update codeql documentation

Update CSV framework coverage reports

config/identical-files.json

@@ -11,10 +11,6 @@
     "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
   ],
-  "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
-  ],
   "ModulusAnalysis Java/C#": [
     "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
     "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"

csharp/ql/lib/qlpack.yml

@@ -9,6 +9,7 @@ dependencies:
   codeql/controlflow: ${workspace}
   codeql/dataflow: ${workspace}
   codeql/mad: ${workspace}
+  codeql/rangeanalysis: ${workspace}
   codeql/ssa: ${workspace}
   codeql/threat-models: ${workspace}
   codeql/tutorial: ${workspace}

csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll

@@ -4,67 +4,31 @@
 overlay[local?]
 module;
 
-private import internal.rangeanalysis.BoundSpecific
+private import csharp as CS
+private import semmle.code.csharp.dataflow.SSA::Ssa
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
+private import codeql.rangeanalysis.Bound as SharedBound
 
-private newtype TBound =
-  TBoundZero() or
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
-  TBoundExpr(Expr e) {
-    interestingExprBound(e) and
-    not exists(SsaVariable v | e = v.getAUse())
-  }
+/** Provides C#-specific definitions for bounds. */
+private module BoundDefs implements SharedBound::BoundDefinitions<CS::Location> {
+  class Type = CS::Type;
 
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
+  class SsaVariable = SU::SsaVariable;
 
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Expr getExpr(int delta);
+  class SsaSourceVariable = SourceVariable;
 
-  /** Gets an expression that equals this bound. */
-  Expr getExpr() { result = this.getExpr(0) }
+  class Expr = CS::ControlFlowNodes::ExprNode;
 
-  /** Gets the location of this bound. */
-  abstract Location getLocation();
+  class IntegralType = CS::IntegralType;
+
+  class ConstantIntegerExpr = CU::ConstantIntegerExpr;
+
+  /** Holds if `e` is a bound expression and it is not an SSA variable read. */
+  predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }
 }
 
-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
+module BoundImpl = SharedBound::Bound<CS::Location, BoundDefs>;
 
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
-
-  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = this.getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }
-
-  override Location getLocation() { result = this.getSsa().getLocation() }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = this.getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}
+import BoundImpl

csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -1,22 +0,0 @@
-/**
- * Provides C#-specific definitions for bounds.
- */
-
-private import csharp as CS
-private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
-
-class SsaVariable = SU::SsaVariable;
-
-class Expr = CS::ControlFlowNodes::ExprNode;
-
-class Location = CS::Location;
-
-class IntegralType = CS::IntegralType;
-
-class ConstantIntegerExpr = CU::ConstantIntegerExpr;
-
-/** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }

docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.6.rst

@@ -0,0 +1,139 @@
+.. _codeql-cli-2.25.6:
+
+==========================
+CodeQL 2.25.6 (2026-06-04)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.25.6 runs a total of 496 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 131 queries (covering 32 more CWE).
+
+CodeQL CLI
+----------
+
+Improvements
+~~~~~~~~~~~~
+
+*   When the :code:`git` executable is available, CodeQL can now obtain configuration and queries from SHA-256 Git repositories, and infer Git metadata about them.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.11.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Adjusted (minor) help file descriptions for queries: :code:`actions/untrusted-checkout/critical`, :code:`actions/untrusted-checkout/high`, :code:`actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Adjusted :code:`actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Altered the alert message for clarity for queries: :code:`actions/untrusted-checkout/critical`, :code:`actions/untrusted-checkout/high`.
+*   The :code:`actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Reversed adjustment of the name of :code:`actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in :code:`actions/untrusted-checkout/high` and :code:`actions/untrusted-checkout/medium`.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Swift
+"""""
+
+*   Upgraded to allow analysis of Swift 6.3.2.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added flow source models for :code:`scanf_s` and related functions.
+*   Added a :code:`Call` column to :code:`LocalFlowSourceFunction::hasLocalFlowSource` and :code:`RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a :code:`Call` column continue to be supported.
+
+C#
+""
+
+*   Full support for C# 14 / .NET 10. All new language features are now supported by the extractor. The QL library and data flow analysis now support the new C# 14 language constructs and include generated Models as Data (MaD) models for the .NET 10 runtime.
+*   C# 14: Added support for user-defined instance increment/decrement operators.
+
+Java/Kotlin
+"""""""""""
+
+*   Added LLM-generated source and sink models for :code:`org.apache.avro`.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`js/clear-text-logging`) may find more correct results and fewer false positive results after these changes.
+
+Python
+""""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`py/clear-text-logging-sensitive-data`) may find more correct results and less fewer positive results after these changes.
+
+Swift
+"""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`swift/cleartext-logging`) may find more correct results and fewer false positive results after these changes.
+
+GitHub Actions
+""""""""""""""
+
+*   The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like :code:`^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+
+Rust
+""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`rust/cleartext-logging`) may find more correct results and fewer false positive results after these changes.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`UsingAliasTypedefType` class has been deprecated. Use :code:`TypeAliasType` instead.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a :code:`getOriginalTemplate` predicate to :code:`TemplateClass`, :code:`TemplateFunction`, :code:`TemplateVariable`, and :code:`AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
+*   Added :code:`AliasTemplateType` and :code:`AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.

docs/codeql/codeql-overview/codeql-changelog/index.rst

@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
    :maxdepth: 1
 
+   codeql-cli-2.25.6
    codeql-cli-2.25.5
    codeql-cli-2.25.4
    codeql-cli-2.25.3

go/ql/lib/change-notes/2026-06-01-non-returning-functions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* More logging functions are now recognized as not returning or panicking.

go/ql/lib/semmle/go/Concepts.qll

@@ -413,17 +413,13 @@ private class ExternalLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
   }
 }
 
-/**
- * A call to an interface that looks like a logger. It is common to use a
- * locally-defined interface for logging to make it easy to changing logging
- * library.
- */
-private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
-  HeuristicLoggerCall() {
-    exists(Method m, string tp, string logFunctionPrefix, string name |
-      m = this.getTarget() and
-      m.hasQualifiedName(_, tp, name) and
-      m.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
+private class HeuristicLoggerFunction extends Method {
+  string logFunctionPrefix;
+
+  HeuristicLoggerFunction() {
+    exists(string tp, string name |
+      this.hasQualifiedName(_, tp, name) and
+      this.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
     |
       tp.regexpMatch(".*[lL]ogger") and
       logFunctionPrefix =
@@ -435,6 +431,19 @@ private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode
     )
   }
 
+  override predicate mayReturnNormally() { logFunctionPrefix != "Fatal" }
+
+  override predicate mustPanic() { logFunctionPrefix = "Panic" }
+}
+
+/**
+ * A call to an interface that looks like a logger. It is common to use a
+ * locally-defined interface for logging to make it easy to change logging
+ * library.
+ */
+private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+  HeuristicLoggerCall() { this.getTarget() instanceof HeuristicLoggerFunction }
+
   override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
 }
 

go/ql/lib/semmle/go/frameworks/Glog.qll

@@ -12,17 +12,37 @@ import go
  * forks.
  */
 module Glog {
+  /** Gets a package name for `glog` or `klog` (which is a fork). */
+  string packagePath() {
+    result =
+      package([
+          "github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog", "github.com/barakmich/glog"
+        ], "")
+  }
+
   private class GlogFunction extends Function {
     int firstPrintedArg;
+    string format;
+    string level;
 
     GlogFunction() {
-      exists(string pkg, string fn, string level |
-        pkg = package(["github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog"], "") and
+      exists(string pkg, string context, int nContextArgs, string depth, int nDepthArgs, string fn |
+        pkg = packagePath() and
         level = ["Error", "Exit", "Fatal", "Info", "Warning"] and
         (
-          fn = level + ["", "f", "ln"] and firstPrintedArg = 0
+          context = "" and nContextArgs = 0
           or
-          fn = level + "Depth" and firstPrintedArg = 1
+          context = "Context" and nContextArgs = 1
+        ) and
+        (
+          depth = "" and nDepthArgs = 0
+          or
+          depth = "Depth" and nDepthArgs = 1
+        ) and
+        format = ["", "f", "ln"] and
+        (
+          fn = level + context + depth + format and
+          firstPrintedArg = nContextArgs + nDepthArgs
         )
       |
         this.hasQualifiedName(pkg, fn)
@@ -35,10 +55,15 @@ module Glog {
      * Gets the index of the first argument that may be output, including a format string if one is present.
      */
     int getFirstPrintedArg() { result = firstPrintedArg }
+
+    /** Holds if this function takes a format string. */
+    predicate formatter() { format = "f" }
+
+    override predicate mayReturnNormally() { level != "Fatal" and level != "Exit" }
   }
 
   private class StringFormatter extends StringOps::Formatting::Range instanceof GlogFunction {
-    StringFormatter() { this.getName().matches("%f") }
+    StringFormatter() { this.formatter() }
 
     override int getFormatStringIndex() { result = super.getFirstPrintedArg() }
   }

go/ql/lib/semmle/go/frameworks/Logrus.qll

@@ -28,6 +28,12 @@ module Logrus {
         this.(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name)
       )
     }
+
+    override predicate mayReturnNormally() {
+      not exists(string level, string suffix | level = ["Fatal", "Panic"] |
+        this.getName() = level + suffix
+      )
+    }
   }
 
   private class StringFormatters extends StringOps::Formatting::Range instanceof LogFunction {

go/ql/lib/semmle/go/frameworks/Zap.qll

@@ -47,7 +47,7 @@ module Zap {
   }
 
   /** A Zap logging function which always panics. */
-  private class FatalLogMethod extends Method {
+  private class FatalLogMethod extends ZapFunction {
     FatalLogMethod() {
       this.hasQualifiedName(packagePath(), "Logger", "Fatal")
       or
@@ -58,7 +58,7 @@ module Zap {
   }
 
   /** A Zap logging function which always panics. */
-  private class MustPanicLogMethod extends Method {
+  private class MustPanicLogMethod extends ZapFunction {
     MustPanicLogMethod() {
       this.hasQualifiedName(packagePath(), "Logger", "Panic")
       or

go/ql/lib/semmle/go/frameworks/stdlib/Log.qll

@@ -29,18 +29,37 @@ module Log {
   }
 
   private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction {
-    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf"] }
+    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf", "Panic", "Panicf", "Panicln"] }
 
     override int getFormatStringIndex() { result = 0 }
   }
 
   /** A fatal log function, which calls `os.Exit`. */
   private class FatalLogFunction extends Function {
-    FatalLogFunction() { this.hasQualifiedName("log", ["Fatal", "Fatalf", "Fatalln"]) }
+    FatalLogFunction() {
+      exists(string fn | fn = ["Fatal", "Fatalf", "Fatalln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
 
     override predicate mayReturnNormally() { none() }
   }
 
+  /** A log function which must panic. */
+  private class PanicLogFunction extends Function {
+    PanicLogFunction() {
+      exists(string fn | fn = ["Panic", "Panicf", "Panicln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
+
+    override predicate mustPanic() { any() }
+  }
+
   // These models are not implemented using Models-as-Data because they represent reverse flow.
   private class FunctionModels extends TaintTracking::FunctionModel {
     FunctionInput inp;
@@ -63,30 +82,6 @@ module Log {
     FunctionOutput outp;
 
     MethodModels() {
-      // signature: func (*Logger) Fatal(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatal") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panic(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panic") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
       // signature: func (*Logger) Print(v ...interface{})
       this.hasQualifiedName("log", "Logger", "Print") and
       (inp.isParameter(_) and outp.isReceiver())

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go

@@ -1,54 +1,181 @@
-//go:generate depstubber -vendor github.com/golang/glog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
-//go:generate depstubber -vendor k8s.io/klog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
+//go:generate depstubber -vendor github.com/golang/glog Level,Verbose Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln
+//go:generate depstubber -vendor k8s.io/klog Level,Verbose Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln
 
 package main
 
 import (
+	"context"
+
 	"github.com/golang/glog"
 	"k8s.io/klog"
 )
 
-func glogTest() {
-	glog.Error(text)           // $ logger=text
-	glog.ErrorDepth(0, text)   // $ logger=text
-	glog.Errorf(fmt, text)     // $ logger=fmt logger=text
-	glog.Errorln(text)         // $ logger=text
-	glog.Exit(text)            // $ logger=text
-	glog.ExitDepth(0, text)    // $ logger=text
-	glog.Exitf(fmt, text)      // $ logger=fmt logger=text
-	glog.Exitln(text)          // $ logger=text
-	glog.Fatal(text)           // $ logger=text
-	glog.FatalDepth(0, text)   // $ logger=text
-	glog.Fatalf(fmt, text)     // $ logger=fmt logger=text
-	glog.Fatalln(text)         // $ logger=text
-	glog.Info(text)            // $ logger=text
-	glog.InfoDepth(0, text)    // $ logger=text
-	glog.Infof(fmt, text)      // $ logger=fmt logger=text
-	glog.Infoln(text)          // $ logger=text
-	glog.Warning(text)         // $ logger=text
-	glog.WarningDepth(0, text) // $ logger=text
-	glog.Warningf(fmt, text)   // $ logger=fmt logger=text
-	glog.Warningln(text)       // $ logger=text
+func glogTest(selector int) {
+	ctx := context.Background()
+
+	glog.Error(text)                           // $ logger=text
+	glog.ErrorContext(ctx, text)               // $ logger=text
+	glog.ErrorContextDepth(ctx, 0, text)       // $ logger=text
+	glog.ErrorContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.ErrorContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.ErrorDepth(0, text)                   // $ logger=text
+	glog.ErrorDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.Errorf(fmt, text)                     // $ logger=fmt logger=text
+	glog.Errorln(text)                         // $ logger=text
+	if selector == 1 {
+		glog.Exit(text) // $ logger=text
+	}
+	if selector == 2 {
+		glog.ExitContext(ctx, text) // $ logger=text
+	}
+	if selector == 3 {
+		glog.ExitContextDepth(ctx, 0, text) // $ logger=text
+	}
+	if selector == 4 {
+		glog.ExitContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 5 {
+		glog.ExitContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 6 {
+		glog.ExitDepth(0, text) // $ logger=text
+	}
+	if selector == 7 {
+		glog.ExitDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 8 {
+		glog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 9 {
+		glog.Exitln(text) // $ logger=text
+	}
+	if selector == 10 {
+		glog.Fatal(text) // $ logger=text
+	}
+	if selector == 11 {
+		glog.FatalContext(ctx, text) // $ logger=text
+	}
+	if selector == 12 {
+		glog.FatalContextDepth(ctx, 0, text) // $ logger=text
+	}
+	if selector == 13 {
+		glog.FatalContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 14 {
+		glog.FatalContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 15 {
+		glog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 16 {
+		glog.FatalDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 17 {
+		glog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 18 {
+		glog.Fatalln(text) // $ logger=text
+	}
+	glog.Info(text)                              // $ logger=text
+	glog.InfoContext(ctx, text)                  // $ logger=text
+	glog.InfoContextDepth(ctx, 0, text)          // $ logger=text
+	glog.InfoContextDepthf(ctx, 0, fmt, text)    // $ logger=fmt logger=text
+	glog.InfoContextf(ctx, fmt, text)            // $ logger=fmt logger=text
+	glog.InfoDepth(0, text)                      // $ logger=text
+	glog.InfoDepthf(0, fmt, text)                // $ logger=fmt logger=text
+	glog.Infof(fmt, text)                        // $ logger=fmt logger=text
+	glog.Infoln(text)                            // $ logger=text
+	glog.Warning(text)                           // $ logger=text
+	glog.WarningContext(ctx, text)               // $ logger=text
+	glog.WarningContextDepth(ctx, 0, text)       // $ logger=text
+	glog.WarningContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.WarningContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.WarningDepth(0, text)                   // $ logger=text
+	glog.WarningDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.Warningf(fmt, text)                     // $ logger=fmt logger=text
+	glog.Warningln(text)                         // $ logger=text
+
+	glog.V(0).Info(text)                           // $ logger=text
+	glog.V(0).InfoContext(ctx, text)               // $ logger=text
+	glog.V(0).InfoContextDepth(ctx, 0, text)       // $ logger=text
+	glog.V(0).InfoContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.V(0).InfoContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.V(0).InfoDepth(0, text)                   // $ logger=text
+	glog.V(0).InfoDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.V(0).Infof(fmt, text)                     // $ logger=fmt logger=text
+	glog.V(0).Infoln(text)                         // $ logger=text
+	glog.VDepth(0, 0).Info(text)                   // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	glog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Errorf("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 19 {
+		glog.ExitContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 20 {
+		glog.ExitContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 21 {
+		glog.ExitDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 22 {
+		glog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 23 {
+		glog.FatalContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 24 {
+		glog.FatalContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 25 {
+		glog.FatalDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 26 {
+		glog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	glog.InfoContextDepthf(ctx, 0, "%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoContextf(ctx, "%s: found type %T", text, v)              // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoDepthf(0, "%s: found type %T", text, v)                  // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Infof("%s: found type %T", text, v)                          // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextDepthf(ctx, 0, "%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextf(ctx, "%s: found type %T", text, v)           // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningDepthf(0, "%s: found type %T", text, v)               // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Warningf("%s: found type %T", text, v)                       // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).Infof("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
 
-	klog.Error(text)           // $ logger=text
-	klog.ErrorDepth(0, text)   // $ logger=text
-	klog.Errorf(fmt, text)     // $ logger=fmt logger=text
-	klog.Errorln(text)         // $ logger=text
-	klog.Exit(text)            // $ logger=text
-	klog.ExitDepth(0, text)    // $ logger=text
-	klog.Exitf(fmt, text)      // $ logger=fmt logger=text
-	klog.Exitln(text)          // $ logger=text
-	klog.Fatal(text)           // $ logger=text
-	klog.FatalDepth(0, text)   // $ logger=text
-	klog.Fatalf(fmt, text)     // $ logger=fmt logger=text
-	klog.Fatalln(text)         // $ logger=text
+	klog.Error(text)         // $ logger=text
+	klog.ErrorDepth(0, text) // $ logger=text
+	klog.Errorf(fmt, text)   // $ logger=fmt logger=text
+	klog.Errorln(text)       // $ logger=text
+	if selector == 27 {
+		klog.Exit(text) // $ logger=text
+	}
+	if selector == 28 {
+		klog.ExitDepth(0, text) // $ logger=text
+	}
+	if selector == 29 {
+		klog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 30 {
+		klog.Exitln(text) // $ logger=text
+	}
+	if selector == 31 {
+		klog.Fatal(text) // $ logger=text
+	}
+	if selector == 32 {
+		klog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 33 {
+		klog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 34 {
+		klog.Fatalln(text) // $ logger=text
+	}
 	klog.Info(text)            // $ logger=text
 	klog.InfoDepth(0, text)    // $ logger=text
 	klog.Infof(fmt, text)      // $ logger=fmt logger=text
@@ -57,11 +184,19 @@ func glogTest() {
 	klog.WarningDepth(0, text) // $ logger=text
 	klog.Warningf(fmt, text)   // $ logger=fmt logger=text
 	klog.Warningln(text)       // $ logger=text
+	klog.V(0).Info(text)       // $ logger=text
+	klog.V(0).Infof(fmt, text) // $ logger=fmt logger=text
+	klog.V(0).Infoln(text)     // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	klog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 35 {
+		klog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 36 {
+		klog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	klog.Infof("%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.Warningf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.V(0).Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod

@@ -3,7 +3,7 @@ module codeql-go-tests/concepts/loggercall
 go 1.15
 
 require (
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+	github.com/golang/glog v1.2.5
 	github.com/sirupsen/logrus v1.7.0
 	k8s.io/klog v1.0.0
 )

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go

@@ -6,5 +6,6 @@ const text = "test"
 var v []byte
 
 func main() {
+	glogTest(len(v))
 	stdlib()
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go

@@ -2,47 +2,125 @@
 // This is a simple stub for github.com/golang/glog, strictly for use in testing.
 
 // See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/golang/glog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: github.com/golang/glog (exports: Level,Verbose; functions: Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln)
 
 // Package glog is a stub of github.com/golang/glog, generated by depstubber.
 package glog
 
+import "context"
+
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}
 
+func ErrorContext(_ context.Context, _ ...interface{}) {}
+
+func ErrorContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ErrorContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ErrorContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ErrorDepth(_ int, _ ...interface{}) {}
 
+func ErrorDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Errorf(_ string, _ ...interface{}) {}
 
 func Errorln(_ ...interface{}) {}
 
 func Exit(_ ...interface{}) {}
 
+func ExitContext(_ context.Context, _ ...interface{}) {}
+
+func ExitContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ExitContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ExitContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ExitDepth(_ int, _ ...interface{}) {}
 
+func ExitDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Exitf(_ string, _ ...interface{}) {}
 
 func Exitln(_ ...interface{}) {}
 
 func Fatal(_ ...interface{}) {}
 
+func FatalContext(_ context.Context, _ ...interface{}) {}
+
+func FatalContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func FatalContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func FatalContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func FatalDepth(_ int, _ ...interface{}) {}
 
+func FatalDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Fatalf(_ string, _ ...interface{}) {}
 
 func Fatalln(_ ...interface{}) {}
 
 func Info(_ ...interface{}) {}
 
+func InfoContext(_ context.Context, _ ...interface{}) {}
+
+func InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func InfoDepth(_ int, _ ...interface{}) {}
 
+func InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+func V(_ Level) Verbose { return false }
+
+func VDepth(_ int, _ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}
 
+func WarningContext(_ context.Context, _ ...interface{}) {}
+
+func WarningContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func WarningContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func WarningContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func WarningDepth(_ int, _ ...interface{}) {}
 
+func WarningDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Warningf(_ string, _ ...interface{}) {}
 
 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) InfoContext(_ context.Context, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepth(_ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go

@@ -2,11 +2,15 @@
 // This is a simple stub for k8s.io/klog, strictly for use in testing.
 
 // See the LICENSE file for information about the licensing of the original library.
-// Source: k8s.io/klog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: k8s.io/klog (exports: Level,Verbose; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln)
 
 // Package klog is a stub of k8s.io/klog, generated by depstubber.
 package klog
 
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}
 
 func ErrorDepth(_ int, _ ...interface{}) {}
@@ -39,6 +43,8 @@ func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+func V(_ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}
 
 func WarningDepth(_ int, _ ...interface{}) {}
@@ -46,3 +52,9 @@ func WarningDepth(_ int, _ ...interface{}) {}
 func Warningf(_ string, _ ...interface{}) {}
 
 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt

@@ -1,4 +1,4 @@
-# github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+# github.com/golang/glog v1.2.5
 ## explicit
 github.com/golang/glog
 # github.com/sirupsen/logrus v1.7.0

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected

@@ -1,11 +1,21 @@
-| file://:0:0:0:0 | Exit | package os |
-| file://:0:0:0:0 | Fatal | package log |
-| file://:0:0:0:0 | Fatalf | package log |
-| file://:0:0:0:0 | Fatalln | package log |
-| noretfunctions.go:8:6:8:12 | isNoRet | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| stmts7.go:10:6:10:15 | canRecover | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| stmts.go:10:6:10:10 | test5 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| stmts.go:46:6:46:10 | test6 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| stmts.go:112:6:112:10 | test9 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Exit | os.Exit |
+| file://:0:0:0:0 | Fatal | log.Fatal |
+| file://:0:0:0:0 | Fatal | log.Logger.Fatal |
+| file://:0:0:0:0 | Fatalf | log.Fatalf |
+| file://:0:0:0:0 | Fatalf | log.Logger.Fatalf |
+| file://:0:0:0:0 | Fatalln | log.Fatalln |
+| file://:0:0:0:0 | Fatalln | log.Logger.Fatalln |
+| file://:0:0:0:0 | Panic | log.Logger.Panic |
+| file://:0:0:0:0 | Panic | log.Panic |
+| file://:0:0:0:0 | Panicf | log.Logger.Panicf |
+| file://:0:0:0:0 | Panicf | log.Panicf |
+| file://:0:0:0:0 | Panicln | log.Logger.Panicln |
+| file://:0:0:0:0 | Panicln | log.Panicln |
+| file://:0:0:0:0 | panic | panic |
+| noretfunctions.go:8:6:8:12 | isNoRet | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.isNoRet |
+| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatal |
+| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatalf |
+| stmts7.go:10:6:10:15 | canRecover | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.canRecover |
+| stmts.go:10:6:10:10 | test5 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test5 |
+| stmts.go:46:6:46:10 | test6 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test6 |
+| stmts.go:112:6:112:10 | test9 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test9 |

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql

@@ -2,4 +2,4 @@ import go
 
 from Function f
 where not f.mayReturnNormally()
-select f, f.getPackage()
+select f, f.getQualifiedName()

go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql

@@ -9,9 +9,9 @@ import semmle.go.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import utils.test.InlineFlowTest
 
 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { sourceNode(src, "qltest") }
+  predicate isSource(DataFlow::Node source) { sourceNode(source, "qltest") }
 
-  predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "qltest") }
 }
 
 import ValueFlowTest<Config>

go/ql/test/library-tests/semmle/go/dataflow/VarArgs/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,2 @@
+reverseRead
+| main.go:23:3:23:5 | out | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go

@@ -4,7 +4,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 type A struct {
@@ -19,6 +19,10 @@ func functionWithVarArgsParameter(s ...string) string {
 	return s[1]
 }
 
+func functionWithVarArgsOutParameter(in string, out ...*string) {
+	*out[0] = in
+}
+
 func functionWithSliceOfStructsParameter(s []A) string {
 	return s[1].f
 }
@@ -38,6 +42,12 @@ func main() {
 	sink(functionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to functionWithVarArgsParameter"
 	sink(functionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to functionWithVarArgsParameter"
 
+	var out1 *string
+	var out2 *string
+	functionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
 	sliceOfStructs := []A{{f: source()}}
 	sink(sliceOfStructs[0].f) // $ hasValueFlow="selection of f"
 

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected

@@ -0,0 +1,2 @@
+invalidModelRow
+testFailures

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml

@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "FunctionWithParameter", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOutParameter", "", "", "Argument[0]", "Argument[1].ArrayElement", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSource", "", "", "Argument[0]", "qltest", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSink", "", "", "Argument[0]", "qltest", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql

@@ -0,0 +1,22 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import utils.test.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    sourceNode(source, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, ["source", "taint"]) |
+      source = fn.getACall().getResult()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sinkNode(sink, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
+  }
+}
+
+import FlowTest<Config, Config>

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod

@@ -0,0 +1,5 @@
+module semmle.go.Packages
+
+go 1.25
+
+require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"github.com/nonexistent/test"
+)
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(any) {
+}
+
+func main() {
+	s := source()
+	sink(test.FunctionWithParameter(s)) // $ hasValueFlow="call to FunctionWithParameter"
+
+	stringSlice := []string{source()}
+	sink(stringSlice[0]) // $ hasValueFlow="index expression"
+
+	s0 := ""
+	s1 := source()
+	sSlice := []string{s0, s1}
+	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
+	sliceOfStructs := []test.A{{Field: source()}}
+	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
+
+	a0 := test.A{Field: ""}
+	a1 := test.A{Field: source()}
+	aSlice := []test.A{a0, a1}
+	sink(test.FunctionWithSliceOfStructsParameter(aSlice))      // $ hasValueFlow="call to FunctionWithSliceOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+
+	var variadicSource string
+	test.VariadicSource(&variadicSource)
+	sink(variadicSource)  // $ MISSING: hasTaintFlow="variadicSource"
+	sink(&variadicSource) // $ MISSING: hasTaintFlow="&..."
+
+	var variadicSourcePtr *string
+	test.VariadicSource(variadicSourcePtr)
+	sink(variadicSourcePtr)  // $ MISSING: hasTaintFlow="variadicSourcePtr"
+	sink(*variadicSourcePtr) // $ MISSING: hasTaintFlow="star expression"
+
+	test.VariadicSink(source()) // $ hasTaintFlow="[]type{args}"
+}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go

@@ -0,0 +1,32 @@
+package test
+
+type A struct {
+	Field string
+}
+
+func FunctionWithParameter(s string) string {
+	return ""
+}
+
+func FunctionWithSliceParameter(s []string) string {
+	return ""
+}
+
+func FunctionWithVarArgsParameter(s ...string) string {
+	return ""
+}
+
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
+func FunctionWithSliceOfStructsParameter(s []A) string {
+	return ""
+}
+
+func FunctionWithVarArgsOfStructsParameter(s ...A) string {
+	return ""
+}
+
+func VariadicSource(s ...*string) {}
+
+func VariadicSink(s ...string) {}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt

@@ -0,0 +1,3 @@
+# github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
+## explicit
+github.com/nonexistent/test

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql

@@ -20,6 +20,9 @@ class SummaryModelTest extends DataFlow::FunctionModel {
     this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsParameter") and
     (inp.isParameter(_) and outp.isResult())
     or
+    this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsOutParameter") and
+    (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1)))
+    or
     this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithSliceOfStructsParameter") and
     (inp.isParameter(0) and outp.isResult())
     or

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod

@@ -1,5 +1,5 @@
 module semmle.go.Packages
 
-go 1.17
+go 1.25
 
 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go

@@ -8,7 +8,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 func main() {
@@ -21,10 +21,17 @@ func main() {
 	s0 := ""
 	s1 := source()
 	sSlice := []string{s0, s1}
-	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
-	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
-	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
-	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithParameter(sSlice[1]))           // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))         // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...))    // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
+	randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5) // This is needed to make the next line pass, because we need to have seen a call to a function with at least 2 parameters for ParameterInput to exist with index 1.
+	sink(test.FunctionWithVarArgsParameter(s0, s1))       // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ hasValueFlow="out1"
+	sink(out2) // $ hasValueFlow="out2"
 
 	sliceOfStructs := []test.A{{Field: source()}}
 	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
@@ -37,3 +44,6 @@ func main() {
 	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 }
+
+func randomFunctionWithMoreThanOneParameter(i1, i2, i3, i4, i5 int) {
+}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go

@@ -16,6 +16,9 @@ func FunctionWithVarArgsParameter(s ...string) string {
 	return ""
 }
 
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
 func FunctionWithSliceOfStructsParameter(s []A) string {
 	return ""
 }

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go

@@ -15,62 +15,6 @@ func TaintStepTest_LogNew_B0I0O0(sourceCQL interface{}) interface{} {
 	return intoWriter414
 }
 
-func TaintStepTest_LogLoggerFatal_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface518 := sourceCQL.(interface{})
-	var intoLogger650 log.Logger
-	intoLogger650.Fatal(fromInterface518)
-	return intoLogger650
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I0O0(sourceCQL interface{}) interface{} {
-	fromString784 := sourceCQL.(string)
-	var intoLogger957 log.Logger
-	intoLogger957.Fatalf(fromString784, nil)
-	return intoLogger957
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I1O0(sourceCQL interface{}) interface{} {
-	fromInterface520 := sourceCQL.(interface{})
-	var intoLogger443 log.Logger
-	intoLogger443.Fatalf("", fromInterface520)
-	return intoLogger443
-}
-
-func TaintStepTest_LogLoggerFatalln_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface127 := sourceCQL.(interface{})
-	var intoLogger483 log.Logger
-	intoLogger483.Fatalln(fromInterface127)
-	return intoLogger483
-}
-
-func TaintStepTest_LogLoggerPanic_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface989 := sourceCQL.(interface{})
-	var intoLogger982 log.Logger
-	intoLogger982.Panic(fromInterface989)
-	return intoLogger982
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I0O0(sourceCQL interface{}) interface{} {
-	fromString417 := sourceCQL.(string)
-	var intoLogger584 log.Logger
-	intoLogger584.Panicf(fromString417, nil)
-	return intoLogger584
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I1O0(sourceCQL interface{}) interface{} {
-	fromInterface991 := sourceCQL.(interface{})
-	var intoLogger881 log.Logger
-	intoLogger881.Panicf("", fromInterface991)
-	return intoLogger881
-}
-
-func TaintStepTest_LogLoggerPanicln_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface186 := sourceCQL.(interface{})
-	var intoLogger284 log.Logger
-	intoLogger284.Panicln(fromInterface186)
-	return intoLogger284
-}
-
 func TaintStepTest_LogLoggerPrint_B0I0O0(sourceCQL interface{}) interface{} {
 	fromInterface908 := sourceCQL.(interface{})
 	var intoLogger137 log.Logger
@@ -125,46 +69,6 @@ func RunAllTaints_Log() {
 		out := TaintStepTest_LogNew_B0I0O0(source)
 		sink(0, out)
 	}
-	{
-		source := newSource(1)
-		out := TaintStepTest_LogLoggerFatal_B0I0O0(source)
-		sink(1, out)
-	}
-	{
-		source := newSource(2)
-		out := TaintStepTest_LogLoggerFatalf_B0I0O0(source)
-		sink(2, out)
-	}
-	{
-		source := newSource(3)
-		out := TaintStepTest_LogLoggerFatalf_B0I1O0(source)
-		sink(3, out)
-	}
-	{
-		source := newSource(4)
-		out := TaintStepTest_LogLoggerFatalln_B0I0O0(source)
-		sink(4, out)
-	}
-	{
-		source := newSource(5)
-		out := TaintStepTest_LogLoggerPanic_B0I0O0(source)
-		sink(5, out)
-	}
-	{
-		source := newSource(6)
-		out := TaintStepTest_LogLoggerPanicf_B0I0O0(source)
-		sink(6, out)
-	}
-	{
-		source := newSource(7)
-		out := TaintStepTest_LogLoggerPanicf_B0I1O0(source)
-		sink(7, out)
-	}
-	{
-		source := newSource(8)
-		out := TaintStepTest_LogLoggerPanicln_B0I0O0(source)
-		sink(8, out)
-	}
 	{
 		source := newSource(9)
 		out := TaintStepTest_LogLoggerPrint_B0I0O0(source)

go/ql/test/query-tests/Security/CWE-117/CONSISTENCY/DataFlowConsistency.expected

@@ -3,9 +3,9 @@ reverseRead
 | LogInjection.go:33:14:33:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:34:18:34:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:35:14:35:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:447:14:447:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:455:14:455:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:463:14:463:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:498:14:498:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:499:14:499:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:724:12:724:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:551:14:551:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:559:14:559:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:567:14:567:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:602:14:602:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:603:14:603:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:828:12:828:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/query-tests/Security/CWE-117/LogInjection.go

@@ -49,22 +49,22 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		log.Printf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		log.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 
-		if testFlag == "true" {
+		if testFlag == "1" {
 			log.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "2" {
 			log.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "3" {
 			log.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "4" {
 			log.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "5" {
 			log.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "6" {
 			log.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
 
@@ -72,12 +72,24 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.Print("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
 		logger.Printf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		logger.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
-		logger.Fatal("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
-		logger.Fatalf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
-		logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
-		logger.Panic("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
-		logger.Panicf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
-		logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		if testFlag == "7" {
+			logger.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "8" {
+			logger.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "9" {
+			logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "10" {
+			logger.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "11" {
+			logger.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "12" {
+			logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
 	}
 	// k8s.io/klog
 	{
@@ -91,12 +103,24 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		klog.Error(username)     // $ hasTaintFlow="username"
 		klog.Errorf(username)    // $ hasTaintFlow="username"
 		klog.Errorln(username)   // $ hasTaintFlow="username"
-		klog.Fatal(username)     // $ hasTaintFlow="username"
-		klog.Fatalf(username)    // $ hasTaintFlow="username"
-		klog.Fatalln(username)   // $ hasTaintFlow="username"
-		klog.Exit(username)      // $ hasTaintFlow="username"
-		klog.Exitf(username)     // $ hasTaintFlow="username"
-		klog.Exitln(username)    // $ hasTaintFlow="username"
+		if testFlag == "77" {
+			klog.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "78" {
+			klog.Fatalf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "79" {
+			klog.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "80" {
+			klog.Exit(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "81" {
+			klog.Exitf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "82" {
+			klog.Exitln(username) // $ hasTaintFlow="username"
+		}
 	}
 	// astaxie/beego
 	{
@@ -161,14 +185,30 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		glog.ErrorDepth(0, username) // $ hasTaintFlow="username"
 		glog.Errorf(username)        // $ hasTaintFlow="username"
 		glog.Errorln(username)       // $ hasTaintFlow="username"
-		glog.Fatal(username)         // $ hasTaintFlow="username"
-		glog.FatalDepth(0, username) // $ hasTaintFlow="username"
-		glog.Fatalf(username)        // $ hasTaintFlow="username"
-		glog.Fatalln(username)       // $ hasTaintFlow="username"
-		glog.Exit(username)          // $ hasTaintFlow="username"
-		glog.ExitDepth(0, username)  // $ hasTaintFlow="username"
-		glog.Exitf(username)         // $ hasTaintFlow="username"
-		glog.Exitln(username)        // $ hasTaintFlow="username"
+		if testFlag == "83" {
+			glog.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "84" {
+			glog.FatalDepth(0, username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "85" {
+			glog.Fatalf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "86" {
+			glog.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "87" {
+			glog.Exit(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "88" {
+			glog.ExitDepth(0, username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "89" {
+			glog.Exitf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "90" {
+			glog.Exitln(username) // $ hasTaintFlow="username"
+		}
 
 	}
 	// sirupsen/logrus
@@ -179,26 +219,42 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := logrus.New()
 		entry := logrus.NewEntry(logger)
 
-		logrus.Debug(username)         // $ hasTaintFlow="username"
-		logrus.Debugf(username, "")    // $ hasTaintFlow="username"
-		logrus.Debugf("", username)    // $ hasTaintFlow="username"
-		logrus.Debugln(username)       // $ hasTaintFlow="username"
-		logrus.Error(username)         // $ hasTaintFlow="username"
-		logrus.Errorf(username, "")    // $ hasTaintFlow="username"
-		logrus.Errorf("", username)    // $ hasTaintFlow="username"
-		logrus.Errorln(username)       // $ hasTaintFlow="username"
-		logrus.Fatal(username)         // $ hasTaintFlow="username"
-		logrus.Fatalf(username, "")    // $ hasTaintFlow="username"
-		logrus.Fatalf("", username)    // $ hasTaintFlow="username"
-		logrus.Fatalln(username)       // $ hasTaintFlow="username"
-		logrus.Info(username)          // $ hasTaintFlow="username"
-		logrus.Infof(username, "")     // $ hasTaintFlow="username"
-		logrus.Infof("", username)     // $ hasTaintFlow="username"
-		logrus.Infoln(username)        // $ hasTaintFlow="username"
-		logrus.Panic(username)         // $ hasTaintFlow="username"
-		logrus.Panicf(username, "")    // $ hasTaintFlow="username"
-		logrus.Panicf("", username)    // $ hasTaintFlow="username"
-		logrus.Panicln(username)       // $ hasTaintFlow="username"
+		logrus.Debug(username)      // $ hasTaintFlow="username"
+		logrus.Debugf(username, "") // $ hasTaintFlow="username"
+		logrus.Debugf("", username) // $ hasTaintFlow="username"
+		logrus.Debugln(username)    // $ hasTaintFlow="username"
+		logrus.Error(username)      // $ hasTaintFlow="username"
+		logrus.Errorf(username, "") // $ hasTaintFlow="username"
+		logrus.Errorf("", username) // $ hasTaintFlow="username"
+		logrus.Errorln(username)    // $ hasTaintFlow="username"
+		if testFlag == "13" {
+			logrus.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "14" {
+			logrus.Fatalf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "15" {
+			logrus.Fatalf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "16" {
+			logrus.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		logrus.Info(username)      // $ hasTaintFlow="username"
+		logrus.Infof(username, "") // $ hasTaintFlow="username"
+		logrus.Infof("", username) // $ hasTaintFlow="username"
+		logrus.Infoln(username)    // $ hasTaintFlow="username"
+		if testFlag == "17" {
+			logrus.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "18" {
+			logrus.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "19" {
+			logrus.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "20" {
+			logrus.Panicln(username) // $ hasTaintFlow="username"
+		}
 		logrus.Print(username)         // $ hasTaintFlow="username"
 		logrus.Printf(username, "")    // $ hasTaintFlow="username"
 		logrus.Printf("", username)    // $ hasTaintFlow="username"
@@ -220,30 +276,46 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logrus.WithField("", username) // $ hasTaintFlow="username"
 		logrus.WithFields(fields)      // $ hasTaintFlow="fields"
 
-		entry.Debug(username)         // $ hasTaintFlow="username"
-		entry.Debugf(username, "")    // $ hasTaintFlow="username"
-		entry.Debugf("", username)    // $ hasTaintFlow="username"
-		entry.Debugln(username)       // $ hasTaintFlow="username"
-		entry.Error(username)         // $ hasTaintFlow="username"
-		entry.Errorf(username, "")    // $ hasTaintFlow="username"
-		entry.Errorf("", username)    // $ hasTaintFlow="username"
-		entry.Errorln(username)       // $ hasTaintFlow="username"
-		entry.Fatal(username)         // $ hasTaintFlow="username"
-		entry.Fatalf(username, "")    // $ hasTaintFlow="username"
-		entry.Fatalf("", username)    // $ hasTaintFlow="username"
-		entry.Fatalln(username)       // $ hasTaintFlow="username"
-		entry.Info(username)          // $ hasTaintFlow="username"
-		entry.Infof(username, "")     // $ hasTaintFlow="username"
-		entry.Infof("", username)     // $ hasTaintFlow="username"
-		entry.Infoln(username)        // $ hasTaintFlow="username"
-		entry.Log(0, username)        // $ hasTaintFlow="username"
-		entry.Logf(0, username, "")   // $ hasTaintFlow="username"
-		entry.Logf(0, "", username)   // $ hasTaintFlow="username"
-		entry.Logln(0, username)      // $ hasTaintFlow="username"
-		entry.Panic(username)         // $ hasTaintFlow="username"
-		entry.Panicf(username, "")    // $ hasTaintFlow="username"
-		entry.Panicf("", username)    // $ hasTaintFlow="username"
-		entry.Panicln(username)       // $ hasTaintFlow="username"
+		entry.Debug(username)      // $ hasTaintFlow="username"
+		entry.Debugf(username, "") // $ hasTaintFlow="username"
+		entry.Debugf("", username) // $ hasTaintFlow="username"
+		entry.Debugln(username)    // $ hasTaintFlow="username"
+		entry.Error(username)      // $ hasTaintFlow="username"
+		entry.Errorf(username, "") // $ hasTaintFlow="username"
+		entry.Errorf("", username) // $ hasTaintFlow="username"
+		entry.Errorln(username)    // $ hasTaintFlow="username"
+		if testFlag == "21" {
+			entry.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "22" {
+			entry.Fatalf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "23" {
+			entry.Fatalf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "24" {
+			entry.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		entry.Info(username)        // $ hasTaintFlow="username"
+		entry.Infof(username, "")   // $ hasTaintFlow="username"
+		entry.Infof("", username)   // $ hasTaintFlow="username"
+		entry.Infoln(username)      // $ hasTaintFlow="username"
+		entry.Log(0, username)      // $ hasTaintFlow="username"
+		entry.Logf(0, username, "") // $ hasTaintFlow="username"
+		entry.Logf(0, "", username) // $ hasTaintFlow="username"
+		entry.Logln(0, username)    // $ hasTaintFlow="username"
+		if testFlag == "25" {
+			entry.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "26" {
+			entry.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "27" {
+			entry.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "28" {
+			entry.Panicln(username) // $ hasTaintFlow="username"
+		}
 		entry.Print(username)         // $ hasTaintFlow="username"
 		entry.Printf(username, "")    // $ hasTaintFlow="username"
 		entry.Printf("", username)    // $ hasTaintFlow="username"
@@ -265,30 +337,46 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry.WithField("", username) // $ hasTaintFlow="username"
 		entry.WithFields(fields)      // $ hasTaintFlow="fields"
 
-		logger.Debug(username)         // $ hasTaintFlow="username"
-		logger.Debugf(username, "")    // $ hasTaintFlow="username"
-		logger.Debugf("", username)    // $ hasTaintFlow="username"
-		logger.Debugln(username)       // $ hasTaintFlow="username"
-		logger.Error(username)         // $ hasTaintFlow="username"
-		logger.Errorf(username, "")    // $ hasTaintFlow="username"
-		logger.Errorf("", username)    // $ hasTaintFlow="username"
-		logger.Errorln(username)       // $ hasTaintFlow="username"
-		logger.Fatal(username)         // $ hasTaintFlow="username"
-		logger.Fatalf(username, "")    // $ hasTaintFlow="username"
-		logger.Fatalf("", username)    // $ hasTaintFlow="username"
-		logger.Fatalln(username)       // $ hasTaintFlow="username"
-		logger.Info(username)          // $ hasTaintFlow="username"
-		logger.Infof(username, "")     // $ hasTaintFlow="username"
-		logger.Infof("", username)     // $ hasTaintFlow="username"
-		logger.Infoln(username)        // $ hasTaintFlow="username"
-		logger.Log(0, username)        // $ hasTaintFlow="username"
-		logger.Logf(0, username, "")   // $ hasTaintFlow="username"
-		logger.Logf(0, "", username)   // $ hasTaintFlow="username"
-		logger.Logln(0, username)      // $ hasTaintFlow="username"
-		logger.Panic(username)         // $ hasTaintFlow="username"
-		logger.Panicf(username, "")    // $ hasTaintFlow="username"
-		logger.Panicf("", username)    // $ hasTaintFlow="username"
-		logger.Panicln(username)       // $ hasTaintFlow="username"
+		logger.Debug(username)      // $ hasTaintFlow="username"
+		logger.Debugf(username, "") // $ hasTaintFlow="username"
+		logger.Debugf("", username) // $ hasTaintFlow="username"
+		logger.Debugln(username)    // $ hasTaintFlow="username"
+		logger.Error(username)      // $ hasTaintFlow="username"
+		logger.Errorf(username, "") // $ hasTaintFlow="username"
+		logger.Errorf("", username) // $ hasTaintFlow="username"
+		logger.Errorln(username)    // $ hasTaintFlow="username"
+		if testFlag == "29" {
+			logger.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "30" {
+			logger.Fatalf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "31" {
+			logger.Fatalf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "32" {
+			logger.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		logger.Info(username)        // $ hasTaintFlow="username"
+		logger.Infof(username, "")   // $ hasTaintFlow="username"
+		logger.Infof("", username)   // $ hasTaintFlow="username"
+		logger.Infoln(username)      // $ hasTaintFlow="username"
+		logger.Log(0, username)      // $ hasTaintFlow="username"
+		logger.Logf(0, username, "") // $ hasTaintFlow="username"
+		logger.Logf(0, "", username) // $ hasTaintFlow="username"
+		logger.Logln(0, username)    // $ hasTaintFlow="username"
+		if testFlag == "33" {
+			logger.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "34" {
+			logger.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "35" {
+			logger.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "36" {
+			logger.Panicln(username) // $ hasTaintFlow="username"
+		}
 		logger.Print(username)         // $ hasTaintFlow="username"
 		logger.Printf(username, "")    // $ hasTaintFlow="username"
 		logger.Printf("", username)    // $ hasTaintFlow="username"
@@ -311,26 +399,42 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.WithFields(fields)      // $ hasTaintFlow="fields"
 
 		var fieldlogger logrus.FieldLogger = entry
-		fieldlogger.Debug(username)         // $ hasTaintFlow="username"
-		fieldlogger.Debugf(username, "")    // $ hasTaintFlow="username"
-		fieldlogger.Debugf("", username)    // $ hasTaintFlow="username"
-		fieldlogger.Debugln(username)       // $ hasTaintFlow="username"
-		fieldlogger.Error(username)         // $ hasTaintFlow="username"
-		fieldlogger.Errorf(username, "")    // $ hasTaintFlow="username"
-		fieldlogger.Errorf("", username)    // $ hasTaintFlow="username"
-		fieldlogger.Errorln(username)       // $ hasTaintFlow="username"
-		fieldlogger.Fatal(username)         // $ hasTaintFlow="username"
-		fieldlogger.Fatalf(username, "")    // $ hasTaintFlow="username"
-		fieldlogger.Fatalf("", username)    // $ hasTaintFlow="username"
-		fieldlogger.Fatalln(username)       // $ hasTaintFlow="username"
-		fieldlogger.Info(username)          // $ hasTaintFlow="username"
-		fieldlogger.Infof(username, "")     // $ hasTaintFlow="username"
-		fieldlogger.Infof("", username)     // $ hasTaintFlow="username"
-		fieldlogger.Infoln(username)        // $ hasTaintFlow="username"
-		fieldlogger.Panic(username)         // $ hasTaintFlow="username"
-		fieldlogger.Panicf(username, "")    // $ hasTaintFlow="username"
-		fieldlogger.Panicf("", username)    // $ hasTaintFlow="username"
-		fieldlogger.Panicln(username)       // $ hasTaintFlow="username"
+		fieldlogger.Debug(username)      // $ hasTaintFlow="username"
+		fieldlogger.Debugf(username, "") // $ hasTaintFlow="username"
+		fieldlogger.Debugf("", username) // $ hasTaintFlow="username"
+		fieldlogger.Debugln(username)    // $ hasTaintFlow="username"
+		fieldlogger.Error(username)      // $ hasTaintFlow="username"
+		fieldlogger.Errorf(username, "") // $ hasTaintFlow="username"
+		fieldlogger.Errorf("", username) // $ hasTaintFlow="username"
+		fieldlogger.Errorln(username)    // $ hasTaintFlow="username"
+		if testFlag == "37" {
+			fieldlogger.Fatal(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "38" {
+			fieldlogger.Fatalf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "39" {
+			fieldlogger.Fatalf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "40" {
+			fieldlogger.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		fieldlogger.Info(username)      // $ hasTaintFlow="username"
+		fieldlogger.Infof(username, "") // $ hasTaintFlow="username"
+		fieldlogger.Infof("", username) // $ hasTaintFlow="username"
+		fieldlogger.Infoln(username)    // $ hasTaintFlow="username"
+		if testFlag == "41" {
+			fieldlogger.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "42" {
+			fieldlogger.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "43" {
+			fieldlogger.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "44" {
+			fieldlogger.Panicln(username) // $ hasTaintFlow="username"
+		}
 		fieldlogger.Print(username)         // $ hasTaintFlow="username"
 		fieldlogger.Printf(username, "")    // $ hasTaintFlow="username"
 		fieldlogger.Printf("", username)    // $ hasTaintFlow="username"
@@ -366,11 +470,11 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.DPanic(username) // $ hasTaintFlow="username"
 		logger.Debug(username)  // $ hasTaintFlow="username"
 		logger.Error(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "45" {
 			logger.Fatal(username) // $ hasTaintFlow="username"
 		}
 		logger.Info(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "46" {
 			logger.Panic(username) // $ hasTaintFlow="username"
 		}
 		logger.Warn(username)        // $ hasTaintFlow="username"
@@ -382,33 +486,33 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanic(username) // $ hasTaintFlow="username"
 		sLogger.Debug(username)  // $ hasTaintFlow="username"
 		sLogger.Error(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "47" {
 			sLogger.Fatal(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Info(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "48" {
 			sLogger.Panic(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warn(username)    // $ hasTaintFlow="username"
 		sLogger.DPanicf(username) // $ hasTaintFlow="username"
 		sLogger.Debugf(username)  // $ hasTaintFlow="username"
 		sLogger.Errorf(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "49" {
 			sLogger.Fatalf(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infof(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "50" {
 			sLogger.Panicf(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnf(username)   // $ hasTaintFlow="username"
 		sLogger.DPanicw(username) // $ hasTaintFlow="username"
 		sLogger.Debugw(username)  // $ hasTaintFlow="username"
 		sLogger.Errorw(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "51" {
 			sLogger.Fatalw(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infow(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "52" {
 			sLogger.Panicw(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnw(username) // $ hasTaintFlow="username"
@@ -515,10 +619,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		verbose.Infof("user %q logged in.\n", username)
 		klog.Infof("user %q logged in.\n", username)
 		klog.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "53" {
 			klog.Fatalf("user %q logged in.\n", username)
 		}
-		if testFlag == " true" {
+		if testFlag == "54" {
 			klog.Exitf("user %q logged in.\n", username)
 		}
 	}
@@ -534,10 +638,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 
 		glog.Infof("user %q logged in.\n", username)
 		glog.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "55" {
 			glog.Fatalf("user %q logged in.\n", username)
 		}
-		if testFlag == " true" {
+		if testFlag == "56" {
 			glog.Exitf("user %q logged in.\n", username)
 		}
 	}
@@ -545,11 +649,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 	{
 		logrus.Debugf("user %q logged in.\n", username)
 		logrus.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "57" {
 			logrus.Fatalf("user %q logged in.\n", username)
 		}
 		logrus.Infof("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "58" {
 			logrus.Panicf("user %q logged in.\n", username)
 		}
 		logrus.Printf("user %q logged in.\n", username)
@@ -561,12 +665,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry := logrus.WithFields(fields)
 		entry.Debugf("user %q logged in.\n", username)
 		entry.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "59" {
 			entry.Fatalf("user %q logged in.\n", username)
 		}
 		entry.Infof("user %q logged in.\n", username)
 		entry.Logf(0, "user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "60" {
 			entry.Panicf("user %q logged in.\n", username)
 		}
 		entry.Printf("user %q logged in.\n", username)
@@ -577,12 +681,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := entry.Logger
 		logger.Debugf("user %q logged in.\n", username)
 		logger.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "61" {
 			logger.Fatalf("user %q logged in.\n", username)
 		}
 		logger.Infof("user %q logged in.\n", username)
 		logger.Logf(0, "user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "62" {
 			logger.Panicf("user %q logged in.\n", username)
 		}
 		logger.Printf("user %q logged in.\n", username)
@@ -603,11 +707,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanicf("user %q logged in.\n", username)
 		sLogger.Debugf("user %q logged in.\n", username)
 		sLogger.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "63" {
 			sLogger.Fatalf("user %q logged in.\n", username)
 		}
 		sLogger.Infof("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "64" {
 			sLogger.Panicf("user %q logged in.\n", username)
 		}
 		sLogger.Warnf("user %q logged in.\n", username)
@@ -620,10 +724,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		verbose.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		klog.Infof("user %#q logged in.\n", username)    // $ hasTaintFlow="username"
 		klog.Errorf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "65" {
 			klog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
-		if testFlag == " true" {
+		if testFlag == "66" {
 			klog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 	}
@@ -639,10 +743,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 
 		glog.Infof("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
 		glog.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "67" {
 			glog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
-		if testFlag == " true" {
+		if testFlag == "68" {
 			glog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 	}
@@ -650,11 +754,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 	{
 		logrus.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		logrus.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "69" {
 			logrus.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logrus.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "70" {
 			logrus.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logrus.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -666,12 +770,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry := logrus.WithFields(fields)
 		entry.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		entry.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "71" {
 			entry.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		entry.Infof("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
 		entry.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "72" {
 			entry.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		entry.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -682,12 +786,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := entry.Logger
 		logger.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		logger.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "73" {
 			logger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logger.Infof("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
 		logger.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "74" {
 			logger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logger.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -708,11 +812,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		sLogger.Debugf("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
 		sLogger.Errorf("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "75" {
 			sLogger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "76" {
 			sLogger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username"

go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -37,22 +37,22 @@
 | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | $@ flows to a logging call. | passwords.go:26:14:26:23 | selection of password | Sensitive data returned by an access to password |
 | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | $@ flows to a logging call. | passwords.go:27:14:27:26 | call to getPassword | Sensitive data returned by a call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | $@ flows to a logging call. | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by a call to getPassword |
-| passwords.go:32:12:32:19 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:34:14:34:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:39:14:39:17 | obj1 | passwords.go:37:13:37:13 | x | passwords.go:39:14:39:17 | obj1 | $@ flows to a logging call. | passwords.go:37:13:37:13 | x | Sensitive data returned by an access to password |
-| passwords.go:44:14:44:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:51:14:51:27 | fixed_password | passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:50:2:50:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password |
-| passwords.go:89:14:89:26 | utilityObject | passwords.go:87:16:87:36 | call to make | passwords.go:89:14:89:26 | utilityObject | $@ flows to a logging call. | passwords.go:87:16:87:36 | call to make | Sensitive data returned by an access to passwordSet |
-| passwords.go:92:23:92:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:92:23:92:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:102:15:102:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:102:15:102:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:108:16:108:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:108:16:108:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:113:15:113:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:113:15:113:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:117:14:117:45 | ...+... | passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:14:117:45 | ...+... | $@ flows to a logging call. | passwords.go:116:6:116:14 | definition of password1 | Sensitive data returned by an access to password1 |
-| passwords.go:127:14:127:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:127:14:127:19 | config | passwords.go:121:13:121:14 | x3 | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:14 | x3 | Sensitive data returned by an access to password |
-| passwords.go:127:14:127:19 | config | passwords.go:124:13:124:25 | call to getPassword | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword |
-| passwords.go:128:14:128:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:128:14:128:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:129:14:129:21 | selection of y | passwords.go:124:13:124:25 | call to getPassword | passwords.go:129:14:129:21 | selection of y | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| passwords.go:33:13:33:20 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:36:14:36:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:36:14:36:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:41:14:41:17 | obj1 | passwords.go:39:13:39:13 | x | passwords.go:41:14:41:17 | obj1 | $@ flows to a logging call. | passwords.go:39:13:39:13 | x | Sensitive data returned by an access to password |
+| passwords.go:46:14:46:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:46:14:46:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:53:14:53:27 | fixed_password | passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | $@ flows to a logging call. | passwords.go:52:2:52:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password |
+| passwords.go:91:14:91:26 | utilityObject | passwords.go:89:16:89:36 | call to make | passwords.go:91:14:91:26 | utilityObject | $@ flows to a logging call. | passwords.go:89:16:89:36 | call to make | Sensitive data returned by an access to passwordSet |
+| passwords.go:94:23:94:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:94:23:94:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:104:15:104:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:104:15:104:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:110:16:110:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:110:16:110:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:115:15:115:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:115:15:115:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:119:14:119:45 | ...+... | passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:14:119:45 | ...+... | $@ flows to a logging call. | passwords.go:118:6:118:14 | definition of password1 | Sensitive data returned by an access to password1 |
+| passwords.go:129:14:129:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:129:14:129:19 | config | passwords.go:123:13:123:14 | x3 | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:123:13:123:14 | x3 | Sensitive data returned by an access to password |
+| passwords.go:129:14:129:19 | config | passwords.go:126:13:126:25 | call to getPassword | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| passwords.go:130:14:130:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:130:14:130:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:131:14:131:21 | selection of y | passwords.go:126:13:126:25 | call to getPassword | passwords.go:131:14:131:21 | selection of y | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword |
 | protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:9:2:9:9 | definition of password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:9:2:9:9 | definition of password | Sensitive data returned by an access to password |
 edges
 | klog.go:21:3:26:3 | range statement[1] | klog.go:22:27:22:33 | headers | provenance |  |
@@ -82,95 +82,15 @@ edges
 | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance |  |
 | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
 | main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
 | main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
 | main.go:54:12:54:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
-| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:56:11:56:18 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
-| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:59:18:59:25 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:62:12:62:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:65:13:65:20 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:68:11:68:18 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:71:18:71:25 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:74:12:74:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:77:13:77:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:77:13:77:20 | password | main.go:80:17:80:24 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:82:12:82:19 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:83:17:83:24 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:86:19:86:26 | password | provenance |  |
@@ -182,46 +102,46 @@ edges
 | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance |  |
 | passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | provenance |  |
 | passwords.go:21:2:21:9 | definition of password | passwords.go:30:8:30:15 | password | provenance |  |
-| passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | provenance |  |
-| passwords.go:21:2:21:9 | definition of password | passwords.go:34:28:34:35 | password | provenance |  |
+| passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | provenance |  |
+| passwords.go:21:2:21:9 | definition of password | passwords.go:36:28:36:35 | password | provenance |  |
 | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance |  |
-| passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config |
-| passwords.go:34:28:34:35 | password | passwords.go:42:6:42:13 | password | provenance |  |
-| passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance |  |
-| passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config |
-| passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance |  |
-| passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config |
-| passwords.go:42:6:42:13 | password | passwords.go:48:11:48:18 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:92:23:92:28 | secret | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:102:33:102:40 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:108:34:108:41 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:113:33:113:40 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:123:13:123:20 | password | provenance |  |
-| passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | provenance |  |
-| passwords.go:86:19:88:2 | struct literal | passwords.go:89:14:89:26 | utilityObject | provenance |  |
-| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal | provenance | Config |
-| passwords.go:102:33:102:40 | password | passwords.go:102:15:102:40 | ...+... | provenance | Config |
-| passwords.go:102:33:102:40 | password | passwords.go:108:34:108:41 | password | provenance |  |
-| passwords.go:102:33:102:40 | password | passwords.go:113:33:113:40 | password | provenance |  |
-| passwords.go:102:33:102:40 | password | passwords.go:123:13:123:20 | password | provenance |  |
-| passwords.go:108:34:108:41 | password | passwords.go:108:16:108:41 | ...+... | provenance | Config |
-| passwords.go:108:34:108:41 | password | passwords.go:113:33:113:40 | password | provenance |  |
-| passwords.go:108:34:108:41 | password | passwords.go:123:13:123:20 | password | provenance |  |
-| passwords.go:113:33:113:40 | password | passwords.go:113:15:113:40 | ...+... | provenance | Config |
-| passwords.go:113:33:113:40 | password | passwords.go:123:13:123:20 | password | provenance |  |
-| passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:28:117:36 | password1 | provenance |  |
-| passwords.go:117:28:117:36 | password1 | passwords.go:117:28:117:45 | call to String | provenance | Config |
-| passwords.go:117:28:117:45 | call to String | passwords.go:117:14:117:45 | ...+... | provenance | Config |
-| passwords.go:120:12:125:2 | struct literal | passwords.go:127:14:127:19 | config | provenance |  |
-| passwords.go:120:12:125:2 | struct literal [x] | passwords.go:128:14:128:19 | config [x] | provenance |  |
-| passwords.go:120:12:125:2 | struct literal [y] | passwords.go:129:14:129:19 | config [y] | provenance |  |
-| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal | provenance | Config |
-| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal | provenance | Config |
-| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [x] | provenance |  |
-| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal | provenance | Config |
-| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [y] | provenance |  |
-| passwords.go:128:14:128:19 | config [x] | passwords.go:128:14:128:21 | selection of x | provenance |  |
-| passwords.go:129:14:129:19 | config [y] | passwords.go:129:14:129:21 | selection of y | provenance |  |
+| passwords.go:36:28:36:35 | password | passwords.go:36:14:36:35 | ...+... | provenance | Config |
+| passwords.go:36:28:36:35 | password | passwords.go:44:6:44:13 | password | provenance |  |
+| passwords.go:38:10:40:2 | struct literal | passwords.go:41:14:41:17 | obj1 | provenance |  |
+| passwords.go:39:13:39:13 | x | passwords.go:38:10:40:2 | struct literal | provenance | Config |
+| passwords.go:43:10:45:2 | struct literal | passwords.go:46:14:46:17 | obj2 | provenance |  |
+| passwords.go:44:6:44:13 | password | passwords.go:43:10:45:2 | struct literal | provenance | Config |
+| passwords.go:44:6:44:13 | password | passwords.go:50:11:50:18 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:94:23:94:28 | secret | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:104:33:104:40 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:110:34:110:41 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:115:33:115:40 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:125:13:125:20 | password | provenance |  |
+| passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | provenance |  |
+| passwords.go:88:19:90:2 | struct literal | passwords.go:91:14:91:26 | utilityObject | provenance |  |
+| passwords.go:89:16:89:36 | call to make | passwords.go:88:19:90:2 | struct literal | provenance | Config |
+| passwords.go:104:33:104:40 | password | passwords.go:104:15:104:40 | ...+... | provenance | Config |
+| passwords.go:104:33:104:40 | password | passwords.go:110:34:110:41 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:115:33:115:40 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:125:13:125:20 | password | provenance |  |
+| passwords.go:110:34:110:41 | password | passwords.go:110:16:110:41 | ...+... | provenance | Config |
+| passwords.go:110:34:110:41 | password | passwords.go:115:33:115:40 | password | provenance |  |
+| passwords.go:110:34:110:41 | password | passwords.go:125:13:125:20 | password | provenance |  |
+| passwords.go:115:33:115:40 | password | passwords.go:115:15:115:40 | ...+... | provenance | Config |
+| passwords.go:115:33:115:40 | password | passwords.go:125:13:125:20 | password | provenance |  |
+| passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:28:119:36 | password1 | provenance |  |
+| passwords.go:119:28:119:36 | password1 | passwords.go:119:28:119:45 | call to String | provenance | Config |
+| passwords.go:119:28:119:45 | call to String | passwords.go:119:14:119:45 | ...+... | provenance | Config |
+| passwords.go:122:12:127:2 | struct literal | passwords.go:129:14:129:19 | config | provenance |  |
+| passwords.go:122:12:127:2 | struct literal [x] | passwords.go:130:14:130:19 | config [x] | provenance |  |
+| passwords.go:122:12:127:2 | struct literal [y] | passwords.go:131:14:131:19 | config [y] | provenance |  |
+| passwords.go:123:13:123:14 | x3 | passwords.go:122:12:127:2 | struct literal | provenance | Config |
+| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal | provenance | Config |
+| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal [x] | provenance |  |
+| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal | provenance | Config |
+| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal [y] | provenance |  |
+| passwords.go:130:14:130:19 | config [x] | passwords.go:130:14:130:21 | selection of x | provenance |  |
+| passwords.go:131:14:131:19 | config [y] | passwords.go:131:14:131:21 | selection of y | provenance |  |
 | protobuf.go:9:2:9:9 | definition of password | protobuf.go:12:22:12:29 | password | provenance |  |
 | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | provenance |  |
 | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance |  |
@@ -274,20 +194,12 @@ nodes
 | main.go:54:12:54:19 | password | semmle.label | password |
 | main.go:54:12:54:19 | password | semmle.label | password |
 | main.go:56:11:56:18 | password | semmle.label | password |
-| main.go:56:11:56:18 | password | semmle.label | password |
-| main.go:59:18:59:25 | password | semmle.label | password |
 | main.go:59:18:59:25 | password | semmle.label | password |
 | main.go:62:12:62:19 | password | semmle.label | password |
-| main.go:62:12:62:19 | password | semmle.label | password |
-| main.go:65:13:65:20 | password | semmle.label | password |
 | main.go:65:13:65:20 | password | semmle.label | password |
 | main.go:68:11:68:18 | password | semmle.label | password |
-| main.go:68:11:68:18 | password | semmle.label | password |
-| main.go:71:18:71:25 | password | semmle.label | password |
 | main.go:71:18:71:25 | password | semmle.label | password |
 | main.go:74:12:74:19 | password | semmle.label | password |
-| main.go:74:12:74:19 | password | semmle.label | password |
-| main.go:77:13:77:20 | password | semmle.label | password |
 | main.go:77:13:77:20 | password | semmle.label | password |
 | main.go:79:14:79:21 | password | semmle.label | password |
 | main.go:80:17:80:24 | password | semmle.label | password |
@@ -308,43 +220,43 @@ nodes
 | passwords.go:27:14:27:26 | call to getPassword | semmle.label | call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | semmle.label | call to getPassword |
 | passwords.go:30:8:30:15 | password | semmle.label | password |
-| passwords.go:32:12:32:19 | password | semmle.label | password |
-| passwords.go:34:14:34:35 | ...+... | semmle.label | ...+... |
-| passwords.go:34:28:34:35 | password | semmle.label | password |
-| passwords.go:36:10:38:2 | struct literal | semmle.label | struct literal |
-| passwords.go:37:13:37:13 | x | semmle.label | x |
-| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 |
-| passwords.go:41:10:43:2 | struct literal | semmle.label | struct literal |
-| passwords.go:42:6:42:13 | password | semmle.label | password |
-| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 |
-| passwords.go:48:11:48:18 | password | semmle.label | password |
-| passwords.go:50:2:50:15 | definition of fixed_password | semmle.label | definition of fixed_password |
-| passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password |
-| passwords.go:86:19:88:2 | struct literal | semmle.label | struct literal |
-| passwords.go:87:16:87:36 | call to make | semmle.label | call to make |
-| passwords.go:89:14:89:26 | utilityObject | semmle.label | utilityObject |
-| passwords.go:92:23:92:28 | secret | semmle.label | secret |
-| passwords.go:102:15:102:40 | ...+... | semmle.label | ...+... |
-| passwords.go:102:33:102:40 | password | semmle.label | password |
-| passwords.go:108:16:108:41 | ...+... | semmle.label | ...+... |
-| passwords.go:108:34:108:41 | password | semmle.label | password |
-| passwords.go:113:15:113:40 | ...+... | semmle.label | ...+... |
-| passwords.go:113:33:113:40 | password | semmle.label | password |
-| passwords.go:116:6:116:14 | definition of password1 | semmle.label | definition of password1 |
-| passwords.go:117:14:117:45 | ...+... | semmle.label | ...+... |
-| passwords.go:117:28:117:36 | password1 | semmle.label | password1 |
-| passwords.go:117:28:117:45 | call to String | semmle.label | call to String |
-| passwords.go:120:12:125:2 | struct literal | semmle.label | struct literal |
-| passwords.go:120:12:125:2 | struct literal [x] | semmle.label | struct literal [x] |
-| passwords.go:120:12:125:2 | struct literal [y] | semmle.label | struct literal [y] |
-| passwords.go:121:13:121:14 | x3 | semmle.label | x3 |
-| passwords.go:123:13:123:20 | password | semmle.label | password |
-| passwords.go:124:13:124:25 | call to getPassword | semmle.label | call to getPassword |
-| passwords.go:127:14:127:19 | config | semmle.label | config |
-| passwords.go:128:14:128:19 | config [x] | semmle.label | config [x] |
-| passwords.go:128:14:128:21 | selection of x | semmle.label | selection of x |
-| passwords.go:129:14:129:19 | config [y] | semmle.label | config [y] |
-| passwords.go:129:14:129:21 | selection of y | semmle.label | selection of y |
+| passwords.go:33:13:33:20 | password | semmle.label | password |
+| passwords.go:36:14:36:35 | ...+... | semmle.label | ...+... |
+| passwords.go:36:28:36:35 | password | semmle.label | password |
+| passwords.go:38:10:40:2 | struct literal | semmle.label | struct literal |
+| passwords.go:39:13:39:13 | x | semmle.label | x |
+| passwords.go:41:14:41:17 | obj1 | semmle.label | obj1 |
+| passwords.go:43:10:45:2 | struct literal | semmle.label | struct literal |
+| passwords.go:44:6:44:13 | password | semmle.label | password |
+| passwords.go:46:14:46:17 | obj2 | semmle.label | obj2 |
+| passwords.go:50:11:50:18 | password | semmle.label | password |
+| passwords.go:52:2:52:15 | definition of fixed_password | semmle.label | definition of fixed_password |
+| passwords.go:53:14:53:27 | fixed_password | semmle.label | fixed_password |
+| passwords.go:88:19:90:2 | struct literal | semmle.label | struct literal |
+| passwords.go:89:16:89:36 | call to make | semmle.label | call to make |
+| passwords.go:91:14:91:26 | utilityObject | semmle.label | utilityObject |
+| passwords.go:94:23:94:28 | secret | semmle.label | secret |
+| passwords.go:104:15:104:40 | ...+... | semmle.label | ...+... |
+| passwords.go:104:33:104:40 | password | semmle.label | password |
+| passwords.go:110:16:110:41 | ...+... | semmle.label | ...+... |
+| passwords.go:110:34:110:41 | password | semmle.label | password |
+| passwords.go:115:15:115:40 | ...+... | semmle.label | ...+... |
+| passwords.go:115:33:115:40 | password | semmle.label | password |
+| passwords.go:118:6:118:14 | definition of password1 | semmle.label | definition of password1 |
+| passwords.go:119:14:119:45 | ...+... | semmle.label | ...+... |
+| passwords.go:119:28:119:36 | password1 | semmle.label | password1 |
+| passwords.go:119:28:119:45 | call to String | semmle.label | call to String |
+| passwords.go:122:12:127:2 | struct literal | semmle.label | struct literal |
+| passwords.go:122:12:127:2 | struct literal [x] | semmle.label | struct literal [x] |
+| passwords.go:122:12:127:2 | struct literal [y] | semmle.label | struct literal [y] |
+| passwords.go:123:13:123:14 | x3 | semmle.label | x3 |
+| passwords.go:125:13:125:20 | password | semmle.label | password |
+| passwords.go:126:13:126:25 | call to getPassword | semmle.label | call to getPassword |
+| passwords.go:129:14:129:19 | config | semmle.label | config |
+| passwords.go:130:14:130:19 | config [x] | semmle.label | config [x] |
+| passwords.go:130:14:130:21 | selection of x | semmle.label | selection of x |
+| passwords.go:131:14:131:19 | config [y] | semmle.label | config [y] |
+| passwords.go:131:14:131:21 | selection of y | semmle.label | selection of y |
 | protobuf.go:9:2:9:9 | definition of password | semmle.label | definition of password |
 | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | semmle.label | implicit dereference [postupdate] [Description] |
 | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | semmle.label | query [postupdate] [pointer, Description] |

go/ql/test/query-tests/Security/CWE-312/passwords.go

@@ -16,7 +16,7 @@ func redact(kind, value string) string {
 	return value
 }
 
-func test() {
+func test(selector int) {
 	name := "user"
 	password := "P@ssw0rd" // $ Source
 	x := "horsebatterystapleincorrect"
@@ -29,7 +29,9 @@ func test() {
 
 	myLog(password)
 
-	log.Panic(password) // $ Alert
+	if selector == 1 {
+		log.Panic(password) // $ Alert
+	}
 
 	log.Println(name + ", " + password) // $ Alert
 

java/documentation/library-coverage/coverage.csv

@@ -194,7 +194,7 @@ org.apache.hc.core5.http,73,2,45,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,,,,,,72,,,,,,,,,,,
 org.apache.hc.core5.net,,,18,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,
 org.apache.hc.core5.util,,,24,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,18,6
 org.apache.hive.hcatalog.templeton,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,,,,,,,,,,,,,,,,
-org.apache.http,48,3,95,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,46,,,,,,,,,,,,,,,,3,86,9
+org.apache.http,53,3,117,,,,,,,,,,,,,2,,,,,,,,,,,,,,,,,,,,,51,,,,,,,,,,,,,,,,3,108,9
 org.apache.ibatis.jdbc,6,,57,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,6,,,,,,,,,,,,,,,57,
 org.apache.ibatis.mapping,,,1,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,1,
 org.apache.log4j,11,,,,,,,,,,,,,,,,,,,,,,11,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

java/documentation/library-coverage/coverage.rst

@@ -13,7 +13,7 @@ Java framework & library support
    `Apache Commons IO <https://commons.apache.org/proper/commons-io/>`_,``org.apache.commons.io``,,570,124,105,,,,,15
    `Apache Commons Lang <https://commons.apache.org/proper/commons-lang/>`_,``org.apache.commons.lang3``,,425,7,,,,,,
    `Apache Commons Text <https://commons.apache.org/proper/commons-text/>`_,``org.apache.commons.text``,,272,,,,,,,
-   `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,183,122,,3,,,,119
+   `Apache HttpComponents <https://hc.apache.org/>`_,"``org.apache.hc.core5.*``, ``org.apache.http``",5,205,127,,3,,,,124
    `Apache Log4j 2 <https://logging.apache.org/log4j/2.0/>`_,``org.apache.logging.log4j``,,8,359,,,,,,
    `Apache Struts <https://struts.apache.org/>`_,"``org.apache.struts2``, ``org.apache.struts.beanvalidation.validation.interceptor``",,3877,14,,,,,,
    `Apache Velocity <https://velocity.apache.org/>`_,"``org.apache.velocity.app``, ``org.apache.velocity.runtime``",,,8,,,,,,
@@ -41,5 +41,5 @@ Java framework & library support
    `Thymeleaf <https://www.thymeleaf.org/>`_,``org.thymeleaf``,,2,2,,,,,,
    `jOOQ <https://www.jooq.org/>`_,``org.jooq``,,,1,,,1,,,
    Others,"``actions.osgi``, ``antlr``, ``ch.ethz.ssh2``, ``cn.hutool.core.codec``, ``com.alibaba.com.caucho.hessian.io``, ``com.alibaba.druid.sql``, ``com.alibaba.fastjson2``, ``com.amazonaws.auth``, ``com.auth0.jwt.algorithms``, ``com.azure.identity``, ``com.caucho.burlap.io``, ``com.caucho.hessian.io``, ``com.cedarsoftware.util.io``, ``com.esotericsoftware.kryo.io``, ``com.esotericsoftware.kryo5.io``, ``com.esotericsoftware.yamlbeans``, ``com.hubspot.jinjava``, ``com.jcraft.jsch``, ``com.microsoft.sqlserver.jdbc``, ``com.mitchellbosecke.pebble``, ``com.opensymphony.xwork2``, ``com.sshtools.j2ssh.authentication``, ``com.sun.crypto.provider``, ``com.sun.jndi.ldap``, ``com.sun.net.httpserver``, ``com.sun.net.ssl``, ``com.sun.rowset``, ``com.sun.security.auth.module``, ``com.sun.security.ntlm``, ``com.sun.security.sasl.digest``, ``com.thoughtworks.xstream``, ``com.trilead.ssh2``, ``com.unboundid.ldap.sdk``, ``com.zaxxer.hikari``, ``flexjson``, ``hudson``, ``io.jsonwebtoken``, ``io.undertow.server.handlers.resource``, ``javafx.scene.web``, ``jenkins``, ``jodd.json``, ``liquibase.database.jvm``, ``liquibase.statement.core``, ``net.lingala.zip4j``, ``net.schmizz.sshj``, ``net.sf.json``, ``net.sf.saxon.s9api``, ``ognl``, ``org.acegisecurity``, ``org.antlr.runtime``, ``org.apache.avro``, ``org.apache.commons.codec``, ``org.apache.commons.compress.archivers.tar``, ``org.apache.commons.exec``, ``org.apache.commons.fileupload``, ``org.apache.commons.httpclient.util``, ``org.apache.commons.jelly``, ``org.apache.commons.jexl2``, ``org.apache.commons.jexl3``, ``org.apache.commons.lang``, ``org.apache.commons.logging``, ``org.apache.commons.net``, ``org.apache.commons.ognl``, ``org.apache.cxf.catalog``, ``org.apache.cxf.common.classloader``, ``org.apache.cxf.common.jaxb``, ``org.apache.cxf.common.logging``, ``org.apache.cxf.configuration.jsse``, ``org.apache.cxf.helpers``, ``org.apache.cxf.resource``, ``org.apache.cxf.staxutils``, ``org.apache.cxf.tools.corba.utils``, ``org.apache.cxf.tools.util``, ``org.apache.cxf.transform``, ``org.apache.directory.ldap.client.api``, ``org.apache.hadoop.fs``, ``org.apache.hadoop.hive.metastore``, ``org.apache.hadoop.hive.ql.exec``, ``org.apache.hadoop.hive.ql.metadata``, ``org.apache.hc.client5.http.async.methods``, ``org.apache.hc.client5.http.classic.methods``, ``org.apache.hc.client5.http.fluent``, ``org.apache.hive.hcatalog.templeton``, ``org.apache.ibatis.jdbc``, ``org.apache.ibatis.mapping``, ``org.apache.log4j``, ``org.apache.shiro.authc``, ``org.apache.shiro.codec``, ``org.apache.shiro.jndi``, ``org.apache.shiro.mgt``, ``org.apache.sshd.client.session``, ``org.apache.tools.ant``, ``org.apache.tools.zip``, ``org.codehaus.cargo.container.installer``, ``org.dom4j``, ``org.exolab.castor.xml``, ``org.fusesource.leveldbjni``, ``org.geogebra.web.full.main``, ``org.gradle.api.file``, ``org.ho.yaml``, ``org.influxdb``, ``org.jabsorb``, ``org.jboss.vfs``, ``org.jdbi.v3.core``, ``org.jenkins.ui.icon``, ``org.jenkins.ui.symbol``, ``org.keycloak.models.map.storage``, ``org.kohsuke.stapler``, ``org.lastaflute.web``, ``org.mvel2``, ``org.openjdk.jmh.runner.options``, ``org.owasp.esapi``, ``org.pac4j.jwt.config.encryption``, ``org.pac4j.jwt.config.signature``, ``org.scijava.log``, ``org.xml.sax``, ``org.xmlpull.v1``, ``play.libs.ws``, ``play.mvc``, ``ratpack.core.form``, ``ratpack.core.handling``, ``ratpack.core.http``, ``ratpack.exec``, ``ratpack.form``, ``ratpack.func``, ``ratpack.handling``, ``ratpack.http``, ``ratpack.util``, ``software.amazon.awssdk.transfer.s3.model``, ``sun.jvmstat.perfdata.monitor.protocol.local``, ``sun.jvmstat.perfdata.monitor.protocol.rmi``, ``sun.misc``, ``sun.net.ftp``, ``sun.net.www.protocol.http``, ``sun.security.acl``, ``sun.security.jgss.krb5``, ``sun.security.krb5``, ``sun.security.pkcs``, ``sun.security.pkcs11``, ``sun.security.provider``, ``sun.security.ssl``, ``sun.security.x509``, ``sun.tools.jconsole``",127,6034,775,148,6,14,18,,186
-   Totals,,382,26381,2702,421,16,137,33,1,410
+   Totals,,382,26403,2707,421,16,137,33,1,415
 

java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modeling of Apache HttpClient `execute` method sinks for `java/ssrf` and `java/non-https-url`.

java/ql/lib/ext/org.apache.http.client.methods.model.yml

@@ -11,7 +11,7 @@ extensions:
       - ["org.apache.http.client.methods", "HttpPost", False, "HttpPost", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "HttpPut", False, "HttpPut", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "HttpRequestBase", True, "setURI", "", "", "Argument[0]", "request-forgery", "manual"]
-      - ["org.apache.http.client.methods", "HttpRequestWrapper", True, "setURI", "(URI)", "", "Argument[0]", "request-forgery", "hq-manual"]
+      - ["org.apache.http.client.methods", "HttpRequestWrapper", True, "setURI", "(URI)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["org.apache.http.client.methods", "HttpTrace", False, "HttpTrace", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "delete", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "get", "", "", "Argument[0]", "request-forgery", "manual"]
@@ -22,3 +22,29 @@ extensions:
       - ["org.apache.http.client.methods", "RequestBuilder", False, "put", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "setUri", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "trace", "", "", "Argument[0]", "request-forgery", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "build", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "delete", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "delete", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "get", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "get", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "getUri", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "head", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "head", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "options", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "options", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "patch", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "patch", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "post", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "post", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "put", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "put", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(URI)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "trace", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "trace", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/org.apache.http.client.model.yml

@@ -3,6 +3,11 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]

java/ql/lib/semmle/code/java/dataflow/Bound.qll

@@ -4,67 +4,33 @@
 overlay[local?]
 module;
 
-private import internal.rangeanalysis.BoundSpecific
+private import java as J
+private import semmle.code.java.dataflow.SSA
+private import semmle.code.java.dataflow.RangeUtils as RU
+private import codeql.rangeanalysis.Bound as SharedBound
 
-private newtype TBound =
-  TBoundZero() or
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
-  TBoundExpr(Expr e) {
-    interestingExprBound(e) and
-    not exists(SsaVariable v | e = v.getAUse())
+private module BoundDefs implements SharedBound::BoundDefinitions<J::Location> {
+  class SsaVariable extends Ssa::SsaDefinition {
+    /** Gets a use of this variable. */
+    Expr getAUse() { result = super.getARead() }
   }
 
-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
+  class SsaSourceVariable = Ssa::SourceVariable;
 
-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Expr getExpr(int delta);
+  class Type = J::Type;
 
-  /** Gets an expression that equals this bound. */
-  Expr getExpr() { result = this.getExpr(0) }
+  class Expr = J::Expr;
 
-  /** Gets the location of this bound. */
-  abstract Location getLocation();
+  class IntegralType = J::IntegralType;
+
+  class ConstantIntegerExpr = RU::ConstantIntegerExpr;
+
+  /** Holds if `e` is a bound expression and it is not an SSA variable read. */
+  predicate interestingExprBound(Expr e) {
+    e.(J::FieldRead).getField() instanceof J::ArrayLengthField
+  }
 }
 
-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
+module BoundImpl = SharedBound::Bound<J::Location, BoundDefs>;
 
-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
-
-  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = this.getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }
-
-  override Location getLocation() { result = this.getSsa().getLocation() }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = this.getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}
+import BoundImpl

java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/BoundSpecific.qll

@@ -1,27 +0,0 @@
-/**
- * Provides Java-specific definitions for bounds.
- */
-overlay[local?]
-module;
-
-private import java as J
-private import semmle.code.java.dataflow.SSA as Ssa
-private import semmle.code.java.dataflow.RangeUtils as RU
-
-class SsaVariable extends Ssa::SsaDefinition {
-  /** Gets a use of this variable. */
-  Expr getAUse() { result = super.getARead() }
-}
-
-class Expr = J::Expr;
-
-class Location = J::Location;
-
-class IntegralType = J::IntegralType;
-
-class ConstantIntegerExpr = RU::ConstantIntegerExpr;
-
-/** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) {
-  e.(J::FieldRead).getField() instanceof J::ArrayLengthField
-}

java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java

@@ -0,0 +1,45 @@
+import java.io.IOException;
+
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.ResponseHandler;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.message.BasicHttpRequest;
+import org.apache.http.protocol.HttpContext;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class ApacheHttpClientExecuteSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String source = request.getParameter("host"); // $ Source
+
+            HttpHost host = new HttpHost(source);
+            HttpRequest req = new BasicHttpRequest("GET", "/");
+            HttpUriRequest uriReq = RequestBuilder.get(source).build(); // $ Alert
+            HttpContext context = null;
+            HttpClient client = HttpClients.createDefault();
+            ResponseHandler<Object> handler = null;
+
+            client.execute(host, req); // $ Alert
+            client.execute(host, req, context); // $ Alert
+            client.execute(host, req, handler); // $ Alert
+            client.execute(host, req, handler, context); // $ Alert
+            client.execute(uriReq); // $ Alert
+            client.execute(uriReq, context); // $ Alert
+            client.execute(uriReq, handler); // $ Alert
+            client.execute(uriReq, handler, context); // $ Alert
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}

java/ql/test/query-tests/security/CWE-918/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/apache-http-client-4.4.13:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf

java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java

@@ -0,0 +1,23 @@
+// Generated automatically from org.apache.http.client.HttpClient for testing purposes
+
+package org.apache.http.client;
+
+import java.io.IOException;
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.protocol.HttpContext;
+
+public interface HttpClient {
+    HttpResponse execute(HttpHost target, HttpRequest request) throws IOException;
+    HttpResponse execute(HttpHost target, HttpRequest request, HttpContext context) throws IOException;
+    <T> T execute(HttpHost target, HttpRequest request, ResponseHandler<? extends T> responseHandler) throws IOException;
+    <T> T execute(HttpHost target, HttpRequest request, ResponseHandler<? extends T> responseHandler, HttpContext context)
+            throws IOException;
+    HttpResponse execute(HttpUriRequest request) throws IOException;
+    HttpResponse execute(HttpUriRequest request, HttpContext context) throws IOException;
+    <T> T execute(HttpUriRequest request, ResponseHandler<? extends T> responseHandler) throws IOException;
+    <T> T execute(HttpUriRequest request, ResponseHandler<? extends T> responseHandler, HttpContext context)
+            throws IOException;
+}

java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java

@@ -0,0 +1,9 @@
+// Generated automatically from org.apache.http.client.ResponseHandler for testing purposes
+
+package org.apache.http.client;
+
+import org.apache.http.HttpResponse;
+
+public interface ResponseHandler<T> {
+    T handleResponse(HttpResponse response);
+}

java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/CloseableHttpClient.java

@@ -0,0 +1,7 @@
+package org.apache.http.impl.client;
+
+import org.apache.http.client.HttpClient;
+
+public abstract class CloseableHttpClient implements HttpClient {
+
+}

java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/HttpClients.java

@@ -0,0 +1,10 @@
+// Generated automatically from org.apache.http.client.HttpClient for testing purposes
+
+package org.apache.http.impl.client;
+
+import java.io.IOException;
+import org.apache.http.impl.client.CloseableHttpClient;
+
+public final class HttpClients {
+        public static CloseableHttpClient createDefault() { return null; }
+}

javascript/resources/codeql-extractor.yml

@@ -21,13 +21,19 @@ file_coverage_languages:
     scc_languages:
       - TypeScript
       - TypeScript Typings
+  - name: vue
+    display_name: Vue.js component
+    scc_languages:
+      - Vue
 github_api_languages:
   - JavaScript
   - TypeScript
+  - Vue
 scc_languages:
   - JavaScript
   - TypeScript
   - TypeScript Typings
+  - Vue
 file_types:
   - name: javascript
     display_name: JavaScript

python/ql/lib/change-notes/2026-06-01-decorator-predicate-simplification.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -256,12 +256,9 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
  */
 overlay[local]
 predicate isStaticmethod(Function func) {
-  // The decorator is *syntactically* a `Name` "staticmethod" — we don't
-  // care which variable it resolves to. `staticmethod` is a builtin and
-  // is almost never shadowed in a module-level scope; even if a class
-  // redefines `staticmethod` in its body, the class body has not started
-  // executing yet at the decorator position, so Python uses the builtin.
-  func.getADecorator().(Name).getId() = "staticmethod"
+  exists(NameNode id | id.getId() = "staticmethod" and id.isGlobal() |
+    func.getADecorator() = id.getNode()
+  )
 }
 
 /**
@@ -271,9 +268,9 @@ predicate isStaticmethod(Function func) {
  */
 overlay[local]
 predicate isClassmethod(Function func) {
-  // See `isStaticmethod` for the rationale for matching on the AST `Name`
-  // rather than going via the CFG and `isGlobal()`.
-  func.getADecorator().(Name).getId() = "classmethod"
+  exists(NameNode id | id.getId() = "classmethod" and id.isGlobal() |
+    func.getADecorator() = id.getNode()
+  )
   or
   exists(Class cls |
     cls.getAMethod() = func and
@@ -288,8 +285,9 @@ predicate isClassmethod(Function func) {
 /** Holds if the function `func` has a `property` decorator. */
 overlay[local]
 predicate hasPropertyDecorator(Function func) {
-  // See `isStaticmethod` for the rationale for matching on the AST `Name`.
-  func.getADecorator().(Name).getId() = "property"
+  exists(NameNode id | id.getId() = "property" and id.isGlobal() |
+    func.getADecorator() = id.getNode()
+  )
 }
 
 /**

python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll

@@ -9,19 +9,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.ImportStar
 private import semmle.python.dataflow.new.TypeTracking
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
-
-/**
- * Holds if `init` is a package's `__init__.py` and `var` is a global variable in
- * `init` whose name matches a submodule of the package.
- *
- * Inlined from `SsaSource::init_module_submodule_defn` to avoid pulling
- * `semmle.python.essa.SsaDefinitions` into the new dataflow stack.
- */
-private predicate initModuleSubmoduleDefn(GlobalVariable var, Module init) {
-  init.isPackageInit() and
-  exists(init.getPackage().getSubModule(var.getId())) and
-  var.getScope() = init
-}
+private import semmle.python.essa.SsaDefinitions
 
 /**
  * Python modules and the way imports are resolved are... complicated. Here's a crash course in how
@@ -338,7 +326,7 @@ module ImportResolution {
     // imported yet.
     exists(string submodule, Module package, EssaVariable var |
       submodule = var.getName() and
-      initModuleSubmoduleDefn(var.getSourceVariable(), package) and
+      SsaSource::init_module_submodule_defn(var.getSourceVariable(), package.getEntryNode()) and
       m = getModuleFromName(package.getPackageName() + "." + submodule) and
       result.asCfgNode() = var.getDefinition().(EssaNodeDefinition).getDefiningNode()
     )

ruby/ql/lib/codeql/ruby/ast/Parameter.qll

@@ -134,7 +134,7 @@ class BlockParameter extends NamedParameter, TBlockParameter {
   final override string getName() { result = g.getName().getValue() }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 
@@ -164,7 +164,7 @@ class HashSplatParameter extends NamedParameter, THashSplatParameter {
   final override string getAPrimaryQlClass() { result = "HashSplatParameter" }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 
@@ -212,7 +212,9 @@ class KeywordParameter extends NamedParameter, TKeywordParameter {
 
   final override string getAPrimaryQlClass() { result = "KeywordParameter" }
 
-  final override LocalVariable getVariable() { result = TLocalVariableReal(_, _, g.getName()) }
+  final override LocalVariable getVariable() {
+    result.(LocalVariableReal).getDefiningNode() = g.getName()
+  }
 
   /**
    * Gets the default value, i.e. the value assigned to the parameter when one
@@ -262,7 +264,9 @@ class OptionalParameter extends NamedParameter, TOptionalParameter {
    */
   final Expr getDefaultValue() { toGenerated(result) = g.getValue() }
 
-  final override LocalVariable getVariable() { result = TLocalVariableReal(_, _, g.getName()) }
+  final override LocalVariable getVariable() {
+    result.(LocalVariableReal).getDefiningNode() = g.getName()
+  }
 
   final override string toString() { result = this.getName() }
 
@@ -293,7 +297,7 @@ class SplatParameter extends NamedParameter, TSplatParameter {
   final override string getAPrimaryQlClass() { result = "SplatParameter" }
 
   final override LocalVariable getVariable() {
-    result = TLocalVariableReal(_, _, g.getName()) or
+    result.(LocalVariableReal).getDefiningNode() = g.getName() or
     result = TLocalVariableSynth(this, 0)
   }
 

ruby/ql/lib/codeql/ruby/ast/internal/AST.qll

@@ -207,9 +207,7 @@ private module Cached {
     TLambda(Ruby::Lambda g) or
     TLine(Ruby::Line g) or
     TLeftAssignmentList(Ruby::LeftAssignmentList g) or
-    TLocalVariableAccessReal(Ruby::Identifier g, TLocalVariableReal v) {
-      LocalVariableAccess::range(g, v)
-    } or
+    TLocalVariableAccessReal(Ruby::Identifier g, TLocalVariableReal v) { access(g, v) } or
     TLocalVariableAccessSynth(Ast::AstNode parent, int i, Ast::LocalVariable v) {
       mkSynthChild(LocalVariableAccessRealKind(v), parent, i)
       or

ruby/ql/lib/codeql/ruby/ast/internal/Parameter.qll

@@ -33,7 +33,7 @@ class SimpleParameterRealImpl extends SimpleParameterImpl, TSimpleParameterReal
 
   SimpleParameterRealImpl() { this = TSimpleParameterReal(g) }
 
-  override LocalVariable getVariableImpl() { result = TLocalVariableReal(_, _, g) }
+  override LocalVariable getVariableImpl() { result.(LocalVariableReal).getDefiningNode() = g }
 
   override string getNameImpl() { result = g.getValue() }
 }

ruby/ql/lib/codeql/ruby/ast/internal/Scope.qll

@@ -118,7 +118,7 @@ private Ruby::AstNode specialParentOf(Ruby::AstNode n) {
     ]
 }
 
-private Ruby::AstNode parentOf(Ruby::AstNode n) {
+Ruby::AstNode parentOf(Ruby::AstNode n) {
   n = getHereDocBody(result)
   or
   result = specialParentOf(n).getParent()
@@ -172,13 +172,15 @@ private module Cached {
   }
 }
 
-bindingset[n]
-pragma[inline_late]
-Scope::Range scopeOf(Ruby::AstNode n) { result = Cached::scopeOfImpl(n) }
+import Cached
 
 bindingset[n]
 pragma[inline_late]
-Scope scopeOfInclSynth(AstNode n) { result = Cached::scopeOfInclSynthImpl(n) }
+Scope::Range scopeOf(Ruby::AstNode n) { result = scopeOfImpl(n) }
+
+bindingset[n]
+pragma[inline_late]
+Scope scopeOfInclSynth(AstNode n) { result = scopeOfInclSynthImpl(n) }
 
 abstract class ScopeImpl extends AstNode, TScopeType {
   final Scope getOuterScopeImpl() { result = scopeOfInclSynth(this) }

ruby/ql/lib/codeql/ruby/ast/internal/Synthesis.qll

@@ -299,9 +299,12 @@ private predicate hasLocation(AstNode n, Location l) {
 private module ImplicitSelfSynthesis {
   pragma[nomagic]
   private predicate identifierMethodCallSelfSynthesis(AstNode mc, int i, Child child) {
-    child = SynthChild(SelfKind(TSelfVariable(scopeOf(toGenerated(mc)).getEnclosingSelfScope()))) and
-    mc = TIdentifierMethodCall(_) and
-    i = 0
+    exists(SelfVariableImpl self |
+      self.getDeclaringScopeImpl() = scopeOf(toGenerated(mc)).getEnclosingSelfScope() and
+      child = SynthChild(SelfKind(self)) and
+      mc = TIdentifierMethodCall(_) and
+      i = 0
+    )
   }
 
   private class IdentifierMethodCallSelfSynthesis extends Synthesis {
@@ -312,13 +315,14 @@ private module ImplicitSelfSynthesis {
 
   pragma[nomagic]
   private predicate regularMethodCallSelfSynthesis(TRegularMethodCall mc, int i, Child child) {
-    exists(Ruby::AstNode g |
+    exists(Ruby::AstNode g, SelfVariableImpl self |
       mc = TRegularMethodCall(g) and
       // If there's no explicit receiver, then the receiver is implicitly `self`.
-      not exists(g.(Ruby::Call).getReceiver())
-    ) and
-    child = SynthChild(SelfKind(TSelfVariable(scopeOf(toGenerated(mc)).getEnclosingSelfScope()))) and
-    i = 0
+      not exists(g.(Ruby::Call).getReceiver()) and
+      self.getDeclaringScopeImpl() = scopeOf(toGenerated(mc)).getEnclosingSelfScope() and
+      child = SynthChild(SelfKind(self)) and
+      i = 0
+    )
   }
 
   private class RegularMethodCallSelfSynthesis extends Synthesis {
@@ -341,9 +345,10 @@ private module ImplicitSelfSynthesis {
    */
   pragma[nomagic]
   private SelfKind getSelfKind(InstanceVariableAccess var) {
-    exists(Ruby::AstNode owner |
+    exists(Ruby::AstNode owner, SelfVariableImpl self |
+      self.getDeclaringScopeImpl() = scopeOf(owner).getEnclosingSelfScope() and
       owner = toGenerated(instanceVarAccessSynthParentStar(var)) and
-      result = SelfKind(TSelfVariable(scopeOf(owner).getEnclosingSelfScope()))
+      result = SelfKind(self)
     )
   }
 
@@ -1566,20 +1571,20 @@ private module ForLoopDesugar {
  * { a: a }
  * ```
  */
-private module ImplicitHashValueSynthesis {
-  private Ruby::AstNode keyWithoutValue(AstNode parent, int i) {
+module ImplicitHashValueSynthesis {
+  Ruby::AstNode keyWithoutValue(Ruby::AstNode parent, int i) {
     exists(Ruby::KeywordPattern pair |
       result = pair.getKey() and
-      result = toGenerated(parent.(HashPattern).getKey(i)) and
+      result = parent.(Ruby::HashPattern).getChild(i).(Ruby::KeywordPattern).getKey() and
       not exists(pair.getValue())
     )
     or
-    exists(Ruby::Pair pair |
-      i = 0 and
-      result = pair.getKey() and
-      pair = toGenerated(parent) and
-      not exists(pair.getValue())
-    )
+    parent =
+      any(Ruby::Pair pair |
+        i = 0 and
+        result = pair.getKey() and
+        not exists(pair.getValue())
+      )
   }
 
   private string keyName(Ruby::AstNode key) {
@@ -1589,7 +1594,7 @@ private module ImplicitHashValueSynthesis {
 
   private class ImplicitHashValueSynthesis extends Synthesis {
     final override predicate child(AstNode parent, int i, Child child) {
-      exists(Ruby::AstNode key | key = keyWithoutValue(parent, i) |
+      exists(Ruby::AstNode key | key = keyWithoutValue(toGenerated(parent), i) |
         exists(TVariableReal variable |
           access(key, variable) and
           child = SynthChild(LocalVariableAccessRealKind(variable))
@@ -1616,7 +1621,7 @@ private module ImplicitHashValueSynthesis {
     }
 
     final override predicate location(AstNode n, Location l) {
-      exists(AstNode p, int i | l = keyWithoutValue(p, i).getLocation() |
+      exists(AstNode p, int i | l = keyWithoutValue(toGenerated(p), i).getLocation() |
         n = p.(HashPattern).getValue(i)
         or
         i = 0 and n = p.(Pair).getValue()

ruby/ql/lib/codeql/ruby/ast/internal/Variable.qll

@@ -2,6 +2,7 @@ overlay[local]
 module;
 
 private import TreeSitter
+private import codeql.namebinding.LocalNameBinding
 private import codeql.ruby.AST
 private import codeql.ruby.CFG
 private import codeql.ruby.ast.internal.AST
@@ -94,10 +95,11 @@ predicate scopeDefinesParameterVariable(
   // In case of overlapping parameter names (e.g. `_`), only the first
   // parameter will give rise to a variable
   i =
-    min(Ruby::Identifier other |
-      parameterAssignment(scope, name, other, _)
+    min(Ruby::Identifier other, int startline, int startcolumn |
+      parameterAssignment(scope, name, other, _) and
+      other.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
     |
-      other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
+      other order by startline, startcolumn
     ) and
   parameterAssignment(scope, name, _, pos)
   or
@@ -113,7 +115,8 @@ predicate scopeDefinesParameterVariable(
   )
 }
 
-pragma[nomagic]
+bindingset[i]
+pragma[inline_late]
 private string variableNameInScope(Ruby::AstNode i, Scope::Range scope) {
   scope = scopeOf(i) and
   (
@@ -137,40 +140,142 @@ private predicate scopeAssigns(Scope::Range scope, string name, Ruby::AstNode i)
   name = variableNameInScope(i, scope)
 }
 
+private module Input implements LocalNameBindingInputSig<Location> {
+  predicate cacheRevRef() { exists(TVariable v) implies any() }
+
+  class AstNode = Ruby::AstNode;
+
+  AstNode getChild(AstNode parent, int index) {
+    parent = parentOf(result) and
+    (
+      index = result.getParentIndex()
+      or
+      not exists(result.getParentIndex()) and
+      index = -1
+    )
+  }
+
+  class Conditional extends AstNode {
+    Conditional() { none() }
+
+    AstNode getCondition() { none() }
+
+    AstNode getThen() { none() }
+
+    AstNode getElse() { none() }
+  }
+
+  class SiblingShadowingDecl extends AstNode {
+    SiblingShadowingDecl() { none() }
+
+    AstNode getLhs() { none() }
+
+    AstNode getRhs() { none() }
+
+    AstNode getElse() { none() }
+  }
+
+  predicate isTopScope(AstNode scope) {
+    scope instanceof Scope::Range and
+    not (
+      scope instanceof Ruby::Block or
+      scope instanceof Ruby::DoBlock or
+      scope instanceof Ruby::Lambda
+    )
+  }
+
+  private Scope::Range getParentScope(Scope::Range scope) {
+    result = scopeOf(scope) and
+    not isTopScope(scope)
+  }
+
+  bindingset[name, scope]
+  pragma[inline_late]
+  private predicate declInScope0(AstNode definingNode, string name, AstNode scope) {
+    scopeDefinesParameterVariable(scope, name, definingNode, _) or
+    scopeAssigns(scope, name, definingNode)
+  }
+
+  predicate declInScope(AstNode definingNode, string name, AstNode scope) {
+    scopeDefinesParameterVariable(scope, name, definingNode, _)
+    or
+    /*
+     * Variables are not declared explicitly in Ruby, so we consider the _first_ assignment to
+     * be the declaration:
+     *
+     * ```rb
+     * a = 1 # declares `a`
+     * a = 2 # does not declare `a`
+     * 1.times do | x | # declares `x`
+     *   a = 2 # does not declare `a`
+     * end
+     * ```
+     */
+
+    scopeAssigns(scope, name, definingNode) and
+    not scopeDefinesParameterVariable(scope, name, _, _) and
+    not exists(AstNode prev, AstNode prevScope |
+      prevScope = getParentScope*(scope) and
+      declInScope0(prev, name, prevScope) and
+      prev.getLocation().strictlyBefore(definingNode.getLocation())
+    )
+  }
+
+  predicate implicitDeclInScope(string name, AstNode scope) {
+    name = "self" and
+    scope instanceof SelfBase::Range
+  }
+
+  predicate accessCand(AstNode n, string name) {
+    name = variableNameInScope(n, _) and
+    (
+      explicitAssignmentNode(n, _)
+      or
+      implicitAssignmentNode(n)
+      or
+      scopeDefinesParameterVariable(_, _, n, _)
+      or
+      vcall(n)
+      or
+      n = any(Ruby::VariableReferencePattern vr).getName()
+      or
+      n = ImplicitHashValueSynthesis::keyWithoutValue(_, _)
+    )
+    or
+    n instanceof Ruby::Self and
+    name = "self"
+  }
+}
+
+private import LocalNameBinding<Location, Input>
+
 cached
 private module Cached {
   cached
   newtype TVariable =
-    TGlobalVariable(string name) { name = any(Ruby::GlobalVariable var).getValue() } or
+    TGlobalVariable(string name) {
+      CachedStage::ref() and
+      name = any(Ruby::GlobalVariable var).getValue()
+    } or
     TClassVariable(Scope::Range scope, string name, Ruby::AstNode decl) {
       decl =
-        min(Ruby::ClassVariable other |
-          classVariableAccess(other, name, scope)
+        min(Ruby::ClassVariable other, int startline, int startcolumn |
+          classVariableAccess(other, name, scope) and
+          other.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
         |
-          other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
+          other order by startline, startcolumn
         )
     } or
     TInstanceVariable(Scope::Range scope, string name, boolean instance, Ruby::AstNode decl) {
       decl =
-        min(Ruby::InstanceVariable other |
-          instanceVariableAccess(other, name, scope, instance)
+        min(Ruby::InstanceVariable other, int startline, int startcolumn |
+          instanceVariableAccess(other, name, scope, instance) and
+          other.getLocation().hasLocationInfo(_, startline, startcolumn, _, _)
         |
-          other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
+          other order by startline, startcolumn
         )
     } or
-    TLocalVariableReal(Scope::Range scope, string name, Ruby::AstNode i) {
-      scopeDefinesParameterVariable(scope, name, i, _)
-      or
-      i =
-        min(Ruby::AstNode other |
-          scopeAssigns(scope, name, other)
-        |
-          other order by other.getLocation().getStartLine(), other.getLocation().getStartColumn()
-        ) and
-      not scopeDefinesParameterVariable(scope, name, _, _) and
-      not inherits(scope, name, _)
-    } or
-    TSelfVariable(SelfBase::Range scope) or
+    TLocalVariableReal(Local l) or
     TLocalVariableSynth(AstNode n, int i) { any(Synthesis s).localVariable(n, i) }
 
   // Db types that can be vcalls
@@ -321,39 +426,37 @@ private module Cached {
     i = any(Ruby::ExpressionReferencePattern x).getValue()
   }
 
-  pragma[nomagic]
-  private predicate hasScopeAndName(VariableReal variable, Scope::Range scope, string name) {
-    variable.getNameImpl() = name and
-    scope = variable.getDeclaringScopeImpl()
-  }
-
   cached
   predicate access(Ruby::AstNode access, VariableReal variable) {
-    exists(string name, Scope::Range scope |
-      pragma[only_bind_into](name) = variableNameInScope(access, scope)
+    exists(Local l |
+      variable = TLocalVariableReal(l) and
+      access = l.getAnAccess()
     |
-      hasScopeAndName(variable, scope, name) and
-      not access.getLocation().strictlyBefore(variable.getLocationImpl()) and
-      // In case of overlapping parameter names, later parameters should not
-      // be considered accesses to the first parameter
-      if parameterAssignment(_, _, access, _)
-      then scopeDefinesParameterVariable(_, _, access, _)
-      else any()
+      l instanceof ImplicitLocal
       or
-      exists(Scope::Range declScope |
-        hasScopeAndName(variable, declScope, pragma[only_bind_into](name)) and
-        inherits(scope, name, declScope)
-      )
+      /*
+       * In the example below, `a` is declared in the scope of `M`, but only the
+       * second mention of `a` is an actual access:
+       *
+       * ```rb
+       * module M
+       *   puts a # calls method `a`
+       *   a = 1  # declares `a`
+       *   puts a # accesses variable `a`
+       * end
+       * ```
+       */
+
+      not access.getLocation().strictlyBefore(l.getDefiningNode().getLocation())
     )
   }
 
   private class Access extends Ruby::Token {
     Access() {
-      access(this.(Ruby::Identifier), _) or
+      access(this, _) or
       this instanceof Ruby::GlobalVariable or
       this instanceof Ruby::InstanceVariable or
-      this instanceof Ruby::ClassVariable or
-      this instanceof Ruby::Self
+      this instanceof Ruby::ClassVariable
     }
   }
 
@@ -398,29 +501,6 @@ private module Cached {
 
 import Cached
 
-/** Holds if this scope inherits `name` from an outer scope `outer`. */
-private predicate inherits(Scope::Range scope, string name, Scope::Range outer) {
-  (
-    scope instanceof Ruby::Block or
-    scope instanceof Ruby::DoBlock or
-    scope instanceof Ruby::Lambda
-  ) and
-  not scopeDefinesParameterVariable(scope, name, _, _) and
-  (
-    outer = scope.getOuterScope() and
-    (
-      scopeDefinesParameterVariable(outer, name, _, _)
-      or
-      exists(Ruby::AstNode i |
-        scopeAssigns(outer, name, i) and
-        i.getLocation().strictlyBefore(scope.getLocation())
-      )
-    )
-    or
-    inherits(scope.getOuterScope(), name, outer)
-  )
-}
-
 abstract class VariableImpl extends TVariable {
   abstract string getNameImpl();
 
@@ -429,10 +509,9 @@ abstract class VariableImpl extends TVariable {
   abstract Location getLocationImpl();
 }
 
-class TVariableReal =
-  TGlobalVariable or TClassVariable or TInstanceVariable or TLocalVariableReal or TSelfVariable;
+class TVariableReal = TGlobalVariable or TClassVariable or TInstanceVariable or TLocalVariableReal;
 
-class TLocalVariable = TLocalVariableReal or TLocalVariableSynth or TSelfVariable;
+class TLocalVariable = TLocalVariableReal or TLocalVariableSynth;
 
 /**
  * A "real" (i.e. non-synthesized) variable. This class only exists to
@@ -458,19 +537,19 @@ private class VariableRealAdapter extends VariableImpl, TVariableReal instanceof
 }
 
 class LocalVariableReal extends VariableReal, TLocalVariableReal {
-  private Scope::Range scope;
-  private string name;
-  private Ruby::AstNode i;
+  private Local l;
 
-  LocalVariableReal() { this = TLocalVariableReal(scope, name, i) }
+  LocalVariableReal() { this = TLocalVariableReal(l) }
 
-  final override string getNameImpl() { result = name }
+  Ruby::AstNode getDefiningNode() { result = l.getDefiningNode() }
 
-  final override Location getLocationImpl() { result = i.getLocation() }
+  final override string getNameImpl() { result = l.getName() }
 
-  final override Scope::Range getDeclaringScopeImpl() { result = scope }
+  final override Location getLocationImpl() { result = l.getLocation() }
 
-  final VariableAccess getDefiningAccessImpl() { toGenerated(result) = i }
+  final override Scope::Range getDeclaringScopeImpl() { result = l.getScope() }
+
+  final VariableAccess getDefiningAccessImpl() { toGenerated(result) = l.getDefiningNode() }
 }
 
 class LocalVariableSynth extends VariableImpl, TLocalVariableSynth {
@@ -531,34 +610,16 @@ class ClassVariableImpl extends VariableReal, TClassVariable {
   final override Scope::Range getDeclaringScopeImpl() { result = scope }
 }
 
-class SelfVariableImpl extends VariableReal, TSelfVariable {
-  private SelfBase::Range scope;
+class SelfVariableImpl extends LocalVariableReal {
+  private ImplicitLocal l;
 
-  SelfVariableImpl() { this = TSelfVariable(scope) }
-
-  final override string getNameImpl() { result = "self" }
-
-  final override Location getLocationImpl() { result = scope.getLocation() }
-
-  final override Scope::Range getDeclaringScopeImpl() { result = scope }
+  SelfVariableImpl() { this = TLocalVariableReal(l) }
 }
 
 abstract class VariableAccessImpl extends Expr, TVariableAccess {
   abstract VariableImpl getVariableImpl();
 }
 
-module LocalVariableAccess {
-  predicate range(Ruby::Identifier id, TLocalVariableReal v) {
-    access(id, v) and
-    (
-      explicitWriteAccess(id, _) or
-      implicitWriteAccess(id) or
-      vcall(id) or
-      id = any(Ruby::VariableReferencePattern vr).getName()
-    )
-  }
-}
-
 class TVariableAccessReal =
   TLocalVariableAccessReal or TGlobalVariableAccess or TInstanceVariableAccess or
       TClassVariableAccess;
@@ -681,7 +742,8 @@ private class SelfVariableAccessReal extends SelfVariableAccessImpl, TSelfReal {
 
   SelfVariableAccessReal() {
     exists(Ruby::Self self |
-      this = TSelfReal(self) and var = TSelfVariable(scopeOf(self).getEnclosingSelfScope())
+      this = TSelfReal(self) and
+      access(self, var)
     )
   }
 

ruby/ql/lib/qlpack.yml

@@ -14,6 +14,7 @@ dependencies:
   codeql/ssa: ${workspace}
   codeql/tutorial: ${workspace}
   codeql/util: ${workspace}
+  codeql/namebinding: ${workspace}
 dataExtensions:
   - codeql/ruby/frameworks/**/model.yml
   - codeql/ruby/frameworks/**/*.model.yml

ruby/ql/test/library-tests/variables/parameter.expected

@@ -28,6 +28,7 @@ parameterVariable
 | parameters.rb:59:22:59:26 | (..., ...) | parameters.rb:59:25:59:25 | c |
 | scopes.rb:2:14:2:14 | x | scopes.rb:2:14:2:14 | x |
 | scopes.rb:9:14:9:14 | x | scopes.rb:9:14:9:14 | x |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x |
 | ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b |
 | ssa.rb:18:8:18:8 | x | ssa.rb:18:8:18:8 | x |
 | ssa.rb:25:8:25:15 | elements | ssa.rb:25:8:25:15 | elements |

ruby/ql/test/library-tests/variables/scopes.rb

@@ -47,3 +47,27 @@ module M
   #{var2}
  EOF
 end
+
+module ExceptionVariable
+  class MyException < Exception
+  end
+
+  x = 1
+  puts x
+
+  begin
+    raise MyException
+  rescue MyException => x # reuses `x` from above
+    puts x
+  end
+  puts x # prints `MyException`, not `1`
+end
+
+module ParameterShadowing
+  x = 1
+  xs = [1, 2, 3]
+  xs.each do |x|
+    puts x
+  end
+  puts x # prints `1`, not `3`
+end

ruby/ql/test/library-tests/variables/ssa.expected

@@ -86,12 +86,12 @@ definition
 | parameters.rb:59:20:59:20 | a | parameters.rb:59:20:59:20 | a |
 | parameters.rb:59:23:59:23 | b | parameters.rb:59:23:59:23 | b |
 | parameters.rb:59:25:59:25 | c | parameters.rb:59:25:59:25 | c |
-| scopes.rb:1:1:49:4 | self (scopes.rb) | scopes.rb:1:1:49:4 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self |
+| scopes.rb:1:1:73:3 | self (scopes.rb) | scopes.rb:1:1:73:3 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self |
 | scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a |
 | scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self |
 | scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a |
 | scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a |
 | scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b |
@@ -99,13 +99,18 @@ definition
 | scopes.rb:13:11:13:11 | c | scopes.rb:13:11:13:11 | c |
 | scopes.rb:13:14:13:14 | d | scopes.rb:13:14:13:14 | d |
 | scopes.rb:13:19:13:32 | __synth__3 | scopes.rb:13:4:13:32 | __synth__3 |
-| scopes.rb:26:1:26:12 | self (A) | scopes.rb:26:1:26:12 | self |
 | scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x |
-| scopes.rb:28:1:30:3 | self (B) | scopes.rb:28:1:30:3 | self |
-| scopes.rb:34:1:36:3 | self (C) | scopes.rb:34:1:36:3 | self |
 | scopes.rb:41:1:49:3 | self (M) | scopes.rb:41:1:49:3 | self |
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:3 | x |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x |
+| scopes.rb:66:1:73:3 | self (ParameterShadowing) | scopes.rb:66:1:73:3 | self |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:3 | x |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:4 | xs |
+| scopes.rb:69:11:71:5 | <captured entry> self | scopes.rb:66:1:73:3 | self |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self |
 | ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b |
 | ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:3 | i |
@@ -262,20 +267,20 @@ read
 | parameters.rb:59:20:59:20 | a | parameters.rb:59:20:59:20 | a | parameters.rb:60:11:60:11 | a |
 | parameters.rb:59:23:59:23 | b | parameters.rb:59:23:59:23 | b | parameters.rb:60:16:60:16 | b |
 | parameters.rb:59:25:59:25 | c | parameters.rb:59:25:59:25 | c | parameters.rb:60:21:60:21 | c |
-| scopes.rb:1:1:49:4 | self (scopes.rb) | scopes.rb:1:1:49:4 | self | scopes.rb:8:1:8:6 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:4:3:9 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:9:3:9 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:5:4:5:9 | self |
+| scopes.rb:1:1:73:3 | self (scopes.rb) | scopes.rb:1:1:73:3 | self | scopes.rb:8:1:8:6 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:4:3:9 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:9:3:9 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:5:4:5:9 | self |
 | scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a | scopes.rb:5:9:5:9 | a |
 | scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:8:6:8:6 | a |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:10:9:10:9 | a |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:11:4:11:4 | a |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:10:4:10:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:12:4:12:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:14:4:14:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:15:4:15:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:16:4:16:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:17:4:17:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:10:4:10:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:12:4:12:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:14:4:14:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:15:4:15:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:16:4:16:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:17:4:17:9 | self |
 | scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:12:9:12:9 | a |
 | scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:14:9:14:9 | a |
 | scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b | scopes.rb:15:9:15:9 | b |
@@ -294,6 +299,18 @@ read
 | scopes.rb:41:1:49:3 | self (M) | scopes.rb:41:1:49:3 | self | scopes.rb:45:5:45:7 | self |
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var | scopes.rb:44:5:44:7 | var |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:47:5:47:8 | var2 |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:56:3:56:8 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:59:5:59:21 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:61:5:61:10 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:63:3:63:8 | self |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:3 | x | scopes.rb:56:8:56:8 | x |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:61:10:61:10 | x |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:63:8:63:8 | x |
+| scopes.rb:66:1:73:3 | self (ParameterShadowing) | scopes.rb:66:1:73:3 | self | scopes.rb:72:3:72:8 | self |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:3 | x | scopes.rb:72:8:72:8 | x |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:4 | xs | scopes.rb:69:3:69:4 | xs |
+| scopes.rb:69:11:71:5 | <captured entry> self | scopes.rb:66:1:73:3 | self | scopes.rb:70:5:70:10 | self |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x | scopes.rb:70:10:70:10 | x |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:3:3:3:8 | self |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:4:3:4:12 | self |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:7:5:7:10 | self |
@@ -443,12 +460,12 @@ firstRead
 | parameters.rb:59:20:59:20 | a | parameters.rb:59:20:59:20 | a | parameters.rb:60:11:60:11 | a |
 | parameters.rb:59:23:59:23 | b | parameters.rb:59:23:59:23 | b | parameters.rb:60:16:60:16 | b |
 | parameters.rb:59:25:59:25 | c | parameters.rb:59:25:59:25 | c | parameters.rb:60:21:60:21 | c |
-| scopes.rb:1:1:49:4 | self (scopes.rb) | scopes.rb:1:1:49:4 | self | scopes.rb:8:1:8:6 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:4:3:9 | self |
+| scopes.rb:1:1:73:3 | self (scopes.rb) | scopes.rb:1:1:73:3 | self | scopes.rb:8:1:8:6 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:4:3:9 | self |
 | scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a | scopes.rb:5:9:5:9 | a |
 | scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:8:6:8:6 | a |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:10:9:10:9 | a |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:10:4:10:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:10:4:10:9 | self |
 | scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:12:9:12:9 | a |
 | scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:14:9:14:9 | a |
 | scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b | scopes.rb:15:9:15:9 | b |
@@ -460,6 +477,14 @@ firstRead
 | scopes.rb:41:1:49:3 | self (M) | scopes.rb:41:1:49:3 | self | scopes.rb:45:5:45:7 | self |
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var | scopes.rb:44:5:44:7 | var |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:47:5:47:8 | var2 |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:56:3:56:8 | self |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:3 | x | scopes.rb:56:8:56:8 | x |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:61:10:61:10 | x |
+| scopes.rb:66:1:73:3 | self (ParameterShadowing) | scopes.rb:66:1:73:3 | self | scopes.rb:72:3:72:8 | self |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:3 | x | scopes.rb:72:8:72:8 | x |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:4 | xs | scopes.rb:69:3:69:4 | xs |
+| scopes.rb:69:11:71:5 | <captured entry> self | scopes.rb:66:1:73:3 | self | scopes.rb:70:5:70:10 | self |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x | scopes.rb:70:10:70:10 | x |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:3:3:3:8 | self |
 | ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b | ssa.rb:5:6:5:6 | b |
 | ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:3 | i | ssa.rb:3:8:3:8 | i |
@@ -532,14 +557,14 @@ adjacentReads
 | parameters.rb:25:1:28:3 | self (opt_param) | parameters.rb:25:1:28:3 | self | parameters.rb:26:3:26:11 | self | parameters.rb:27:3:27:11 | self |
 | parameters.rb:25:15:25:18 | name | parameters.rb:25:15:25:18 | name | parameters.rb:25:40:25:43 | name | parameters.rb:26:8:26:11 | name |
 | parameters.rb:54:9:57:3 | <captured entry> self | parameters.rb:1:1:62:1 | self | parameters.rb:55:4:55:9 | self | parameters.rb:56:4:56:9 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:4:3:9 | self | scopes.rb:3:9:3:9 | self |
-| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:3:9:3:9 | self | scopes.rb:5:4:5:9 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:4:3:9 | self | scopes.rb:3:9:3:9 | self |
+| scopes.rb:2:9:6:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:3:9:3:9 | self | scopes.rb:5:4:5:9 | self |
 | scopes.rb:9:9:18:3 | <captured entry> a | scopes.rb:7:1:7:1 | a | scopes.rb:10:9:10:9 | a | scopes.rb:11:4:11:4 | a |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:10:4:10:9 | self | scopes.rb:12:4:12:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:12:4:12:9 | self | scopes.rb:14:4:14:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:14:4:14:9 | self | scopes.rb:15:4:15:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:15:4:15:9 | self | scopes.rb:16:4:16:9 | self |
-| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:49:4 | self | scopes.rb:16:4:16:9 | self | scopes.rb:17:4:17:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:10:4:10:9 | self | scopes.rb:12:4:12:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:12:4:12:9 | self | scopes.rb:14:4:14:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:14:4:14:9 | self | scopes.rb:15:4:15:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:15:4:15:9 | self | scopes.rb:16:4:16:9 | self |
+| scopes.rb:9:9:18:3 | <captured entry> self | scopes.rb:1:1:73:3 | self | scopes.rb:16:4:16:9 | self | scopes.rb:17:4:17:9 | self |
 | scopes.rb:13:10:13:15 | __synth__2__1 | scopes.rb:13:10:13:15 | __synth__2__1 | scopes.rb:13:11:13:11 | __synth__2__1 | scopes.rb:13:14:13:14 | __synth__2__1 |
 | scopes.rb:13:19:13:32 | __synth__3 | scopes.rb:13:4:13:32 | __synth__3 | scopes.rb:13:4:13:4 | __synth__3 | scopes.rb:13:7:13:7 | __synth__3 |
 | scopes.rb:13:19:13:32 | __synth__3 | scopes.rb:13:4:13:32 | __synth__3 | scopes.rb:13:7:13:7 | __synth__3 | scopes.rb:13:10:13:15 | __synth__3 |
@@ -547,6 +572,10 @@ adjacentReads
 | scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:31:10:31:10 | x | scopes.rb:34:7:34:7 | x |
 | scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:34:7:34:7 | x | scopes.rb:34:14:34:14 | x |
 | scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:34:14:34:14 | x | scopes.rb:37:5:37:5 | x |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:56:3:56:8 | self | scopes.rb:59:5:59:21 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:59:5:59:21 | self | scopes.rb:61:5:61:10 | self |
+| scopes.rb:51:1:64:3 | self (ExceptionVariable) | scopes.rb:51:1:64:3 | self | scopes.rb:61:5:61:10 | self | scopes.rb:63:3:63:8 | self |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:61:10:61:10 | x | scopes.rb:63:8:63:8 | x |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:3:3:3:8 | self | ssa.rb:4:3:4:12 | self |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:4:3:4:12 | self | ssa.rb:7:5:7:10 | self |
 | ssa.rb:1:1:16:3 | self (m) | ssa.rb:1:1:16:3 | self | ssa.rb:4:3:4:12 | self | ssa.rb:11:5:11:10 | self |

ruby/ql/test/library-tests/variables/varaccess.expected

@@ -155,43 +155,43 @@ variableAccess
 | parameters.rb:60:16:60:16 | b | parameters.rb:59:23:59:23 | b | parameters.rb:59:1:61:3 | tuples_nested |
 | parameters.rb:60:21:60:21 | c | parameters.rb:59:25:59:25 | c | parameters.rb:59:1:61:3 | tuples_nested |
 | scopes.rb:2:14:2:14 | x | scopes.rb:2:14:2:14 | x | scopes.rb:2:9:6:3 | do ... end |
-| scopes.rb:3:4:3:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:3:9:3:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:3:4:3:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:3:9:3:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:4:4:4:4 | a | scopes.rb:4:4:4:4 | a | scopes.rb:2:9:6:3 | do ... end |
-| scopes.rb:5:4:5:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:5:4:5:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:5:9:5:9 | a | scopes.rb:4:4:4:4 | a | scopes.rb:2:9:6:3 | do ... end |
-| scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:8:1:8:6 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:8:6:8:6 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:7:1:7:1 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:8:1:8:6 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:8:6:8:6 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:9:14:9:14 | x | scopes.rb:9:14:9:14 | x | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:10:4:10:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:10:9:10:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:12:4:12:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:12:9:12:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:10:4:10:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:10:9:10:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:11:4:11:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:12:4:12:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:12:9:12:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:13:4:13:4 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:13:7:13:7 | b | scopes.rb:13:7:13:7 | b | scopes.rb:9:9:18:3 | do ... end |
 | scopes.rb:13:11:13:11 | c | scopes.rb:13:11:13:11 | c | scopes.rb:9:9:18:3 | do ... end |
 | scopes.rb:13:14:13:14 | d | scopes.rb:13:14:13:14 | d | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:14:4:14:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:14:9:14:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:15:4:15:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:14:4:14:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:14:9:14:9 | a | scopes.rb:7:1:7:1 | a | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:15:4:15:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:15:9:15:9 | b | scopes.rb:13:7:13:7 | b | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:16:4:16:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:16:4:16:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:16:9:16:9 | c | scopes.rb:13:11:13:11 | c | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:17:4:17:9 | self | scopes.rb:1:1:49:4 | self | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:17:4:17:9 | self | scopes.rb:1:1:73:3 | self | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:17:9:17:9 | d | scopes.rb:13:14:13:14 | d | scopes.rb:9:9:18:3 | do ... end |
-| scopes.rb:24:1:24:6 | script | scopes.rb:24:1:24:6 | script | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:28:8:28:8 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:24:1:24:6 | script | scopes.rb:24:1:24:6 | script | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:27:1:27:1 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:28:8:28:8 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:29:3:29:3 | x | scopes.rb:29:3:29:3 | x | scopes.rb:28:1:30:3 | B |
-| scopes.rb:31:10:31:10 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:31:10:31:10 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:32:3:32:3 | x | scopes.rb:32:3:32:3 | x | scopes.rb:31:1:33:3 | class << ... |
-| scopes.rb:34:7:34:7 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
-| scopes.rb:34:14:34:14 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:34:7:34:7 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
+| scopes.rb:34:14:34:14 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:35:3:35:3 | x | scopes.rb:35:3:35:3 | x | scopes.rb:34:1:36:3 | C |
-| scopes.rb:37:5:37:5 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:37:5:37:5 | x | scopes.rb:27:1:27:1 | x | scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:38:3:38:3 | x | scopes.rb:38:3:38:3 | x | scopes.rb:37:1:39:3 | foo |
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:4 | var | scopes.rb:41:1:49:3 | M |
 | scopes.rb:43:2:43:4 | foo | scopes.rb:43:2:43:4 | foo | scopes.rb:41:1:49:3 | M |
@@ -199,6 +199,23 @@ variableAccess
 | scopes.rb:45:5:45:7 | self | scopes.rb:41:1:49:3 | self | scopes.rb:41:1:49:3 | M |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:41:1:49:3 | M |
 | scopes.rb:47:5:47:8 | var2 | scopes.rb:46:5:46:8 | var2 | scopes.rb:41:1:49:3 | M |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:56:3:56:8 | self | scopes.rb:51:1:64:3 | self | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:56:8:56:8 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:59:5:59:21 | self | scopes.rb:51:1:64:3 | self | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:60:25:60:25 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:61:5:61:10 | self | scopes.rb:51:1:64:3 | self | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:61:10:61:10 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:63:3:63:8 | self | scopes.rb:51:1:64:3 | self | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:63:8:63:8 | x | scopes.rb:55:3:55:3 | x | scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:3 | x | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:4 | xs | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:69:3:69:4 | xs | scopes.rb:68:3:68:4 | xs | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:69:15:69:15 | x | scopes.rb:69:15:69:15 | x | scopes.rb:69:11:71:5 | do ... end |
+| scopes.rb:70:5:70:10 | self | scopes.rb:66:1:73:3 | self | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:70:10:70:10 | x | scopes.rb:69:15:69:15 | x | scopes.rb:69:11:71:5 | do ... end |
+| scopes.rb:72:3:72:8 | self | scopes.rb:66:1:73:3 | self | scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:72:8:72:8 | x | scopes.rb:67:3:67:3 | x | scopes.rb:66:1:73:3 | ParameterShadowing |
 | ssa.rb:1:7:1:7 | b | ssa.rb:1:7:1:7 | b | ssa.rb:1:1:16:3 | m |
 | ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:3 | i | ssa.rb:1:1:16:3 | m |
 | ssa.rb:3:3:3:8 | self | ssa.rb:1:1:16:3 | self | ssa.rb:1:1:16:3 | m |
@@ -350,6 +367,9 @@ explicitWrite
 | scopes.rb:42:2:42:4 | var | scopes.rb:42:2:42:9 | ... = ... |
 | scopes.rb:43:2:43:4 | foo | scopes.rb:43:2:43:13 | ... = ... |
 | scopes.rb:46:5:46:8 | var2 | scopes.rb:46:5:46:13 | ... = ... |
+| scopes.rb:55:3:55:3 | x | scopes.rb:55:3:55:7 | ... = ... |
+| scopes.rb:67:3:67:3 | x | scopes.rb:67:3:67:7 | ... = ... |
+| scopes.rb:68:3:68:4 | xs | scopes.rb:68:3:68:16 | ... = ... |
 | ssa.rb:2:3:2:3 | i | ssa.rb:2:3:2:7 | ... = ... |
 | ssa.rb:6:5:6:5 | i | ssa.rb:6:5:6:9 | ... = ... |
 | ssa.rb:10:5:10:5 | i | ssa.rb:10:5:10:9 | ... = ... |
@@ -400,6 +420,8 @@ implicitWrite
 | parameters.rb:59:25:59:25 | c |
 | scopes.rb:2:14:2:14 | x |
 | scopes.rb:9:14:9:14 | x |
+| scopes.rb:60:25:60:25 | x |
+| scopes.rb:69:15:69:15 | x |
 | ssa.rb:1:7:1:7 | b |
 | ssa.rb:18:8:18:8 | x |
 | ssa.rb:25:8:25:15 | elements |
@@ -550,6 +572,18 @@ readAccess
 | scopes.rb:44:5:44:7 | var |
 | scopes.rb:45:5:45:7 | self |
 | scopes.rb:47:5:47:8 | var2 |
+| scopes.rb:56:3:56:8 | self |
+| scopes.rb:56:8:56:8 | x |
+| scopes.rb:59:5:59:21 | self |
+| scopes.rb:61:5:61:10 | self |
+| scopes.rb:61:10:61:10 | x |
+| scopes.rb:63:3:63:8 | self |
+| scopes.rb:63:8:63:8 | x |
+| scopes.rb:69:3:69:4 | xs |
+| scopes.rb:70:5:70:10 | self |
+| scopes.rb:70:10:70:10 | x |
+| scopes.rb:72:3:72:8 | self |
+| scopes.rb:72:8:72:8 | x |
 | ssa.rb:3:3:3:8 | self |
 | ssa.rb:3:8:3:8 | i |
 | ssa.rb:4:3:4:12 | self |
@@ -647,6 +681,7 @@ captureAccess
 | scopes.rb:15:4:15:9 | self |
 | scopes.rb:16:4:16:9 | self |
 | scopes.rb:17:4:17:9 | self |
+| scopes.rb:70:5:70:10 | self |
 | ssa.rb:26:7:26:10 | elem |
 | ssa.rb:27:5:27:13 | self |
 | ssa.rb:27:10:27:13 | elem |

ruby/ql/test/library-tests/variables/variable.expected

@@ -94,7 +94,7 @@
 | parameters.rb:59:23:59:23 | b |
 | parameters.rb:59:25:59:25 | c |
 | scopes.rb:1:1:1:15 | self |
-| scopes.rb:1:1:49:4 | self |
+| scopes.rb:1:1:73:3 | self |
 | scopes.rb:2:14:2:14 | x |
 | scopes.rb:4:4:4:4 | a |
 | scopes.rb:7:1:7:1 | a |
@@ -124,6 +124,13 @@
 | scopes.rb:42:2:42:4 | var |
 | scopes.rb:43:2:43:4 | foo |
 | scopes.rb:46:5:46:8 | var2 |
+| scopes.rb:51:1:64:3 | self |
+| scopes.rb:52:3:53:5 | self |
+| scopes.rb:55:3:55:3 | x |
+| scopes.rb:66:1:73:3 | self |
+| scopes.rb:67:3:67:3 | x |
+| scopes.rb:68:3:68:4 | xs |
+| scopes.rb:69:15:69:15 | x |
 | ssa.rb:1:1:16:3 | self |
 | ssa.rb:1:1:103:3 | self |
 | ssa.rb:1:7:1:7 | b |

ruby/ql/test/library-tests/variables/varscopes.expected

@@ -47,7 +47,7 @@
 | parameters.rb:54:9:57:3 | do ... end |
 | parameters.rb:59:1:61:3 | tuples_nested |
 | scopes.rb:1:1:1:15 | a |
-| scopes.rb:1:1:49:4 | scopes.rb |
+| scopes.rb:1:1:73:3 | scopes.rb |
 | scopes.rb:2:9:6:3 | do ... end |
 | scopes.rb:9:9:18:3 | do ... end |
 | scopes.rb:26:1:26:12 | A |
@@ -56,6 +56,10 @@
 | scopes.rb:34:1:36:3 | C |
 | scopes.rb:37:1:39:3 | foo |
 | scopes.rb:41:1:49:3 | M |
+| scopes.rb:51:1:64:3 | ExceptionVariable |
+| scopes.rb:52:3:53:5 | MyException |
+| scopes.rb:66:1:73:3 | ParameterShadowing |
+| scopes.rb:69:11:71:5 | do ... end |
 | ssa.rb:1:1:16:3 | m |
 | ssa.rb:1:1:103:3 | ssa.rb |
 | ssa.rb:18:1:23:3 | m1 |

rust/ast-generator/src/main.rs

@@ -45,6 +45,7 @@ fn property_name(type_name: &str, field_name: &str) -> String {
         (_, "ty") => "type_repr",
         ("Function", "body") => "function_body",
         ("ClosureExpr", "body") => "closure_body",
+        ("Impl", "trait_") => "trait_ty",
         _ if field_name.contains("record") => &field_name.replacen("record", "struct", 1),
         _ => field_name,
     };

rust/downgrades/77e9a70be4b0cf5ecb1d4c1d841b2d970715a912/upgrade.properties

@@ -0,0 +1,5 @@
+description: Renamed `impl_trait_ties` to `impl_traits`
+compatibility: full
+
+impl_traits.rel: reorder impl_trait_ties(@impl id, @type_repr trait_ty) id trait_ty
+impl_trait_ties.rel: delete

rust/extractor/src/generated/.generated.list

@@ -1,2 +1,2 @@
 mod.rs 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7 4bcb9def847469aae9d8649461546b7c21ec97cf6e63d3cf394e339915ce65d7
-top.rs ea9c28694da3d0e90d09fc7d31824e35817c34720ea91e7c8bf8e7e74ffe4ee8 ea9c28694da3d0e90d09fc7d31824e35817c34720ea91e7c8bf8e7e74ffe4ee8
+top.rs 2e8e3b4e42b172708bb3a6ec3a92a6577c576887019603ca3d0f045bbdbfdbac 2e8e3b4e42b172708bb3a6ec3a92a6577c576887019603ca3d0f045bbdbfdbac

rust/extractor/src/generated/top.rs

@@ -9451,7 +9451,7 @@ pub struct Impl {
     pub is_default: bool,
     pub is_unsafe: bool,
     pub self_ty: Option<trap::Label<TypeRepr>>,
-    pub trait_: Option<trap::Label<TypeRepr>>,
+    pub trait_ty: Option<trap::Label<TypeRepr>>,
     pub visibility: Option<trap::Label<Visibility>>,
     pub where_clause: Option<trap::Label<WhereClause>>,
 }
@@ -9484,8 +9484,8 @@ impl trap::TrapEntry for Impl {
         if let Some(v) = self.self_ty {
             out.add_tuple("impl_self_ties", vec![id.into(), v.into()]);
         }
-        if let Some(v) = self.trait_ {
-            out.add_tuple("impl_traits", vec![id.into(), v.into()]);
+        if let Some(v) = self.trait_ty {
+            out.add_tuple("impl_trait_ties", vec![id.into(), v.into()]);
         }
         if let Some(v) = self.visibility {
             out.add_tuple("impl_visibilities", vec![id.into(), v.into()]);

rust/extractor/src/translate/generated.rs

@@ -1229,7 +1229,7 @@ impl Translator<'_> {
         let is_default = node.default_token().is_some();
         let is_unsafe = node.unsafe_token().is_some();
         let self_ty = node.self_ty().and_then(|x| self.emit_type(&x));
-        let trait_ = node.trait_().and_then(|x| self.emit_type(&x));
+        let trait_ty = node.trait_().and_then(|x| self.emit_type(&x));
         let visibility = node.visibility().and_then(|x| self.emit_visibility(&x));
         let where_clause = node.where_clause().and_then(|x| self.emit_where_clause(&x));
         let label = self.trap.emit(generated::Impl {
@@ -1241,7 +1241,7 @@ impl Translator<'_> {
             is_default,
             is_unsafe,
             self_ty,
-            trait_,
+            trait_ty,
             visibility,
             where_clause,
         });

rust/ql/.generated.list

@@ -69,7 +69,7 @@ lib/codeql/rust/elements/GenericParam.qll 87adf96aac385f2a182008a7b90aad46cf46d7
 lib/codeql/rust/elements/GenericParamList.qll 25fcaa68bc7798d75974d12607fae0afc7f84d43091b2d0c66a504095ef05667 3b71115c6af0b8e7f84d8c2d5ac9f23595ad2b22dbd19a9ea71906ca99340878
 lib/codeql/rust/elements/IdentPat.qll ad5f202316d4eeee3ca81ea445728f4ad7eb6bb7d81232bc958c22a93d064bf2 7ce2772e391e593d8fd23b2b44e26d0d7e780327ec973fcc9dce52a75fda0e36
 lib/codeql/rust/elements/IfExpr.qll f62153e8098b3eb08b569d4e25c750bc686665651579db4bc9e11dcef8e75d63 55006a55d612f189e73caa02f7b4deda388c692f0a801cdda9f833f2afdca778
-lib/codeql/rust/elements/Impl.qll ce5225fd97b184db7235bcf2561cf23c679de2fc96fecaeb8cbcf7935dd48fbd 3fe755118c3d0b1eb626f359da362ad75dbdcd1e09f09825b10038fb41ddb35c
+lib/codeql/rust/elements/Impl.qll 0d69c9ace5dac87ed095cfd5d4a8baf7e17ebce1132f3a7d6fa2bf4325deff8d d908fc5da7d3a59fb0a286a6ce581bdabdb48c4ac6ecd070455c271c2352208c
 lib/codeql/rust/elements/ImplTraitTypeRepr.qll 1d559b16c659f447a1bde94cc656718f20f133f767060437b755ac81eea9f852 de69c596701f0af4db28c5802d092a39c88a90bf42ea85aea25eecb79417e454
 lib/codeql/rust/elements/IndexExpr.qll 0e2e9f018d06ae72be0fc4ddbc019a9aacd8a06f42b4c4431760bd149e7f2290 2bcfd557abd53a48e48de7915c4f2089107c62dfb3e732a904848248dfd3727b
 lib/codeql/rust/elements/InferTypeRepr.qll 1b8bdcb574a7b6e7dd49f4cfb96655a6ccc355744b424b8c2593fe8218090d53 c20a2a5b0346dc277721deb450e732a47812c8e872ffb60aaba351b1708e9477
@@ -332,7 +332,6 @@ lib/codeql/rust/elements/internal/NeverTypeReprConstructor.qll 2e0a9c75e389e9ef4
 lib/codeql/rust/elements/internal/OffsetOfExprConstructor.qll 616e146562adb3ac0fba4d6f55dd6ce60518ed377c0856f1f09ba49593e7bfab 80518ce90fc6d08011d6f5fc2a543958067739e1b0a6a5f2ed90fc9b1db078f0
 lib/codeql/rust/elements/internal/OffsetOfExprImpl.qll e52d4596068cc54719438121f7d5afcaab04e0c70168ac5e4df1a3a0969817a6 6ab37e659d79e02fb2685d6802ae124157bf14b6f790b31688f437c87f40f52c
 lib/codeql/rust/elements/internal/OrPatConstructor.qll 4ef583e07298487c0c4c6d7c76ffcc04b1e5fe58aba0c1da3e2c8446a9e0c92b 980a6bd176ae5e5b11c134569910c5468ba91f480982d846e222d031a6a05f1a
-lib/codeql/rust/elements/internal/ParamBaseImpl.qll fe11999c728c443c46c992e9bed7a2b3e23afa16ae99592e70054bc57ae371b8 df86fdb23266bdfb9ed8a8f02558a760b67f173943b9d075b081229eb5844f66
 lib/codeql/rust/elements/internal/ParamConstructor.qll b98a2d8969f289fdcc8c0fb11cbd19a3b0c71be038c4a74f5988295a2bae52f0 77d81b31064167945b79b19d9697b57ca24462c3a7cc19e462c4693ce87db532
 lib/codeql/rust/elements/internal/ParamListConstructor.qll 3123142ab3cab46fb53d7f3eff6ba2d3ff7a45b78839a53dc1979a9c6a54920e 165f3d777ea257cfcf142cc4ba9a0ebcd1902eb99842b8a6657c87087f3df6fe
 lib/codeql/rust/elements/internal/ParenExprConstructor.qll 104b67dc3fd53ab52e2a42ffde37f3a3a50647aa7bf35df9ba9528e9670da210 d1f5937756e87a477710c61698d141cdad0ccce8b07ecb51bab00330a1ca9835
@@ -374,7 +373,6 @@ lib/codeql/rust/elements/internal/SliceTypeReprImpl.qll ba1a53a3ecc90a7f54c003fc
 lib/codeql/rust/elements/internal/SourceFileConstructor.qll 1dc559887ea7798774528b5505c8601c61030c17480f7ffca49b68b76fcc0321 75a635b88622e3110b16795bd12ca6fc4af176c92d6e441518d60aa47255edc1
 lib/codeql/rust/elements/internal/SourceFileImpl.qll 829cc59d508c190fecfcfb0e27df232fd0a53cb98a6c6f110aecc7242db6f794 2834ab836557ae294410ccde023cca6ef6315aa4b78a7c238862437cec697583
 lib/codeql/rust/elements/internal/StaticConstructor.qll 6dd7ee3fd16466c407de35b439074b56341fc97a9c36846b725c2eb43fd4a643 5bf5b0e78d0e9eb294a57b91075de6e4b86a9e6335f546c83ec11ab4c51e5679
-lib/codeql/rust/elements/internal/StaticImpl.qll 48071e29c72032b59ad82771d54be92ac0f4c1a68fb1129c5c7991385804d7b1 85c0be8e37a91d6e775b191f0cb52dd8bf70418e6e9947b82c58c40a6d73b406
 lib/codeql/rust/elements/internal/StmtImpl.qll ea99d261f32592ff368cc3a1960864989897c92944f1675549e0753964cb562f 9117b4cdfad56f8fa3bc5d921c2146b4ff0658e8914ac51bf48eb3e68599dd6b
 lib/codeql/rust/elements/internal/StmtListConstructor.qll 435d59019e17a6279110a23d3d5dfbc1d1e16fc358a93a1d688484d22a754866 23fcb60a5cbb66174e459bc10bd7c28ed532fd1ab46f10b9f0c8a6291d3e343f
 lib/codeql/rust/elements/internal/StructConstructor.qll 52921ea6e70421fd08884dc061d0c2dfbbb8dd83d98f1f3c70572cfe57b2a173 dcb3ea8e45ee875525c645fe5d08e6db9013b86bd351c77df4590d0c1439ab9f
@@ -512,7 +510,7 @@ lib/codeql/rust/elements/internal/generated/GenericParam.qll 85ac027a42b3300febc
 lib/codeql/rust/elements/internal/generated/GenericParamList.qll b18fa5fd435d94857c9863bbcc40571af0b1efba1b31ba9159c95568f5c58fce 6e70f1e9a1823d28d60e0e753ac8fbbe8deb10c94365f893b0c8f8ea4061b460
 lib/codeql/rust/elements/internal/generated/IdentPat.qll 1fe5061759848fdc9588b27606efb1187ce9c13d12ad0a2a19666d250dd62db3 87dbc8b88c31079076a896b48e0c483a600d7d11c1c4bf266581bdfc9c93ae98
 lib/codeql/rust/elements/internal/generated/IfExpr.qll 413dd7a20c6b98c0d2ad2e5b50981c14bf96c1a719ace3e341d78926219a5af7 c9a2d44e3baa6a265a29a683ca3c1683352457987c92f599c5771b4f3b4bafff
-lib/codeql/rust/elements/internal/generated/Impl.qll 5afadb7f80c5ffbd5cd3816c6788ccb605fe4cb2d8c8507ec3f212913eac0ab5 761b72a5f35e2e766de6aa87d83b065f49b64f05b91ae47d0afbb20bb61c1003
+lib/codeql/rust/elements/internal/generated/Impl.qll bdc3da08b23ab098e92927a57c2e99eeb78ea8561cf11accc51db3033492b500 4b45be6b0c51f03999619705104574d78c262ed2497921f2ca8696844b17addc
 lib/codeql/rust/elements/internal/generated/ImplTraitTypeRepr.qll e376a2e34ba51df403d42b02afe25140543e3e53aaf04b9ea118eb575acb4644 dc3a7e3eac758423c90a9803cc40dfdf53818bd62ee894982cd636f6b1596dfc
 lib/codeql/rust/elements/internal/generated/IndexExpr.qll cf951fc40f6690e966b4dc78fa9a6221aa5c6cade44759dcb52254f799292d11 1572e71918cc4e0b7e028331b6d98c9db23100a3646cd3874d1915e06ab6211d
 lib/codeql/rust/elements/internal/generated/InferTypeRepr.qll 4f101c1cb1278e919f9195cac4aa0c768e304c1881394b500874e7627e62d6c4 dca3f85d0a78ecc8bf030b4324f0d219ffff60784a2ecf565a4257e888dea0ff
@@ -558,7 +556,7 @@ lib/codeql/rust/elements/internal/generated/ParamList.qll eaa0cd4402d3665013d47e
 lib/codeql/rust/elements/internal/generated/ParenExpr.qll 812d2ff65079277f39f15c084657a955a960a7c1c0e96dd60472a58d56b945eb eb8c607f43e1fcbb41f37a10de203a1db806690e10ff4f04d48ed874189cb0eb
 lib/codeql/rust/elements/internal/generated/ParenPat.qll 24f9dc7fce75827d6fddb856cd48f80168143151b27295c0bab6db5a06567a09 ebadbc6f5498e9ed754b39893ce0763840409a0721036a25b56e1ead7dcc09aa
 lib/codeql/rust/elements/internal/generated/ParenTypeRepr.qll 03f5c5b96a37adeb845352d7fcea3e098da9050e534972d14ac0f70d60a2d776 ed3d6e5d02086523087adebce4e89e35461eb95f2a66d1d4100fe23fc691b126
-lib/codeql/rust/elements/internal/generated/ParentChild.qll b0e3c13b2ca75faaf0d92b2ca3d70cac7b78b3729aaccf635063cc5836c163af a340e8f34a6d7425f38845e789b4aeb83aec90c11429a68ad6632a5aa132fa57
+lib/codeql/rust/elements/internal/generated/ParentChild.qll dc5e9e16e0d43cf25ebdce03b84aa3bf0f52fe0c61de4db4a9887c961290b37e b26f0f2c27b664d0fe53aba35955df31a58adad0963a951039b6c6bbd34f83ea
 lib/codeql/rust/elements/internal/generated/ParenthesizedArgList.qll d901fdc8142a5b8847cc98fc2afcfd16428b8ace4fbffb457e761b5fd3901a77 5dbb0aea5a13f937da666ccb042494af8f11e776ade1459d16b70a4dd193f9fb
 lib/codeql/rust/elements/internal/generated/Pat.qll 3605ac062be2f294ee73336e9669027b8b655f4ad55660e1eab35266275154ee 7f9400db2884d336dd1d21df2a8093759c2a110be9bf6482ce8e80ae0fd74ed4
 lib/codeql/rust/elements/internal/generated/Path.qll 9b12afb46fc5a9ad3a811b05472621bbecccb900c47504feb7f29d96b28421ca bcacbffc36fb3e0c9b26523b5963af0ffa9fd6b19f00a2a31bdb2316071546bd
@@ -573,7 +571,7 @@ lib/codeql/rust/elements/internal/generated/PtrTypeRepr.qll 8d0ea4f6c7f8203340bf
 lib/codeql/rust/elements/internal/generated/PureSynthConstructors.qll e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f e5b8e69519012bbaae29dcb82d53f7f7ecce368c0358ec27ef6180b228a0057f
 lib/codeql/rust/elements/internal/generated/RangeExpr.qll 23cca03bf43535f33b22a38894f70d669787be4e4f5b8fe5c8f7b964d30e9027 18624cef6c6b679eeace2a98737e472432e0ead354cca02192b4d45330f047c9
 lib/codeql/rust/elements/internal/generated/RangePat.qll 80826a6a6868a803aa2372e31c52a03e1811a3f1f2abdb469f91ca0bfdd9ecb6 34ee1e208c1690cba505dff2c588837c0cd91e185e2a87d1fe673191962276a9
-lib/codeql/rust/elements/internal/generated/Raw.qll 6e32bd7167d3eece2d22f893a92410129b1bd18e59533b1cf82f72f31465b43a bb25c56118df0e2755be2350cf307c19e6c4d85b2a39388c08f2cc1bad303692
+lib/codeql/rust/elements/internal/generated/Raw.qll 6e38ac8ae1fbd7af0dd516f1c37e52e6ef1169103ad7dd998796ff8cd2dbac7a f4a7515e1757404b101ea3c8bb154d11d1babb138cb2afddf1618eab377d9625
 lib/codeql/rust/elements/internal/generated/RefExpr.qll 7d995884e3dc1c25fc719f5d7253179344d63650e217e9ff6530285fe7a57f64 f2c3c12551deea4964b66553fb9b6423ee16fec53bd63db4796191aa60dc6c66
 lib/codeql/rust/elements/internal/generated/RefPat.qll 456ede39837463ee22a630ec7ab6c8630d3664a8ea206fcc6e4f199e92fa564c 5622062765f32930465ba6b170e986706f159f6070f48adee3c20e24e8df4e05
 lib/codeql/rust/elements/internal/generated/RefTypeRepr.qll 5b0663a6d234572fb3e467e276d019415caa95ef006438cc59b7af4e1783161e 0e27c8a8f0e323c0e4d6db01fca821bf07c0864d293cdf96fa891b10820c1e4b
@@ -693,7 +691,7 @@ test/extractor-tests/generated/GenericArgList/GenericArgList.ql 9bd6873e56a381a6
 test/extractor-tests/generated/GenericParamList/GenericParamList.ql 206f270690f5c142777d43cf87b65d6dda5ec9f3953c17ee943fe3d0e7b7761c 38a6e0bbca916778f85b106609df6d5929baed006d55811ec0d71c75fe137e92
 test/extractor-tests/generated/IdentPat/IdentPat.ql 23006eddf0ca1188e11ba5ee25ad62a83157b83e0b99119bf924c7f74fd8e70d 6e572f48f607f0ced309113304019ccc0a828f6ddd71e818369504dcf832a0b5
 test/extractor-tests/generated/IfExpr/IfExpr.ql 540b21838ad3e1ed879b66c1903eb8517d280f99babcbf3c5307c278db42f003 a6f84a7588ce7587936f24375518a365c571210844b99cb614596e14dd5e4dfd
-test/extractor-tests/generated/Impl/Impl.ql a36ea392729a6be3ee0cc0d8871b3682cf8f0c15fb657d4d35f2ca76eeef3a74 1fa345ca3b4c16c740b5684c7fdaf1116d52c2932287703b33143a08e4d7d38e
+test/extractor-tests/generated/Impl/Impl.ql c96ec30d703aa607b7aad9f6eaca1b0069799cdefcc1481f4aa4f7378f477f7f 3528e1502b6f7b323d964630ecfb8255f683486b75300457e2a2d95aa36771f3
 test/extractor-tests/generated/ImplTraitTypeRepr/ImplTraitTypeRepr.ql 311c6c1e18bd74fbcd367f940d2cf91777eaba6b3d6307149beb529216d086fb 16c7c81618d7f49da30b4f026dcacfb23ed130dbfcfa19b5cb44dc6e15101401
 test/extractor-tests/generated/IndexExpr/IndexExpr.ql ecfca80175a78b633bf41684a0f8f5eebe0b8a23f8de9ff27142936687711263 27d4832911f7272376a199550d57d8488e75e0eeeeb7abbfb3b135350a30d277
 test/extractor-tests/generated/InferTypeRepr/InferTypeRepr.ql 6ba01a9e229e7dfdb2878a0bdbeb6c0888c4a068984b820e7a48d4b84995daa2 7120cafd267e956dbb4af5e19d57237275d334ffe5ff0fb635d65d309381aa46

rust/ql/.gitattributes

@@ -334,7 +334,6 @@
 /lib/codeql/rust/elements/internal/OffsetOfExprConstructor.qll linguist-generated
 /lib/codeql/rust/elements/internal/OffsetOfExprImpl.qll linguist-generated
 /lib/codeql/rust/elements/internal/OrPatConstructor.qll linguist-generated
-/lib/codeql/rust/elements/internal/ParamBaseImpl.qll linguist-generated
 /lib/codeql/rust/elements/internal/ParamConstructor.qll linguist-generated
 /lib/codeql/rust/elements/internal/ParamListConstructor.qll linguist-generated
 /lib/codeql/rust/elements/internal/ParenExprConstructor.qll linguist-generated
@@ -376,7 +375,6 @@
 /lib/codeql/rust/elements/internal/SourceFileConstructor.qll linguist-generated
 /lib/codeql/rust/elements/internal/SourceFileImpl.qll linguist-generated
 /lib/codeql/rust/elements/internal/StaticConstructor.qll linguist-generated
-/lib/codeql/rust/elements/internal/StaticImpl.qll linguist-generated
 /lib/codeql/rust/elements/internal/StmtImpl.qll linguist-generated
 /lib/codeql/rust/elements/internal/StmtListConstructor.qll linguist-generated
 /lib/codeql/rust/elements/internal/StructConstructor.qll linguist-generated

rust/ql/lib/codeql/rust/controlflow/internal/ControlFlowGraphImpl.qll

@@ -99,6 +99,8 @@ class FormatTemplateVariableAccessTree extends LeafTree, FormatTemplateVariableA
 class ItemTree extends LeafTree, Item {
   ItemTree() {
     not this instanceof MacroCall and
+    not this instanceof Const and
+    not this instanceof Static and
     this = any(StmtList s).getAStatement()
   }
 }

rust/ql/lib/codeql/rust/controlflow/internal/Scope.qll

@@ -45,3 +45,14 @@ final class CallableScope extends CfgScopeImpl, Callable {
   /** Holds if `scope` is exited when `last` finishes with completion `c`. */
   override predicate scopeLast(AstNode last, Completion c) { last(this.getBody(), last, c) }
 }
+
+/**
+ * A special scope used to represent the context in which `const`s and
+ * `static`s are initialized. We do not actually compute a CFG for such
+ * scopes.
+ */
+final class SourceFileScope extends CfgScopeImpl, SourceFile {
+  override predicate scopeFirst(AstNode first) { none() }
+
+  override predicate scopeLast(AstNode last, Completion c) { none() }
+}

rust/ql/lib/codeql/rust/dataflow/internal/DataFlowImpl.qll

@@ -653,8 +653,22 @@ module RustDataFlowGen<RustDataFlowInputSig Input> implements InputSig<Location>
    */
   predicate jumpStep(Node node1, Node node2) {
     FlowSummaryImpl::Private::Steps::summaryJumpStep(node1.(FlowSummaryNode).getSummaryNode(),
-      node2.(FlowSummaryNode).getSummaryNode()) or
+      node2.(FlowSummaryNode).getSummaryNode())
+    or
     FlowSummaryImpl::Private::Steps::sourceJumpStep(node1.(FlowSummaryNode).getSummaryNode(), node2)
+    or
+    exists(Const c |
+      node1.asExpr() = c.getBody() and
+      node2.asExpr() = c.getAnAccess()
+    )
+    or
+    exists(StaticNode sn, Static s | s = sn.getStatic() |
+      node1 = sn and
+      node2.asExpr() = s.getAnAccess().(StaticReadAccess)
+      or
+      node1.asExpr() = [s.getBody(), s.getAnAccess().(StaticWriteAccess)] and
+      node2 = sn
+    )
   }
 
   pragma[nomagic]

rust/ql/lib/codeql/rust/dataflow/internal/Node.qll

@@ -704,6 +704,17 @@ final class CastNode extends ExprNode {
   CastNode() { none() }
 }
 
+/**
+ * A node in the data flow graph that corresponds to a `static`.
+ */
+class StaticNode extends AstNodeNode, TStaticNode {
+  override Static n;
+
+  StaticNode() { this = TStaticNode(n) }
+
+  Static getStatic() { result = n }
+}
+
 cached
 newtype TNode =
   TExprNode(Expr e) { e.hasEnclosingCfgScope() and Stages::DataFlowStage::ref() } or
@@ -755,4 +766,5 @@ newtype TNode =
     )
   } or
   TClosureSelfReferenceNode(CfgScope c) { lambdaCreationExpr(c) } or
-  TCaptureNode(VariableCapture::Flow::SynthesizedCaptureNode cn)
+  TCaptureNode(VariableCapture::Flow::SynthesizedCaptureNode cn) or
+  TStaticNode(Static s)

rust/ql/lib/codeql/rust/elements/Impl.qll

@@ -13,7 +13,7 @@ import codeql.rust.elements.Visibility
 import codeql.rust.elements.WhereClause
 
 /**
- * An `impl`` block.
+ * An `impl` block.
  *
  * For example:
  * ```rust

rust/ql/lib/codeql/rust/elements/StaticAccess.qll

@@ -0,0 +1,11 @@
+/**
+ * This module provides the public class `StaticAccess`.
+ */
+
+private import internal.StaticImpl
+
+final class StaticAccess = Impl::StaticAccess;
+
+final class StaticWriteAccess = Impl::StaticWriteAccess;
+
+final class StaticReadAccess = Impl::StaticReadAccess;

rust/ql/lib/codeql/rust/elements/internal/AstNodeImpl.qll

@@ -48,15 +48,29 @@ module Impl {
       )
     }
 
+    pragma[nomagic]
+    private predicate isConstOrStatic(File f) {
+      f = this.getFile() and
+      (
+        this instanceof Const
+        or
+        this instanceof Static
+      )
+    }
+
     /** Gets the CFG scope that encloses this node, if any. */
     cached
     CfgScope getEnclosingCfgScope() {
       exists(AstNode p | p = this.getParentNode() |
-        result = p
+        result = p and
+        not result instanceof SourceFile
         or
         not p instanceof CfgScope and
+        not this.isConstOrStatic(_) and
         result = p.getEnclosingCfgScope()
       )
+      or
+      this.isConstOrStatic(result.(SourceFile).getFile())
     }
 
     /** Holds if this node is inside a CFG scope. */

rust/ql/lib/codeql/rust/elements/internal/ConstImpl.qll

@@ -24,7 +24,12 @@ module Impl {
    * const X: i32 = 42;
    * ```
    */
-  class Const extends Generated::Const { }
+  class Const extends Generated::Const {
+    /** Gets an access to this constant item. */
+    ConstAccess getAnAccess() { this = result.getConst() }
+
+    override string toStringImpl() { result = "const " + this.getName().getText() }
+  }
 
   /**
    * A constant access.

rust/ql/lib/codeql/rust/elements/internal/ImplImpl.qll

@@ -4,7 +4,11 @@
  * INTERNAL: Do not use.
  */
 
+private import rust
 private import codeql.rust.elements.internal.generated.Impl
+private import codeql.rust.internal.PathResolution as PathResolution
+private import codeql.rust.internal.typeinference.Type
+private import codeql.rust.internal.typeinference.TypeMention
 
 /**
  * INTERNAL: This module contains the customizable definition of `Impl` and should not
@@ -13,7 +17,7 @@ private import codeql.rust.elements.internal.generated.Impl
 module Impl {
   // the following QLdoc is generated: if you need to edit it, do it in the schema file
   /**
-   * An `impl`` block.
+   * An `impl` block.
    *
    * For example:
    * ```rust
@@ -26,9 +30,9 @@ module Impl {
     override string toStringImpl() {
       exists(string trait |
         (
-          trait = this.getTrait().toAbbreviatedString() + " for "
+          trait = this.getTraitTy().toAbbreviatedString() + " for "
           or
-          not this.hasTrait() and trait = ""
+          not this.hasTraitTy() and trait = ""
         ) and
         result = "impl " + trait + this.getSelfTy().toAbbreviatedString() + " { ... }"
       )
@@ -38,6 +42,40 @@ module Impl {
      * Holds if this is an inherent `impl` block, that is, one that does not implement a trait.
      */
     pragma[nomagic]
-    predicate isInherent() { not this.hasTrait() }
+    predicate isInherent() { not this.hasTraitTy() }
+
+    /**
+     * Gets the type being implemented.
+     *
+     * For example, in
+     *
+     * ```rust
+     * impl MyType { ... }
+     *
+     * impl MyTrait for MyType { ... }
+     * ```
+     *
+     * the type being implemented is in both cases `MyType`.
+     */
+    TypeItem getSelf() {
+      result = this.getSelfTy().(TypeMention).getType().(DataType).getTypeItem()
+    }
+
+    /**
+     * Gets the trait being implemented, if any.
+     *
+     * For example, in
+     *
+     * ```rust
+     * impl MyType { ... }
+     *
+     * impl MyTrait for MyType { ... }
+     * ```
+     *
+     * the trait being implemented is in the second case `MyTrait`.
+     */
+    Trait getTrait() {
+      result = PathResolution::resolvePath(this.getTraitTy().(PathTypeRepr).getPath())
+    }
   }
 }

rust/ql/lib/codeql/rust/elements/internal/ParamBaseImpl.qll

@@ -1,4 +1,3 @@
-// generated by codegen, remove this comment if you wish to edit this file
 /**
  * This module provides a hand-modifiable wrapper around the generated class `ParamBase`.
  *
@@ -6,14 +5,19 @@
  */
 
 private import codeql.rust.elements.internal.generated.ParamBase
+private import codeql.rust.elements.Callable
 
 /**
  * INTERNAL: This module contains the customizable definition of `ParamBase` and should not
  * be referenced directly.
  */
 module Impl {
+  // the following QLdoc is generated: if you need to edit it, do it in the schema file
   /**
    * A normal parameter, `Param`, or a self parameter `SelfParam`.
    */
-  class ParamBase extends Generated::ParamBase { }
+  class ParamBase extends Generated::ParamBase {
+    /** Gets the callable this parameter belongs to. */
+    Callable getCallable() { this = result.getParamList().getAParamBase() }
+  }
 }

rust/ql/lib/codeql/rust/elements/internal/StaticImpl.qll

@@ -1,4 +1,3 @@
-// generated by codegen, remove this comment if you wish to edit this file
 /**
  * This module provides a hand-modifiable wrapper around the generated class `Static`.
  *
@@ -6,12 +5,17 @@
  */
 
 private import codeql.rust.elements.internal.generated.Static
+private import codeql.rust.elements.internal.AstNodeImpl::Impl as AstNodeImpl
+private import codeql.rust.elements.internal.PathExprImpl::Impl as PathExprImpl
+private import codeql.rust.elements.internal.VariableImpl::Impl as VariableImpl
+private import codeql.rust.internal.PathResolution
 
 /**
  * INTERNAL: This module contains the customizable definition of `Static` and should not
  * be referenced directly.
  */
 module Impl {
+  // the following QLdoc is generated: if you need to edit it, do it in the schema file
   /**
    * A static item declaration.
    *
@@ -20,5 +24,43 @@ module Impl {
    * static X: i32 = 42;
    * ```
    */
-  class Static extends Generated::Static { }
+  class Static extends Generated::Static {
+    /** Gets an access to this static item. */
+    StaticAccess getAnAccess() { this = result.getStatic() }
+
+    override string toStringImpl() { result = "static " + this.getName().getText() }
+  }
+
+  /**
+   * A static access.
+   *
+   * For example:
+   * ```rust
+   * static X: i32 = 42;
+   *
+   * fn main() {
+   *     println!("{}", X);
+   * }
+   * ```
+   */
+  class StaticAccess extends AstNodeImpl::AstNode, PathExprImpl::PathExpr {
+    private Static s;
+
+    StaticAccess() { s = resolvePath(this.getPath()) }
+
+    /** Gets the static being accessed. */
+    Static getStatic() { result = s }
+
+    override string getAPrimaryQlClass() { result = "StaticAccess" }
+  }
+
+  /** A static write access. */
+  class StaticWriteAccess extends StaticAccess {
+    StaticWriteAccess() { VariableImpl::assignmentOperationDescendant(_, this) }
+  }
+
+  /** A static read access. */
+  class StaticReadAccess extends StaticAccess {
+    StaticReadAccess() { not this instanceof StaticWriteAccess }
+  }
 }

rust/ql/lib/codeql/rust/elements/internal/VariableImpl.qll

@@ -1,71 +1,13 @@
 private import rust
+private import codeql.namebinding.LocalNameBinding
 private import codeql.rust.controlflow.ControlFlowGraph
 private import codeql.rust.internal.PathResolution as PathResolution
 private import codeql.rust.elements.internal.generated.ParentChild as ParentChild
 private import codeql.rust.elements.internal.AstNodeImpl::Impl as AstNodeImpl
 private import codeql.rust.elements.internal.PathImpl::Impl as PathImpl
 private import codeql.rust.elements.internal.FormatTemplateVariableAccessImpl::Impl as FormatTemplateVariableAccessImpl
-private import codeql.util.DenseRank
 
 module Impl {
-  /**
-   * A variable scope. Either a block `{ ... }`, the guard/rhs
-   * of a match arm, or the body of a closure.
-   */
-  abstract class VariableScope extends AstNode { }
-
-  class BlockExprScope extends VariableScope, BlockExpr { }
-
-  class MatchArmExprScope extends VariableScope {
-    MatchArmExprScope() { this = any(MatchArm arm).getExpr() }
-  }
-
-  class MatchArmGuardScope extends VariableScope {
-    MatchArmGuardScope() { this = any(MatchArm arm).getGuard() }
-  }
-
-  class ClosureBodyScope extends VariableScope {
-    ClosureBodyScope() { this = any(ClosureExpr ce).getBody() }
-  }
-
-  /**
-   * A scope for conditions, which may introduce variables using `let` expressions.
-   *
-   * Such variables are only available in the body guarded by the condition.
-   */
-  class ConditionScope extends VariableScope {
-    private AstNode parent;
-    private AstNode body;
-
-    ConditionScope() {
-      parent =
-        any(IfExpr ie |
-          this = ie.getCondition() and
-          body = ie.getThen()
-        )
-      or
-      parent =
-        any(WhileExpr we |
-          this = we.getCondition() and
-          body = we.getLoopBody()
-        )
-      or
-      parent =
-        any(MatchArm ma |
-          this = ma.getGuard() and
-          body = ma.getExpr()
-        )
-    }
-
-    /** Gets the parent of this condition. */
-    AstNode getParent() { result = parent }
-
-    /**
-     * Gets the body in which variables introduced in this scope are available.
-     */
-    AstNode getBody() { result = body }
-  }
-
   private Pat getAPatAncestor(Pat p) {
     (p instanceof IdentPat or p instanceof OrPat) and
     exists(Pat p0 | result = p0.getParentPat() |
@@ -100,7 +42,7 @@ module Impl {
    */
   cached
   predicate variableDecl(AstNode definingNode, Name name, string text) {
-    Cached::ref() and
+    CachedStage::ref() and
     exists(SelfParam sp |
       name = sp.getName() and
       definingNode = name and
@@ -127,34 +69,204 @@ module Impl {
     )
   }
 
+  /**
+   * `let` chains like
+   *
+   * ```rust
+   * if let x1 = ... && let x2 = ... && ... && let xn = ...  { ... }
+   * ```
+   *
+   * are parsed left-associatively, so the AST for the condition looks like
+   *
+   * ```rust
+   * ((let x1 = ... && let x2 = ...) && ...) && let xn = ...
+   * ```
+   *
+   * This, however, does not work with scoping and shadowing, so we instead treat
+   * `let` chains as if there is just a single root `&&` node with `n` children,
+   * skipping all intermediate `&&` nodes.
+   */
+  private module LetChains {
+    predicate isLetChainAncestor(LogicalAndExpr lae) {
+      lae.getAnOperand() instanceof LetExpr
+      or
+      isLetChainAncestor(lae.getLhs())
+    }
+
+    private predicate isLetChainRoot(LogicalAndExpr root) {
+      isLetChainAncestor(root) and
+      not root = any(LogicalAndExpr lae).getLhs()
+    }
+
+    private predicate leftMostChildOfLetChainRoot(LogicalAndExpr left, LogicalAndExpr root) {
+      isLetChainRoot(root) and
+      left = root.getLhs*() and
+      not left.getLhs() instanceof LogicalAndExpr
+    }
+
+    private AstNode getLetChainChild(LogicalAndExpr sub, LogicalAndExpr root, int i) {
+      leftMostChildOfLetChainRoot(sub, root) and
+      i = 1 and
+      result = sub.getRhs()
+      or
+      exists(LogicalAndExpr mid |
+        exists(getLetChainChild(mid, root, i - 1)) and
+        sub.getLhs() = mid and
+        result = sub.getRhs()
+      )
+    }
+
+    AstNode getLetChainChild(LogicalAndExpr lae, int i) {
+      exists(LogicalAndExpr left |
+        leftMostChildOfLetChainRoot(left, lae) and
+        i = 0 and
+        result = left.getLhs()
+      )
+      or
+      result = getLetChainChild(_, lae, i)
+    }
+  }
+
+  private import LetChains
+
+  private module Input implements LocalNameBindingInputSig<Location> {
+    private import rust as Rust
+
+    predicate cacheRevRef() {
+      (variableDecl(_, _, _) implies any())
+      or
+      (exists(VariableReadAccess a) implies any())
+      or
+      (exists(VariableWriteAccess a) implies any())
+      or
+      (exists(any(Variable v).getParameter()) implies any())
+    }
+
+    class AstNode = Rust::AstNode;
+
+    AstNode getChild(AstNode parent, int index) {
+      result = ParentChild::getImmediateChild(parent, index) and
+      not isLetChainAncestor(parent)
+      or
+      result = getLetChainChild(parent, index)
+      or
+      exists(Format f |
+        f = result.(FormatTemplateVariableAccess).getArgument().getParent() and
+        parent = f.getParent() and
+        index = f.getIndex()
+      )
+    }
+
+    abstract class Conditional extends AstNode {
+      abstract AstNode getCondition();
+
+      abstract AstNode getThen();
+
+      abstract AstNode getElse();
+    }
+
+    private class IfExprConditional extends Conditional instanceof IfExpr {
+      override AstNode getCondition() { result = IfExpr.super.getCondition() }
+
+      override AstNode getThen() { result = IfExpr.super.getThen() }
+
+      override AstNode getElse() { result = IfExpr.super.getElse() }
+    }
+
+    private class WhileExprConditional extends Conditional instanceof WhileExpr {
+      override AstNode getCondition() { result = WhileExpr.super.getCondition() }
+
+      override AstNode getThen() { result = WhileExpr.super.getLoopBody() }
+
+      override AstNode getElse() { none() }
+    }
+
+    private class MatchGuardConditional extends Conditional instanceof MatchGuard {
+      override AstNode getCondition() { result = MatchGuard.super.getCondition() }
+
+      override AstNode getThen() {
+        exists(MatchArm arm | this = arm.getGuard() and result = arm.getExpr())
+      }
+
+      override AstNode getElse() { none() }
+    }
+
+    abstract class SiblingShadowingDecl extends AstNode {
+      abstract AstNode getLhs();
+
+      abstract AstNode getRhs();
+
+      abstract AstNode getElse();
+    }
+
+    private class LetStmtSiblingShadowingDecl extends SiblingShadowingDecl instanceof LetStmt {
+      override AstNode getLhs() { result = LetStmt.super.getPat() }
+
+      override AstNode getRhs() { result = LetStmt.super.getInitializer() }
+
+      override AstNode getElse() { result = LetStmt.super.getLetElse() }
+    }
+
+    private class LetExprSiblingShadowingDecl extends SiblingShadowingDecl instanceof LetExpr {
+      override AstNode getLhs() { result = LetExpr.super.getPat() }
+
+      override AstNode getRhs() { result = LetExpr.super.getScrutinee() }
+
+      override AstNode getElse() { none() }
+    }
+
+    predicate declInScope(AstNode definingNode, string name, AstNode scope) {
+      // local variable
+      exists(Name n | variableDecl(definingNode, n, name) |
+        scope = any(SelfParam self | n = self.getName()).getCallable()
+        or
+        exists(Pat pat, Pat pat0 |
+          pat = getAPatAncestor*(pat0) and
+          (pat0 = definingNode or pat0.(IdentPat).getName() = n)
+        |
+          scope = any(MatchArm arm | pat = arm.getPat())
+          or
+          scope = any(Input::SiblingShadowingDecl let | pat = let.getLhs())
+          or
+          scope = any(ForExpr fe | pat = fe.getPat()).getLoopBody()
+          or
+          scope = any(Param p | pat = p.getPat()).getCallable()
+        )
+      )
+      or
+      // local function; behave as if they are defined at the beginning of the scope
+      definingNode = scope.(BlockExpr).getStmtList().getAStatement() and
+      name = definingNode.(Function).getName().getText()
+    }
+
+    predicate accessCand(AstNode n, string name) {
+      name = n.(PathExpr).getPath().(PathImpl::IdentPath).getName()
+      or
+      name = n.(FormatTemplateVariableAccess).getName()
+    }
+  }
+
+  private import LocalNameBinding<Location, Input>
+
   /** A variable. */
-  class Variable extends MkVariable {
-    private AstNode definingNode;
-    private string text;
-
-    Variable() { this = MkVariable(definingNode, text) }
-
-    /** Gets the name of this variable as a string. */
-    string getText() { result = text }
-
-    /** Gets the location of this variable. */
-    Location getLocation() { result = definingNode.getLocation() }
-
-    /** Gets a textual representation of this variable. */
-    string toString() { result = this.getText() }
+  class Variable extends Local {
+    Variable() { variableDecl(this.getDefiningNode(), _, _) }
 
     /** Gets an access to this variable. */
     VariableAccess getAnAccess() { result.getVariable() = this }
 
+    /** Gets the name of this variable. */
+    string getText() { result = super.getName() }
+
     /**
      * Get the name of this variable.
      *
      * Normally, the name is unique, except when introduced in an or pattern.
      */
-    Name getName() { variableDecl(definingNode, result, text) }
+    Name getName() { variableDecl(this.getDefiningNode(), result, super.getName()) }
 
     /** Gets the block that encloses this variable, if any. */
-    BlockExpr getEnclosingBlock() { result = definingNode.getEnclosingBlock() }
+    BlockExpr getEnclosingBlock() { result = this.getDefiningNode().getEnclosingBlock() }
 
     /** Gets the `self` parameter that declares this variable, if any. */
     SelfParam getSelfParam() { result.getName() = this.getName() }
@@ -173,12 +285,20 @@ module Impl {
     IdentPat getPat() { result.getName() = this.getName() }
 
     /** Gets the enclosing CFG scope for this variable declaration. */
-    CfgScope getEnclosingCfgScope() { result = definingNode.getEnclosingCfgScope() }
+    CfgScope getEnclosingCfgScope() { result = this.getDefiningNode().getEnclosingCfgScope() }
 
-    /** Gets the `let` statement that introduces this variable, if any. */
+    /**
+     * Gets the `let` statement that introduces this variable, if any.
+     *
+     * This is restricted to simple `let` statements of the form `let x = ...;`.
+     */
     LetStmt getLetStmt() { this.getPat() = result.getPat() }
 
-    /** Gets the `let` expression that introduces this variable, if any. */
+    /**
+     * Gets the `let` expression that introduces this variable, if any.
+     *
+     * This is restricted to simple `let` expressions of the form `let x = ...`.
+     */
     LetExpr getLetExpr() { this.getPat() = result.getPat() }
 
     /** Gets the initial value of this variable, if any. */
@@ -193,487 +313,30 @@ module Impl {
     /** Gets the parameter that introduces this variable, if any. */
     cached
     ParamBase getParameter() {
-      Cached::ref() and
+      CachedStage::ref() and
       result = this.getSelfParam()
       or
-      result.(Param).getPat() = getAVariablePatAncestor(this)
+      result.(Param).getPat() = getAPatAncestor*(this.getPat())
     }
 
-    /** Hold is this variable is mutable. */
+    /** Holds if this variable is mutable. */
     predicate isMutable() { this.getPat().isMut() or this.getSelfParam().isMut() }
 
-    /** Hold is this variable is immutable. */
+    /** Holds if this variable is immutable. */
     predicate isImmutable() { not this.isMutable() }
   }
 
-  /**
-   * A path expression that may access a local variable. These are paths that
-   * only consist of a simple name (i.e., without generic arguments,
-   * qualifiers, etc.).
-   */
-  private class VariableAccessCand extends PathExprBase {
-    string name_;
-
-    VariableAccessCand() {
-      name_ = this.(PathExpr).getPath().(PathImpl::IdentPath).getName()
-      or
-      this.(FormatTemplateVariableAccess).getName() = name_
-    }
-
-    string toString() { result = name_ }
-
-    string getName() { result = name_ }
-  }
-
-  pragma[nomagic]
-  private Element getImmediateChildAdj(Element e, int preOrd, int index) {
-    result = ParentChild::getImmediateChild(e, index) and
-    preOrd = 0 and
-    not exists(ConditionScope cs |
-      e = cs.getParent() and
-      result = cs.getBody()
-    )
-    or
-    result = e.(ConditionScope).getBody() and
-    preOrd = 1 and
-    index = 0
-  }
-
-  /**
-   * An adjusted version of `ParentChild::getImmediateChild`, which makes the following
-   * two adjustments:
-   *
-   * 1. For conditions like `if cond body`, instead of letting `body` be the second child
-   *    of `if`, we make it the last child of `cond`. This ensures that variables
-   *    introduced in the `cond` scope are available in `body`.
-   *
-   * 2. A similar adjustment is made for `while` loops: the body of the loop is made a
-   *    child of the loop condition instead of the loop itself.
-   */
-  pragma[nomagic]
-  private Element getImmediateChildAdj(Element e, int index) {
-    result =
-      rank[index + 1](Element res, int preOrd, int i |
-        res = getImmediateChildAdj(e, preOrd, i)
-      |
-        res order by preOrd, i
-      )
-  }
-
-  private Element getImmediateParentAdj(Element e) { e = getImmediateChildAdj(result, _) }
-
-  private AstNode getAnAncestorInVariableScope(AstNode n) {
-    (
-      n instanceof Pat or
-      n instanceof VariableAccessCand or
-      n instanceof LetStmt or
-      n = any(LetExpr le).getScrutinee() or
-      n instanceof VariableScope
-    ) and
-    exists(AstNode n0 |
-      result = getImmediateParentAdj(n0) or
-      result = n0.(FormatTemplateVariableAccess).getArgument().getParent().getParent()
-    |
-      n0 = n
-      or
-      n0 = getAnAncestorInVariableScope(n) and
-      not n0 instanceof VariableScope
-    )
-  }
-
-  /** Gets the immediately enclosing variable scope of `n`. */
-  private VariableScope getEnclosingScope(AstNode n) { result = getAnAncestorInVariableScope(n) }
-
-  /**
-   * Get all the pattern ancestors of this variable up to an including the
-   * root of the pattern.
-   */
-  private Pat getAVariablePatAncestor(Variable v) {
-    result = v.getPat()
-    or
-    exists(Pat mid |
-      mid = getAVariablePatAncestor(v) and
-      result = mid.getParentPat()
-    )
-  }
-
-  /**
-   * Holds if a parameter declares the variable `v` inside variable scope `scope`.
-   */
-  private predicate parameterDeclInScope(Variable v, VariableScope scope) {
-    exists(Callable f |
-      v.getParameter() = f.getParamList().getAParamBase() and
-      scope = f.getBody()
-    )
-  }
-
-  /** A subset of `Element`s for which we want to compute pre-order numbers. */
-  private class RelevantElement extends Element {
-    RelevantElement() {
-      this instanceof VariableScope or
-      this instanceof VariableAccessCand or
-      this instanceof LetStmt or
-      this = any(LetExpr le).getScrutinee() or
-      getImmediateChildAdj(this, _) instanceof RelevantElement
-    }
-
-    pragma[nomagic]
-    private RelevantElement getChild(int index) { result = getImmediateChildAdj(this, index) }
-
-    pragma[nomagic]
-    private RelevantElement getImmediateChildAdjMin(int index) {
-      // A child may have multiple positions for different accessors,
-      // so always use the first
-      result = this.getChild(index) and
-      index = min(int i | result = this.getChild(i) | i)
-    }
-
-    pragma[nomagic]
-    RelevantElement getImmediateChildAdj(int index) {
-      result =
-        rank[index + 1](Element res, int i | res = this.getImmediateChildAdjMin(i) | res order by i)
-    }
-
-    pragma[nomagic]
-    RelevantElement getImmediateLastChild() {
-      exists(int last |
-        result = this.getImmediateChildAdj(last) and
-        not exists(this.getImmediateChildAdj(last + 1))
-      )
-    }
-  }
-
-  /**
-   * Gets the pre-order numbering of `n`, where the immediately enclosing
-   * variable scope of `n` is `scope`.
-   */
-  pragma[nomagic]
-  private int getPreOrderNumbering(VariableScope scope, RelevantElement n) {
-    n = scope and
-    result = 0
-    or
-    exists(RelevantElement parent |
-      not parent instanceof VariableScope
-      or
-      parent = scope
-    |
-      // first child of a previously numbered node
-      result = getPreOrderNumbering(scope, parent) + 1 and
-      n = parent.getImmediateChildAdj(0)
-      or
-      // non-first child of a previously numbered node
-      exists(RelevantElement child, int i |
-        result = getLastPreOrderNumbering(scope, child) + 1 and
-        child = parent.getImmediateChildAdj(i) and
-        n = parent.getImmediateChildAdj(i + 1)
-      )
-    )
-  }
-
-  /**
-   * Gets the pre-order numbering of the _last_ node nested under `n`, where the
-   * immediately enclosing variable scope of `n` (and the last node) is `scope`.
-   */
-  pragma[nomagic]
-  private int getLastPreOrderNumbering(VariableScope scope, RelevantElement n) {
-    exists(RelevantElement leaf |
-      result = getPreOrderNumbering(scope, leaf) and
-      leaf != scope and
-      (
-        not exists(leaf.getImmediateChildAdj(_))
-        or
-        leaf instanceof VariableScope
-      )
-    |
-      n = leaf
-      or
-      n.getImmediateLastChild() = leaf and
-      not n instanceof VariableScope
-    )
-    or
-    exists(RelevantElement mid |
-      mid = n.getImmediateLastChild() and
-      result = getLastPreOrderNumbering(scope, mid) and
-      not mid instanceof VariableScope and
-      not n instanceof VariableScope
-    )
-  }
-
-  /**
-   * Holds if `v` is named `name` and is declared inside variable scope
-   * `scope`. The pre-order numbering of the binding site of `v`, amongst
-   * all nodes nested under `scope`, is `ord`.
-   */
-  private predicate variableDeclInScope(Variable v, VariableScope scope, string name, int ord) {
-    name = v.getText() and
-    (
-      parameterDeclInScope(v, scope) and
-      ord = getPreOrderNumbering(scope, scope)
-      or
-      exists(Pat pat | pat = getAVariablePatAncestor(v) |
-        exists(MatchArm arm |
-          pat = arm.getPat() and
-          ord = getPreOrderNumbering(scope, scope)
-        |
-          scope = arm.getGuard()
-          or
-          not arm.hasGuard() and scope = arm.getExpr()
-        )
-        or
-        exists(LetStmt let |
-          let.getPat() = pat and
-          scope = getEnclosingScope(let) and
-          // for `let` statements, variables are bound _after_ the statement, i.e.
-          // not in the RHS
-          ord = getLastPreOrderNumbering(scope, let) + 1
-        )
-        or
-        exists(LetExpr let, Expr scrutinee |
-          let.getPat() = pat and
-          scrutinee = let.getScrutinee() and
-          scope = getEnclosingScope(scrutinee) and
-          // for `let` expressions, variables are bound _after_ the expression, i.e.
-          // not in the RHS
-          ord = getLastPreOrderNumbering(scope, scrutinee) + 1
-        )
-        or
-        exists(ForExpr fe |
-          fe.getPat() = pat and
-          scope = fe.getLoopBody() and
-          ord = getPreOrderNumbering(scope, scope)
-        )
-      )
-    )
-  }
-
-  /**
-   * Holds if `cand` may access a variable named `name` at pre-order number `ord`
-   * in the variable scope `scope`.
-   *
-   * `nestLevel` is the number of nested scopes that need to be traversed
-   * to reach `scope` from `cand`.
-   */
-  private predicate variableAccessCandInScope(
-    VariableAccessCand cand, VariableScope scope, string name, int nestLevel, int ord
-  ) {
-    name = cand.getName() and
-    (
-      scope = cand
-      or
-      not cand instanceof VariableScope and
-      scope = getEnclosingScope(cand)
-    ) and
-    ord = getPreOrderNumbering(scope, cand) and
-    nestLevel = 0
-    or
-    exists(VariableScope inner |
-      variableAccessCandInScope(cand, inner, name, nestLevel - 1, _) and
-      scope = getEnclosingScope(inner) and
-      // Use the pre-order number of the inner scope as the number of the access. This allows
-      // us to collapse multiple accesses in inner scopes to a single entity
-      ord = getPreOrderNumbering(scope, inner)
-    )
-  }
-
-  private newtype TDefOrAccessCand =
-    TDefOrAccessCandNestedFunction(Function f, BlockExprScope scope) {
-      f = scope.getStmtList().getAStatement()
-    } or
-    TDefOrAccessCandVariable(Variable v) or
-    TDefOrAccessCandVariableAccessCand(VariableAccessCand va)
-
-  /**
-   * A nested function declaration, variable declaration, or variable (or function)
-   * access candidate.
-   *
-   * In order to determine whether a candidate is an actual variable/function access,
-   * we rank declarations and candidates by their position in the AST.
-   *
-   * The ranking must take names into account, but also variable scopes; below a comment
-   * `rank(scope, name, i)` means that the declaration/access on the given line has rank
-   * `i` amongst all declarations/accesses inside variable scope `scope`, for name `name`:
-   *
-   * ```rust
-   * fn f() {           // scope0
-   *     let x = 0;     // rank(scope0, "x", 0)
-   *     use(x);        // rank(scope0, "x", 1)
-   *     let x =        // rank(scope0, "x", 3)
-   *         x + 1;     // rank(scope0, "x", 2)
-   *     let y =        // rank(scope0, "y", 0)
-   *         x;         // rank(scope0, "x", 4)
-   *
-   *     {              // scope1
-   *         use(x);    // rank(scope1, "x", 0), rank(scope0, "x", 4)
-   *         use(y);    // rank(scope1, "y", 0), rank(scope0, "y", 1)
-   *         let x = 2; // rank(scope1, "x", 1)
-   *         use(x);    // rank(scope1, "x", 2), rank(scope0, "x", 4)
-   *     }
-   * }
-   * ```
-   *
-   * Function/variable declarations are only ranked in the scope that they bind into,
-   * while accesses candidates propagate outwards through scopes, as they may access
-   * declarations from outer scopes.
-   *
-   * For an access candidate with ranks `{ rank(scope_i, name, rnk_i) | i in I }` and
-   * declarations `d in D` with ranks `rnk(scope_d, name, rnk_d)`,  the target is
-   * calculated as
-   * ```
-   * max_{i in I} (
-   *   max_{d in D | scope_d = scope_i and rnk_d < rnk_i} (
-   *     d
-   *   )
-   * )
-   * ```
-   *
-   * i.e., its the nearest declaration before the access in the same (or outer) scope
-   * as the access.
-   */
-  abstract private class DefOrAccessCand extends TDefOrAccessCand {
-    abstract string toString();
-
-    abstract Location getLocation();
-
-    pragma[nomagic]
-    abstract predicate rankBy(string name, VariableScope scope, int ord, int kind);
-  }
-
-  abstract private class NestedFunctionOrVariable extends DefOrAccessCand { }
-
-  private class DefOrAccessCandNestedFunction extends NestedFunctionOrVariable,
-    TDefOrAccessCandNestedFunction
-  {
-    private Function f;
-    private BlockExprScope scope_;
-
-    DefOrAccessCandNestedFunction() { this = TDefOrAccessCandNestedFunction(f, scope_) }
-
-    override string toString() { result = f.toString() }
-
-    override Location getLocation() { result = f.getLocation() }
-
-    override predicate rankBy(string name, VariableScope scope, int ord, int kind) {
-      // nested functions behave as if they are defined at the beginning of the scope
-      name = f.getName().getText() and
-      scope = scope_ and
-      ord = 0 and
-      kind = 0
-    }
-  }
-
-  private class DefOrAccessCandVariable extends NestedFunctionOrVariable, TDefOrAccessCandVariable {
-    private Variable v;
-
-    DefOrAccessCandVariable() { this = TDefOrAccessCandVariable(v) }
-
-    override string toString() { result = v.toString() }
-
-    override Location getLocation() { result = v.getLocation() }
-
-    override predicate rankBy(string name, VariableScope scope, int ord, int kind) {
-      variableDeclInScope(v, scope, name, ord) and
-      kind = 1
-    }
-  }
-
-  private class DefOrAccessCandVariableAccessCand extends DefOrAccessCand,
-    TDefOrAccessCandVariableAccessCand
-  {
-    private VariableAccessCand va;
-
-    DefOrAccessCandVariableAccessCand() { this = TDefOrAccessCandVariableAccessCand(va) }
-
-    override string toString() { result = va.toString() }
-
-    override Location getLocation() { result = va.getLocation() }
-
-    override predicate rankBy(string name, VariableScope scope, int ord, int kind) {
-      variableAccessCandInScope(va, scope, name, _, ord) and
-      kind = 2
-    }
-  }
-
-  private module DenseRankInput implements DenseRankInputSig2 {
-    class C1 = VariableScope;
-
-    class C2 = string;
-
-    class Ranked = DefOrAccessCand;
-
-    int getRank(VariableScope scope, string name, DefOrAccessCand v) {
-      v =
-        rank[result](DefOrAccessCand v0, int ord, int kind |
-          v0.rankBy(name, scope, ord, kind)
-        |
-          v0 order by ord, kind
-        )
-    }
-  }
-
-  /**
-   * Gets the rank of `v` amongst all other declarations or access candidates
-   * to a variable named `name` in the variable scope `scope`.
-   */
-  private int rankVariableOrAccess(VariableScope scope, string name, DefOrAccessCand v) {
-    v = DenseRank2<DenseRankInput>::denseRank(scope, name, result + 1)
-  }
-
-  /**
-   * Holds if `v` can reach rank `rnk` in the variable scope `scope`. This is needed to
-   * take shadowing into account, for example in
-   *
-   * ```rust
-   * let x = 0;  // rank 0
-   * use(x);     // rank 1
-   * let x = ""; // rank 2
-   * use(x);     // rank 3
-   * ```
-   *
-   * the declaration at rank 0 can only reach the access at rank 1, while the declaration
-   * at rank 2 can only reach the access at rank 3.
-   */
-  private predicate variableReachesRank(
-    VariableScope scope, string name, NestedFunctionOrVariable v, int rnk
-  ) {
-    rnk = rankVariableOrAccess(scope, name, v)
-    or
-    variableReachesRank(scope, name, v, rnk - 1) and
-    rnk = rankVariableOrAccess(scope, name, TDefOrAccessCandVariableAccessCand(_))
-  }
-
-  private predicate variableReachesCand(
-    VariableScope scope, string name, NestedFunctionOrVariable v, VariableAccessCand cand,
-    int nestLevel
-  ) {
-    exists(int rnk |
-      variableReachesRank(scope, name, v, rnk) and
-      rnk = rankVariableOrAccess(scope, name, TDefOrAccessCandVariableAccessCand(cand)) and
-      variableAccessCandInScope(cand, scope, name, nestLevel, _)
-    )
-  }
-
-  pragma[nomagic]
-  predicate access(string name, NestedFunctionOrVariable v, VariableAccessCand cand) {
-    v =
-      min(NestedFunctionOrVariable v0, int nestLevel |
-        variableReachesCand(_, name, v0, cand, nestLevel)
-      |
-        v0 order by nestLevel
-      )
-  }
-
   /** A variable access. */
-  class VariableAccess extends PathExprBase {
-    private string name;
-    private Variable v;
-
-    VariableAccess() { variableAccess(name, v, this) }
+  class VariableAccess extends LocalAccess {
+    VariableAccess() { this.getLocal() instanceof Variable }
 
     /** Gets the variable being accessed. */
-    Variable getVariable() { result = v }
+    Variable getVariable() { result = super.getLocal() }
 
     /** Holds if this access is a capture. */
-    predicate isCapture() { this.getEnclosingCfgScope() != v.getEnclosingCfgScope() }
+    predicate isCapture() {
+      this.getEnclosingCfgScope() != this.getVariable().getEnclosingCfgScope()
+    }
   }
 
   /** Holds if `e` occurs in the LHS of an assignment operation. */
@@ -682,7 +345,7 @@ module Impl {
     or
     exists(Expr mid |
       assignmentOperationDescendant(ao, mid) and
-      getImmediateParentAdj(e) = mid and
+      mid = e.getParentNode() and
       not mid instanceof DerefExpr and
       not mid instanceof FieldExpr and
       not mid instanceof IndexExpr
@@ -695,7 +358,7 @@ module Impl {
 
     cached
     VariableWriteAccess() {
-      Cached::ref() and
+      CachedStage::ref() and
       assignmentOperationDescendant(ae, this)
     }
 
@@ -707,7 +370,7 @@ module Impl {
   class VariableReadAccess extends VariableAccess {
     cached
     VariableReadAccess() {
-      Cached::ref() and
+      CachedStage::ref() and
       not this instanceof VariableWriteAccess and
       not this = any(RefExpr re).getExpr() and
       not this = any(CompoundAssignmentExpr cae).getLhs()
@@ -715,47 +378,12 @@ module Impl {
   }
 
   /** A nested function access. */
-  class NestedFunctionAccess extends PathExprBase {
+  class NestedFunctionAccess extends LocalAccess {
     private Function f;
 
-    NestedFunctionAccess() { nestedFunctionAccess(_, f, this) }
+    NestedFunctionAccess() { f = super.getLocal().getDefiningNode() }
 
     /** Gets the function being accessed. */
     Function getFunction() { result = f }
   }
-
-  cached
-  private module Cached {
-    cached
-    predicate ref() { 1 = 1 }
-
-    cached
-    predicate backref() {
-      1 = 1
-      or
-      variableDecl(_, _, _)
-      or
-      exists(VariableReadAccess a)
-      or
-      exists(VariableWriteAccess a)
-      or
-      exists(any(Variable v).getParameter())
-    }
-
-    cached
-    newtype TVariable =
-      MkVariable(AstNode definingNode, string name) { variableDecl(definingNode, _, name) }
-
-    cached
-    predicate variableAccess(string name, Variable v, VariableAccessCand cand) {
-      access(name, TDefOrAccessCandVariable(v), cand)
-    }
-
-    cached
-    predicate nestedFunctionAccess(string name, Function f, VariableAccessCand cand) {
-      access(name, TDefOrAccessCandNestedFunction(f, _), cand)
-    }
-  }
-
-  private import Cached
 }

rust/ql/lib/codeql/rust/elements/internal/generated/Impl.qll

@@ -20,7 +20,7 @@ import codeql.rust.elements.WhereClause
  */
 module Generated {
   /**
-   * An `impl`` block.
+   * An `impl` block.
    *
    * For example:
    * ```rust
@@ -109,16 +109,16 @@ module Generated {
     final predicate hasSelfTy() { exists(this.getSelfTy()) }
 
     /**
-     * Gets the trait of this impl, if it exists.
+     * Gets the trait ty of this impl, if it exists.
      */
-    TypeRepr getTrait() {
-      result = Synth::convertTypeReprFromRaw(Synth::convertImplToRaw(this).(Raw::Impl).getTrait())
+    TypeRepr getTraitTy() {
+      result = Synth::convertTypeReprFromRaw(Synth::convertImplToRaw(this).(Raw::Impl).getTraitTy())
     }
 
     /**
-     * Holds if `getTrait()` exists.
+     * Holds if `getTraitTy()` exists.
      */
-    final predicate hasTrait() { exists(this.getTrait()) }
+    final predicate hasTraitTy() { exists(this.getTraitTy()) }
 
     /**
      * Gets the visibility of this impl, if it exists.

rust/ql/lib/codeql/rust/elements/internal/generated/ParentChild.qll

@@ -2328,7 +2328,7 @@ private module Impl {
   private Element getImmediateChildOfImpl(Impl e, int index, string partialPredicateCall) {
     exists(
       int n, int nAttributeMacroExpansion, int nAssocItemList, int nAttr, int nGenericParamList,
-      int nSelfTy, int nTrait, int nVisibility, int nWhereClause
+      int nSelfTy, int nTraitTy, int nVisibility, int nWhereClause
     |
       n = 0 and
       nAttributeMacroExpansion = n + 1 and
@@ -2336,8 +2336,8 @@ private module Impl {
       nAttr = nAssocItemList + e.getNumberOfAttrs() and
       nGenericParamList = nAttr + 1 and
       nSelfTy = nGenericParamList + 1 and
-      nTrait = nSelfTy + 1 and
-      nVisibility = nTrait + 1 and
+      nTraitTy = nSelfTy + 1 and
+      nVisibility = nTraitTy + 1 and
       nWhereClause = nVisibility + 1 and
       (
         none()
@@ -2359,9 +2359,9 @@ private module Impl {
         or
         index = nGenericParamList and result = e.getSelfTy() and partialPredicateCall = "SelfTy()"
         or
-        index = nSelfTy and result = e.getTrait() and partialPredicateCall = "Trait()"
+        index = nSelfTy and result = e.getTraitTy() and partialPredicateCall = "TraitTy()"
         or
-        index = nTrait and result = e.getVisibility() and partialPredicateCall = "Visibility()"
+        index = nTraitTy and result = e.getVisibility() and partialPredicateCall = "Visibility()"
         or
         index = nVisibility and
         result = e.getWhereClause() and

rust/ql/lib/codeql/rust/elements/internal/generated/Raw.qll

@@ -6209,7 +6209,7 @@ module Raw {
 
   /**
    * INTERNAL: Do not use.
-   * An `impl`` block.
+   * An `impl` block.
    *
    * For example:
    * ```rust
@@ -6262,9 +6262,9 @@ module Raw {
     TypeRepr getSelfTy() { impl_self_ties(this, result) }
 
     /**
-     * Gets the trait of this impl, if it exists.
+     * Gets the trait ty of this impl, if it exists.
      */
-    TypeRepr getTrait() { impl_traits(this, result) }
+    TypeRepr getTraitTy() { impl_trait_ties(this, result) }
 
     /**
      * Gets the visibility of this impl, if it exists.
@@ -6280,7 +6280,7 @@ module Raw {
   private Element getImmediateChildOfImpl(Impl e, int index) {
     exists(
       int n, int nAttributeMacroExpansion, int nAssocItemList, int nAttr, int nGenericParamList,
-      int nSelfTy, int nTrait, int nVisibility, int nWhereClause
+      int nSelfTy, int nTraitTy, int nVisibility, int nWhereClause
     |
       n = 0 and
       nAttributeMacroExpansion = n + 1 and
@@ -6288,8 +6288,8 @@ module Raw {
       nAttr = nAssocItemList + e.getNumberOfAttrs() and
       nGenericParamList = nAttr + 1 and
       nSelfTy = nGenericParamList + 1 and
-      nTrait = nSelfTy + 1 and
-      nVisibility = nTrait + 1 and
+      nTraitTy = nSelfTy + 1 and
+      nVisibility = nTraitTy + 1 and
       nWhereClause = nVisibility + 1 and
       (
         none()
@@ -6304,9 +6304,9 @@ module Raw {
         or
         index = nGenericParamList and result = e.getSelfTy()
         or
-        index = nSelfTy and result = e.getTrait()
+        index = nSelfTy and result = e.getTraitTy()
         or
-        index = nTrait and result = e.getVisibility()
+        index = nTraitTy and result = e.getVisibility()
         or
         index = nVisibility and result = e.getWhereClause()
       )

rust/ql/lib/codeql/rust/internal/PathResolution.qll

@@ -659,6 +659,38 @@ private class ConstItemNode extends AssocItemNode instanceof Const {
   override TypeParam getTypeParam(int i) { none() }
 }
 
+private class StaticItemNode extends ItemNode instanceof Static {
+  override string getName() { result = Static.super.getName().getText() }
+
+  override Namespace getNamespace() { result.isValue() }
+
+  override Visibility getVisibility() { result = Static.super.getVisibility() }
+
+  override Attr getAnAttr() { result = Static.super.getAnAttr() }
+
+  override TypeParam getTypeParam(int i) { none() }
+
+  override predicate hasCanonicalPath(Crate c) { this.hasCanonicalPathPrefix(c) }
+
+  bindingset[c]
+  private string getCanonicalPathPart(Crate c, int i) {
+    i = 0 and
+    result = this.getCanonicalPathPrefix(c)
+    or
+    i = 1 and
+    result = "::"
+    or
+    i = 2 and
+    result = this.getName()
+  }
+
+  language[monotonicAggregates]
+  override string getCanonicalPath(Crate c) {
+    this.hasCanonicalPath(c) and
+    result = strictconcat(int i | i in [0 .. 2] | this.getCanonicalPathPart(c, i) order by i)
+  }
+}
+
 private class TypeItemTypeItemNode extends NamedItemNode, TypeItemNode instanceof TypeItem {
   override string getName() { result = TypeItem.super.getName().getText() }
 
@@ -806,7 +838,7 @@ private TypeItemNode resolveBuiltin(TypeRepr tr) {
 final class ImplItemNode extends ImplOrTraitItemNode instanceof Impl {
   Path getSelfPath() { result = super.getSelfTy().(PathTypeRepr).getPath() }
 
-  Path getTraitPath() { result = super.getTrait().(PathTypeRepr).getPath() }
+  Path getTraitPath() { result = super.getTraitTy().(PathTypeRepr).getPath() }
 
   TypeItemNode resolveSelfTyBuiltin() { result = resolveBuiltin(this.(Impl).getSelfTy()) }
 

rust/ql/lib/codeql/rust/internal/typeinference/BlanketImplementation.qll

@@ -42,7 +42,7 @@ private predicate hasFirstNonTrivialTraitBound(TypeParamItemNode tp, Path traitB
  */
 pragma[nomagic]
 predicate isBlanketLike(ImplItemNode i, TypePath blanketSelfPath, TypeParam blanketTypeParam) {
-  i.(Impl).hasTrait() and
+  i.(Impl).hasTraitTy() and
   (
     blanketTypeParam = i.getBlanketImplementationTypeParam() and
     blanketSelfPath.isEmpty()

rust/ql/lib/codeql/rust/internal/typeinference/TypeInference.qll

@@ -174,7 +174,7 @@ private module Input2Common {
     exists(Impl impl |
       abs = impl and
       condition = impl.getSelfTy() and
-      constraint = impl.getTrait()
+      constraint = impl.getTraitTy()
     )
     or
     transitive = true and
@@ -1542,7 +1542,7 @@ private module AssocFunctionResolution {
       boolean hasReceiver
     |
       afc.hasSyntacticInfo(name, arity, typeQualifier, traitQualifier, hasReceiver) and
-      if not afc.hasATrait() and i.(Impl).hasTrait()
+      if not afc.hasATrait() and i.(Impl).hasTraitTy()
       then callVisibleImplTraitCandidate(afc, i)
       else any()
     |
@@ -2532,7 +2532,7 @@ private module AssocFunctionResolution {
       AssocFunctionCallCand afcc, TypeAbstraction abs, AssocFunctionType constraint
     ) {
       potentialInstantiationOf0(afcc, abs, constraint) and
-      if abs.(Impl).hasTrait()
+      if abs.(Impl).hasTraitTy()
       then
         // inherent functions take precedence over trait functions, so only allow
         // trait functions when there are no matching inherent functions
@@ -2584,7 +2584,7 @@ private module AssocFunctionResolution {
       exists(AssocFunctionCall afc, FunctionPosition selfPos |
         afcc = MkAssocFunctionCallCand(afc, selfPos, _, _) and
         blanketLikeCandidate(afc, _, selfPos, abs, constraint, _, _) and
-        if abs.(Impl).hasTrait()
+        if abs.(Impl).hasTraitTy()
         then
           // inherent functions take precedence over trait functions, so only allow
           // trait functions when there are no matching inherent functions

rust/ql/lib/qlpack.yml

@@ -16,6 +16,7 @@ dependencies:
   codeql/tutorial: ${workspace}
   codeql/typeinference: ${workspace}
   codeql/util: ${workspace}
+  codeql/namebinding: ${workspace}
 dataExtensions:
   - /**/*.model.yml
 warnOnImplicitThis: true

rust/ql/lib/rust.dbscheme

@@ -2907,9 +2907,9 @@ impl_self_ties(
 );
 
 #keyset[id]
-impl_traits(
+impl_trait_ties(
   int id: @impl ref,
-  int trait: @type_repr ref
+  int trait_ty: @type_repr ref
 );
 
 #keyset[id]