ControlFlowGraph` library. It is not yet used by the dataflow library or any production query; the legacy CFG in `semmle/python/Flow.qll` remains the default. The new library is exposed for tests and for upcoming migrations.
--- a/python/ql/lib/change-notes/2026-05-19-flask-subclasses.md
+++ b/python/ql/lib/change-notes/2026-05-19-flask-subclasses.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* `Flask::FlaskApp::instance()` will now also return instances of subclasses defined in the source tree. Previously, these were filtered out. `Flask::FlaskApp::classRef()` has been deprecated in favor of `Flask::FlaskApp::subclassRef()` since it already returned some subclasses.
--- a/python/ql/lib/change-notes/2026-06-04-cfg-parameter-annotations.md
+++ b/python/ql/lib/change-notes/2026-06-04-cfg-parameter-annotations.md
@@ -1,4 +0,0 @@
---
-category: minorAnalysis
---
-* The new (shared-CFG-based) Python control flow graph now visits parameter and return type annotations as CFG nodes for function definitions, matching the legacy CFG. This restores annotation-based type tracking through framework models such as FastAPI's `Depends()`, Pydantic request models, Starlette `WebSocket` handlers, and any other models that flow a class reference through `Parameter.getAnnotation()` to identify instances of the annotated class.
--- a/python/ql/lib/printCfgNew.ql
+++ b/python/ql/lib/printCfgNew.ql
@@ -1,45 +0,0 @@
-/**
- * @name Print CFG (New)
- * @description Produces a representation of a file's Control Flow Graph
- *              using the new shared control flow library.
- *              This query is used by the VS Code extension.
- * @id python/print-cfg
- * @kind graph
- * @tags ide-contextual-queries/print-cfg
- */
-
-private import python as Py
-import semmle.python.controlflow.internal.AstNodeImpl
-
-external string selectedSourceFile();
-
-private predicate selectedSourceFileAlias = selectedSourceFile/0;
-
-external int selectedSourceLine();
-
-private predicate selectedSourceLineAlias = selectedSourceLine/0;
-
-external int selectedSourceColumn();
-
-private predicate selectedSourceColumnAlias = selectedSourceColumn/0;
-
-module ViewCfgQueryInput implements ControlFlow::ViewCfgQueryInputSig<Py::File> {
-  predicate selectedSourceFile = selectedSourceFileAlias/0;
-
-  predicate selectedSourceLine = selectedSourceLineAlias/0;
-
-  predicate selectedSourceColumn = selectedSourceColumnAlias/0;
-
-  predicate cfgScopeSpan(
-    Ast::Callable callable, Py::File file, int startLine, int startColumn, int endLine,
-    int endColumn
-  ) {
-    exists(Py::Scope scope |
-      scope = callable.asScope() and
-      file = scope.getLocation().getFile() and
-      scope.getLocation().hasLocationInfo(_, startLine, startColumn, endLine, endColumn)
-    )
-  }
-}
-
-import ControlFlow::ViewCfgQuery<Py::File, ViewCfgQueryInput>
--- a/python/ql/lib/qlpack.yml
+++ b/python/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-all
-version: 7.2.1-dev
+version: 7.2.0
 groups: python
 dbscheme: semmlecode.python.dbscheme
 extractor: python
--- a/python/ql/lib/semmle/python/controlflow/internal/AstNodeImpl.qll
+++ b/python/ql/lib/semmle/python/controlflow/internal/AstNodeImpl.qll
--- a/python/ql/lib/semmle/python/controlflow/internal/Cfg.qll
+++ b/python/ql/lib/semmle/python/controlflow/internal/Cfg.qll
--- a/python/ql/lib/semmle/python/frameworks/Flask.qll
+++ b/python/ql/lib/semmle/python/frameworks/Flask.qll
@@ -71,21 +71,14 @@ module Flask {
   * See https://flask.palletsprojects.com/en/1.1.x/api/#flask.Flask.
   */
  module FlaskApp {
-    /**
-     * Gets a reference to the `flask.Flask` class or any subclass.
-     *
-     * Deprecated: Use `subclassRef()` instead, this predicate always returned some subclasses.
-     */
-    deprecated API::Node classRef() { result = subclassRef() }
-
-    /** Gets a reference to the `flask.Flask` class or any subclass. */
-    API::Node subclassRef() {
-      result = API::moduleImport("flask").getMember("Flask").getASubclass*() or
+    /** Gets a reference to the `flask.Flask` class. */
+    API::Node classRef() {
+      result = API::moduleImport("flask").getMember("Flask") or
      result = ModelOutput::getATypeNode("flask.Flask~Subclass").getASubclass*()
    }

    /** Gets a reference to an instance of `flask.Flask` (a flask application). */
-    API::Node instance() { result = subclassRef().getReturn() }
+    API::Node instance() { result = classRef().getReturn() }
  }

  /**
@@ -139,7 +132,7 @@ module Flask {
    API::Node classRef() {
      result = API::moduleImport("flask").getMember("Response")
      or
-      result = [FlaskApp::subclassRef(), FlaskApp::instance()].getMember("response_class")
+      result = [FlaskApp::classRef(), FlaskApp::instance()].getMember("response_class")
      or
      result = ModelOutput::getATypeNode("flask.Response~Subclass").getASubclass*()
    }
--- a/python/ql/src/meta/ClassHierarchy/Find.ql
+++ b/python/ql/src/meta/ClassHierarchy/Find.ql
@@ -351,7 +351,7 @@ class DjangoHttpRequest extends FindSubclassesSpec {
 class FlaskClass extends FindSubclassesSpec {
  FlaskClass() { this = "flask.Flask~Subclass" }

-  override API::Node getAlreadyModeledClass() { result = Flask::FlaskApp::subclassRef() }
+  override API::Node getAlreadyModeledClass() { result = Flask::FlaskApp::classRef() }
 }

 class FlaskBlueprint extends FindSubclassesSpec {
--- a/python/ql/src/qlpack.yml
+++ b/python/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/python-queries
-version: 1.8.6-dev
+version: 1.8.5
 groups:
  - python
  - queries
--- a/python/ql/test/experimental/meta/InlineInstanceTest.qll
+++ b/python/ql/test/experimental/meta/InlineInstanceTest.qll
@@ -1,29 +0,0 @@
-/**
- * Defines an InlineExpectationsTest for class instances, that is,
- * for any API::Node that is an instance of a class (e.g. `Flask`).
- */
-
-import python
-import semmle.python.ApiGraphs
-import utils.test.InlineExpectationsTest
-private import semmle.python.dataflow.new.internal.PrintNode
-
-signature API::Node getInstanceSig();
-
-module MakeInlineInstanceTest<getInstanceSig/0 getInstance> {
-  private module InlineInstanceTest implements TestSig {
-    string getARelevantTag() { result = "instance" }
-
-    predicate hasActualResult(Location location, string element, string tag, string value) {
-      exists(location.getFile().getRelativePath()) and
-      exists(API::Node instance | instance = getInstance() |
-        location = instance.getLocation() and
-        element = prettyNode(instance.asSource()) and
-        value = "" and
-        tag = "instance"
-      )
-    }
-  }
-
-  import MakeTest<InlineInstanceTest>
-}
--- a/python/ql/test/extractor-tests/syntax_error/CONSISTENCY/CfgConsistency.expected
+++ b/python/ql/test/extractor-tests/syntax_error/CONSISTENCY/CfgConsistency.expected
@@ -1,4 +0,0 @@
-consistencyOverview
-| deadEnd | 1 |
-deadEnd
-| without_loop.py:7:5:7:9 | Break |
--- a/python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.expected
+++ b/python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.expected
--- a/python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.ql
+++ b/python/ql/test/library-tests/ControlFlow/bindings/BindingsTest.ql
@@ -1,32 +0,0 @@
-/**
- * Phase -1 of the dataflow CFG migration: verifies that every variable
- * binding visible to the AST (`Name.defines(v)`) corresponds to a CFG node
- * in the new CFG (`semmle.python.controlflow.internal.AstNodeImpl`).
- *
- * The expected tag is `cfgdefines=<name>`. Each binding annotation in the
- * test sources looks like `# $ cfgdefines=x` for a binding currently
- * covered by the new CFG, or `# $ MISSING: cfgdefines=x` for a binding
- * that is known to be uncovered (a "red" test case that should be
- * green-flipped once the corresponding `cfg-ext-*` extension lands).
- */
-
-import python
-import semmle.python.controlflow.internal.AstNodeImpl as CfgImpl
-import utils.test.InlineExpectationsTest
-
-module CfgBindingsTest implements TestSig {
-  string getARelevantTag() { result = "cfgdefines" }
-
-  predicate hasActualResult(Location location, string element, string tag, string value) {
-    exists(Name n, Variable v, CfgImpl::ControlFlowNode cfg |
-      n.defines(v) and
-      cfg.getAstNode().asExpr() = n and
-      location = n.getLocation() and
-      element = n.toString() and
-      tag = "cfgdefines" and
-      value = v.getId()
-    )
-  }
-}
-
-import MakeTest<CfgBindingsTest>
--- a/python/ql/test/library-tests/ControlFlow/bindings/annassign.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/annassign.py
@@ -1,13 +0,0 @@
-# Annotated assignment (PEP 526). Both with and without an initializer.
-
-a: int = 1  # $ cfgdefines=a
-b: str = "hi"  # $ cfgdefines=b
-
-# Annotation without value: the AST records `c` as defined,
-# and the new CFG now visits it via the AnnAssignStmt wrapper.
-c: int  # $ cfgdefines=c
-
-class K:  # $ cfgdefines=K
-    field: int = 0  # $ cfgdefines=field
-
-
--- a/python/ql/test/library-tests/ControlFlow/bindings/compound.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/compound.py
@@ -1,14 +0,0 @@
-# Compound (tuple/list) assignment targets — actually wired in the new CFG.
-
-a, b = (1, 2)  # $ cfgdefines=a cfgdefines=b
-[c, d] = [3, 4]  # $ cfgdefines=c cfgdefines=d
-
-# Nested unpacking.
-(e, (f, g)) = (1, (2, 3))  # $ cfgdefines=e cfgdefines=f cfgdefines=g
-
-# Star unpacking.
-h, *i = [1, 2, 3]  # $ cfgdefines=h cfgdefines=i
-
-# Chained assignment with compound target.
-j = k, l = (5, 6)  # $ cfgdefines=j cfgdefines=k cfgdefines=l
-
--- a/python/ql/test/library-tests/ControlFlow/bindings/comprehension.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/comprehension.py
@@ -1,21 +0,0 @@
-# Comprehension and `for` loop targets — wired in the new CFG.
-# Comprehensions are nested function scopes with a synthetic `.0` parameter
-# bound to the iterable.
-
-# Bare-name `for` target.
-for i in range(3):  # $ cfgdefines=i
-    pass
-
-# Compound `for` target.
-for k, v in [(1, 2)]:  # $ cfgdefines=k cfgdefines=v
-    pass
-
-# Comprehension targets.
-_ = [x for x in range(3)]  # $ cfgdefines=_ cfgdefines=x cfgdefines=.0
-_ = {y: z for y, z in []}  # $ cfgdefines=_ cfgdefines=y cfgdefines=z cfgdefines=.0
-_ = (a for a in [])  # $ cfgdefines=_ cfgdefines=a cfgdefines=.0
-
-# Nested comprehensions.
-_ = [b for c in [] for b in c]  # $ cfgdefines=_ cfgdefines=c cfgdefines=b cfgdefines=.0
-
-
--- a/python/ql/test/library-tests/ControlFlow/bindings/dead_under_no_raise.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/dead_under_no_raise.py
@@ -1,53 +0,0 @@
-# Reachability of code following a try whose body always returns.
-#
-# The new CFG models exception edges for raise-prone expressions when
-# they appear inside a `try` (or `with`) statement, mirroring Java's
-# `mayThrow`. This means the body of a `try` has both a normal
-# completion edge and an exception edge to its handlers, so code
-# following the try-statement is reachable via the except-handler path
-# even when the try-body would otherwise always return.
-#
-# Code that is not reachable under either normal or exception flow
-# (for example, the `else` clause of a try whose body unconditionally
-# raises) remains correctly classified as dead.
-
-
-def f(obj):  # $ cfgdefines=f cfgdefines=obj
-    try:
-        return len(obj)
-    except TypeError:
-        pass
-
-    # The try-body always returns, but `len(obj)` can raise (it is
-    # inside the try, so we model its exception edge). The
-    # `except TypeError: pass` handler falls through to here, making
-    # the code below reachable.
-    try:
-        hint = type(obj).__length_hint__  # $ cfgdefines=hint
-    except AttributeError:
-        return None
-    return hint
-
-
-def g():  # $ cfgdefines=g
-    try:
-        raise Exception("inner")
-    except:
-        raise Exception("outer")
-    else:
-        # Unreachable: the inner try body always raises (via an explicit
-        # `raise`, which is modelled unconditionally), so the `else:`
-        # clause never runs.
-        hit_inner_else = True
-
-
-def h(cache, key):  # $ cfgdefines=h cfgdefines=cache cfgdefines=key
-    try:
-        return cache[key]
-    except KeyError:
-        pass
-
-    # Same pattern as `f`: reachable via the except-handler fall-through.
-    value = compute(key)  # $ cfgdefines=value
-    cache[key] = value
-    return value
--- a/python/ql/test/library-tests/ControlFlow/bindings/decorated.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/decorated.py
@@ -1,30 +0,0 @@
-# Decorated `def`/`class` — wired in the new CFG.
-
-
-def deco(f):  # $ cfgdefines=deco cfgdefines=f
-    return f
-
-
-@deco
-def decorated_func():  # $ cfgdefines=decorated_func
-    pass
-
-
-@deco
-class DecoratedClass:  # $ cfgdefines=DecoratedClass
-    pass
-
-
-# Stacked decorators.
-@deco
-@deco
-def doubly():  # $ cfgdefines=doubly
-    pass
-
-
-# Inside a class body.
-class Outer:  # $ cfgdefines=Outer
-    @staticmethod
-    def inner():  # $ cfgdefines=inner
-        pass
-
--- a/python/ql/test/library-tests/ControlFlow/bindings/except_handler.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/except_handler.py
@@ -1,19 +0,0 @@
-# Exception-handler name bindings. These are already wired in the new
-# CFG provided the try body can raise; `raise` statements are reliably
-# treated as exception sources.
-
-try:
-    raise ValueError("oops")
-except ValueError as e:  # $ cfgdefines=e
-    pass
-
-try:
-    raise TypeError("oops")
-except (TypeError, KeyError) as err:  # $ cfgdefines=err
-    pass
-
-# Exception groups (Python 3.11+).
-try:
-    raise ValueError("oops")
-except* ValueError as eg:  # $ cfgdefines=eg
-    pass
--- a/python/ql/test/library-tests/ControlFlow/bindings/imports.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/imports.py
@@ -1,14 +0,0 @@
-# Import aliases — all bound names below are now reachable via the new
-# CFG's `ImportStmt` wrapper.
-
-import os  # $ cfgdefines=os
-import os.path  # $ cfgdefines=os
-import os as o  # $ cfgdefines=o
-from os import path  # $ cfgdefines=path
-from os import path as p  # $ cfgdefines=p
-from os import sep, linesep  # $ cfgdefines=sep cfgdefines=linesep
-from os import (
-    getcwd,  # $ cfgdefines=getcwd
-    getcwdb,  # $ cfgdefines=getcwdb
-)
-
--- a/python/ql/test/library-tests/ControlFlow/bindings/match_pattern.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/match_pattern.py
@@ -1,24 +0,0 @@
-# Match-statement pattern bindings — wired in the new CFG.
-
-def f(subject):  # $ cfgdefines=f cfgdefines=subject
-    match subject:
-        case x:  # $ cfgdefines=x
-            pass
-        case [a, b]:  # $ cfgdefines=a cfgdefines=b
-            pass
-        case {"k": v}:  # $ cfgdefines=v
-            pass
-        case Point(p, q):  # $ cfgdefines=p cfgdefines=q
-            pass
-        case [_, *rest]:  # $ cfgdefines=rest
-            pass
-        case (1 | 2) as n:  # $ cfgdefines=n
-            pass
-
-
-class Point:  # $ cfgdefines=Point
-    __match_args__ = ("x", "y")  # $ cfgdefines=__match_args__
-    x: int  # $ cfgdefines=x
-    y: int  # $ cfgdefines=y
-
-
--- a/python/ql/test/library-tests/ControlFlow/bindings/parameters.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/parameters.py
@@ -1,42 +0,0 @@
-# Function parameters.
-
-def positional(a, b):  # $ cfgdefines=positional cfgdefines=a cfgdefines=b
-    pass
-
-
-def with_default(x=1, y=2):  # $ cfgdefines=with_default cfgdefines=x cfgdefines=y
-    pass
-
-
-def with_vararg(*args):  # $ cfgdefines=with_vararg cfgdefines=args
-    pass
-
-
-def with_kwarg(**kwargs):  # $ cfgdefines=with_kwarg cfgdefines=kwargs
-    pass
-
-
-def with_kwonly(*, k1, k2=5):  # $ cfgdefines=with_kwonly cfgdefines=k1 cfgdefines=k2
-    pass
-
-
-def kitchen_sink(a, b=2, *args, k1, k2=5, **kw):  # $ cfgdefines=kitchen_sink cfgdefines=a cfgdefines=b cfgdefines=args cfgdefines=k1 cfgdefines=k2 cfgdefines=kw
-    pass
-
-
-# Methods get `self` / `cls`.
-class C:  # $ cfgdefines=C
-    def method(self, x):  # $ cfgdefines=method cfgdefines=self cfgdefines=x
-        pass
-
-    @classmethod
-    def cmethod(cls, x):  # $ cfgdefines=cmethod cfgdefines=cls cfgdefines=x
-        pass
-
-
-# Lambda parameter.
-_ = lambda p: p + 1  # $ cfgdefines=_ cfgdefines=p
-
-# PEP 570 positional-only.
-def pos_only(a, b, /, c):  # $ cfgdefines=pos_only cfgdefines=a cfgdefines=b cfgdefines=c
-    pass
--- a/python/ql/test/library-tests/ControlFlow/bindings/simple.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/simple.py
@@ -1,14 +0,0 @@
-# Simple bindings that should already work in the new CFG.
-# No MISSING annotations expected.
-
-x = 1  # $ cfgdefines=x
-y = x + 1  # $ cfgdefines=y
-
-def f():  # $ cfgdefines=f
-    pass
-
-class C:  # $ cfgdefines=C
-    pass
-
-# Re-assignment.
-x = 2  # $ cfgdefines=x
--- a/python/ql/test/library-tests/ControlFlow/bindings/type_params.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/type_params.py
@@ -1,21 +0,0 @@
-# PEP 695 type parameters (Python 3.12+).
-
-# PEP 695 type-param names on `def`/`class` bind in an annotation scope
-# that nests the function/class body — they have no CFG node in the
-# enclosing scope (matching the legacy CFG).
-def func[T](x: T) -> T:  # $ cfgdefines=func cfgdefines=x
-    return x
-
-
-class Box[T]:  # $ cfgdefines=Box
-    item: T  # $ cfgdefines=item
-
-
-# Multi-parameter, with bound and variadics.
-def multi[T: int, *Ts, **P](x: T, *args: *Ts, **kwargs: P.kwargs) -> T:  # $ cfgdefines=multi cfgdefines=x cfgdefines=args cfgdefines=kwargs
-    return x
-
-
-# `type` statement (PEP 695).
-type Alias[T] = list[T]  # $ cfgdefines=Alias cfgdefines=T
-
--- a/python/ql/test/library-tests/ControlFlow/bindings/walrus_starred.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/walrus_starred.py
@@ -1,14 +0,0 @@
-# Walrus and starred-target edge cases — wired in the new CFG.
-
-# Walrus in expression context.
-if (y := 5) > 0:  # $ cfgdefines=y
-    pass
-
-# Walrus in a comprehension. The comprehension introduces a synthetic
-# `.0` parameter bound to the iterable.
-_ = [w for _ in range(3) if (w := 1)]  # $ cfgdefines=_ cfgdefines=w cfgdefines=.0
-
-# Starred target in a Tuple LHS.
-*head, tail = [1, 2, 3]  # $ cfgdefines=head cfgdefines=tail
-
-
--- a/python/ql/test/library-tests/ControlFlow/bindings/with_stmt.py
+++ b/python/ql/test/library-tests/ControlFlow/bindings/with_stmt.py
@@ -1,21 +0,0 @@
-# `with cm() as x:` bindings — wired in the new CFG.
-
-class CM:  # $ cfgdefines=CM
-    def __enter__(self): return self  # $ cfgdefines=__enter__ cfgdefines=self
-    def __exit__(self, *a): pass  # $ cfgdefines=__exit__ cfgdefines=self cfgdefines=a
-
-with CM() as x:  # $ cfgdefines=x
-    pass
-
-# Multiple items.
-with CM() as a, CM() as b:  # $ cfgdefines=a cfgdefines=b
-    pass
-
-# Parenthesised form (Python 3.10+).
-with (CM() as p, CM() as q):  # $ cfgdefines=p cfgdefines=q
-    pass
-
-# Compound target in `with`.
-with CM() as (m, n):  # $ cfgdefines=m cfgdefines=n
-    pass
-
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAllLiveReachable.ql
@@ -1,14 +0,0 @@
-/** New-CFG version of AllLiveReachable. */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, TestFunction f
-where allLiveReachable(a, f)
-select a, "Unreachable live annotation; entry of $@ does not reach this node", f, f.getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.expected
@@ -1 +0,0 @@
-
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgAnnotationHasCfgNode.ql
@@ -1,18 +0,0 @@
-/**
- * New-CFG version of AnnotationHasCfgNode.
- *
- * Checks that every timer annotation has a corresponding CFG node.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils::CfgTests
-
-from TimerAnnotation ann
-where annotationWithoutCfgNode(ann)
-select ann, "Annotation in $@ has no CFG node", ann.getTestFunction(),
-  ann.getTestFunction().getName()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockAnnotationGap.ql
@@ -1,26 +0,0 @@
-/**
- * New-CFG version of BasicBlockAnnotationGap.
- *
- * Original:
- * Checks that within a basic block, if a node is annotated then its
- * successor is also annotated (or excluded). A gap in annotations
- * within a basic block indicates a missing annotation, since there
- * are no branches to justify the gap.
- *
- * Nodes with exceptional successors are excluded, as the exception
- * edge leaves the basic block and the normal successor may be dead.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, CfgNode succ
-where basicBlockAnnotationGap(a, succ)
-select a, "Annotated node followed by unannotated $@ in the same basic block", succ,
-  succ.getNode().toString()
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.expected
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.expected
--- a/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.ql
+++ b/python/ql/test/library-tests/ControlFlow/evaluation-order/NewCfgBasicBlockOrdering.ql
@@ -1,21 +0,0 @@
-/**
- * New-CFG version of BasicBlockOrdering.
- *
- * Original:
- * Checks that within a single basic block, annotations appear in
- * increasing minimum-timestamp order.
- */
-
-import python
-import TimerUtils
-import NewCfgImpl
-
-private module Utils = EvalOrderCfgUtils<NewCfg>;
-
-private import Utils
-private import Utils::CfgTests
-
-from TimerCfgNode a, TimerCfgNode b, int minA, int minB
-where basicBlockOrdering(a, b, minA, minB)
-select a, "Basic block ordering: $@ appears before $@", a.getTimestampExpr(minA),
-  "timestamp " + minA, b.getTimestampExpr(minB), "timestamp " + minB
--- a/Show More
+++ b/Show More