Kotlin: fix 2.4 registrar build regression

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

MODULE.bazel

@@ -248,6 +248,7 @@ use_repo(
     "kotlin-compiler-2.2.20-Beta2",
     "kotlin-compiler-2.3.0",
     "kotlin-compiler-2.3.20",
+    "kotlin-compiler-2.4.0",
     "kotlin-compiler-embeddable-1.8.0",
     "kotlin-compiler-embeddable-1.9.0-Beta",
     "kotlin-compiler-embeddable-1.9.20-Beta",
@@ -259,6 +260,7 @@ use_repo(
     "kotlin-compiler-embeddable-2.2.20-Beta2",
     "kotlin-compiler-embeddable-2.3.0",
     "kotlin-compiler-embeddable-2.3.20",
+    "kotlin-compiler-embeddable-2.4.0",
     "kotlin-stdlib-1.8.0",
     "kotlin-stdlib-1.9.0-Beta",
     "kotlin-stdlib-1.9.20-Beta",
@@ -270,6 +272,7 @@ use_repo(
     "kotlin-stdlib-2.2.20-Beta2",
     "kotlin-stdlib-2.3.0",
     "kotlin-stdlib-2.3.20",
+    "kotlin-stdlib-2.4.0",
 )
 
 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")

docs/codeql/reusables/supported-versions-compilers.rst

@@ -21,7 +21,7 @@
    Java,"Java 7 to 26 [6]_","javac (OpenJDK and Oracle JDK),
 
    Eclipse compiler for Java (ECJ) [7]_",``.java``
-   Kotlin,"Kotlin 1.8.0 to 2.3.2\ *x*","kotlinc",``.kt``
+   Kotlin,"Kotlin 1.8.0 to 2.4.\ *x*","kotlinc",``.kt``
    JavaScript,ECMAScript 2022 or lower,Not applicable,"``.js``, ``.jsx``, ``.mjs``, ``.es``, ``.es6``, ``.htm``, ``.html``, ``.xhtm``, ``.xhtml``, ``.vue``, ``.hbs``, ``.ejs``, ``.njk``, ``.json``, ``.yaml``, ``.yml``, ``.raml``, ``.xml`` [8]_"
    Python [9]_,"2.7, 3.5, 3.6, 3.7, 3.8, 3.9, 3.10, 3.11, 3.12, 3.13",Not applicable,``.py``
    Ruby [10]_,"up to 3.3",Not applicable,"``.rb``, ``.erb``, ``.gemspec``, ``Gemfile``"

go/ql/lib/change-notes/2026-06-01-non-returning-functions.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* More logging functions are now recognized as not returning or panicking.

go/ql/lib/semmle/go/Concepts.qll

@@ -413,17 +413,13 @@ private class ExternalLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
   }
 }
 
-/**
+private class HeuristicLoggerFunction extends Method {
- * A call to an interface that looks like a logger. It is common to use a
+  string logFunctionPrefix;
- * locally-defined interface for logging to make it easy to changing logging
+
- * library.
+  HeuristicLoggerFunction() {
- */
+    exists(string tp, string name |
-private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+      this.hasQualifiedName(_, tp, name) and
-  HeuristicLoggerCall() {
+      this.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
-    exists(Method m, string tp, string logFunctionPrefix, string name |
-      m = this.getTarget() and
-      m.hasQualifiedName(_, tp, name) and
-      m.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
     |
       tp.regexpMatch(".*[lL]ogger") and
       logFunctionPrefix =
@@ -435,6 +431,19 @@ private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode
     )
   }
 
+  override predicate mayReturnNormally() { logFunctionPrefix != "Fatal" }
+
+  override predicate mustPanic() { logFunctionPrefix = "Panic" }
+}
+
+/**
+ * A call to an interface that looks like a logger. It is common to use a
+ * locally-defined interface for logging to make it easy to change logging
+ * library.
+ */
+private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+  HeuristicLoggerCall() { this.getTarget() instanceof HeuristicLoggerFunction }
+
   override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
 }
 

go/ql/lib/semmle/go/frameworks/Glog.qll

@@ -12,17 +12,37 @@ import go
  * forks.
  */
 module Glog {
+  /** Gets a package name for `glog` or `klog` (which is a fork). */
+  string packagePath() {
+    result =
+      package([
+          "github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog", "github.com/barakmich/glog"
+        ], "")
+  }
+
   private class GlogFunction extends Function {
     int firstPrintedArg;
+    string format;
+    string level;
 
     GlogFunction() {
-      exists(string pkg, string fn, string level |
+      exists(string pkg, string context, int nContextArgs, string depth, int nDepthArgs, string fn |
-        pkg = package(["github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog"], "") and
+        pkg = packagePath() and
         level = ["Error", "Exit", "Fatal", "Info", "Warning"] and
         (
-          fn = level + ["", "f", "ln"] and firstPrintedArg = 0
+          context = "" and nContextArgs = 0
           or
-          fn = level + "Depth" and firstPrintedArg = 1
+          context = "Context" and nContextArgs = 1
+        ) and
+        (
+          depth = "" and nDepthArgs = 0
+          or
+          depth = "Depth" and nDepthArgs = 1
+        ) and
+        format = ["", "f", "ln"] and
+        (
+          fn = level + context + depth + format and
+          firstPrintedArg = nContextArgs + nDepthArgs
         )
       |
         this.hasQualifiedName(pkg, fn)
@@ -35,10 +55,15 @@ module Glog {
      * Gets the index of the first argument that may be output, including a format string if one is present.
      */
     int getFirstPrintedArg() { result = firstPrintedArg }
+
+    /** Holds if this function takes a format string. */
+    predicate formatter() { format = "f" }
+
+    override predicate mayReturnNormally() { level != "Fatal" and level != "Exit" }
   }
 
   private class StringFormatter extends StringOps::Formatting::Range instanceof GlogFunction {
-    StringFormatter() { this.getName().matches("%f") }
+    StringFormatter() { this.formatter() }
 
     override int getFormatStringIndex() { result = super.getFirstPrintedArg() }
   }

go/ql/lib/semmle/go/frameworks/Logrus.qll

@@ -28,6 +28,12 @@ module Logrus {
         this.(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name)
       )
     }
+
+    override predicate mayReturnNormally() {
+      not exists(string level, string suffix | level = ["Fatal", "Panic"] |
+        this.getName() = level + suffix
+      )
+    }
   }
 
   private class StringFormatters extends StringOps::Formatting::Range instanceof LogFunction {

go/ql/lib/semmle/go/frameworks/Zap.qll

@@ -47,7 +47,7 @@ module Zap {
   }
 
   /** A Zap logging function which always panics. */
-  private class FatalLogMethod extends Method {
+  private class FatalLogMethod extends ZapFunction {
     FatalLogMethod() {
       this.hasQualifiedName(packagePath(), "Logger", "Fatal")
       or
@@ -58,7 +58,7 @@ module Zap {
   }
 
   /** A Zap logging function which always panics. */
-  private class MustPanicLogMethod extends Method {
+  private class MustPanicLogMethod extends ZapFunction {
     MustPanicLogMethod() {
       this.hasQualifiedName(packagePath(), "Logger", "Panic")
       or

go/ql/lib/semmle/go/frameworks/stdlib/Log.qll

@@ -29,18 +29,37 @@ module Log {
   }
 
   private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction {
-    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf"] }
+    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf", "Panic", "Panicf", "Panicln"] }
 
     override int getFormatStringIndex() { result = 0 }
   }
 
   /** A fatal log function, which calls `os.Exit`. */
   private class FatalLogFunction extends Function {
-    FatalLogFunction() { this.hasQualifiedName("log", ["Fatal", "Fatalf", "Fatalln"]) }
+    FatalLogFunction() {
+      exists(string fn | fn = ["Fatal", "Fatalf", "Fatalln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
 
     override predicate mayReturnNormally() { none() }
   }
 
+  /** A log function which must panic. */
+  private class PanicLogFunction extends Function {
+    PanicLogFunction() {
+      exists(string fn | fn = ["Panic", "Panicf", "Panicln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
+
+    override predicate mustPanic() { any() }
+  }
+
   // These models are not implemented using Models-as-Data because they represent reverse flow.
   private class FunctionModels extends TaintTracking::FunctionModel {
     FunctionInput inp;
@@ -63,30 +82,6 @@ module Log {
     FunctionOutput outp;
 
     MethodModels() {
-      // signature: func (*Logger) Fatal(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatal") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panic(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panic") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
       // signature: func (*Logger) Print(v ...interface{})
       this.hasQualifiedName("log", "Logger", "Print") and
       (inp.isParameter(_) and outp.isReceiver())

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go

@@ -1,54 +1,181 @@
-//go:generate depstubber -vendor github.com/golang/glog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
+//go:generate depstubber -vendor github.com/golang/glog Level,Verbose Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln
-//go:generate depstubber -vendor k8s.io/klog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
+//go:generate depstubber -vendor k8s.io/klog Level,Verbose Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln
 
 package main
 
 import (
+	"context"
+
 	"github.com/golang/glog"
 	"k8s.io/klog"
 )
 
-func glogTest() {
+func glogTest(selector int) {
-	glog.Error(text)           // $ logger=text
+	ctx := context.Background()
-	glog.ErrorDepth(0, text)   // $ logger=text
+
-	glog.Errorf(fmt, text)     // $ logger=fmt logger=text
+	glog.Error(text)                           // $ logger=text
-	glog.Errorln(text)         // $ logger=text
+	glog.ErrorContext(ctx, text)               // $ logger=text
-	glog.Exit(text)            // $ logger=text
+	glog.ErrorContextDepth(ctx, 0, text)       // $ logger=text
-	glog.ExitDepth(0, text)    // $ logger=text
+	glog.ErrorContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
-	glog.Exitf(fmt, text)      // $ logger=fmt logger=text
+	glog.ErrorContextf(ctx, fmt, text)         // $ logger=fmt logger=text
-	glog.Exitln(text)          // $ logger=text
+	glog.ErrorDepth(0, text)                   // $ logger=text
-	glog.Fatal(text)           // $ logger=text
+	glog.ErrorDepthf(0, fmt, text)             // $ logger=fmt logger=text
-	glog.FatalDepth(0, text)   // $ logger=text
+	glog.Errorf(fmt, text)                     // $ logger=fmt logger=text
-	glog.Fatalf(fmt, text)     // $ logger=fmt logger=text
+	glog.Errorln(text)                         // $ logger=text
-	glog.Fatalln(text)         // $ logger=text
+	if selector == 1 {
-	glog.Info(text)            // $ logger=text
+		glog.Exit(text) // $ logger=text
-	glog.InfoDepth(0, text)    // $ logger=text
+	}
-	glog.Infof(fmt, text)      // $ logger=fmt logger=text
+	if selector == 2 {
-	glog.Infoln(text)          // $ logger=text
+		glog.ExitContext(ctx, text) // $ logger=text
-	glog.Warning(text)         // $ logger=text
+	}
-	glog.WarningDepth(0, text) // $ logger=text
+	if selector == 3 {
-	glog.Warningf(fmt, text)   // $ logger=fmt logger=text
+		glog.ExitContextDepth(ctx, 0, text) // $ logger=text
-	glog.Warningln(text)       // $ logger=text
+	}
+	if selector == 4 {
+		glog.ExitContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 5 {
+		glog.ExitContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 6 {
+		glog.ExitDepth(0, text) // $ logger=text
+	}
+	if selector == 7 {
+		glog.ExitDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 8 {
+		glog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 9 {
+		glog.Exitln(text) // $ logger=text
+	}
+	if selector == 10 {
+		glog.Fatal(text) // $ logger=text
+	}
+	if selector == 11 {
+		glog.FatalContext(ctx, text) // $ logger=text
+	}
+	if selector == 12 {
+		glog.FatalContextDepth(ctx, 0, text) // $ logger=text
+	}
+	if selector == 13 {
+		glog.FatalContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 14 {
+		glog.FatalContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 15 {
+		glog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 16 {
+		glog.FatalDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 17 {
+		glog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 18 {
+		glog.Fatalln(text) // $ logger=text
+	}
+	glog.Info(text)                              // $ logger=text
+	glog.InfoContext(ctx, text)                  // $ logger=text
+	glog.InfoContextDepth(ctx, 0, text)          // $ logger=text
+	glog.InfoContextDepthf(ctx, 0, fmt, text)    // $ logger=fmt logger=text
+	glog.InfoContextf(ctx, fmt, text)            // $ logger=fmt logger=text
+	glog.InfoDepth(0, text)                      // $ logger=text
+	glog.InfoDepthf(0, fmt, text)                // $ logger=fmt logger=text
+	glog.Infof(fmt, text)                        // $ logger=fmt logger=text
+	glog.Infoln(text)                            // $ logger=text
+	glog.Warning(text)                           // $ logger=text
+	glog.WarningContext(ctx, text)               // $ logger=text
+	glog.WarningContextDepth(ctx, 0, text)       // $ logger=text
+	glog.WarningContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.WarningContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.WarningDepth(0, text)                   // $ logger=text
+	glog.WarningDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.Warningf(fmt, text)                     // $ logger=fmt logger=text
+	glog.Warningln(text)                         // $ logger=text
+
+	glog.V(0).Info(text)                           // $ logger=text
+	glog.V(0).InfoContext(ctx, text)               // $ logger=text
+	glog.V(0).InfoContextDepth(ctx, 0, text)       // $ logger=text
+	glog.V(0).InfoContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.V(0).InfoContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.V(0).InfoDepth(0, text)                   // $ logger=text
+	glog.V(0).InfoDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.V(0).Infof(fmt, text)                     // $ logger=fmt logger=text
+	glog.V(0).Infoln(text)                         // $ logger=text
+	glog.VDepth(0, 0).Info(text)                   // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	glog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Errorf("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 19 {
+		glog.ExitContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 20 {
+		glog.ExitContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 21 {
+		glog.ExitDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 22 {
+		glog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 23 {
+		glog.FatalContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 24 {
+		glog.FatalContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 25 {
+		glog.FatalDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 26 {
+		glog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	glog.InfoContextDepthf(ctx, 0, "%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoContextf(ctx, "%s: found type %T", text, v)              // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoDepthf(0, "%s: found type %T", text, v)                  // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Infof("%s: found type %T", text, v)                          // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextDepthf(ctx, 0, "%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextf(ctx, "%s: found type %T", text, v)           // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningDepthf(0, "%s: found type %T", text, v)               // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Warningf("%s: found type %T", text, v)                       // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).Infof("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
 
-	klog.Error(text)           // $ logger=text
+	klog.Error(text)         // $ logger=text
-	klog.ErrorDepth(0, text)   // $ logger=text
+	klog.ErrorDepth(0, text) // $ logger=text
-	klog.Errorf(fmt, text)     // $ logger=fmt logger=text
+	klog.Errorf(fmt, text)   // $ logger=fmt logger=text
-	klog.Errorln(text)         // $ logger=text
+	klog.Errorln(text)       // $ logger=text
-	klog.Exit(text)            // $ logger=text
+	if selector == 27 {
-	klog.ExitDepth(0, text)    // $ logger=text
+		klog.Exit(text) // $ logger=text
-	klog.Exitf(fmt, text)      // $ logger=fmt logger=text
+	}
-	klog.Exitln(text)          // $ logger=text
+	if selector == 28 {
-	klog.Fatal(text)           // $ logger=text
+		klog.ExitDepth(0, text) // $ logger=text
-	klog.FatalDepth(0, text)   // $ logger=text
+	}
-	klog.Fatalf(fmt, text)     // $ logger=fmt logger=text
+	if selector == 29 {
-	klog.Fatalln(text)         // $ logger=text
+		klog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 30 {
+		klog.Exitln(text) // $ logger=text
+	}
+	if selector == 31 {
+		klog.Fatal(text) // $ logger=text
+	}
+	if selector == 32 {
+		klog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 33 {
+		klog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 34 {
+		klog.Fatalln(text) // $ logger=text
+	}
 	klog.Info(text)            // $ logger=text
 	klog.InfoDepth(0, text)    // $ logger=text
 	klog.Infof(fmt, text)      // $ logger=fmt logger=text
@@ -57,11 +184,19 @@ func glogTest() {
 	klog.WarningDepth(0, text) // $ logger=text
 	klog.Warningf(fmt, text)   // $ logger=fmt logger=text
 	klog.Warningln(text)       // $ logger=text
+	klog.V(0).Info(text)       // $ logger=text
+	klog.V(0).Infof(fmt, text) // $ logger=fmt logger=text
+	klog.V(0).Infoln(text)     // $ logger=text
 
 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	klog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 35 {
-	klog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+		klog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
+	}
-	klog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 36 {
+		klog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	klog.Infof("%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.Warningf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.V(0).Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod

@@ -3,7 +3,7 @@ module codeql-go-tests/concepts/loggercall
 go 1.15
 
 require (
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+	github.com/golang/glog v1.2.5
 	github.com/sirupsen/logrus v1.7.0
 	k8s.io/klog v1.0.0
 )

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go

@@ -6,5 +6,6 @@ const text = "test"
 var v []byte
 
 func main() {
+	glogTest(len(v))
 	stdlib()
 }

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go

@@ -2,47 +2,125 @@
 // This is a simple stub for github.com/golang/glog, strictly for use in testing.
 
 // See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/golang/glog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: github.com/golang/glog (exports: Level,Verbose; functions: Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln)
 
 // Package glog is a stub of github.com/golang/glog, generated by depstubber.
 package glog
 
+import "context"
+
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}
 
+func ErrorContext(_ context.Context, _ ...interface{}) {}
+
+func ErrorContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ErrorContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ErrorContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ErrorDepth(_ int, _ ...interface{}) {}
 
+func ErrorDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Errorf(_ string, _ ...interface{}) {}
 
 func Errorln(_ ...interface{}) {}
 
 func Exit(_ ...interface{}) {}
 
+func ExitContext(_ context.Context, _ ...interface{}) {}
+
+func ExitContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ExitContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ExitContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ExitDepth(_ int, _ ...interface{}) {}
 
+func ExitDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Exitf(_ string, _ ...interface{}) {}
 
 func Exitln(_ ...interface{}) {}
 
 func Fatal(_ ...interface{}) {}
 
+func FatalContext(_ context.Context, _ ...interface{}) {}
+
+func FatalContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func FatalContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func FatalContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func FatalDepth(_ int, _ ...interface{}) {}
 
+func FatalDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Fatalf(_ string, _ ...interface{}) {}
 
 func Fatalln(_ ...interface{}) {}
 
 func Info(_ ...interface{}) {}
 
+func InfoContext(_ context.Context, _ ...interface{}) {}
+
+func InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func InfoDepth(_ int, _ ...interface{}) {}
 
+func InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+func V(_ Level) Verbose { return false }
+
+func VDepth(_ int, _ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}
 
+func WarningContext(_ context.Context, _ ...interface{}) {}
+
+func WarningContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func WarningContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func WarningContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func WarningDepth(_ int, _ ...interface{}) {}
 
+func WarningDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Warningf(_ string, _ ...interface{}) {}
 
 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) InfoContext(_ context.Context, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepth(_ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go

@@ -2,11 +2,15 @@
 // This is a simple stub for k8s.io/klog, strictly for use in testing.
 
 // See the LICENSE file for information about the licensing of the original library.
-// Source: k8s.io/klog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: k8s.io/klog (exports: Level,Verbose; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln)
 
 // Package klog is a stub of k8s.io/klog, generated by depstubber.
 package klog
 
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}
 
 func ErrorDepth(_ int, _ ...interface{}) {}
@@ -39,6 +43,8 @@ func Infof(_ string, _ ...interface{}) {}
 
 func Infoln(_ ...interface{}) {}
 
+func V(_ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}
 
 func WarningDepth(_ int, _ ...interface{}) {}
@@ -46,3 +52,9 @@ func WarningDepth(_ int, _ ...interface{}) {}
 func Warningf(_ string, _ ...interface{}) {}
 
 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}

go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt

@@ -1,4 +1,4 @@
-# github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+# github.com/golang/glog v1.2.5
 ## explicit
 github.com/golang/glog
 # github.com/sirupsen/logrus v1.7.0

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected

@@ -1,11 +1,21 @@
-| file://:0:0:0:0 | Exit | package os |
+| file://:0:0:0:0 | Exit | os.Exit |
-| file://:0:0:0:0 | Fatal | package log |
+| file://:0:0:0:0 | Fatal | log.Fatal |
-| file://:0:0:0:0 | Fatalf | package log |
+| file://:0:0:0:0 | Fatal | log.Logger.Fatal |
-| file://:0:0:0:0 | Fatalln | package log |
+| file://:0:0:0:0 | Fatalf | log.Fatalf |
-| noretfunctions.go:8:6:8:12 | isNoRet | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalf | log.Logger.Fatalf |
-| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalln | log.Fatalln |
-| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Fatalln | log.Logger.Fatalln |
-| stmts7.go:10:6:10:15 | canRecover | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panic | log.Logger.Panic |
-| stmts.go:10:6:10:10 | test5 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panic | log.Panic |
-| stmts.go:46:6:46:10 | test6 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panicf | log.Logger.Panicf |
-| stmts.go:112:6:112:10 | test9 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Panicf | log.Panicf |
+| file://:0:0:0:0 | Panicln | log.Logger.Panicln |
+| file://:0:0:0:0 | Panicln | log.Panicln |
+| file://:0:0:0:0 | panic | panic |
+| noretfunctions.go:8:6:8:12 | isNoRet | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.isNoRet |
+| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatal |
+| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatalf |
+| stmts7.go:10:6:10:15 | canRecover | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.canRecover |
+| stmts.go:10:6:10:10 | test5 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test5 |
+| stmts.go:46:6:46:10 | test6 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test6 |
+| stmts.go:112:6:112:10 | test9 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test9 |

go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql

@@ -2,4 +2,4 @@ import go
 
 from Function f
 where not f.mayReturnNormally()
-select f, f.getPackage()
+select f, f.getQualifiedName()

go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql

@@ -9,9 +9,9 @@ import semmle.go.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import utils.test.InlineFlowTest
 
 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { sourceNode(src, "qltest") }
+  predicate isSource(DataFlow::Node source) { sourceNode(source, "qltest") }
 
-  predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "qltest") }
 }
 
 import ValueFlowTest<Config>

go/ql/test/library-tests/semmle/go/dataflow/VarArgs/CONSISTENCY/DataFlowConsistency.expected

@@ -0,0 +1,2 @@
+reverseRead
+| main.go:23:3:23:5 | out | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go

@@ -4,7 +4,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 type A struct {
@@ -19,6 +19,10 @@ func functionWithVarArgsParameter(s ...string) string {
 	return s[1]
 }
 
+func functionWithVarArgsOutParameter(in string, out ...*string) {
+	*out[0] = in
+}
+
 func functionWithSliceOfStructsParameter(s []A) string {
 	return s[1].f
 }
@@ -38,6 +42,12 @@ func main() {
 	sink(functionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to functionWithVarArgsParameter"
 	sink(functionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to functionWithVarArgsParameter"
 
+	var out1 *string
+	var out2 *string
+	functionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
 	sliceOfStructs := []A{{f: source()}}
 	sink(sliceOfStructs[0].f) // $ hasValueFlow="selection of f"
 

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected

@@ -0,0 +1,2 @@
+invalidModelRow
+testFailures

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml

@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "FunctionWithParameter", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOutParameter", "", "", "Argument[0]", "Argument[1].ArrayElement", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSource", "", "", "Argument[0]", "qltest", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSink", "", "", "Argument[0]", "qltest", "manual"]

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql

@@ -0,0 +1,22 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import utils.test.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    sourceNode(source, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, ["source", "taint"]) |
+      source = fn.getACall().getResult()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sinkNode(sink, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
+  }
+}
+
+import FlowTest<Config, Config>

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod

@@ -0,0 +1,5 @@
+module semmle.go.Packages
+
+go 1.25
+
+require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go

@@ -0,0 +1,56 @@
+package main
+
+import (
+	"github.com/nonexistent/test"
+)
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(any) {
+}
+
+func main() {
+	s := source()
+	sink(test.FunctionWithParameter(s)) // $ hasValueFlow="call to FunctionWithParameter"
+
+	stringSlice := []string{source()}
+	sink(stringSlice[0]) // $ hasValueFlow="index expression"
+
+	s0 := ""
+	s1 := source()
+	sSlice := []string{s0, s1}
+	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
+	sliceOfStructs := []test.A{{Field: source()}}
+	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
+
+	a0 := test.A{Field: ""}
+	a1 := test.A{Field: source()}
+	aSlice := []test.A{a0, a1}
+	sink(test.FunctionWithSliceOfStructsParameter(aSlice))      // $ hasValueFlow="call to FunctionWithSliceOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+
+	var variadicSource string
+	test.VariadicSource(&variadicSource)
+	sink(variadicSource)  // $ MISSING: hasTaintFlow="variadicSource"
+	sink(&variadicSource) // $ MISSING: hasTaintFlow="&..."
+
+	var variadicSourcePtr *string
+	test.VariadicSource(variadicSourcePtr)
+	sink(variadicSourcePtr)  // $ MISSING: hasTaintFlow="variadicSourcePtr"
+	sink(*variadicSourcePtr) // $ MISSING: hasTaintFlow="star expression"
+
+	test.VariadicSink(source()) // $ hasTaintFlow="[]type{args}"
+}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go

@@ -0,0 +1,32 @@
+package test
+
+type A struct {
+	Field string
+}
+
+func FunctionWithParameter(s string) string {
+	return ""
+}
+
+func FunctionWithSliceParameter(s []string) string {
+	return ""
+}
+
+func FunctionWithVarArgsParameter(s ...string) string {
+	return ""
+}
+
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
+func FunctionWithSliceOfStructsParameter(s []A) string {
+	return ""
+}
+
+func FunctionWithVarArgsOfStructsParameter(s ...A) string {
+	return ""
+}
+
+func VariadicSource(s ...*string) {}
+
+func VariadicSink(s ...string) {}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt

@@ -0,0 +1,3 @@
+# github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
+## explicit
+github.com/nonexistent/test

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql

@@ -20,6 +20,9 @@ class SummaryModelTest extends DataFlow::FunctionModel {
     this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsParameter") and
     (inp.isParameter(_) and outp.isResult())
     or
+    this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsOutParameter") and
+    (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1)))
+    or
     this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithSliceOfStructsParameter") and
     (inp.isParameter(0) and outp.isResult())
     or

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod

@@ -1,5 +1,5 @@
 module semmle.go.Packages
 
-go 1.17
+go 1.25
 
 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go

@@ -8,7 +8,7 @@ func source() string {
 	return "untrusted data"
 }
 
-func sink(string) {
+func sink(any) {
 }
 
 func main() {
@@ -21,10 +21,17 @@ func main() {
 	s0 := ""
 	s1 := source()
 	sSlice := []string{s0, s1}
-	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithParameter(sSlice[1]))           // $ hasValueFlow="call to FunctionWithParameter"
-	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))         // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
-	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...))    // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
-	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
+	randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5) // This is needed to make the next line pass, because we need to have seen a call to a function with at least 2 parameters for ParameterInput to exist with index 1.
+	sink(test.FunctionWithVarArgsParameter(s0, s1))       // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ hasValueFlow="out1"
+	sink(out2) // $ hasValueFlow="out2"
 
 	sliceOfStructs := []test.A{{Field: source()}}
 	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
@@ -37,3 +44,6 @@ func main() {
 	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 }
+
+func randomFunctionWithMoreThanOneParameter(i1, i2, i3, i4, i5 int) {
+}

go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go

@@ -16,6 +16,9 @@ func FunctionWithVarArgsParameter(s ...string) string {
 	return ""
 }
 
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
 func FunctionWithSliceOfStructsParameter(s []A) string {
 	return ""
 }

go/ql/test/library-tests/semmle/go/frameworks/StdlibTaintFlow/Log.go

@@ -15,62 +15,6 @@ func TaintStepTest_LogNew_B0I0O0(sourceCQL interface{}) interface{} {
 	return intoWriter414
 }
 
-func TaintStepTest_LogLoggerFatal_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface518 := sourceCQL.(interface{})
-	var intoLogger650 log.Logger
-	intoLogger650.Fatal(fromInterface518)
-	return intoLogger650
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I0O0(sourceCQL interface{}) interface{} {
-	fromString784 := sourceCQL.(string)
-	var intoLogger957 log.Logger
-	intoLogger957.Fatalf(fromString784, nil)
-	return intoLogger957
-}
-
-func TaintStepTest_LogLoggerFatalf_B0I1O0(sourceCQL interface{}) interface{} {
-	fromInterface520 := sourceCQL.(interface{})
-	var intoLogger443 log.Logger
-	intoLogger443.Fatalf("", fromInterface520)
-	return intoLogger443
-}
-
-func TaintStepTest_LogLoggerFatalln_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface127 := sourceCQL.(interface{})
-	var intoLogger483 log.Logger
-	intoLogger483.Fatalln(fromInterface127)
-	return intoLogger483
-}
-
-func TaintStepTest_LogLoggerPanic_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface989 := sourceCQL.(interface{})
-	var intoLogger982 log.Logger
-	intoLogger982.Panic(fromInterface989)
-	return intoLogger982
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I0O0(sourceCQL interface{}) interface{} {
-	fromString417 := sourceCQL.(string)
-	var intoLogger584 log.Logger
-	intoLogger584.Panicf(fromString417, nil)
-	return intoLogger584
-}
-
-func TaintStepTest_LogLoggerPanicf_B0I1O0(sourceCQL interface{}) interface{} {
-	fromInterface991 := sourceCQL.(interface{})
-	var intoLogger881 log.Logger
-	intoLogger881.Panicf("", fromInterface991)
-	return intoLogger881
-}
-
-func TaintStepTest_LogLoggerPanicln_B0I0O0(sourceCQL interface{}) interface{} {
-	fromInterface186 := sourceCQL.(interface{})
-	var intoLogger284 log.Logger
-	intoLogger284.Panicln(fromInterface186)
-	return intoLogger284
-}
-
 func TaintStepTest_LogLoggerPrint_B0I0O0(sourceCQL interface{}) interface{} {
 	fromInterface908 := sourceCQL.(interface{})
 	var intoLogger137 log.Logger
@@ -125,46 +69,6 @@ func RunAllTaints_Log() {
 		out := TaintStepTest_LogNew_B0I0O0(source)
 		sink(0, out)
 	}
-	{
-		source := newSource(1)
-		out := TaintStepTest_LogLoggerFatal_B0I0O0(source)
-		sink(1, out)
-	}
-	{
-		source := newSource(2)
-		out := TaintStepTest_LogLoggerFatalf_B0I0O0(source)
-		sink(2, out)
-	}
-	{
-		source := newSource(3)
-		out := TaintStepTest_LogLoggerFatalf_B0I1O0(source)
-		sink(3, out)
-	}
-	{
-		source := newSource(4)
-		out := TaintStepTest_LogLoggerFatalln_B0I0O0(source)
-		sink(4, out)
-	}
-	{
-		source := newSource(5)
-		out := TaintStepTest_LogLoggerPanic_B0I0O0(source)
-		sink(5, out)
-	}
-	{
-		source := newSource(6)
-		out := TaintStepTest_LogLoggerPanicf_B0I0O0(source)
-		sink(6, out)
-	}
-	{
-		source := newSource(7)
-		out := TaintStepTest_LogLoggerPanicf_B0I1O0(source)
-		sink(7, out)
-	}
-	{
-		source := newSource(8)
-		out := TaintStepTest_LogLoggerPanicln_B0I0O0(source)
-		sink(8, out)
-	}
 	{
 		source := newSource(9)
 		out := TaintStepTest_LogLoggerPrint_B0I0O0(source)

go/ql/test/query-tests/Security/CWE-117/CONSISTENCY/DataFlowConsistency.expected

@@ -3,9 +3,9 @@ reverseRead
 | LogInjection.go:33:14:33:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:34:18:34:20 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
 | LogInjection.go:35:14:35:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:447:14:447:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:551:14:551:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:455:14:455:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:559:14:559:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:463:14:463:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:567:14:567:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:498:14:498:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:602:14:602:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:499:14:499:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:603:14:603:16 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
-| LogInjection.go:724:12:724:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |
+| LogInjection.go:828:12:828:14 | implicit dereference | Origin of readStep is missing a PostUpdateNode. |

go/ql/test/query-tests/Security/CWE-117/LogInjection.go

@@ -49,22 +49,22 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		log.Printf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		log.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 
-		if testFlag == "true" {
+		if testFlag == "1" {
 			log.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "2" {
 			log.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "3" {
 			log.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "4" {
 			log.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "5" {
 			log.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		}
-		if testFlag == "true" {
+		if testFlag == "6" {
 			log.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
 		}
 
@@ -72,12 +72,24 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.Print("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
 		logger.Printf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
 		logger.Println("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
-		logger.Fatal("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
+		if testFlag == "7" {
-		logger.Fatalf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+			logger.Fatal("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
-		logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
-		logger.Panic("user is logged in:", username, password)   // $ hasTaintFlow="username" hasTaintFlow="password"
+		if testFlag == "8" {
-		logger.Panicf(formatString, username, password)          // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+			logger.Fatalf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
-		logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "9" {
+			logger.Fatalln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "10" {
+			logger.Panic("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "11" {
+			logger.Panicf(formatString, username, password) // $ hasTaintFlow="formatString" hasTaintFlow="username" hasTaintFlow="password"
+		}
+		if testFlag == "12" {
+			logger.Panicln("user is logged in:", username, password) // $ hasTaintFlow="username" hasTaintFlow="password"
+		}
 	}
 	// k8s.io/klog
 	{
@@ -91,12 +103,24 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		klog.Error(username)     // $ hasTaintFlow="username"
 		klog.Errorf(username)    // $ hasTaintFlow="username"
 		klog.Errorln(username)   // $ hasTaintFlow="username"
-		klog.Fatal(username)     // $ hasTaintFlow="username"
+		if testFlag == "77" {
-		klog.Fatalf(username)    // $ hasTaintFlow="username"
+			klog.Fatal(username) // $ hasTaintFlow="username"
-		klog.Fatalln(username)   // $ hasTaintFlow="username"
+		}
-		klog.Exit(username)      // $ hasTaintFlow="username"
+		if testFlag == "78" {
-		klog.Exitf(username)     // $ hasTaintFlow="username"
+			klog.Fatalf(username) // $ hasTaintFlow="username"
-		klog.Exitln(username)    // $ hasTaintFlow="username"
+		}
+		if testFlag == "79" {
+			klog.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "80" {
+			klog.Exit(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "81" {
+			klog.Exitf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "82" {
+			klog.Exitln(username) // $ hasTaintFlow="username"
+		}
 	}
 	// astaxie/beego
 	{
@@ -161,14 +185,30 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		glog.ErrorDepth(0, username) // $ hasTaintFlow="username"
 		glog.Errorf(username)        // $ hasTaintFlow="username"
 		glog.Errorln(username)       // $ hasTaintFlow="username"
-		glog.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "83" {
-		glog.FatalDepth(0, username) // $ hasTaintFlow="username"
+			glog.Fatal(username) // $ hasTaintFlow="username"
-		glog.Fatalf(username)        // $ hasTaintFlow="username"
+		}
-		glog.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "84" {
-		glog.Exit(username)          // $ hasTaintFlow="username"
+			glog.FatalDepth(0, username) // $ hasTaintFlow="username"
-		glog.ExitDepth(0, username)  // $ hasTaintFlow="username"
+		}
-		glog.Exitf(username)         // $ hasTaintFlow="username"
+		if testFlag == "85" {
-		glog.Exitln(username)        // $ hasTaintFlow="username"
+			glog.Fatalf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "86" {
+			glog.Fatalln(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "87" {
+			glog.Exit(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "88" {
+			glog.ExitDepth(0, username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "89" {
+			glog.Exitf(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "90" {
+			glog.Exitln(username) // $ hasTaintFlow="username"
+		}
 
 	}
 	// sirupsen/logrus
@@ -179,26 +219,42 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := logrus.New()
 		entry := logrus.NewEntry(logger)
 
-		logrus.Debug(username)         // $ hasTaintFlow="username"
+		logrus.Debug(username)      // $ hasTaintFlow="username"
-		logrus.Debugf(username, "")    // $ hasTaintFlow="username"
+		logrus.Debugf(username, "") // $ hasTaintFlow="username"
-		logrus.Debugf("", username)    // $ hasTaintFlow="username"
+		logrus.Debugf("", username) // $ hasTaintFlow="username"
-		logrus.Debugln(username)       // $ hasTaintFlow="username"
+		logrus.Debugln(username)    // $ hasTaintFlow="username"
-		logrus.Error(username)         // $ hasTaintFlow="username"
+		logrus.Error(username)      // $ hasTaintFlow="username"
-		logrus.Errorf(username, "")    // $ hasTaintFlow="username"
+		logrus.Errorf(username, "") // $ hasTaintFlow="username"
-		logrus.Errorf("", username)    // $ hasTaintFlow="username"
+		logrus.Errorf("", username) // $ hasTaintFlow="username"
-		logrus.Errorln(username)       // $ hasTaintFlow="username"
+		logrus.Errorln(username)    // $ hasTaintFlow="username"
-		logrus.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "13" {
-		logrus.Fatalf(username, "")    // $ hasTaintFlow="username"
+			logrus.Fatal(username) // $ hasTaintFlow="username"
-		logrus.Fatalf("", username)    // $ hasTaintFlow="username"
+		}
-		logrus.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "14" {
-		logrus.Info(username)          // $ hasTaintFlow="username"
+			logrus.Fatalf(username, "") // $ hasTaintFlow="username"
-		logrus.Infof(username, "")     // $ hasTaintFlow="username"
+		}
-		logrus.Infof("", username)     // $ hasTaintFlow="username"
+		if testFlag == "15" {
-		logrus.Infoln(username)        // $ hasTaintFlow="username"
+			logrus.Fatalf("", username) // $ hasTaintFlow="username"
-		logrus.Panic(username)         // $ hasTaintFlow="username"
+		}
-		logrus.Panicf(username, "")    // $ hasTaintFlow="username"
+		if testFlag == "16" {
-		logrus.Panicf("", username)    // $ hasTaintFlow="username"
+			logrus.Fatalln(username) // $ hasTaintFlow="username"
-		logrus.Panicln(username)       // $ hasTaintFlow="username"
+		}
+		logrus.Info(username)      // $ hasTaintFlow="username"
+		logrus.Infof(username, "") // $ hasTaintFlow="username"
+		logrus.Infof("", username) // $ hasTaintFlow="username"
+		logrus.Infoln(username)    // $ hasTaintFlow="username"
+		if testFlag == "17" {
+			logrus.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "18" {
+			logrus.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "19" {
+			logrus.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "20" {
+			logrus.Panicln(username) // $ hasTaintFlow="username"
+		}
 		logrus.Print(username)         // $ hasTaintFlow="username"
 		logrus.Printf(username, "")    // $ hasTaintFlow="username"
 		logrus.Printf("", username)    // $ hasTaintFlow="username"
@@ -220,30 +276,46 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logrus.WithField("", username) // $ hasTaintFlow="username"
 		logrus.WithFields(fields)      // $ hasTaintFlow="fields"
 
-		entry.Debug(username)         // $ hasTaintFlow="username"
+		entry.Debug(username)      // $ hasTaintFlow="username"
-		entry.Debugf(username, "")    // $ hasTaintFlow="username"
+		entry.Debugf(username, "") // $ hasTaintFlow="username"
-		entry.Debugf("", username)    // $ hasTaintFlow="username"
+		entry.Debugf("", username) // $ hasTaintFlow="username"
-		entry.Debugln(username)       // $ hasTaintFlow="username"
+		entry.Debugln(username)    // $ hasTaintFlow="username"
-		entry.Error(username)         // $ hasTaintFlow="username"
+		entry.Error(username)      // $ hasTaintFlow="username"
-		entry.Errorf(username, "")    // $ hasTaintFlow="username"
+		entry.Errorf(username, "") // $ hasTaintFlow="username"
-		entry.Errorf("", username)    // $ hasTaintFlow="username"
+		entry.Errorf("", username) // $ hasTaintFlow="username"
-		entry.Errorln(username)       // $ hasTaintFlow="username"
+		entry.Errorln(username)    // $ hasTaintFlow="username"
-		entry.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "21" {
-		entry.Fatalf(username, "")    // $ hasTaintFlow="username"
+			entry.Fatal(username) // $ hasTaintFlow="username"
-		entry.Fatalf("", username)    // $ hasTaintFlow="username"
+		}
-		entry.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "22" {
-		entry.Info(username)          // $ hasTaintFlow="username"
+			entry.Fatalf(username, "") // $ hasTaintFlow="username"
-		entry.Infof(username, "")     // $ hasTaintFlow="username"
+		}
-		entry.Infof("", username)     // $ hasTaintFlow="username"
+		if testFlag == "23" {
-		entry.Infoln(username)        // $ hasTaintFlow="username"
+			entry.Fatalf("", username) // $ hasTaintFlow="username"
-		entry.Log(0, username)        // $ hasTaintFlow="username"
+		}
-		entry.Logf(0, username, "")   // $ hasTaintFlow="username"
+		if testFlag == "24" {
-		entry.Logf(0, "", username)   // $ hasTaintFlow="username"
+			entry.Fatalln(username) // $ hasTaintFlow="username"
-		entry.Logln(0, username)      // $ hasTaintFlow="username"
+		}
-		entry.Panic(username)         // $ hasTaintFlow="username"
+		entry.Info(username)        // $ hasTaintFlow="username"
-		entry.Panicf(username, "")    // $ hasTaintFlow="username"
+		entry.Infof(username, "")   // $ hasTaintFlow="username"
-		entry.Panicf("", username)    // $ hasTaintFlow="username"
+		entry.Infof("", username)   // $ hasTaintFlow="username"
-		entry.Panicln(username)       // $ hasTaintFlow="username"
+		entry.Infoln(username)      // $ hasTaintFlow="username"
+		entry.Log(0, username)      // $ hasTaintFlow="username"
+		entry.Logf(0, username, "") // $ hasTaintFlow="username"
+		entry.Logf(0, "", username) // $ hasTaintFlow="username"
+		entry.Logln(0, username)    // $ hasTaintFlow="username"
+		if testFlag == "25" {
+			entry.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "26" {
+			entry.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "27" {
+			entry.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "28" {
+			entry.Panicln(username) // $ hasTaintFlow="username"
+		}
 		entry.Print(username)         // $ hasTaintFlow="username"
 		entry.Printf(username, "")    // $ hasTaintFlow="username"
 		entry.Printf("", username)    // $ hasTaintFlow="username"
@@ -265,30 +337,46 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry.WithField("", username) // $ hasTaintFlow="username"
 		entry.WithFields(fields)      // $ hasTaintFlow="fields"
 
-		logger.Debug(username)         // $ hasTaintFlow="username"
+		logger.Debug(username)      // $ hasTaintFlow="username"
-		logger.Debugf(username, "")    // $ hasTaintFlow="username"
+		logger.Debugf(username, "") // $ hasTaintFlow="username"
-		logger.Debugf("", username)    // $ hasTaintFlow="username"
+		logger.Debugf("", username) // $ hasTaintFlow="username"
-		logger.Debugln(username)       // $ hasTaintFlow="username"
+		logger.Debugln(username)    // $ hasTaintFlow="username"
-		logger.Error(username)         // $ hasTaintFlow="username"
+		logger.Error(username)      // $ hasTaintFlow="username"
-		logger.Errorf(username, "")    // $ hasTaintFlow="username"
+		logger.Errorf(username, "") // $ hasTaintFlow="username"
-		logger.Errorf("", username)    // $ hasTaintFlow="username"
+		logger.Errorf("", username) // $ hasTaintFlow="username"
-		logger.Errorln(username)       // $ hasTaintFlow="username"
+		logger.Errorln(username)    // $ hasTaintFlow="username"
-		logger.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "29" {
-		logger.Fatalf(username, "")    // $ hasTaintFlow="username"
+			logger.Fatal(username) // $ hasTaintFlow="username"
-		logger.Fatalf("", username)    // $ hasTaintFlow="username"
+		}
-		logger.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "30" {
-		logger.Info(username)          // $ hasTaintFlow="username"
+			logger.Fatalf(username, "") // $ hasTaintFlow="username"
-		logger.Infof(username, "")     // $ hasTaintFlow="username"
+		}
-		logger.Infof("", username)     // $ hasTaintFlow="username"
+		if testFlag == "31" {
-		logger.Infoln(username)        // $ hasTaintFlow="username"
+			logger.Fatalf("", username) // $ hasTaintFlow="username"
-		logger.Log(0, username)        // $ hasTaintFlow="username"
+		}
-		logger.Logf(0, username, "")   // $ hasTaintFlow="username"
+		if testFlag == "32" {
-		logger.Logf(0, "", username)   // $ hasTaintFlow="username"
+			logger.Fatalln(username) // $ hasTaintFlow="username"
-		logger.Logln(0, username)      // $ hasTaintFlow="username"
+		}
-		logger.Panic(username)         // $ hasTaintFlow="username"
+		logger.Info(username)        // $ hasTaintFlow="username"
-		logger.Panicf(username, "")    // $ hasTaintFlow="username"
+		logger.Infof(username, "")   // $ hasTaintFlow="username"
-		logger.Panicf("", username)    // $ hasTaintFlow="username"
+		logger.Infof("", username)   // $ hasTaintFlow="username"
-		logger.Panicln(username)       // $ hasTaintFlow="username"
+		logger.Infoln(username)      // $ hasTaintFlow="username"
+		logger.Log(0, username)      // $ hasTaintFlow="username"
+		logger.Logf(0, username, "") // $ hasTaintFlow="username"
+		logger.Logf(0, "", username) // $ hasTaintFlow="username"
+		logger.Logln(0, username)    // $ hasTaintFlow="username"
+		if testFlag == "33" {
+			logger.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "34" {
+			logger.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "35" {
+			logger.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "36" {
+			logger.Panicln(username) // $ hasTaintFlow="username"
+		}
 		logger.Print(username)         // $ hasTaintFlow="username"
 		logger.Printf(username, "")    // $ hasTaintFlow="username"
 		logger.Printf("", username)    // $ hasTaintFlow="username"
@@ -311,26 +399,42 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.WithFields(fields)      // $ hasTaintFlow="fields"
 
 		var fieldlogger logrus.FieldLogger = entry
-		fieldlogger.Debug(username)         // $ hasTaintFlow="username"
+		fieldlogger.Debug(username)      // $ hasTaintFlow="username"
-		fieldlogger.Debugf(username, "")    // $ hasTaintFlow="username"
+		fieldlogger.Debugf(username, "") // $ hasTaintFlow="username"
-		fieldlogger.Debugf("", username)    // $ hasTaintFlow="username"
+		fieldlogger.Debugf("", username) // $ hasTaintFlow="username"
-		fieldlogger.Debugln(username)       // $ hasTaintFlow="username"
+		fieldlogger.Debugln(username)    // $ hasTaintFlow="username"
-		fieldlogger.Error(username)         // $ hasTaintFlow="username"
+		fieldlogger.Error(username)      // $ hasTaintFlow="username"
-		fieldlogger.Errorf(username, "")    // $ hasTaintFlow="username"
+		fieldlogger.Errorf(username, "") // $ hasTaintFlow="username"
-		fieldlogger.Errorf("", username)    // $ hasTaintFlow="username"
+		fieldlogger.Errorf("", username) // $ hasTaintFlow="username"
-		fieldlogger.Errorln(username)       // $ hasTaintFlow="username"
+		fieldlogger.Errorln(username)    // $ hasTaintFlow="username"
-		fieldlogger.Fatal(username)         // $ hasTaintFlow="username"
+		if testFlag == "37" {
-		fieldlogger.Fatalf(username, "")    // $ hasTaintFlow="username"
+			fieldlogger.Fatal(username) // $ hasTaintFlow="username"
-		fieldlogger.Fatalf("", username)    // $ hasTaintFlow="username"
+		}
-		fieldlogger.Fatalln(username)       // $ hasTaintFlow="username"
+		if testFlag == "38" {
-		fieldlogger.Info(username)          // $ hasTaintFlow="username"
+			fieldlogger.Fatalf(username, "") // $ hasTaintFlow="username"
-		fieldlogger.Infof(username, "")     // $ hasTaintFlow="username"
+		}
-		fieldlogger.Infof("", username)     // $ hasTaintFlow="username"
+		if testFlag == "39" {
-		fieldlogger.Infoln(username)        // $ hasTaintFlow="username"
+			fieldlogger.Fatalf("", username) // $ hasTaintFlow="username"
-		fieldlogger.Panic(username)         // $ hasTaintFlow="username"
+		}
-		fieldlogger.Panicf(username, "")    // $ hasTaintFlow="username"
+		if testFlag == "40" {
-		fieldlogger.Panicf("", username)    // $ hasTaintFlow="username"
+			fieldlogger.Fatalln(username) // $ hasTaintFlow="username"
-		fieldlogger.Panicln(username)       // $ hasTaintFlow="username"
+		}
+		fieldlogger.Info(username)      // $ hasTaintFlow="username"
+		fieldlogger.Infof(username, "") // $ hasTaintFlow="username"
+		fieldlogger.Infof("", username) // $ hasTaintFlow="username"
+		fieldlogger.Infoln(username)    // $ hasTaintFlow="username"
+		if testFlag == "41" {
+			fieldlogger.Panic(username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "42" {
+			fieldlogger.Panicf(username, "") // $ hasTaintFlow="username"
+		}
+		if testFlag == "43" {
+			fieldlogger.Panicf("", username) // $ hasTaintFlow="username"
+		}
+		if testFlag == "44" {
+			fieldlogger.Panicln(username) // $ hasTaintFlow="username"
+		}
 		fieldlogger.Print(username)         // $ hasTaintFlow="username"
 		fieldlogger.Printf(username, "")    // $ hasTaintFlow="username"
 		fieldlogger.Printf("", username)    // $ hasTaintFlow="username"
@@ -366,11 +470,11 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger.DPanic(username) // $ hasTaintFlow="username"
 		logger.Debug(username)  // $ hasTaintFlow="username"
 		logger.Error(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "45" {
 			logger.Fatal(username) // $ hasTaintFlow="username"
 		}
 		logger.Info(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "46" {
 			logger.Panic(username) // $ hasTaintFlow="username"
 		}
 		logger.Warn(username)        // $ hasTaintFlow="username"
@@ -382,33 +486,33 @@ func handler(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanic(username) // $ hasTaintFlow="username"
 		sLogger.Debug(username)  // $ hasTaintFlow="username"
 		sLogger.Error(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "47" {
 			sLogger.Fatal(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Info(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "48" {
 			sLogger.Panic(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warn(username)    // $ hasTaintFlow="username"
 		sLogger.DPanicf(username) // $ hasTaintFlow="username"
 		sLogger.Debugf(username)  // $ hasTaintFlow="username"
 		sLogger.Errorf(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "49" {
 			sLogger.Fatalf(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infof(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "50" {
 			sLogger.Panicf(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnf(username)   // $ hasTaintFlow="username"
 		sLogger.DPanicw(username) // $ hasTaintFlow="username"
 		sLogger.Debugw(username)  // $ hasTaintFlow="username"
 		sLogger.Errorw(username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "51" {
 			sLogger.Fatalw(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infow(username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "52" {
 			sLogger.Panicw(username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnw(username) // $ hasTaintFlow="username"
@@ -515,10 +619,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		verbose.Infof("user %q logged in.\n", username)
 		klog.Infof("user %q logged in.\n", username)
 		klog.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "53" {
 			klog.Fatalf("user %q logged in.\n", username)
 		}
-		if testFlag == " true" {
+		if testFlag == "54" {
 			klog.Exitf("user %q logged in.\n", username)
 		}
 	}
@@ -534,10 +638,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 
 		glog.Infof("user %q logged in.\n", username)
 		glog.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "55" {
 			glog.Fatalf("user %q logged in.\n", username)
 		}
-		if testFlag == " true" {
+		if testFlag == "56" {
 			glog.Exitf("user %q logged in.\n", username)
 		}
 	}
@@ -545,11 +649,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 	{
 		logrus.Debugf("user %q logged in.\n", username)
 		logrus.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "57" {
 			logrus.Fatalf("user %q logged in.\n", username)
 		}
 		logrus.Infof("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "58" {
 			logrus.Panicf("user %q logged in.\n", username)
 		}
 		logrus.Printf("user %q logged in.\n", username)
@@ -561,12 +665,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry := logrus.WithFields(fields)
 		entry.Debugf("user %q logged in.\n", username)
 		entry.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "59" {
 			entry.Fatalf("user %q logged in.\n", username)
 		}
 		entry.Infof("user %q logged in.\n", username)
 		entry.Logf(0, "user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "60" {
 			entry.Panicf("user %q logged in.\n", username)
 		}
 		entry.Printf("user %q logged in.\n", username)
@@ -577,12 +681,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := entry.Logger
 		logger.Debugf("user %q logged in.\n", username)
 		logger.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "61" {
 			logger.Fatalf("user %q logged in.\n", username)
 		}
 		logger.Infof("user %q logged in.\n", username)
 		logger.Logf(0, "user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "62" {
 			logger.Panicf("user %q logged in.\n", username)
 		}
 		logger.Printf("user %q logged in.\n", username)
@@ -603,11 +707,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanicf("user %q logged in.\n", username)
 		sLogger.Debugf("user %q logged in.\n", username)
 		sLogger.Errorf("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "63" {
 			sLogger.Fatalf("user %q logged in.\n", username)
 		}
 		sLogger.Infof("user %q logged in.\n", username)
-		if testFlag == " true" {
+		if testFlag == "64" {
 			sLogger.Panicf("user %q logged in.\n", username)
 		}
 		sLogger.Warnf("user %q logged in.\n", username)
@@ -620,10 +724,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		verbose.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		klog.Infof("user %#q logged in.\n", username)    // $ hasTaintFlow="username"
 		klog.Errorf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "65" {
 			klog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
-		if testFlag == " true" {
+		if testFlag == "66" {
 			klog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 	}
@@ -639,10 +743,10 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 
 		glog.Infof("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
 		glog.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "67" {
 			glog.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
-		if testFlag == " true" {
+		if testFlag == "68" {
 			glog.Exitf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 	}
@@ -650,11 +754,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 	{
 		logrus.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		logrus.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "69" {
 			logrus.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logrus.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "70" {
 			logrus.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logrus.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -666,12 +770,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		entry := logrus.WithFields(fields)
 		entry.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		entry.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "71" {
 			entry.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		entry.Infof("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
 		entry.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "72" {
 			entry.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		entry.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -682,12 +786,12 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		logger := entry.Logger
 		logger.Debugf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		logger.Errorf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "73" {
 			logger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logger.Infof("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
 		logger.Logf(0, "user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "74" {
 			logger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		logger.Printf("user %#q logged in.\n", username)   // $ hasTaintFlow="username"
@@ -708,11 +812,11 @@ func handlerGood4(req *http.Request, ctx *goproxy.ProxyCtx) {
 		sLogger.DPanicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		sLogger.Debugf("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
 		sLogger.Errorf("user %#q logged in.\n", username)  // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "75" {
 			sLogger.Fatalf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		sLogger.Infof("user %#q logged in.\n", username) // $ hasTaintFlow="username"
-		if testFlag == " true" {
+		if testFlag == "76" {
 			sLogger.Panicf("user %#q logged in.\n", username) // $ hasTaintFlow="username"
 		}
 		sLogger.Warnf("user %#q logged in.\n", username) // $ hasTaintFlow="username"

go/ql/test/query-tests/Security/CWE-312/CleartextLogging.expected

@@ -37,22 +37,22 @@
 | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | passwords.go:26:14:26:23 | selection of password | $@ flows to a logging call. | passwords.go:26:14:26:23 | selection of password | Sensitive data returned by an access to password |
 | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | passwords.go:27:14:27:26 | call to getPassword | $@ flows to a logging call. | passwords.go:27:14:27:26 | call to getPassword | Sensitive data returned by a call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | passwords.go:28:14:28:28 | call to getPassword | $@ flows to a logging call. | passwords.go:28:14:28:28 | call to getPassword | Sensitive data returned by a call to getPassword |
-| passwords.go:32:12:32:19 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:33:13:33:20 | password | passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:34:14:34:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:34:14:34:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:36:14:36:35 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:36:14:36:35 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:39:14:39:17 | obj1 | passwords.go:37:13:37:13 | x | passwords.go:39:14:39:17 | obj1 | $@ flows to a logging call. | passwords.go:37:13:37:13 | x | Sensitive data returned by an access to password |
+| passwords.go:41:14:41:17 | obj1 | passwords.go:39:13:39:13 | x | passwords.go:41:14:41:17 | obj1 | $@ flows to a logging call. | passwords.go:39:13:39:13 | x | Sensitive data returned by an access to password |
-| passwords.go:44:14:44:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:44:14:44:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:46:14:46:17 | obj2 | passwords.go:21:2:21:9 | definition of password | passwords.go:46:14:46:17 | obj2 | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:51:14:51:27 | fixed_password | passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | $@ flows to a logging call. | passwords.go:50:2:50:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password |
+| passwords.go:53:14:53:27 | fixed_password | passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | $@ flows to a logging call. | passwords.go:52:2:52:15 | definition of fixed_password | Sensitive data returned by an access to fixed_password |
-| passwords.go:89:14:89:26 | utilityObject | passwords.go:87:16:87:36 | call to make | passwords.go:89:14:89:26 | utilityObject | $@ flows to a logging call. | passwords.go:87:16:87:36 | call to make | Sensitive data returned by an access to passwordSet |
+| passwords.go:91:14:91:26 | utilityObject | passwords.go:89:16:89:36 | call to make | passwords.go:91:14:91:26 | utilityObject | $@ flows to a logging call. | passwords.go:89:16:89:36 | call to make | Sensitive data returned by an access to passwordSet |
-| passwords.go:92:23:92:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:92:23:92:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:94:23:94:28 | secret | passwords.go:21:2:21:9 | definition of password | passwords.go:94:23:94:28 | secret | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:102:15:102:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:102:15:102:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:104:15:104:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:104:15:104:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:108:16:108:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:108:16:108:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:110:16:110:41 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:110:16:110:41 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:113:15:113:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:113:15:113:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:115:15:115:40 | ...+... | passwords.go:21:2:21:9 | definition of password | passwords.go:115:15:115:40 | ...+... | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:117:14:117:45 | ...+... | passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:14:117:45 | ...+... | $@ flows to a logging call. | passwords.go:116:6:116:14 | definition of password1 | Sensitive data returned by an access to password1 |
+| passwords.go:119:14:119:45 | ...+... | passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:14:119:45 | ...+... | $@ flows to a logging call. | passwords.go:118:6:118:14 | definition of password1 | Sensitive data returned by an access to password1 |
-| passwords.go:127:14:127:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:129:14:129:19 | config | passwords.go:21:2:21:9 | definition of password | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:127:14:127:19 | config | passwords.go:121:13:121:14 | x3 | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:121:13:121:14 | x3 | Sensitive data returned by an access to password |
+| passwords.go:129:14:129:19 | config | passwords.go:123:13:123:14 | x3 | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:123:13:123:14 | x3 | Sensitive data returned by an access to password |
-| passwords.go:127:14:127:19 | config | passwords.go:124:13:124:25 | call to getPassword | passwords.go:127:14:127:19 | config | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| passwords.go:129:14:129:19 | config | passwords.go:126:13:126:25 | call to getPassword | passwords.go:129:14:129:19 | config | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword |
-| passwords.go:128:14:128:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:128:14:128:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
+| passwords.go:130:14:130:21 | selection of x | passwords.go:21:2:21:9 | definition of password | passwords.go:130:14:130:21 | selection of x | $@ flows to a logging call. | passwords.go:21:2:21:9 | definition of password | Sensitive data returned by an access to password |
-| passwords.go:129:14:129:21 | selection of y | passwords.go:124:13:124:25 | call to getPassword | passwords.go:129:14:129:21 | selection of y | $@ flows to a logging call. | passwords.go:124:13:124:25 | call to getPassword | Sensitive data returned by a call to getPassword |
+| passwords.go:131:14:131:21 | selection of y | passwords.go:126:13:126:25 | call to getPassword | passwords.go:131:14:131:21 | selection of y | $@ flows to a logging call. | passwords.go:126:13:126:25 | call to getPassword | Sensitive data returned by a call to getPassword |
 | protobuf.go:14:14:14:35 | call to GetDescription | protobuf.go:9:2:9:9 | definition of password | protobuf.go:14:14:14:35 | call to GetDescription | $@ flows to a logging call. | protobuf.go:9:2:9:9 | definition of password | Sensitive data returned by an access to password |
 edges
 | klog.go:21:3:26:3 | range statement[1] | klog.go:22:27:22:33 | headers | provenance |  |
@@ -82,95 +82,15 @@ edges
 | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance |  |
 | main.go:53:11:53:18 | password | main.go:54:12:54:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:56:11:56:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
 | main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:68:11:68:18 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
 | main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:54:12:54:19 | password | main.go:77:13:77:20 | password | provenance |  |
 | main.go:54:12:54:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
 | main.go:54:12:54:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:59:18:59:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
-| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:56:11:56:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:56:11:56:18 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:62:12:62:19 | password | provenance | Sink:MaD:7 |
-| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:59:18:59:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:59:18:59:25 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:65:13:65:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:62:12:62:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:62:12:62:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:68:11:68:18 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:65:13:65:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:65:13:65:20 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:71:18:71:25 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:68:11:68:18 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:68:11:68:18 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:74:12:74:19 | password | provenance | Sink:MaD:9 |
-| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:71:18:71:25 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:71:18:71:25 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:77:13:77:20 | password | provenance |  |
-| main.go:74:12:74:19 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:74:12:74:19 | password | main.go:80:17:80:24 | password | provenance |  |
-| main.go:77:13:77:20 | password | main.go:79:14:79:21 | password | provenance | Sink:MaD:8 |
-| main.go:77:13:77:20 | password | main.go:80:17:80:24 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:82:12:82:19 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:83:17:83:24 | password | provenance |  |
 | main.go:80:17:80:24 | password | main.go:86:19:86:26 | password | provenance |  |
@@ -182,46 +102,46 @@ edges
 | passwords.go:8:12:8:12 | definition of x | passwords.go:9:14:9:14 | x | provenance |  |
 | passwords.go:21:2:21:9 | definition of password | passwords.go:25:14:25:21 | password | provenance |  |
 | passwords.go:21:2:21:9 | definition of password | passwords.go:30:8:30:15 | password | provenance |  |
-| passwords.go:21:2:21:9 | definition of password | passwords.go:32:12:32:19 | password | provenance |  |
+| passwords.go:21:2:21:9 | definition of password | passwords.go:33:13:33:20 | password | provenance |  |
-| passwords.go:21:2:21:9 | definition of password | passwords.go:34:28:34:35 | password | provenance |  |
+| passwords.go:21:2:21:9 | definition of password | passwords.go:36:28:36:35 | password | provenance |  |
 | passwords.go:30:8:30:15 | password | passwords.go:8:12:8:12 | definition of x | provenance |  |
-| passwords.go:34:28:34:35 | password | passwords.go:34:14:34:35 | ...+... | provenance | Config |
+| passwords.go:36:28:36:35 | password | passwords.go:36:14:36:35 | ...+... | provenance | Config |
-| passwords.go:34:28:34:35 | password | passwords.go:42:6:42:13 | password | provenance |  |
+| passwords.go:36:28:36:35 | password | passwords.go:44:6:44:13 | password | provenance |  |
-| passwords.go:36:10:38:2 | struct literal | passwords.go:39:14:39:17 | obj1 | provenance |  |
+| passwords.go:38:10:40:2 | struct literal | passwords.go:41:14:41:17 | obj1 | provenance |  |
-| passwords.go:37:13:37:13 | x | passwords.go:36:10:38:2 | struct literal | provenance | Config |
+| passwords.go:39:13:39:13 | x | passwords.go:38:10:40:2 | struct literal | provenance | Config |
-| passwords.go:41:10:43:2 | struct literal | passwords.go:44:14:44:17 | obj2 | provenance |  |
+| passwords.go:43:10:45:2 | struct literal | passwords.go:46:14:46:17 | obj2 | provenance |  |
-| passwords.go:42:6:42:13 | password | passwords.go:41:10:43:2 | struct literal | provenance | Config |
+| passwords.go:44:6:44:13 | password | passwords.go:43:10:45:2 | struct literal | provenance | Config |
-| passwords.go:42:6:42:13 | password | passwords.go:48:11:48:18 | password | provenance |  |
+| passwords.go:44:6:44:13 | password | passwords.go:50:11:50:18 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:92:23:92:28 | secret | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:94:23:94:28 | secret | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:102:33:102:40 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:104:33:104:40 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:108:34:108:41 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:110:34:110:41 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:48:11:48:18 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:50:11:50:18 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:50:2:50:15 | definition of fixed_password | passwords.go:51:14:51:27 | fixed_password | provenance |  |
+| passwords.go:52:2:52:15 | definition of fixed_password | passwords.go:53:14:53:27 | fixed_password | provenance |  |
-| passwords.go:86:19:88:2 | struct literal | passwords.go:89:14:89:26 | utilityObject | provenance |  |
+| passwords.go:88:19:90:2 | struct literal | passwords.go:91:14:91:26 | utilityObject | provenance |  |
-| passwords.go:87:16:87:36 | call to make | passwords.go:86:19:88:2 | struct literal | provenance | Config |
+| passwords.go:89:16:89:36 | call to make | passwords.go:88:19:90:2 | struct literal | provenance | Config |
-| passwords.go:102:33:102:40 | password | passwords.go:102:15:102:40 | ...+... | provenance | Config |
+| passwords.go:104:33:104:40 | password | passwords.go:104:15:104:40 | ...+... | provenance | Config |
-| passwords.go:102:33:102:40 | password | passwords.go:108:34:108:41 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:110:34:110:41 | password | provenance |  |
-| passwords.go:102:33:102:40 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:102:33:102:40 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:104:33:104:40 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:108:34:108:41 | password | passwords.go:108:16:108:41 | ...+... | provenance | Config |
+| passwords.go:110:34:110:41 | password | passwords.go:110:16:110:41 | ...+... | provenance | Config |
-| passwords.go:108:34:108:41 | password | passwords.go:113:33:113:40 | password | provenance |  |
+| passwords.go:110:34:110:41 | password | passwords.go:115:33:115:40 | password | provenance |  |
-| passwords.go:108:34:108:41 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:110:34:110:41 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:113:33:113:40 | password | passwords.go:113:15:113:40 | ...+... | provenance | Config |
+| passwords.go:115:33:115:40 | password | passwords.go:115:15:115:40 | ...+... | provenance | Config |
-| passwords.go:113:33:113:40 | password | passwords.go:123:13:123:20 | password | provenance |  |
+| passwords.go:115:33:115:40 | password | passwords.go:125:13:125:20 | password | provenance |  |
-| passwords.go:116:6:116:14 | definition of password1 | passwords.go:117:28:117:36 | password1 | provenance |  |
+| passwords.go:118:6:118:14 | definition of password1 | passwords.go:119:28:119:36 | password1 | provenance |  |
-| passwords.go:117:28:117:36 | password1 | passwords.go:117:28:117:45 | call to String | provenance | Config |
+| passwords.go:119:28:119:36 | password1 | passwords.go:119:28:119:45 | call to String | provenance | Config |
-| passwords.go:117:28:117:45 | call to String | passwords.go:117:14:117:45 | ...+... | provenance | Config |
+| passwords.go:119:28:119:45 | call to String | passwords.go:119:14:119:45 | ...+... | provenance | Config |
-| passwords.go:120:12:125:2 | struct literal | passwords.go:127:14:127:19 | config | provenance |  |
+| passwords.go:122:12:127:2 | struct literal | passwords.go:129:14:129:19 | config | provenance |  |
-| passwords.go:120:12:125:2 | struct literal [x] | passwords.go:128:14:128:19 | config [x] | provenance |  |
+| passwords.go:122:12:127:2 | struct literal [x] | passwords.go:130:14:130:19 | config [x] | provenance |  |
-| passwords.go:120:12:125:2 | struct literal [y] | passwords.go:129:14:129:19 | config [y] | provenance |  |
+| passwords.go:122:12:127:2 | struct literal [y] | passwords.go:131:14:131:19 | config [y] | provenance |  |
-| passwords.go:121:13:121:14 | x3 | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:123:13:123:14 | x3 | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:123:13:123:20 | password | passwords.go:120:12:125:2 | struct literal [x] | provenance |  |
+| passwords.go:125:13:125:20 | password | passwords.go:122:12:127:2 | struct literal [x] | provenance |  |
-| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal | provenance | Config |
+| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal | provenance | Config |
-| passwords.go:124:13:124:25 | call to getPassword | passwords.go:120:12:125:2 | struct literal [y] | provenance |  |
+| passwords.go:126:13:126:25 | call to getPassword | passwords.go:122:12:127:2 | struct literal [y] | provenance |  |
-| passwords.go:128:14:128:19 | config [x] | passwords.go:128:14:128:21 | selection of x | provenance |  |
+| passwords.go:130:14:130:19 | config [x] | passwords.go:130:14:130:21 | selection of x | provenance |  |
-| passwords.go:129:14:129:19 | config [y] | passwords.go:129:14:129:21 | selection of y | provenance |  |
+| passwords.go:131:14:131:19 | config [y] | passwords.go:131:14:131:21 | selection of y | provenance |  |
 | protobuf.go:9:2:9:9 | definition of password | protobuf.go:12:22:12:29 | password | provenance |  |
 | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | provenance |  |
 | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | protobuf.go:14:14:14:18 | query [pointer, Description] | provenance |  |
@@ -274,20 +194,12 @@ nodes
 | main.go:54:12:54:19 | password | semmle.label | password |
 | main.go:54:12:54:19 | password | semmle.label | password |
 | main.go:56:11:56:18 | password | semmle.label | password |
-| main.go:56:11:56:18 | password | semmle.label | password |
-| main.go:59:18:59:25 | password | semmle.label | password |
 | main.go:59:18:59:25 | password | semmle.label | password |
 | main.go:62:12:62:19 | password | semmle.label | password |
-| main.go:62:12:62:19 | password | semmle.label | password |
-| main.go:65:13:65:20 | password | semmle.label | password |
 | main.go:65:13:65:20 | password | semmle.label | password |
 | main.go:68:11:68:18 | password | semmle.label | password |
-| main.go:68:11:68:18 | password | semmle.label | password |
-| main.go:71:18:71:25 | password | semmle.label | password |
 | main.go:71:18:71:25 | password | semmle.label | password |
 | main.go:74:12:74:19 | password | semmle.label | password |
-| main.go:74:12:74:19 | password | semmle.label | password |
-| main.go:77:13:77:20 | password | semmle.label | password |
 | main.go:77:13:77:20 | password | semmle.label | password |
 | main.go:79:14:79:21 | password | semmle.label | password |
 | main.go:80:17:80:24 | password | semmle.label | password |
@@ -308,43 +220,43 @@ nodes
 | passwords.go:27:14:27:26 | call to getPassword | semmle.label | call to getPassword |
 | passwords.go:28:14:28:28 | call to getPassword | semmle.label | call to getPassword |
 | passwords.go:30:8:30:15 | password | semmle.label | password |
-| passwords.go:32:12:32:19 | password | semmle.label | password |
+| passwords.go:33:13:33:20 | password | semmle.label | password |
-| passwords.go:34:14:34:35 | ...+... | semmle.label | ...+... |
+| passwords.go:36:14:36:35 | ...+... | semmle.label | ...+... |
-| passwords.go:34:28:34:35 | password | semmle.label | password |
+| passwords.go:36:28:36:35 | password | semmle.label | password |
-| passwords.go:36:10:38:2 | struct literal | semmle.label | struct literal |
+| passwords.go:38:10:40:2 | struct literal | semmle.label | struct literal |
-| passwords.go:37:13:37:13 | x | semmle.label | x |
+| passwords.go:39:13:39:13 | x | semmle.label | x |
-| passwords.go:39:14:39:17 | obj1 | semmle.label | obj1 |
+| passwords.go:41:14:41:17 | obj1 | semmle.label | obj1 |
-| passwords.go:41:10:43:2 | struct literal | semmle.label | struct literal |
+| passwords.go:43:10:45:2 | struct literal | semmle.label | struct literal |
-| passwords.go:42:6:42:13 | password | semmle.label | password |
+| passwords.go:44:6:44:13 | password | semmle.label | password |
-| passwords.go:44:14:44:17 | obj2 | semmle.label | obj2 |
+| passwords.go:46:14:46:17 | obj2 | semmle.label | obj2 |
-| passwords.go:48:11:48:18 | password | semmle.label | password |
+| passwords.go:50:11:50:18 | password | semmle.label | password |
-| passwords.go:50:2:50:15 | definition of fixed_password | semmle.label | definition of fixed_password |
+| passwords.go:52:2:52:15 | definition of fixed_password | semmle.label | definition of fixed_password |
-| passwords.go:51:14:51:27 | fixed_password | semmle.label | fixed_password |
+| passwords.go:53:14:53:27 | fixed_password | semmle.label | fixed_password |
-| passwords.go:86:19:88:2 | struct literal | semmle.label | struct literal |
+| passwords.go:88:19:90:2 | struct literal | semmle.label | struct literal |
-| passwords.go:87:16:87:36 | call to make | semmle.label | call to make |
+| passwords.go:89:16:89:36 | call to make | semmle.label | call to make |
-| passwords.go:89:14:89:26 | utilityObject | semmle.label | utilityObject |
+| passwords.go:91:14:91:26 | utilityObject | semmle.label | utilityObject |
-| passwords.go:92:23:92:28 | secret | semmle.label | secret |
+| passwords.go:94:23:94:28 | secret | semmle.label | secret |
-| passwords.go:102:15:102:40 | ...+... | semmle.label | ...+... |
+| passwords.go:104:15:104:40 | ...+... | semmle.label | ...+... |
-| passwords.go:102:33:102:40 | password | semmle.label | password |
+| passwords.go:104:33:104:40 | password | semmle.label | password |
-| passwords.go:108:16:108:41 | ...+... | semmle.label | ...+... |
+| passwords.go:110:16:110:41 | ...+... | semmle.label | ...+... |
-| passwords.go:108:34:108:41 | password | semmle.label | password |
+| passwords.go:110:34:110:41 | password | semmle.label | password |
-| passwords.go:113:15:113:40 | ...+... | semmle.label | ...+... |
+| passwords.go:115:15:115:40 | ...+... | semmle.label | ...+... |
-| passwords.go:113:33:113:40 | password | semmle.label | password |
+| passwords.go:115:33:115:40 | password | semmle.label | password |
-| passwords.go:116:6:116:14 | definition of password1 | semmle.label | definition of password1 |
+| passwords.go:118:6:118:14 | definition of password1 | semmle.label | definition of password1 |
-| passwords.go:117:14:117:45 | ...+... | semmle.label | ...+... |
+| passwords.go:119:14:119:45 | ...+... | semmle.label | ...+... |
-| passwords.go:117:28:117:36 | password1 | semmle.label | password1 |
+| passwords.go:119:28:119:36 | password1 | semmle.label | password1 |
-| passwords.go:117:28:117:45 | call to String | semmle.label | call to String |
+| passwords.go:119:28:119:45 | call to String | semmle.label | call to String |
-| passwords.go:120:12:125:2 | struct literal | semmle.label | struct literal |
+| passwords.go:122:12:127:2 | struct literal | semmle.label | struct literal |
-| passwords.go:120:12:125:2 | struct literal [x] | semmle.label | struct literal [x] |
+| passwords.go:122:12:127:2 | struct literal [x] | semmle.label | struct literal [x] |
-| passwords.go:120:12:125:2 | struct literal [y] | semmle.label | struct literal [y] |
+| passwords.go:122:12:127:2 | struct literal [y] | semmle.label | struct literal [y] |
-| passwords.go:121:13:121:14 | x3 | semmle.label | x3 |
+| passwords.go:123:13:123:14 | x3 | semmle.label | x3 |
-| passwords.go:123:13:123:20 | password | semmle.label | password |
+| passwords.go:125:13:125:20 | password | semmle.label | password |
-| passwords.go:124:13:124:25 | call to getPassword | semmle.label | call to getPassword |
+| passwords.go:126:13:126:25 | call to getPassword | semmle.label | call to getPassword |
-| passwords.go:127:14:127:19 | config | semmle.label | config |
+| passwords.go:129:14:129:19 | config | semmle.label | config |
-| passwords.go:128:14:128:19 | config [x] | semmle.label | config [x] |
+| passwords.go:130:14:130:19 | config [x] | semmle.label | config [x] |
-| passwords.go:128:14:128:21 | selection of x | semmle.label | selection of x |
+| passwords.go:130:14:130:21 | selection of x | semmle.label | selection of x |
-| passwords.go:129:14:129:19 | config [y] | semmle.label | config [y] |
+| passwords.go:131:14:131:19 | config [y] | semmle.label | config [y] |
-| passwords.go:129:14:129:21 | selection of y | semmle.label | selection of y |
+| passwords.go:131:14:131:21 | selection of y | semmle.label | selection of y |
 | protobuf.go:9:2:9:9 | definition of password | semmle.label | definition of password |
 | protobuf.go:12:2:12:6 | implicit dereference [postupdate] [Description] | semmle.label | implicit dereference [postupdate] [Description] |
 | protobuf.go:12:2:12:6 | query [postupdate] [pointer, Description] | semmle.label | query [postupdate] [pointer, Description] |

go/ql/test/query-tests/Security/CWE-312/passwords.go

@@ -16,7 +16,7 @@ func redact(kind, value string) string {
 	return value
 }
 
-func test() {
+func test(selector int) {
 	name := "user"
 	password := "P@ssw0rd" // $ Source
 	x := "horsebatterystapleincorrect"
@@ -29,7 +29,9 @@ func test() {
 
 	myLog(password)
 
-	log.Panic(password) // $ Alert
+	if selector == 1 {
+		log.Panic(password) // $ Alert
+	}
 
 	log.Println(name + ", " + password) // $ Alert
 

java/kotlin-extractor/BUILD.bazel

@@ -53,6 +53,9 @@ _extractor_name_prefix = "%s-%s" % (
     "embeddable" if _for_embeddable else "standalone",
 )
 
+_compiler_plugin_registrar_service_source = "src/main/resources/META-INF/services/org.jetbrains.kotlin.compiler.plugin.CompilerPluginRegistrar"
+_compiler_plugin_registrar_service_target = "META-INF/services/org.jetbrains.kotlin.compiler.plugin.CompilerPluginRegistrar"
+
 py_binary(
     name = "generate_dbscheme",
     srcs = ["generate_dbscheme.py"],
@@ -64,8 +67,14 @@ _resources = [
         r[len("src/main/resources/"):],
     )
     for r in glob(["src/main/resources/**"])
+    if r != _compiler_plugin_registrar_service_source
 ]
 
+_compiler_plugin_registrar_service = (
+    _compiler_plugin_registrar_service_source,
+    _compiler_plugin_registrar_service_target,
+)
+
 kt_javac_options(
     name = "javac-options",
     release = "8",
@@ -91,19 +100,32 @@ kt_javac_options(
         # * `resource_strip_prefix` is unique per jar, so we must also put other resources under the same version prefix
         genrule(
             name = "resources-%s" % v,
-            srcs = [src for src, _ in _resources],
+            srcs = [src for src, _ in _resources] + (
+                [_compiler_plugin_registrar_service[0]] if not version_less(v, "2.4.0") else []
+            ),
             outs = [
                 "%s/com/github/codeql/extractor.name" % v,
             ] + [
                 "%s/%s" % (v, target)
                 for _, target in _resources
-            ],
+            ] + (
+                ["%s/%s" % (
+                    v,
+                    _compiler_plugin_registrar_service[1],
+                )] if not version_less(v, "2.4.0") else []
+            ),
             cmd = "\n".join([
                 "echo %s-%s > $(RULEDIR)/%s/com/github/codeql/extractor.name" % (_extractor_name_prefix, v, v),
             ] + [
                 "cp $(execpath %s) $(RULEDIR)/%s/%s" % (source, v, target)
                 for source, target in _resources
-            ]),
+            ] + (
+                ["cp $(execpath %s) $(RULEDIR)/%s/%s" % (
+                    _compiler_plugin_registrar_service[0],
+                    v,
+                    _compiler_plugin_registrar_service[1],
+                )] if not version_less(v, "2.4.0") else []
+            )),
         ),
         kt_jvm_library(
             name = "%s-%s" % (_extractor_name_prefix, v),

java/kotlin-extractor/dev/wrapper.py

@@ -27,7 +27,7 @@ import shutil
 import io
 import os
 
-DEFAULT_VERSION = "2.3.20"
+DEFAULT_VERSION = "2.4.0"
 
 
 def options():

java/kotlin-extractor/src/main/kotlin/KotlinExtractorComponentRegistrar.kt

@@ -3,32 +3,21 @@
 
 package com.github.codeql
 
-import com.intellij.mock.MockProject
-import com.intellij.openapi.extensions.LoadingOrder
-import org.jetbrains.kotlin.backend.common.extensions.IrGenerationExtension
 import org.jetbrains.kotlin.config.CompilerConfiguration
 
 class KotlinExtractorComponentRegistrar : Kotlin2ComponentRegistrar() {
-    override fun registerProjectComponents(
+    override fun doRegisterExtensions(configuration: CompilerConfiguration) {
-        project: MockProject,
-        configuration: CompilerConfiguration
-    ) {
         val invocationTrapFile = configuration[KEY_INVOCATION_TRAP_FILE]
         if (invocationTrapFile == null) {
             throw Exception("Required argument for TRAP invocation file not given")
         }
-        // Register with LoadingOrder.LAST to ensure the extractor runs after other
+        registerExtractorExtension(
-        // IR generation plugins (like kotlinx.serialization) have generated their code.
-        val extensionPoint = project.extensionArea.getExtensionPoint(IrGenerationExtension.extensionPointName)
-        extensionPoint.registerExtension(
             KotlinExtractorExtension(
                 invocationTrapFile,
                 configuration[KEY_CHECK_TRAP_IDENTICAL] ?: false,
                 configuration[KEY_COMPILATION_STARTTIME],
                 configuration[KEY_EXIT_AFTER_EXTRACTION] ?: false
-            ),
+            )
-            LoadingOrder.LAST,
-            project
         )
     }
 }

java/kotlin-extractor/src/main/kotlin/KotlinFileExtractor.kt

@@ -173,9 +173,9 @@ open class KotlinFileExtractor(
         when (d) {
             is IrFunction ->
                 when (d.name.asString()) {
-                    "toString" -> d.valueParameters.isEmpty()
+                    "toString" -> d.codeQlValueParameters.isEmpty()
-                    "hashCode" -> d.valueParameters.isEmpty()
+                    "hashCode" -> d.codeQlValueParameters.isEmpty()
-                    "equals" -> d.valueParameters.singleOrNull()?.type?.isNullableAny() ?: false
+                    "equals" -> d.codeQlValueParameters.singleOrNull()?.type?.isNullableAny() ?: false
                     else -> false
                 } && isJavaBinaryDeclaration(d)
             else -> false
@@ -721,7 +721,7 @@ open class KotlinFileExtractor(
             (it.type as? IrSimpleType)?.classFqName?.asString() != "kotlin.Deprecated"
         } +
             // Note we lose any arguments to @java.lang.Deprecated that were written in source.
-            IrConstructorCallImpl.fromSymbolOwner(
+            codeQlAnnotationFromSymbolOwner(
                 UNDEFINED_OFFSET,
                 UNDEFINED_OFFSET,
                 jldConstructor.returnType,
@@ -781,13 +781,13 @@ open class KotlinFileExtractor(
         val locId = tw.getLocation(constructorCall)
         tw.writeHasLocation(id, locId)
 
-        for (i in 0 until constructorCall.valueArgumentsCount) {
+        for (i in 0 until constructorCall.codeQlValueArgumentsCount) {
-            val param = constructorCall.symbol.owner.valueParameters[i]
+            val param = constructorCall.symbol.owner.codeQlValueParameters[i]
             val prop =
                 constructorCall.symbol.owner.parentAsClass.declarations
                     .filterIsInstance<IrProperty>()
                     .first { it.name == param.name }
-            val v = constructorCall.getValueArgument(i) ?: param.defaultValue?.expression
+            val v = constructorCall.codeQlGetValueArgument(i) ?: param.defaultValue?.expression
             val getter = prop.getter
             if (getter == null) {
                 logger.warnElement("Expected annotation property to define a getter", prop)
@@ -1115,9 +1115,9 @@ open class KotlinFileExtractor(
                         returnId,
                         0,
                         returnId,
-                        f.valueParameters.size,
+                        f.codeQlValueParameters.size,
                         { argParent, idxOffset ->
-                            f.valueParameters.forEachIndexed { idx, param ->
+                            f.codeQlValueParameters.forEachIndexed { idx, param ->
                                 val syntheticParamId = useValueParameter(param, proxyFunctionId)
                                 extractVariableAccess(
                                     syntheticParamId,
@@ -1695,9 +1695,9 @@ open class KotlinFileExtractor(
                             returnId,
                             0,
                             returnId,
-                            f.valueParameters.size,
+                            f.codeQlValueParameters.size,
                             { argParentId, idxOffset ->
-                                f.valueParameters.mapIndexed { idx, param ->
+                                f.codeQlValueParameters.mapIndexed { idx, param ->
                                     val syntheticParamId = useValueParameter(param, functionId)
                                     extractVariableAccess(
                                         syntheticParamId,
@@ -1792,7 +1792,7 @@ open class KotlinFileExtractor(
         extractBody: Boolean,
         extractMethodAndParameterTypeAccesses: Boolean
     ) {
-        if (f.valueParameters.none { it.defaultValue != null }) return
+        if (f.codeQlValueParameters.none { it.defaultValue != null }) return
 
         val id = getDefaultsMethodLabel(f)
         if (id == null) {
@@ -1800,7 +1800,7 @@ open class KotlinFileExtractor(
             return
         }
         val locId = getLocation(f, null)
-        val extReceiver = f.extensionReceiverParameter
+        val extReceiver = f.codeQlExtensionReceiverParameter
         val dispatchReceiver = if (f.shouldExtractAsStatic) null else f.dispatchReceiverParameter
         val parameterTypes = getDefaultsMethodArgTypes(f)
         val allParamTypeResults =
@@ -1869,7 +1869,7 @@ open class KotlinFileExtractor(
         tw.writeCompiler_generated(id, CompilerGeneratedKinds.DEFAULT_ARGUMENTS_METHOD.kind)
 
         if (extractBody) {
-            val nonSyntheticParams = listOfNotNull(dispatchReceiver) + f.valueParameters
+            val nonSyntheticParams = listOfNotNull(dispatchReceiver) + f.codeQlValueParameters
             // This stack entry represents as if we're extracting the 'real' function `f`, giving
             // the indices of its non-synthetic parameters
             // such that when we extract the default expressions below, any reference to f's nth
@@ -1895,12 +1895,12 @@ open class KotlinFileExtractor(
                     val realParamsVarId = getValueParameterLabel(id, parameterTypes.size - 2)
                     val intType = pluginContext.irBuiltIns.intType
                     val paramIdxOffset =
-                        listOf(dispatchReceiver, f.extensionReceiverParameter).count { it != null }
+                        listOf(dispatchReceiver, f.codeQlExtensionReceiverParameter).count { it != null }
                     extractBlockBody(id, locId).also { blockId ->
                         var nextStmt = 0
                         // For each parameter with a default, sub in the default value if the caller
                         // hasn't supplied a value:
-                        f.valueParameters.forEachIndexed { paramIdx, param ->
+                        f.codeQlValueParameters.forEachIndexed { paramIdx, param ->
                             val defaultVal = param.defaultValue
                             if (defaultVal != null) {
                                 extractIfStmt(locId, blockId, nextStmt++, id).also { ifId ->
@@ -1975,7 +1975,7 @@ open class KotlinFileExtractor(
                                     id
                                 )
                                 tw.writeHasLocation(thisCallId, locId)
-                                f.valueParameters.forEachIndexed { idx, param ->
+                                f.codeQlValueParameters.forEachIndexed { idx, param ->
                                     extractVariableAccess(
                                         tw.getLabelFor<DbParam>(getValueParameterLabel(id, idx)),
                                         param.type,
@@ -2003,9 +2003,9 @@ open class KotlinFileExtractor(
                                     )
                                     .also { thisCallId ->
                                         val realFnIdxOffset =
-                                            if (f.extensionReceiverParameter != null) 1 else 0
+                                            if (f.codeQlExtensionReceiverParameter != null) 1 else 0
                                         val paramMappings =
-                                            f.valueParameters.mapIndexed { idx, param ->
+                                            f.codeQlValueParameters.mapIndexed { idx, param ->
                                                 Triple(
                                                     param.type,
                                                     idx + paramIdxOffset,
@@ -2156,7 +2156,7 @@ open class KotlinFileExtractor(
                         val dispatchReceiver =
                             f.dispatchReceiverParameter?.let { IrGetValueImpl(-1, -1, it.symbol) }
                         val extensionReceiver =
-                            f.extensionReceiverParameter?.let { IrGetValueImpl(-1, -1, it.symbol) }
+                            f.codeQlExtensionReceiverParameter?.let { IrGetValueImpl(-1, -1, it.symbol) }
 
                         extractExpressionBody(overloadId, realFunctionLocId).also { returnId ->
                             extractsDefaultsCall(
@@ -2180,28 +2180,28 @@ open class KotlinFileExtractor(
         if (!f.hasAnnotation(jvmOverloadsFqName)) {
             if (
                 f is IrConstructor &&
-                    f.valueParameters.isNotEmpty() &&
+                    f.codeQlValueParameters.isNotEmpty() &&
-                    f.valueParameters.all { it.defaultValue != null } &&
+                    f.codeQlValueParameters.all { it.defaultValue != null } &&
                     f.parentClassOrNull?.let {
                         // Don't create a default constructor for an annotation class, or a class
                         // that explicitly declares a no-arg constructor.
                         !it.isAnnotationClass &&
                             it.declarations.none { d ->
-                                d is IrConstructor && d.valueParameters.isEmpty()
+                                d is IrConstructor && d.codeQlValueParameters.isEmpty()
                             }
                     } == true
             ) {
                 // Per https://kotlinlang.org/docs/classes.html#creating-instances-of-classes, a
                 // single default overload gets created specifically
                 // when we have all default parameters, regardless of `@JvmOverloads`.
-                extractGeneratedOverload(f.valueParameters.map { _ -> null })
+                extractGeneratedOverload(f.codeQlValueParameters.map { _ -> null })
             }
             return
         }
 
-        val paramList: MutableList<IrValueParameter?> = f.valueParameters.toMutableList()
+        val paramList: MutableList<IrValueParameter?> = f.codeQlValueParameters.toMutableList()
-        for (n in (f.valueParameters.size - 1) downTo 0) {
+        for (n in (f.codeQlValueParameters.size - 1) downTo 0) {
-            if (f.valueParameters[n].defaultValue != null) {
+            if (f.codeQlValueParameters[n].defaultValue != null) {
                 paramList[n] = null // Remove this parameter, to be replaced by a default value
                 extractGeneratedOverload(paramList)
             }
@@ -2327,7 +2327,7 @@ open class KotlinFileExtractor(
             getClassByFqName(pluginContext, it)?.let { annotationClass ->
                 annotationClass.owner.declarations.firstIsInstanceOrNull<IrConstructor>()?.let {
                     annotationConstructor ->
-                    IrConstructorCallImpl.fromSymbolOwner(
+                    codeQlAnnotationFromSymbolOwner(
                         UNDEFINED_OFFSET,
                         UNDEFINED_OFFSET,
                         annotationConstructor.returnType,
@@ -2388,13 +2388,13 @@ open class KotlinFileExtractor(
                             id
                         }
 
-                val extReceiver = f.extensionReceiverParameter
+                val extReceiver = f.codeQlExtensionReceiverParameter
                 // The following parameter order is correct, because member $default methods (where
                 // the order would be [dispatchParam], [extensionParam], normalParams) are not
                 // extracted here
                 val fParameters =
                     listOfNotNull(extReceiver) +
-                        (overriddenAttributes?.valueParameters ?: f.valueParameters)
+                        (overriddenAttributes?.valueParameters ?: f.codeQlValueParameters)
                 val paramTypes =
                     fParameters.mapIndexed { i, vp ->
                         extractValueParameter(
@@ -3069,14 +3069,14 @@ open class KotlinFileExtractor(
             logger.errorElement("Unexpected dispatch receiver found", c)
         }
 
-        if (c.valueArgumentsCount < 1) {
+        if (c.codeQlValueArgumentsCount < 1) {
             logger.errorElement("No arguments found", c)
             return
         }
 
         extractArgument(id, c, callable, enclosingStmt, 0, "Operand null")
 
-        if (c.valueArgumentsCount > 1) {
+        if (c.codeQlValueArgumentsCount > 1) {
             logger.errorElement("Extra arguments found", c)
         }
     }
@@ -3095,21 +3095,21 @@ open class KotlinFileExtractor(
             logger.errorElement("Unexpected dispatch receiver found", c)
         }
 
-        if (c.valueArgumentsCount < 1) {
+        if (c.codeQlValueArgumentsCount < 1) {
             logger.errorElement("No arguments found", c)
             return
         }
 
         extractArgument(id, c, callable, enclosingStmt, 0, "LHS null")
 
-        if (c.valueArgumentsCount < 2) {
+        if (c.codeQlValueArgumentsCount < 2) {
             logger.errorElement("No RHS found", c)
             return
         }
 
         extractArgument(id, c, callable, enclosingStmt, 1, "RHS null")
 
-        if (c.valueArgumentsCount > 2) {
+        if (c.codeQlValueArgumentsCount > 2) {
             logger.errorElement("Extra arguments found", c)
         }
     }
@@ -3122,7 +3122,7 @@ open class KotlinFileExtractor(
         idx: Int,
         msg: String
     ) {
-        val op = c.getValueArgument(idx)
+        val op = c.codeQlGetValueArgument(idx)
         if (op == null) {
             logger.errorElement(msg, c)
         } else {
@@ -3267,8 +3267,8 @@ open class KotlinFileExtractor(
         // and which should be replaced by defaults. The final Object parameter is apparently always
         // null.
         (listOfNotNull(if (f.shouldExtractAsStatic) null else f.dispatchReceiverParameter?.type) +
-                listOfNotNull(f.extensionReceiverParameter?.type) +
+                listOfNotNull(f.codeQlExtensionReceiverParameter?.type) +
-                f.valueParameters.map { it.type } +
+                f.codeQlValueParameters.map { it.type } +
                 listOf(pluginContext.irBuiltIns.intType, getDefaultsMethodLastArgType(f)))
             .map { erase(it) }
 
@@ -3345,7 +3345,7 @@ open class KotlinFileExtractor(
         val overriddenCallTarget =
             (callTarget as? IrSimpleFunction)?.allOverridden(includeSelf = true)?.firstOrNull {
                 it.overriddenSymbols.isEmpty() &&
-                    it.valueParameters.any { p -> p.defaultValue != null }
+                    it.codeQlValueParameters.any { p -> p.defaultValue != null }
             } ?: callTarget
         if (isExternalDeclaration(overriddenCallTarget)) {
             // Likewise, ensure the overridden target gets extracted.
@@ -3419,7 +3419,7 @@ open class KotlinFileExtractor(
         }
 
         val valueArgsWithDummies =
-            valueArguments.zip(callTarget.valueParameters).map { (expr, param) ->
+            valueArguments.zip(callTarget.codeQlValueParameters).map { (expr, param) ->
                 expr ?: IrConstImpl.defaultValueForType(0, 0, param.type)
             }
 
@@ -3529,7 +3529,7 @@ open class KotlinFileExtractor(
         callTarget: IrFunction,
         valueArguments: List<IrExpression?>
     ): Boolean {
-        val varargParam = callTarget.valueParameters.withIndex().find { it.value.isVararg }
+        val varargParam = callTarget.codeQlValueParameters.withIndex().find { it.value.isVararg }
         // If the vararg param is the only one not specified, and it has no default value, then we
         // don't need to call a $default method,
         // as omitting it already implies passing an empty vararg array.
@@ -3805,7 +3805,7 @@ open class KotlinFileExtractor(
     ) =
         extractCallValueArguments(
             callId,
-            (0 until call.valueArgumentsCount).map { call.getValueArgument(it) },
+            (0 until call.codeQlValueArgumentsCount).map { call.codeQlGetValueArgument(it) },
             enclosingStmt,
             enclosingCallable,
             idxOffset
@@ -3874,7 +3874,7 @@ open class KotlinFileExtractor(
                     (owner.parentClassOrNull?.fqNameWhenAvailable?.asString() == type ||
                         (owner.parent is IrExternalPackageFragment &&
                             getFileClassFqName(owner)?.asString() == type)) &&
-                        owner.valueParameters
+                        owner.codeQlValueParameters
                             .map { it.type.classFqName?.asString() }
                             .toTypedArray() contentEquals parameterTypes
                 }
@@ -3926,8 +3926,8 @@ open class KotlinFileExtractor(
         val result =
             javaLangString?.declarations?.findSubType<IrFunction> {
                 it.name.asString() == "valueOf" &&
-                    it.valueParameters.size == 1 &&
+                    it.codeQlValueParameters.size == 1 &&
-                    it.valueParameters[0].type == pluginContext.irBuiltIns.anyNType
+                    it.codeQlValueParameters[0].type == pluginContext.irBuiltIns.anyNType
             }
         if (result == null) {
             logger.error("Couldn't find declaration java.lang.String.valueOf(Object)")
@@ -3951,7 +3951,7 @@ open class KotlinFileExtractor(
     val kotlinNoWhenBranchMatchedConstructor by lazy {
         val result =
             kotlinNoWhenBranchMatchedExn?.declarations?.findSubType<IrConstructor> {
-                it.valueParameters.isEmpty()
+                it.codeQlValueParameters.isEmpty()
             }
         if (result == null) {
             logger.error("Couldn't find no-arg constructor for kotlin.NoWhenBranchMatchedException")
@@ -3990,7 +3990,7 @@ open class KotlinFileExtractor(
             verboseln("No match as function name is ${target.name.asString()} not $fName")
             return false
         }
-        val extensionReceiverParameter = target.extensionReceiverParameter
+        val extensionReceiverParameter = target.codeQlExtensionReceiverParameter
         val targetClass =
             if (extensionReceiverParameter == null) {
                 if (isNullable == true) {
@@ -4098,8 +4098,8 @@ open class KotlinFileExtractor(
             ) {
                 val typeArgs =
                     if (extractMethodTypeArguments)
-                        (0 until c.typeArgumentsCount)
+                        (0 until c.codeQlTypeArgumentsCount)
-                            .map { c.getTypeArgument(it) }
+                            .map { c.codeQlGetTypeArgument(it) }
                             .requireNoNullsOrNull()
                     else listOf()
 
@@ -4116,9 +4116,9 @@ open class KotlinFileExtractor(
                     parent,
                     idx,
                     enclosingStmt,
-                    (0 until c.valueArgumentsCount).map { c.getValueArgument(it) },
+                    (0 until c.codeQlValueArgumentsCount).map { c.codeQlGetValueArgument(it) },
                     c.dispatchReceiver,
-                    c.extensionReceiver,
+                    c.codeQlExtensionReceiver,
                     typeArgs,
                     extractClassTypeArguments,
                     c.superQualifierSymbol
@@ -4126,12 +4126,12 @@ open class KotlinFileExtractor(
             }
 
             fun extractSpecialEnumFunction(fnName: String) {
-                if (c.typeArgumentsCount != 1) {
+                if (c.codeQlTypeArgumentsCount != 1) {
                     logger.errorElement("Expected to find exactly one type argument", c)
                     return
                 }
 
-                val enumType = (c.getTypeArgument(0) as? IrSimpleType)?.classifier?.owner
+                val enumType = (c.codeQlGetTypeArgument(0) as? IrSimpleType)?.classifier?.owner
                 if (enumType == null) {
                     logger.errorElement("Couldn't find type of enum type", c)
                     return
@@ -4178,13 +4178,13 @@ open class KotlinFileExtractor(
                 } else {
                     extractExpressionExpr(receiver, callable, id, 0, enclosingStmt)
                 }
-                if (c.valueArgumentsCount < 1) {
+                if (c.codeQlValueArgumentsCount < 1) {
                     logger.errorElement("No RHS found", c)
                 } else {
-                    if (c.valueArgumentsCount > 1) {
+                    if (c.codeQlValueArgumentsCount > 1) {
                         logger.errorElement("Extra arguments found", c)
                     }
-                    val arg = c.getValueArgument(0)
+                    val arg = c.codeQlGetValueArgument(0)
                     if (arg == null) {
                         logger.errorElement("RHS null", c)
                     } else {
@@ -4205,7 +4205,7 @@ open class KotlinFileExtractor(
                 } else {
                     extractExpressionExpr(receiver, callable, id, 0, enclosingStmt)
                 }
-                if (c.valueArgumentsCount > 0) {
+                if (c.codeQlValueArgumentsCount > 0) {
                     logger.errorElement("Extra arguments found", c)
                 }
             }
@@ -4219,7 +4219,7 @@ open class KotlinFileExtractor(
             }
 
             fun binopExt(id: Label<out DbExpr>) {
-                binopReceiver(id, c.extensionReceiver, "Extension receiver")
+                binopReceiver(id, c.codeQlExtensionReceiver, "Extension receiver")
             }
 
             fun unaryopDisp(id: Label<out DbExpr>) {
@@ -4227,7 +4227,7 @@ open class KotlinFileExtractor(
             }
 
             fun unaryopExt(id: Label<out DbExpr>) {
-                unaryopReceiver(id, c.extensionReceiver, "Extension receiver")
+                unaryopReceiver(id, c.codeQlExtensionReceiver, "Extension receiver")
             }
 
             val dr = c.dispatchReceiver
@@ -4249,7 +4249,7 @@ open class KotlinFileExtractor(
                             parent,
                             idx,
                             enclosingStmt,
-                            listOf(c.extensionReceiver, c.getValueArgument(0)),
+                            listOf(c.codeQlExtensionReceiver, c.codeQlGetValueArgument(0)),
                             null,
                             null
                         )
@@ -4350,7 +4350,7 @@ open class KotlinFileExtractor(
                 // != gets desugared into not and ==. Here we resugar it.
                 c.origin == IrStatementOrigin.EXCLEQ &&
                     isFunction(target, "kotlin", "Boolean", "not") &&
-                    c.valueArgumentsCount == 0 &&
+                    c.codeQlValueArgumentsCount == 0 &&
                     dr != null &&
                     dr is IrCall &&
                     isBuiltinCallInternal(dr, "EQEQ") -> {
@@ -4362,7 +4362,7 @@ open class KotlinFileExtractor(
                 }
                 c.origin == IrStatementOrigin.EXCLEQEQ &&
                     isFunction(target, "kotlin", "Boolean", "not") &&
-                    c.valueArgumentsCount == 0 &&
+                    c.codeQlValueArgumentsCount == 0 &&
                     dr != null &&
                     dr is IrCall &&
                     isBuiltinCallInternal(dr, "EQEQEQ") -> {
@@ -4374,7 +4374,7 @@ open class KotlinFileExtractor(
                 }
                 c.origin == IrStatementOrigin.EXCLEQ &&
                     isFunction(target, "kotlin", "Boolean", "not") &&
-                    c.valueArgumentsCount == 0 &&
+                    c.codeQlValueArgumentsCount == 0 &&
                     dr != null &&
                     dr is IrCall &&
                     isBuiltinCallInternal(dr, "ieee754equals") -> {
@@ -4576,7 +4576,7 @@ open class KotlinFileExtractor(
                             parent,
                             idx,
                             enclosingStmt,
-                            listOf(c.extensionReceiver),
+                            listOf(c.codeQlExtensionReceiver),
                             null,
                             null
                         )
@@ -4596,8 +4596,8 @@ open class KotlinFileExtractor(
                     val locId = tw.getLocation(c)
                     extractExprContext(id, locId, callable, enclosingStmt)
 
-                    if (c.typeArgumentsCount == 1) {
+                    if (c.codeQlTypeArgumentsCount == 1) {
-                        val typeArgument = c.getTypeArgument(0)
+                        val typeArgument = c.codeQlGetTypeArgument(0)
                         if (typeArgument == null) {
                             logger.errorElement("Type argument missing in an arrayOfNulls call", c)
                         } else {
@@ -4618,8 +4618,8 @@ open class KotlinFileExtractor(
                         )
                     }
 
-                    if (c.valueArgumentsCount == 1) {
+                    if (c.codeQlValueArgumentsCount == 1) {
-                        val dim = c.getValueArgument(0)
+                        val dim = c.codeQlGetValueArgument(0)
                         if (dim != null) {
                             extractExpressionExpr(dim, callable, id, 0, enclosingStmt)
                         } else {
@@ -4651,8 +4651,8 @@ open class KotlinFileExtractor(
                             c.type.getArrayElementTypeCodeQL(pluginContext.irBuiltIns)
                         } else {
                             // TODO: is there any reason not to always use getArrayElementTypeCodeQL?
-                            if (c.typeArgumentsCount == 1) {
+                            if (c.codeQlTypeArgumentsCount == 1) {
-                                c.getTypeArgument(0).also {
+                                c.codeQlGetTypeArgument(0).also {
                                     if (it == null) {
                                         logger.errorElement(
                                             "Type argument missing in an arrayOf call",
@@ -4670,7 +4670,7 @@ open class KotlinFileExtractor(
                         }
 
                     val arg =
-                        if (c.valueArgumentsCount == 1) c.getValueArgument(0)
+                        if (c.codeQlValueArgumentsCount == 1) c.codeQlGetValueArgument(0)
                             else {
                                 logger.errorElement(
                                     "Expected to find only one (vararg) argument in ${c.symbol.owner.name.asString()} call",
@@ -4719,7 +4719,7 @@ open class KotlinFileExtractor(
                                 return
                             }
 
-                            val ext = c.extensionReceiver
+                            val ext = c.codeQlExtensionReceiver
                             if (ext == null) {
                                 logger.errorElement(
                                     "No extension receiver found for `KClass::java` call",
@@ -4826,8 +4826,8 @@ open class KotlinFileExtractor(
                     c.origin == IrStatementOrigin.EQ &&
                     c.dispatchReceiver != null -> {
                     val array = c.dispatchReceiver
-                    val arrayIdx = c.getValueArgument(0)
+                    val arrayIdx = c.codeQlGetValueArgument(0)
-                    val assignedValue = c.getValueArgument(1)
+                    val assignedValue = c.codeQlGetValueArgument(1)
 
                     if (array != null && arrayIdx != null && assignedValue != null) {
 
@@ -4882,22 +4882,22 @@ open class KotlinFileExtractor(
                 }
                 isBuiltinCall(c, "<unsafe-coerce>", "kotlin.jvm.internal") -> {
 
-                    if (c.valueArgumentsCount != 1) {
+                    if (c.codeQlValueArgumentsCount != 1) {
                         logger.errorElement(
-                            "Expected to find one argument for a kotlin.jvm.internal.<unsafe-coerce>() call, but found ${c.valueArgumentsCount}",
+                            "Expected to find one argument for a kotlin.jvm.internal.<unsafe-coerce>() call, but found ${c.codeQlValueArgumentsCount}",
                             c
                         )
                         return
                     }
 
-                    if (c.typeArgumentsCount != 2) {
+                    if (c.codeQlTypeArgumentsCount != 2) {
                         logger.errorElement(
-                            "Expected to find two type arguments for a kotlin.jvm.internal.<unsafe-coerce>() call, but found ${c.typeArgumentsCount}",
+                            "Expected to find two type arguments for a kotlin.jvm.internal.<unsafe-coerce>() call, but found ${c.codeQlTypeArgumentsCount}",
                             c
                         )
                         return
                     }
-                    val valueArg = c.getValueArgument(0)
+                    val valueArg = c.codeQlGetValueArgument(0)
                     if (valueArg == null) {
                         logger.errorElement(
                             "Cannot find value argument for a kotlin.jvm.internal.<unsafe-coerce>() call",
@@ -4905,7 +4905,7 @@ open class KotlinFileExtractor(
                         )
                         return
                     }
-                    val typeArg = c.getTypeArgument(1)
+                    val typeArg = c.codeQlGetTypeArgument(1)
                     if (typeArg == null) {
                         logger.errorElement(
                             "Cannot find type argument for a kotlin.jvm.internal.<unsafe-coerce>() call",
@@ -4924,7 +4924,7 @@ open class KotlinFileExtractor(
                     extractExpressionExpr(valueArg, callable, id, 1, enclosingStmt)
                 }
                 isBuiltinCallInternal(c, "dataClassArrayMemberToString") -> {
-                    val arrayArg = c.getValueArgument(0)
+                    val arrayArg = c.codeQlGetValueArgument(0)
                     val realArrayClass = arrayArg?.type?.classOrNull
                     if (realArrayClass == null) {
                         logger.errorElement(
@@ -4936,8 +4936,8 @@ open class KotlinFileExtractor(
                     val realCallee =
                         javaUtilArrays?.declarations?.findSubType<IrFunction> { decl ->
                             decl.name.asString() == "toString" &&
-                                decl.valueParameters.size == 1 &&
+                                decl.codeQlValueParameters.size == 1 &&
-                                decl.valueParameters[0].type.classOrNull?.let {
+                                decl.codeQlValueParameters[0].type.classOrNull?.let {
                                     it == realArrayClass
                                 } == true
                         }
@@ -4962,7 +4962,7 @@ open class KotlinFileExtractor(
                     }
                 }
                 isBuiltinCallInternal(c, "dataClassArrayMemberHashCode") -> {
-                    val arrayArg = c.getValueArgument(0)
+                    val arrayArg = c.codeQlGetValueArgument(0)
                     val realArrayClass = arrayArg?.type?.classOrNull
                     if (realArrayClass == null) {
                         logger.errorElement(
@@ -4974,8 +4974,8 @@ open class KotlinFileExtractor(
                     val realCallee =
                         javaUtilArrays?.declarations?.findSubType<IrFunction> { decl ->
                             decl.name.asString() == "hashCode" &&
-                                decl.valueParameters.size == 1 &&
+                                decl.codeQlValueParameters.size == 1 &&
-                                decl.valueParameters[0].type.classOrNull?.let {
+                                decl.codeQlValueParameters[0].type.classOrNull?.let {
                                     it == realArrayClass
                                 } == true
                         }
@@ -5155,7 +5155,7 @@ open class KotlinFileExtractor(
         val type = useType(eType)
         val isAnonymous = eType.isAnonymous
         val locId = tw.getLocation(e)
-        val valueArgs = (0 until e.valueArgumentsCount).map { e.getValueArgument(it) }
+        val valueArgs = (0 until e.codeQlValueArgumentsCount).map { e.codeQlGetValueArgument(it) }
 
         val id =
             if (
@@ -5211,10 +5211,10 @@ open class KotlinFileExtractor(
                         realCallTarget is IrConstructor &&
                         realCallTarget.parentClassOrNull?.fqNameWhenAvailable?.asString() ==
                             "kotlin.Enum" &&
-                        realCallTarget.valueParameters.size == 2 &&
+                        realCallTarget.codeQlValueParameters.size == 2 &&
-                        realCallTarget.valueParameters[0].type ==
+                        realCallTarget.codeQlValueParameters[0].type ==
                             pluginContext.irBuiltIns.stringType &&
-                        realCallTarget.valueParameters[1].type == pluginContext.irBuiltIns.intType
+                        realCallTarget.codeQlValueParameters[1].type == pluginContext.irBuiltIns.intType
                 ) {
 
                     val id0 =
@@ -5287,7 +5287,7 @@ open class KotlinFileExtractor(
             }
 
             val args =
-                (0 until e.typeArgumentsCount).map { e.getTypeArgument(it) }.requireNoNullsOrNull()
+                (0 until e.codeQlTypeArgumentsCount).map { e.codeQlGetTypeArgument(it) }.requireNoNullsOrNull()
             if (args == null) {
                 logger.warnElement("Found null type argument in enum constructor call", e)
                 return
@@ -5365,7 +5365,7 @@ open class KotlinFileExtractor(
                 // Check for an expression like x = get(x).op(e):
                 val opReceiver = updateRhs.dispatchReceiver
                 if (isExpectedLhs(opReceiver)) {
-                    updateRhs.getValueArgument(0)
+                    updateRhs.codeQlGetValueArgument(0)
                 } else null
             } else null
         }
@@ -5560,7 +5560,7 @@ open class KotlinFileExtractor(
                                     "set"
                                 )
                             ) {
-                                val updateRhs0 = arraySetCall.getValueArgument(1)
+                                val updateRhs0 = arraySetCall.codeQlGetValueArgument(1)
                                 if (updateRhs0 == null) {
                                     logger.errorElement("Update RHS not found", e)
                                     return false
@@ -6403,12 +6403,12 @@ open class KotlinFileExtractor(
                     val ids = getLocallyVisibleFunctionLabels(e.function)
                     val locId = tw.getLocation(e)
 
-                    val ext = e.function.extensionReceiverParameter
+                    val ext = e.function.codeQlExtensionReceiverParameter
                     val parameters =
                         if (ext != null) {
-                            listOf(ext) + e.function.valueParameters
+                            listOf(ext) + e.function.codeQlValueParameters
                         } else {
-                            e.function.valueParameters
+                            e.function.codeQlValueParameters
                         }
 
                     var types = parameters.map { it.type }
@@ -6670,7 +6670,7 @@ open class KotlinFileExtractor(
                 is IrFunction -> {
                     if (
                         ownerParent.dispatchReceiverParameter == owner &&
-                            ownerParent.extensionReceiverParameter != null
+                            ownerParent.codeQlExtensionReceiverParameter != null
                     ) {
 
                         val ownerParent2 = ownerParent.parent
@@ -7089,7 +7089,7 @@ open class KotlinFileExtractor(
             makeReceiverInfo(callableReferenceExpr.dispatchReceiver, 0)
         private val extensionReceiverInfo =
             makeReceiverInfo(
-                callableReferenceExpr.extensionReceiver,
+                callableReferenceExpr.codeQlExtensionReceiver,
                 if (dispatchReceiverInfo == null) 0 else 1
             )
 
@@ -7627,8 +7627,8 @@ open class KotlinFileExtractor(
                     }
 
             val expressionTypeArguments =
-                (0 until propertyReferenceExpr.typeArgumentsCount).mapNotNull {
+                (0 until propertyReferenceExpr.codeQlTypeArgumentsCount).mapNotNull {
-                    propertyReferenceExpr.getTypeArgument(it)
+                    propertyReferenceExpr.codeQlGetTypeArgument(it)
                 }
 
             val idPropertyRef = tw.getFreshIdLabel<DbPropertyref>()
@@ -7829,7 +7829,7 @@ open class KotlinFileExtractor(
 
             if (
                 functionReferenceExpr.dispatchReceiver != null &&
-                    functionReferenceExpr.extensionReceiver != null
+                    functionReferenceExpr.codeQlExtensionReceiver != null
             ) {
                 logger.errorElement(
                     "Unexpected: dispatchReceiver and extensionReceiver are both non-null",
@@ -7840,7 +7840,7 @@ open class KotlinFileExtractor(
 
             if (
                 target.owner.dispatchReceiverParameter != null &&
-                    target.owner.extensionReceiverParameter != null
+                    target.owner.codeQlExtensionReceiverParameter != null
             ) {
                 logger.errorElement(
                     "Unexpected: dispatch and extension parameters are both non-null",
@@ -7899,8 +7899,8 @@ open class KotlinFileExtractor(
                             null
                         }
                 expressionTypeArguments =
-                    (0 until functionReferenceExpr.typeArgumentsCount).mapNotNull {
+                    (0 until functionReferenceExpr.codeQlTypeArgumentsCount).mapNotNull {
-                        functionReferenceExpr.getTypeArgument(it)
+                        functionReferenceExpr.codeQlGetTypeArgument(it)
                     }
                 dispatchReceiverIdx = -1
             }
@@ -7965,7 +7965,7 @@ open class KotlinFileExtractor(
                         functionReferenceExpr,
                         declarationParent,
                         null,
-                        { it.valueParameters.size == 1 }
+                        { it.codeQlValueParameters.size == 1 }
                     ) {
                         // The argument to FunctionReference's constructor is the function arity.
                         extractConstantInteger(
@@ -8572,7 +8572,7 @@ open class KotlinFileExtractor(
         reverse: Boolean = false
     ) {
         val typeArguments =
-            (0 until c.typeArgumentsCount).map { c.getTypeArgument(it) }.requireNoNullsOrNull()
+            (0 until c.codeQlTypeArgumentsCount).map { c.codeQlGetTypeArgument(it) }.requireNoNullsOrNull()
         if (typeArguments == null) {
             logger.errorElement("Found a null type argument for a member access expression", c)
         } else {
@@ -8923,11 +8923,11 @@ open class KotlinFileExtractor(
                     tw.writeVariableBinding(lhsId, fieldId)
 
                     val parameters = mutableListOf<IrValueParameter>()
-                    val extParam = samMember.extensionReceiverParameter
+                    val extParam = samMember.codeQlExtensionReceiverParameter
                     if (extParam != null) {
                         parameters.add(extParam)
                     }
-                    parameters.addAll(samMember.valueParameters)
+                    parameters.addAll(samMember.codeQlValueParameters)
 
                     fun extractArgument(
                         p: IrValueParameter,
@@ -9032,7 +9032,7 @@ open class KotlinFileExtractor(
         elementToReportOn: IrElement,
         declarationParent: IrDeclarationParent,
         compilerGeneratedKindOverride: CompilerGeneratedKinds? = null,
-        superConstructorSelector: (IrFunction) -> Boolean = { it.valueParameters.isEmpty() },
+        superConstructorSelector: (IrFunction) -> Boolean = { it.codeQlValueParameters.isEmpty() },
         extractSuperconstructorArgs: (Label<DbSuperconstructorinvocationstmt>) -> Unit = {},
     ): Label<out DbClassorinterface> {
         // Write class

java/kotlin-extractor/src/main/kotlin/KotlinUsesExtractor.kt

@@ -12,7 +12,7 @@ import org.jetbrains.kotlin.ir.ObsoleteDescriptorBasedAPI
 import org.jetbrains.kotlin.ir.declarations.*
 import org.jetbrains.kotlin.ir.expressions.*
 import org.jetbrains.kotlin.ir.symbols.*
-import org.jetbrains.kotlin.ir.types.addAnnotations
+import com.github.codeql.utils.versions.codeQlAddAnnotations
 import org.jetbrains.kotlin.ir.types.classFqName
 import org.jetbrains.kotlin.ir.types.classifierOrNull
 import org.jetbrains.kotlin.ir.types.classOrNull
@@ -355,7 +355,7 @@ open class KotlinUsesExtractor(
     }
 
     private fun propertySignature(p: IrProperty) =
-        ((p.getter ?: p.setter)?.extensionReceiverParameter?.let {
+        ((p.getter ?: p.setter)?.codeQlExtensionReceiverParameter?.let {
             useType(erase(it.type)).javaResult.signature
         } ?: "")
 
@@ -368,7 +368,7 @@ open class KotlinUsesExtractor(
                 // useDeclarationParent -> useFunction
                 // -> extractFunctionLaterIfExternalFileMember, which would result for `fun <T> f(t:
                 // T) { ... }` for example.
-                (listOfNotNull(d.extensionReceiverParameter) + d.valueParameters)
+                (listOfNotNull(d.codeQlExtensionReceiverParameter) + d.codeQlValueParameters)
                     .map { useType(erase(it.type)).javaResult.signature }
                     .joinToString(separator = ",", prefix = "(", postfix = ")")
             is IrProperty -> propertySignature(d) + externalClassExtractor.propertySignature
@@ -488,8 +488,8 @@ open class KotlinUsesExtractor(
             val result =
                 replacementClass.declarations.findSubType<IrSimpleFunction> { replacementDecl ->
                     replacementDecl.name == f.name &&
-                        replacementDecl.valueParameters.size == f.valueParameters.size &&
+                        replacementDecl.codeQlValueParameters.size == f.codeQlValueParameters.size &&
-                        replacementDecl.valueParameters.zip(f.valueParameters).all {
+                        replacementDecl.codeQlValueParameters.zip(f.codeQlValueParameters).all {
                             erase(it.first.type) == erase(it.second.type)
                         }
                 }
@@ -1265,7 +1265,7 @@ open class KotlinUsesExtractor(
     private fun getWildcardSuppressionDirective(t: IrAnnotationContainer): Boolean? =
         t.getAnnotation(jvmWildcardSuppressionAnnotation)?.let {
             @Suppress("USELESS_CAST") // `as? Boolean` is not needed for Kotlin < 2.1
-            (it.getValueArgument(0) as? CodeQLIrConst<Boolean>)?.value as? Boolean ?: true
+            (it.codeQlGetValueArgument(0) as? CodeQLIrConst<Boolean>)?.value as? Boolean ?: true
         }
 
     private fun addJavaLoweringArgumentWildcards(
@@ -1376,9 +1376,9 @@ open class KotlinUsesExtractor(
             f.parent,
             parentId,
             getFunctionShortName(f).nameInDB,
-            (maybeParameterList ?: f.valueParameters).map { it.type },
+            (maybeParameterList ?: f.codeQlValueParameters).map { it.type },
             getAdjustedReturnType(f),
-            f.extensionReceiverParameter?.type,
+            f.codeQlExtensionReceiverParameter?.type,
             getFunctionTypeParameters(f),
             classTypeArgsIncludingOuterClasses,
             overridesCollectionsMethodWithAlteredParameterTypes(f),
@@ -1401,12 +1401,12 @@ open class KotlinUsesExtractor(
         // The name of the function; normally f.name.asString().
         name: String,
         // The types of the value parameters that the functions takes; normally
-        // f.valueParameters.map { it.type }.
+        // f.codeQlValueParameters.map { it.type }.
         parameterTypes: List<IrType>,
         // The return type of the function; normally f.returnType.
         returnType: IrType,
         // The extension receiver of the function, if any; normally
-        // f.extensionReceiverParameter?.type.
+        // f.codeQlExtensionReceiverParameter?.type.
         extensionParamType: IrType?,
         // The type parameters of the function. This does not include type parameters of enclosing
         // classes.
@@ -1579,7 +1579,7 @@ open class KotlinUsesExtractor(
                 parentClass.fqNameWhenAvailable?.asString() !=
                     "java.util.concurrent.ConcurrentHashMap" ||
                 getFunctionShortName(f).nameInDB != "keySet" ||
-                f.valueParameters.isNotEmpty() ||
+                f.codeQlValueParameters.isNotEmpty() ||
                 f.returnType.classFqName?.asString() != "kotlin.collections.MutableSet"
         ) {
             return f.returnType
@@ -1587,7 +1587,7 @@ open class KotlinUsesExtractor(
 
         val otherKeySet =
             parentClass.declarations.findSubType<IrFunction> {
-                it.name.asString() == "keySet" && it.valueParameters.size == 1
+                it.name.asString() == "keySet" && it.codeQlValueParameters.size == 1
             } ?: return f.returnType
 
         return otherKeySet.returnType.codeQlWithHasQuestionMark(false)
@@ -1695,8 +1695,8 @@ open class KotlinUsesExtractor(
                         javaClass.declarations.findSubType<IrFunction> { decl ->
                             !decl.isFakeOverride &&
                                 decl.name.asString() == jvmName &&
-                                decl.valueParameters.size == f.valueParameters.size &&
+                                decl.codeQlValueParameters.size == f.codeQlValueParameters.size &&
-                                decl.valueParameters.zip(f.valueParameters).all { p ->
+                                decl.codeQlValueParameters.zip(f.codeQlValueParameters).all { p ->
                                     erase(p.first.type).classifierOrNull ==
                                         erase(p.second.type).classifierOrNull
                                 }
@@ -2125,7 +2125,7 @@ open class KotlinUsesExtractor(
                 }
 
                 return if (t.arguments.isNotEmpty())
-                    t.addAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
+                    t.codeQlAddAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
                 else t
             }
         }
@@ -2153,7 +2153,7 @@ open class KotlinUsesExtractor(
         val idxOffset =
             if (
                 declarationParent is IrFunction &&
-                    declarationParent.extensionReceiverParameter != null
+                    declarationParent.codeQlExtensionReceiverParameter != null
             )
             // For extension functions increase the index to match what the java extractor sees:
             1
@@ -2187,7 +2187,7 @@ open class KotlinUsesExtractor(
     // Gets a field's corresponding property's extension receiver type, if any
     fun getExtensionReceiverType(f: IrField) =
         f.correspondingPropertySymbol?.owner?.let {
-            (it.getter ?: it.setter)?.extensionReceiverParameter?.type
+            (it.getter ?: it.setter)?.codeQlExtensionReceiverParameter?.type
         }
 
     fun getFieldLabel(f: IrField): String {
@@ -2222,14 +2222,14 @@ open class KotlinUsesExtractor(
         val setter = p.setter
 
         val func = getter ?: setter
-        val ext = func?.extensionReceiverParameter
+        val ext = func?.codeQlExtensionReceiverParameter
 
         return if (ext == null) {
             "@\"property;{$parentId};${p.name.asString()}\""
         } else {
             val returnType =
                 getter?.returnType
-                    ?: setter?.valueParameters?.singleOrNull()?.type
+                    ?: setter?.codeQlValueParameters?.singleOrNull()?.type
                     ?: pluginContext.irBuiltIns.unitType
             val typeParams = getFunctionTypeParameters(func)
 

java/kotlin-extractor/src/main/kotlin/MetaAnnotationSupport.kt

@@ -1,5 +1,10 @@
 package com.github.codeql
 
+import com.github.codeql.utils.versions.codeQlAnnotationFromSymbolOwner
+import com.github.codeql.utils.versions.codeQlGetValueArgument
+import com.github.codeql.utils.versions.codeQlPutValueArgument
+import com.github.codeql.utils.versions.codeQlSetAnnotations
+import com.github.codeql.utils.versions.codeQlSetDispatchReceiverParameter
 import com.github.codeql.utils.versions.createImplicitParameterDeclarationWithWrappedDescriptor
 import java.lang.annotation.ElementType
 import java.util.HashSet
@@ -95,7 +100,7 @@ class MetaAnnotationSupport(
                     JvmAnnotationNames.REPEATABLE_ANNOTATION
             }
         return if (jvmRepeatable != null) {
-            ((jvmRepeatable.getValueArgument(0) as? IrClassReference)?.symbol as? IrClassSymbol)
+            ((jvmRepeatable.codeQlGetValueArgument(0) as? IrClassReference)?.symbol as? IrClassSymbol)
                 ?.owner
         } else {
             getOrCreateSyntheticRepeatableAnnotationContainer(annotationClass)
@@ -117,12 +122,12 @@ class MetaAnnotationSupport(
             )
             return null
         } else {
-            return IrConstructorCallImpl.fromSymbolOwner(
+            return codeQlAnnotationFromSymbolOwner(
                     containerClass.defaultType,
                     containerConstructor.symbol
                 )
                 .apply {
-                    putValueArgument(
+                    codeQlPutValueArgument(
                         0,
                         IrVarargImpl(
                             UNDEFINED_OFFSET,
@@ -144,7 +149,7 @@ class MetaAnnotationSupport(
 
     // Taken from AdditionalClassAnnotationLowering.kt
     private fun loadAnnotationTargets(targetEntry: IrConstructorCall): Set<KotlinTarget>? {
-        val valueArgument = targetEntry.getValueArgument(0) as? IrVararg ?: return null
+        val valueArgument = targetEntry.codeQlGetValueArgument(0) as? IrVararg ?: return null
         return valueArgument.elements
             .filterIsInstance<IrGetEnumValue>()
             .mapNotNull { KotlinTarget.valueOrNull(it.symbol.owner.name.asString()) }
@@ -230,14 +235,14 @@ class MetaAnnotationSupport(
             )
         }
 
-        return IrConstructorCallImpl.fromSymbolOwner(
+        return codeQlAnnotationFromSymbolOwner(
                 UNDEFINED_OFFSET,
                 UNDEFINED_OFFSET,
                 targetConstructor.returnType,
                 targetConstructor.symbol,
                 0
             )
-            .apply { putValueArgument(0, vararg) }
+            .apply { codeQlPutValueArgument(0, vararg) }
     }
 
     private val javaAnnotationRetention by lazy {
@@ -263,7 +268,7 @@ class MetaAnnotationSupport(
     // Taken from AnnotationCodegen.kt (not available in Kotlin < 1.6.20)
     private fun IrClass.getAnnotationRetention(): KotlinRetention? {
         val retentionArgument =
-            getAnnotation(StandardNames.FqNames.retention)?.getValueArgument(0) as? IrGetEnumValue
+            getAnnotation(StandardNames.FqNames.retention)?.codeQlGetValueArgument(0) as? IrGetEnumValue
                 ?: return null
         val retentionArgumentValue = retentionArgument.symbol.owner
         return KotlinRetention.valueOf(retentionArgumentValue.name.asString())
@@ -283,7 +288,7 @@ class MetaAnnotationSupport(
         val targetConstructor =
             retentionType.declarations.firstIsInstanceOrNull<IrConstructor>() ?: return null
 
-        return IrConstructorCallImpl.fromSymbolOwner(
+        return codeQlAnnotationFromSymbolOwner(
                 UNDEFINED_OFFSET,
                 UNDEFINED_OFFSET,
                 targetConstructor.returnType,
@@ -291,7 +296,7 @@ class MetaAnnotationSupport(
                 0
             )
             .apply {
-                putValueArgument(
+                codeQlPutValueArgument(
                     0,
                     IrGetEnumValueImpl(
                         UNDEFINED_OFFSET,
@@ -333,7 +338,7 @@ class MetaAnnotationSupport(
                             return
                         }
                 val newParam = thisReceiever.copyTo(this)
-                dispatchReceiverParameter = newParam
+                codeQlSetDispatchReceiverParameter(newParam)
                 body =
                     factory
                         .createBlockBody(UNDEFINED_OFFSET, UNDEFINED_OFFSET)
@@ -406,7 +411,7 @@ class MetaAnnotationSupport(
             val repeatableContainerAnnotation =
                 kotlinAnnotationRepeatableContainer?.constructors?.single()
 
-            containerClass.annotations =
+            codeQlSetAnnotations(containerClass,
                 annotationClass.annotations
                     .filter {
                         it.isAnnotationWithEqualFqName(StandardNames.FqNames.retention) ||
@@ -415,7 +420,7 @@ class MetaAnnotationSupport(
                     .map { it.deepCopyWithSymbols(containerClass) } +
                     listOfNotNull(
                         repeatableContainerAnnotation?.let {
-                            IrConstructorCallImpl.fromSymbolOwner(
+                            codeQlAnnotationFromSymbolOwner(
                                 UNDEFINED_OFFSET,
                                 UNDEFINED_OFFSET,
                                 it.returnType,
@@ -424,6 +429,7 @@ class MetaAnnotationSupport(
                             )
                         }
                     )
+            )
 
             containerClass
         }
@@ -462,14 +468,14 @@ class MetaAnnotationSupport(
                 containerClass.symbol,
                 containerClass.defaultType
             )
-        return IrConstructorCallImpl.fromSymbolOwner(
+        return codeQlAnnotationFromSymbolOwner(
                 UNDEFINED_OFFSET,
                 UNDEFINED_OFFSET,
                 repeatableConstructor.returnType,
                 repeatableConstructor.symbol,
                 0
             )
-            .apply { putValueArgument(0, containerReference) }
+            .apply { codeQlPutValueArgument(0, containerReference) }
     }
 
     private val javaAnnotationDocumented by lazy {
@@ -488,7 +494,7 @@ class MetaAnnotationSupport(
             javaAnnotationDocumented?.declarations?.firstIsInstanceOrNull<IrConstructor>()
                 ?: return null
 
-        return IrConstructorCallImpl.fromSymbolOwner(
+        return codeQlAnnotationFromSymbolOwner(
             UNDEFINED_OFFSET,
             UNDEFINED_OFFSET,
             documentedConstructor.returnType,

java/kotlin-extractor/src/main/kotlin/TrapWriter.kt

@@ -1,6 +1,7 @@
 package com.github.codeql
 
 import com.github.codeql.KotlinUsesExtractor.LocallyVisibleFunctionLabels
+import com.github.codeql.utils.versions.codeQlExtensionReceiver
 import com.semmle.extractor.java.PopulateFile
 import com.semmle.util.unicode.UTF8Util
 import java.io.BufferedWriter
@@ -331,7 +332,7 @@ open class FileTrapWriter(
             is IrCall -> {
                 // Calls have incorrect startOffset, so we adjust them:
                 val dr = e.dispatchReceiver?.let { getStartOffset(it) }
-                val er = e.extensionReceiver?.let { getStartOffset(it) }
+                val er = e.codeQlExtensionReceiver?.let { getStartOffset(it) }
                 offsetMinOf(e.startOffset, dr, er)
             }
             else -> e.startOffset

java/kotlin-extractor/src/main/kotlin/comments/CommentExtractor.kt

@@ -2,6 +2,7 @@ package com.github.codeql.comments
 
 import com.github.codeql.*
 import com.github.codeql.utils.isLocalFunction
+import com.github.codeql.utils.versions.codeQlExtensionReceiverParameter
 import com.github.codeql.utils.versions.isDispatchReceiver
 import org.jetbrains.kotlin.ir.IrElement
 import org.jetbrains.kotlin.ir.declarations.*
@@ -11,7 +12,7 @@ import org.jetbrains.kotlin.ir.util.parentClassOrNull
 
 private fun IrValueParameter.isExtensionReceiver(): Boolean {
     val parentFun = parent as? IrFunction ?: return false
-    return parentFun.extensionReceiverParameter == this
+    return parentFun.codeQlExtensionReceiverParameter == this
 }
 
 open class CommentExtractor(

java/kotlin-extractor/src/main/kotlin/utils/JvmNames.kt

@@ -1,6 +1,8 @@
 package com.github.codeql.utils
 
 import com.github.codeql.utils.versions.CodeQLIrConst
+import com.github.codeql.utils.versions.codeQlGetValueArgument
+import com.github.codeql.utils.versions.codeQlValueArgumentsCount
 import org.jetbrains.kotlin.builtins.StandardNames
 import org.jetbrains.kotlin.ir.declarations.IrAnnotationContainer
 import org.jetbrains.kotlin.ir.declarations.IrClass
@@ -76,9 +78,9 @@ private fun getSpecialJvmName(f: IrFunction): String? {
 fun getJvmName(container: IrAnnotationContainer): String? {
     for (a: IrConstructorCall in container.annotations) {
         val t = a.type
-        if (t is IrSimpleType && a.valueArgumentsCount == 1) {
+        if (t is IrSimpleType && a.codeQlValueArgumentsCount == 1) {
             val owner = t.classifier.owner
-            val v = a.getValueArgument(0)
+            val v = a.codeQlGetValueArgument(0)
             if (owner is IrClass) {
                 val aPkg = owner.packageFqName?.asString()
                 val name = owner.name.asString()

java/kotlin-extractor/src/main/kotlin/utils/TypeSubstitution.kt

@@ -18,7 +18,7 @@ import org.jetbrains.kotlin.ir.expressions.IrConstructorCall
 import org.jetbrains.kotlin.ir.expressions.impl.*
 import org.jetbrains.kotlin.ir.symbols.IrTypeParameterSymbol
 import org.jetbrains.kotlin.ir.symbols.impl.DescriptorlessExternalPackageFragmentSymbol
-import org.jetbrains.kotlin.ir.types.addAnnotations
+import com.github.codeql.utils.versions.codeQlAddAnnotations
 import org.jetbrains.kotlin.ir.types.classifierOrNull
 import org.jetbrains.kotlin.ir.types.makeNotNull
 import org.jetbrains.kotlin.ir.types.makeNullable
@@ -192,7 +192,7 @@ object RawTypeAnnotation {
                     addConstructor { isPrimary = true }
                 }
         val constructor = annoClass.constructors.single()
-        IrConstructorCallImpl.fromSymbolOwner(constructor.constructedClassType, constructor.symbol)
+        codeQlAnnotationFromSymbolOwner(constructor.constructedClassType, constructor.symbol)
     }
 }
 
@@ -202,7 +202,7 @@ fun IrType.toRawType(): IrType =
             when (val owner = this.classifier.owner) {
                 is IrClass -> {
                     if (this.arguments.isNotEmpty())
-                        this.addAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
+                        this.codeQlAddAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
                     else this
                 }
                 is IrTypeParameter -> owner.superTypes[0].toRawType()
@@ -215,7 +215,7 @@ fun IrType.toRawType(): IrType =
 fun IrClass.toRawType(): IrType {
     val result = this.typeWith(listOf())
     return if (this.typeParameters.isNotEmpty())
-        result.addAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
+        result.codeQlAddAnnotations(listOf(RawTypeAnnotation.annotationConstructor))
     else result
 }
 

java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_8_0/IrCompat.kt

@@ -0,0 +1,70 @@
+package com.github.codeql.utils.versions
+
+import org.jetbrains.kotlin.ir.declarations.IrFunction
+import org.jetbrains.kotlin.ir.declarations.IrValueParameter
+import org.jetbrains.kotlin.ir.expressions.IrConstructorCall
+import org.jetbrains.kotlin.ir.expressions.IrExpression
+import org.jetbrains.kotlin.ir.expressions.IrMemberAccessExpression
+import org.jetbrains.kotlin.ir.expressions.impl.*
+import org.jetbrains.kotlin.ir.symbols.IrConstructorSymbol
+import org.jetbrains.kotlin.ir.types.IrType
+import org.jetbrains.kotlin.ir.types.addAnnotations
+
+/**
+ * Compatibility accessors for pre-2.4.0 API patterns.
+ * In pre-2.4.0 versions, these delegate directly to the existing APIs.
+ */
+
+// IrFunction: valueParameters
+val IrFunction.codeQlValueParameters: List<IrValueParameter>
+    get() = valueParameters
+
+// IrFunction: extensionReceiverParameter
+val IrFunction.codeQlExtensionReceiverParameter: IrValueParameter?
+    get() = extensionReceiverParameter
+
+// IrMemberAccessExpression: valueArgumentsCount
+val IrMemberAccessExpression<*>.codeQlValueArgumentsCount: Int
+    get() = valueArgumentsCount
+
+// IrMemberAccessExpression: getValueArgument
+fun IrMemberAccessExpression<*>.codeQlGetValueArgument(index: Int): IrExpression? = getValueArgument(index)
+
+// IrMemberAccessExpression: putValueArgument
+fun IrMemberAccessExpression<*>.codeQlPutValueArgument(index: Int, value: IrExpression?) {
+    putValueArgument(index, value)
+}
+
+// IrMemberAccessExpression: extensionReceiver
+val IrMemberAccessExpression<*>.codeQlExtensionReceiver: IrExpression?
+    get() = extensionReceiver
+
+// IrMemberAccessExpression: typeArgumentsCount
+val IrMemberAccessExpression<*>.codeQlTypeArgumentsCount: Int
+    get() = typeArgumentsCount
+
+// IrMemberAccessExpression: getTypeArgument
+fun IrMemberAccessExpression<*>.codeQlGetTypeArgument(index: Int): IrType? = getTypeArgument(index)
+
+// addAnnotations compat: in pre-2.4.0, addAnnotations expects List<IrConstructorCall>
+fun IrType.codeQlAddAnnotations(annotations: List<IrConstructorCall>): IrType =
+    addAnnotations(annotations)
+
+// IrMutableAnnotationContainer.annotations setter: in pre-2.4.0, annotations is var with List<IrConstructorCall>
+fun codeQlSetAnnotations(container: org.jetbrains.kotlin.ir.declarations.IrMutableAnnotationContainer, annotations: List<IrConstructorCall>) {
+    container.annotations = annotations
+}
+
+// IrFunction: set dispatch receiver parameter (pre-2.4.0 it's a var)
+fun IrFunction.codeQlSetDispatchReceiverParameter(param: IrValueParameter?) {
+    dispatchReceiverParameter = param
+}
+
+// In pre-2.4.0, annotations are List<IrConstructorCall> so IrConstructorCallImpl works directly.
+fun codeQlAnnotationFromSymbolOwner(
+    startOffset: Int, endOffset: Int, type: IrType, symbol: IrConstructorSymbol, typeArgumentsCount: Int
+): IrConstructorCall =
+    IrConstructorCallImpl.fromSymbolOwner(startOffset, endOffset, type, symbol, typeArgumentsCount)
+
+fun codeQlAnnotationFromSymbolOwner(type: IrType, symbol: IrConstructorSymbol): IrConstructorCall =
+    IrConstructorCallImpl.fromSymbolOwner(type, symbol)

java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_8_0/Kotlin2ComponentRegistrar.kt

@@ -3,10 +3,32 @@
 
 package com.github.codeql
 
+import com.intellij.mock.MockProject
+import com.intellij.openapi.extensions.LoadingOrder
+import org.jetbrains.kotlin.backend.common.extensions.IrGenerationExtension
 import org.jetbrains.kotlin.compiler.plugin.ComponentRegistrar
 import org.jetbrains.kotlin.compiler.plugin.ExperimentalCompilerApi
+import org.jetbrains.kotlin.config.CompilerConfiguration
 
 @OptIn(ExperimentalCompilerApi::class)
 abstract class Kotlin2ComponentRegistrar : ComponentRegistrar {
     /* Nothing to do; supportsK2 doesn't exist yet. */
+
+    private var project: MockProject? = null
+
+    override fun registerProjectComponents(
+        project: MockProject,
+        configuration: CompilerConfiguration
+    ) {
+        this.project = project
+        doRegisterExtensions(configuration)
+    }
+
+    abstract fun doRegisterExtensions(configuration: CompilerConfiguration)
+
+    fun registerExtractorExtension(extension: IrGenerationExtension) {
+        val p = project ?: throw IllegalStateException("registerExtractorExtension called before registerProjectComponents")
+        val extensionPoint = p.extensionArea.getExtensionPoint(IrGenerationExtension.extensionPointName)
+        extensionPoint.registerExtension(extension, LoadingOrder.LAST, p)
+    }
 }

java/kotlin-extractor/src/main/kotlin/utils/versions/v_1_9_0-Beta/Kotlin2ComponentRegistrar.kt

@@ -3,11 +3,35 @@
 
 package com.github.codeql
 
+import com.intellij.mock.MockProject
+import com.intellij.openapi.extensions.LoadingOrder
+import org.jetbrains.kotlin.backend.common.extensions.IrGenerationExtension
 import org.jetbrains.kotlin.compiler.plugin.ComponentRegistrar
 import org.jetbrains.kotlin.compiler.plugin.ExperimentalCompilerApi
+import org.jetbrains.kotlin.config.CompilerConfiguration
 
 @OptIn(ExperimentalCompilerApi::class)
 abstract class Kotlin2ComponentRegistrar : ComponentRegistrar {
     override val supportsK2: Boolean
         get() = true
+
+    private var project: MockProject? = null
+
+    override fun registerProjectComponents(
+        project: MockProject,
+        configuration: CompilerConfiguration
+    ) {
+        this.project = project
+        doRegisterExtensions(configuration)
+    }
+
+    abstract fun doRegisterExtensions(configuration: CompilerConfiguration)
+
+    fun registerExtractorExtension(extension: IrGenerationExtension) {
+        val p = project ?: throw IllegalStateException("registerExtractorExtension called before registerProjectComponents")
+        // Register with LoadingOrder.LAST to ensure the extractor runs after other
+        // IR generation plugins (like kotlinx.serialization) have generated their code.
+        val extensionPoint = p.extensionArea.getExtensionPoint(IrGenerationExtension.extensionPointName)
+        extensionPoint.registerExtension(extension, LoadingOrder.LAST, p)
+    }
 }

java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_4_0/IrCompat.kt

@@ -0,0 +1,121 @@
+@file:Suppress("DEPRECATION")
+
+package com.github.codeql.utils.versions
+
+import org.jetbrains.kotlin.ir.declarations.IrFunction
+import org.jetbrains.kotlin.ir.declarations.IrValueParameter
+import org.jetbrains.kotlin.ir.expressions.IrAnnotation
+import org.jetbrains.kotlin.ir.expressions.IrConstructorCall
+import org.jetbrains.kotlin.ir.expressions.IrExpression
+import org.jetbrains.kotlin.ir.expressions.IrMemberAccessExpression
+import org.jetbrains.kotlin.ir.expressions.impl.IrAnnotationImpl
+import org.jetbrains.kotlin.ir.expressions.impl.fromSymbolOwner
+import org.jetbrains.kotlin.ir.symbols.IrConstructorSymbol
+import org.jetbrains.kotlin.ir.types.IrType
+import org.jetbrains.kotlin.ir.types.addAnnotations
+
+/**
+ * Compatibility accessors for pre-2.4.0 API patterns.
+ * In 2.4.0, valueParameters/extensionReceiverParameter/extensionReceiver/
+ * getValueArgument/putValueArgument/valueArgumentsCount/typeArgumentsCount/getTypeArgument
+ * have been removed. This file provides the 2.4.0 implementations.
+ */
+
+// IrFunction: valueParameters -> parameters filtered to Regular kind
+val IrFunction.codeQlValueParameters: List<IrValueParameter>
+    get() = parameters.filter { it.kind == org.jetbrains.kotlin.ir.declarations.IrParameterKind.Regular }
+
+// IrFunction: extensionReceiverParameter
+val IrFunction.codeQlExtensionReceiverParameter: IrValueParameter?
+    get() = parameters.firstOrNull { it.kind == org.jetbrains.kotlin.ir.declarations.IrParameterKind.ExtensionReceiver }
+
+// Helper: get the offset of value arguments in the arguments list
+// In 2.4.0, arguments[] includes dispatch/extension receivers before regular params
+private fun IrMemberAccessExpression<*>.valueArgumentOffset(): Int {
+    val owner = symbol.owner as? IrFunction ?: return 0
+    return owner.parameters.count { it.kind != org.jetbrains.kotlin.ir.declarations.IrParameterKind.Regular }
+}
+
+// IrMemberAccessExpression: valueArgumentsCount
+val IrMemberAccessExpression<*>.codeQlValueArgumentsCount: Int
+    get() = arguments.size - valueArgumentOffset()
+
+// IrMemberAccessExpression: getValueArgument
+fun IrMemberAccessExpression<*>.codeQlGetValueArgument(index: Int): IrExpression? = arguments[index + valueArgumentOffset()]
+
+// IrMemberAccessExpression: putValueArgument
+fun IrMemberAccessExpression<*>.codeQlPutValueArgument(index: Int, value: IrExpression?) {
+    arguments[index + valueArgumentOffset()] = value
+}
+
+// IrMemberAccessExpression: extensionReceiver
+// For IrCall/IrFunctionReference, look at symbol.owner (IrFunction) directly.
+// For IrPropertyReference, symbol.owner is IrProperty; use the getter's parameters instead.
+val IrMemberAccessExpression<*>.codeQlExtensionReceiver: IrExpression?
+    get() {
+        val erp = extensionReceiverParameterIndex() ?: return null
+        return arguments[erp]
+    }
+
+private fun IrMemberAccessExpression<*>.extensionReceiverParameterIndex(): Int? {
+    // Direct function owner (IrCall, IrFunctionReference, etc.)
+    (symbol.owner as? IrFunction)?.codeQlExtensionReceiverParameter?.let {
+        return it.indexInParameters
+    }
+    // Property reference: look at getter or setter function
+    (this as? org.jetbrains.kotlin.ir.expressions.IrPropertyReference)?.let { propRef ->
+        propRef.getter?.owner?.codeQlExtensionReceiverParameter?.let {
+            return it.indexInParameters
+        }
+        propRef.setter?.owner?.codeQlExtensionReceiverParameter?.let {
+            return it.indexInParameters
+        }
+    }
+    return null
+}
+
+// IrMemberAccessExpression: typeArgumentsCount
+val IrMemberAccessExpression<*>.codeQlTypeArgumentsCount: Int
+    get() = typeArguments.size
+
+// IrMemberAccessExpression: getTypeArgument
+fun IrMemberAccessExpression<*>.codeQlGetTypeArgument(index: Int): IrType? = typeArguments[index]
+
+// addAnnotations compat: in 2.4.0, addAnnotations expects List<IrAnnotation>
+// IrConstructorCall implements IrAnnotation in 2.4.0, so filterIsInstance is identity
+fun IrType.codeQlAddAnnotations(annotations: List<IrConstructorCall>): IrType =
+    addAnnotations(annotations.filterIsInstance<IrAnnotation>())
+
+// IrMutableAnnotationContainer.annotations setter: in 2.4.0, expects List<IrAnnotation>
+fun codeQlSetAnnotations(container: org.jetbrains.kotlin.ir.declarations.IrMutableAnnotationContainer, annotations: List<IrConstructorCall>) {
+    container.annotations = annotations.filterIsInstance<IrAnnotation>()
+}
+
+// IrFunction: set dispatch receiver parameter
+// In 2.4.0, dispatchReceiverParameter is val; modify the parameters list directly.
+fun IrFunction.codeQlSetDispatchReceiverParameter(param: IrValueParameter?) {
+    val existing = parameters.indexOfFirst { it.kind == org.jetbrains.kotlin.ir.declarations.IrParameterKind.DispatchReceiver }
+    val mutableParams = parameters.toMutableList()
+    if (existing >= 0) {
+        if (param != null) {
+            mutableParams[existing] = param
+        } else {
+            mutableParams.removeAt(existing)
+        }
+    } else if (param != null) {
+        param.kind = org.jetbrains.kotlin.ir.declarations.IrParameterKind.DispatchReceiver
+        mutableParams.add(0, param)
+    }
+    parameters = mutableParams
+}
+
+// In 2.4.0, annotation lists require IrAnnotation instances.
+// Use IrAnnotationImpl.fromSymbolOwner instead of IrConstructorCallImpl.fromSymbolOwner.
+fun codeQlAnnotationFromSymbolOwner(
+    startOffset: Int, endOffset: Int, type: IrType, symbol: IrConstructorSymbol, typeArgumentsCount: Int
+): IrConstructorCall =
+    IrAnnotationImpl.fromSymbolOwner(startOffset, endOffset, type, symbol, typeArgumentsCount)
+
+fun codeQlAnnotationFromSymbolOwner(type: IrType, symbol: IrConstructorSymbol): IrConstructorCall =
+    IrAnnotationImpl.fromSymbolOwner(type, symbol)
+

java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_4_0/Kotlin2ComponentRegistrar.kt

@@ -0,0 +1,45 @@
+package com.github.codeql
+
+import com.intellij.mock.MockProject
+import org.jetbrains.kotlin.backend.common.extensions.IrGenerationExtension
+import org.jetbrains.kotlin.compiler.plugin.CompilerPluginRegistrar
+import org.jetbrains.kotlin.compiler.plugin.ExperimentalCompilerApi
+import org.jetbrains.kotlin.config.CompilerConfiguration
+
+@OptIn(ExperimentalCompilerApi::class)
+@Suppress("DEPRECATION", "DEPRECATION_ERROR")
+abstract class Kotlin2ComponentRegistrar :
+    CompilerPluginRegistrar(),
+    org.jetbrains.kotlin.compiler.plugin.ComponentRegistrar {
+    override val supportsK2: Boolean
+        get() = true
+
+    override val pluginId: String
+        get() = "kotlin-extractor"
+
+    // ComponentRegistrar implementation (legacy path, still called by Kotlin compiler)
+    override fun registerProjectComponents(
+        project: MockProject,
+        configuration: CompilerConfiguration
+    ) {
+        // Registration is done via ExtensionStorage in Kotlin 2.4+.
+        // This legacy entry point remains for compatibility with service discovery.
+    }
+
+    private var extensionStorage: CompilerPluginRegistrar.ExtensionStorage? = null
+
+    override fun ExtensionStorage.registerExtensions(configuration: CompilerConfiguration) {
+        this@Kotlin2ComponentRegistrar.extensionStorage = this
+        doRegisterExtensions(configuration)
+    }
+
+    abstract fun doRegisterExtensions(configuration: CompilerConfiguration)
+
+    protected fun registerExtractorExtension(extension: IrGenerationExtension) {
+        val storage = extensionStorage
+            ?: throw IllegalStateException("registerExtractorExtension called before registerExtensions")
+        with(storage) {
+            IrGenerationExtension.registerExtension(extension)
+        }
+    }
+}

java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_4_0/parameterIndexExcludingReceivers.kt

@@ -0,0 +1,13 @@
+package com.github.codeql.utils.versions
+
+import org.jetbrains.kotlin.ir.declarations.IrFunction
+import org.jetbrains.kotlin.ir.declarations.IrParameterKind
+import org.jetbrains.kotlin.ir.declarations.IrValueParameter
+
+fun parameterIndexExcludingReceivers(vp: IrValueParameter): Int {
+    val offset =
+        (vp.parent as? IrFunction)?.let { f ->
+            f.parameters.count { it.kind == IrParameterKind.DispatchReceiver || it.kind == IrParameterKind.ExtensionReceiver || it.kind == IrParameterKind.Context }
+        } ?: 0
+    return vp.indexInParameters - offset
+}

java/kotlin-extractor/src/main/resources/META-INF/services/org.jetbrains.kotlin.compiler.plugin.CompilerPluginRegistrar

@@ -0,0 +1 @@
+com.github.codeql.KotlinExtractorComponentRegistrar

java/kotlin-extractor/versions.bzl

@@ -11,6 +11,7 @@ VERSIONS = [
     "2.2.20-Beta2",
     "2.3.0",
     "2.3.20",
+    "2.4.0",
 ]
 
 def _version_to_tuple(v):

java/ql/integration-tests/kotlin/all-platforms/diagnostics/kotlin-version-too-new/diagnostics.expected

@@ -1,5 +1,5 @@
 {
-  "markdownMessage": "The Kotlin version installed (`999.999.999`) is too recent for this version of CodeQL. Install a version lower than 2.3.30.",
+  "markdownMessage": "The Kotlin version installed (`999.999.999`) is too recent for this version of CodeQL. Install a version lower than 2.4.10.",
   "severity": "error",
   "source": {
     "extractorName": "java",

java/ql/lib/change-notes/2026-05-07-apache-httpclient-ssrf-sinks.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Improved modeling of Apache HttpClient `execute` method sinks for `java/ssrf` and `java/non-https-url`.

java/ql/lib/change-notes/2026-06-04-kotlin-2.4.0.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Kotlin 2.4.0 can now be analysed.

java/ql/lib/ext/org.apache.http.client.methods.model.yml

@@ -11,7 +11,7 @@ extensions:
       - ["org.apache.http.client.methods", "HttpPost", False, "HttpPost", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "HttpPut", False, "HttpPut", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "HttpRequestBase", True, "setURI", "", "", "Argument[0]", "request-forgery", "manual"]
-      - ["org.apache.http.client.methods", "HttpRequestWrapper", True, "setURI", "(URI)", "", "Argument[0]", "request-forgery", "hq-manual"]
+      - ["org.apache.http.client.methods", "HttpRequestWrapper", True, "setURI", "(URI)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["org.apache.http.client.methods", "HttpTrace", False, "HttpTrace", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "delete", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "get", "", "", "Argument[0]", "request-forgery", "manual"]
@@ -22,3 +22,29 @@ extensions:
       - ["org.apache.http.client.methods", "RequestBuilder", False, "put", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "setUri", "", "", "Argument[0]", "request-forgery", "manual"]
       - ["org.apache.http.client.methods", "RequestBuilder", False, "trace", "", "", "Argument[0]", "request-forgery", "manual"]
+  - addsTo:
+      pack: codeql/java-all
+      extensible: summaryModel
+    data:
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "build", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "delete", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "delete", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "get", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "get", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "getUri", "()", "", "Argument[this]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "head", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "head", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "options", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "options", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "patch", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "patch", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "post", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "post", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "put", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "put", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(URI)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "setUri", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "trace", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
+      - ["org.apache.http.client.methods", "RequestBuilder", True, "trace", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]

java/ql/lib/ext/org.apache.http.client.model.yml

@@ -3,6 +3,11 @@ extensions:
       pack: codeql/java-all
       extensible: sinkModel
     data:
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
-      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpHost,HttpRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
       - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler)", "", "Argument[0]", "request-forgery", "ai-manual"]
+      - ["org.apache.http.client", "HttpClient", True, "execute", "(HttpUriRequest,ResponseHandler,HttpContext)", "", "Argument[0]", "request-forgery", "ai-manual"]

java/ql/test/query-tests/security/CWE-918/ApacheHttpClientExecuteSSRF.java

@@ -0,0 +1,45 @@
+import java.io.IOException;
+
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.client.HttpClient;
+import org.apache.http.client.ResponseHandler;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.client.methods.RequestBuilder;
+import org.apache.http.impl.client.HttpClients;
+import org.apache.http.message.BasicHttpRequest;
+import org.apache.http.protocol.HttpContext;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+public class ApacheHttpClientExecuteSSRF extends HttpServlet {
+
+    protected void doGet(HttpServletRequest request, HttpServletResponse response)
+            throws ServletException, IOException {
+        try {
+
+            String source = request.getParameter("host"); // $ Source
+
+            HttpHost host = new HttpHost(source);
+            HttpRequest req = new BasicHttpRequest("GET", "/");
+            HttpUriRequest uriReq = RequestBuilder.get(source).build(); // $ Alert
+            HttpContext context = null;
+            HttpClient client = HttpClients.createDefault();
+            ResponseHandler<Object> handler = null;
+
+            client.execute(host, req); // $ Alert
+            client.execute(host, req, context); // $ Alert
+            client.execute(host, req, handler); // $ Alert
+            client.execute(host, req, handler, context); // $ Alert
+            client.execute(uriReq); // $ Alert
+            client.execute(uriReq, context); // $ Alert
+            client.execute(uriReq, handler); // $ Alert
+            client.execute(uriReq, handler, context); // $ Alert
+
+        } catch (Exception e) {
+            // TODO: handle exception
+        }
+    }
+}

java/ql/test/query-tests/security/CWE-918/options

@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf
+//semmle-extractor-options: --javac-args -source 11 -target 11 -cp ${testdir}/../../../stubs/javax-validation-constraints:${testdir}/../../../stubs/springframework-5.8.x:${testdir}/../../../stubs/javax-ws-rs-api-2.1.1:${testdir}/../../../stubs/javax-ws-rs-api-3.0.0:${testdir}/../../../stubs/apache-http-4.4.13/:${testdir}/../../../stubs/apache-http-client-4.4.13:${testdir}/../../../stubs/projectreactor-3.4.3/:${testdir}/../../../stubs/postgresql-42.3.3/:${testdir}/../../../stubs/HikariCP-3.4.5/:${testdir}/../../../stubs/spring-jdbc-5.3.8/:${testdir}/../../../stubs/jdbi3-core-3.27.2/:${testdir}/../../../stubs/cargo:${testdir}/../../../stubs/javafx-web:${testdir}/../../../stubs/apache-commons-jelly-1.0.1:${testdir}/../../../stubs/dom4j-2.1.1:${testdir}/../../../stubs/jaxen-1.2.0:${testdir}/../../../stubs/stapler-1.263:${testdir}/../../../stubs/javax-servlet-2.5:${testdir}/../../../stubs/apache-commons-fileupload-1.4:${testdir}/../../../stubs/saxon-xqj-9.x:${testdir}/../../../stubs/apache-commons-beanutils:${testdir}/../../../stubs/apache-commons-lang:${testdir}/../../../stubs/apache-http-5:${testdir}/../../../stubs/playframework-2.6.x:${testdir}/../../../stubs/jaxws-api-2.0:${testdir}/../../../stubs/apache-cxf

java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/HttpClient.java

@@ -0,0 +1,23 @@
+// Generated automatically from org.apache.http.client.HttpClient for testing purposes
+
+package org.apache.http.client;
+
+import java.io.IOException;
+import org.apache.http.HttpHost;
+import org.apache.http.HttpRequest;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.methods.HttpUriRequest;
+import org.apache.http.protocol.HttpContext;
+
+public interface HttpClient {
+    HttpResponse execute(HttpHost target, HttpRequest request) throws IOException;
+    HttpResponse execute(HttpHost target, HttpRequest request, HttpContext context) throws IOException;
+    <T> T execute(HttpHost target, HttpRequest request, ResponseHandler<? extends T> responseHandler) throws IOException;
+    <T> T execute(HttpHost target, HttpRequest request, ResponseHandler<? extends T> responseHandler, HttpContext context)
+            throws IOException;
+    HttpResponse execute(HttpUriRequest request) throws IOException;
+    HttpResponse execute(HttpUriRequest request, HttpContext context) throws IOException;
+    <T> T execute(HttpUriRequest request, ResponseHandler<? extends T> responseHandler) throws IOException;
+    <T> T execute(HttpUriRequest request, ResponseHandler<? extends T> responseHandler, HttpContext context)
+            throws IOException;
+}

java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/client/ResponseHandler.java

@@ -0,0 +1,9 @@
+// Generated automatically from org.apache.http.client.ResponseHandler for testing purposes
+
+package org.apache.http.client;
+
+import org.apache.http.HttpResponse;
+
+public interface ResponseHandler<T> {
+    T handleResponse(HttpResponse response);
+}

java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/CloseableHttpClient.java

@@ -0,0 +1,7 @@
+package org.apache.http.impl.client;
+
+import org.apache.http.client.HttpClient;
+
+public abstract class CloseableHttpClient implements HttpClient {
+
+}

java/ql/test/stubs/apache-http-client-4.4.13/org/apache/http/impl/client/HttpClients.java

@@ -0,0 +1,10 @@
+// Generated automatically from org.apache.http.client.HttpClient for testing purposes
+
+package org.apache.http.impl.client;
+
+import java.io.IOException;
+import org.apache.http.impl.client.CloseableHttpClient;
+
+public final class HttpClients {
+        public static CloseableHttpClient createDefault() { return null; }
+}

javascript/resources/codeql-extractor.yml

@@ -21,13 +21,19 @@ file_coverage_languages:
     scc_languages:
       - TypeScript
       - TypeScript Typings
+  - name: vue
+    display_name: Vue.js component
+    scc_languages:
+      - Vue
 github_api_languages:
   - JavaScript
   - TypeScript
+  - Vue
 scc_languages:
   - JavaScript
   - TypeScript
   - TypeScript Typings
+  - Vue
 file_types:
   - name: javascript
     display_name: JavaScript

python/ql/lib/LegacyPointsTo.qll

@@ -213,11 +213,9 @@ class ExprWithPointsTo extends Expr {
    * Gets what this expression might "refer-to" in the given `context`.
    */
   predicate refersTo(Context context, Object obj, ClassObject cls, AstNode origin) {
-    exists(ControlFlowNode this_, ControlFlowNode origin_ |
+    this.getAFlowNode()
-      this_.getNode() = this and origin_.getNode() = origin
+        .(ControlFlowNodeWithPointsTo)
-    |
+        .refersTo(context, obj, cls, origin.getAFlowNode())
-      this_.(ControlFlowNodeWithPointsTo).refersTo(context, obj, cls, origin_)
-    )
   }
 
   /**
@@ -228,11 +226,7 @@ class ExprWithPointsTo extends Expr {
    */
   pragma[nomagic]
   predicate refersTo(Object obj, AstNode origin) {
-    exists(ControlFlowNode this_, ControlFlowNode origin_ |
+    this.getAFlowNode().(ControlFlowNodeWithPointsTo).refersTo(obj, origin.getAFlowNode())
-      this_.getNode() = this and origin_.getNode() = origin
-    |
-      this_.(ControlFlowNodeWithPointsTo).refersTo(obj, origin_)
-    )
   }
 
   /**
@@ -246,22 +240,16 @@ class ExprWithPointsTo extends Expr {
    * in the given `context`.
    */
   predicate pointsTo(Context context, Value value, AstNode origin) {
-    exists(ControlFlowNode this_, ControlFlowNode origin_ |
+    this.getAFlowNode()
-      this_.getNode() = this and origin_.getNode() = origin
+        .(ControlFlowNodeWithPointsTo)
-    |
+        .pointsTo(context, value, origin.getAFlowNode())
-      this_.(ControlFlowNodeWithPointsTo).pointsTo(context, value, origin_)
-    )
   }
 
   /**
    * Holds if this expression might "point-to" to `value` which is from `origin`.
    */
   predicate pointsTo(Value value, AstNode origin) {
-    exists(ControlFlowNode this_, ControlFlowNode origin_ |
+    this.getAFlowNode().(ControlFlowNodeWithPointsTo).pointsTo(value, origin.getAFlowNode())
-      this_.getNode() = this and origin_.getNode() = origin
-    |
-      this_.(ControlFlowNodeWithPointsTo).pointsTo(value, origin_)
-    )
   }
 
   /**
@@ -487,10 +475,7 @@ class FunctionMetricsWithPointsTo extends FunctionMetrics {
     not non_coupling_method(result) and
     exists(Call call | call.getScope() = this |
       exists(FunctionObject callee | callee.getFunction() = result |
-        exists(CallNode call_ |
+        call.getAFlowNode().getFunction().(ControlFlowNodeWithPointsTo).refersTo(callee)
-          call_.getNode() = call and
-          call_.getFunction().(ControlFlowNodeWithPointsTo).refersTo(callee)
-        )
       )
       or
       exists(Attribute a | call.getFunc() = a |

python/ql/lib/analysis/DefinitionTracking.qll

@@ -64,7 +64,7 @@ private predicate jump_to_defn(ControlFlowNode use, Definition defn) {
 private predicate preferred_jump_to_defn(Expr use, Definition def) {
   not use instanceof ClassExpr and
   not use instanceof FunctionExpr and
-  exists(ControlFlowNode useNode | useNode.getNode() = use | jump_to_defn(useNode, def))
+  jump_to_defn(use.getAFlowNode(), def)
 }
 
 private predicate unique_jump_to_defn(Expr use, Definition def) {
@@ -452,7 +452,7 @@ private predicate self_parameter_jump_to_defn_attribute(
  * This exists primarily for testing use `getPreferredDefinition()` instead.
  */
 Definition getADefinition(Expr use) {
-  exists(ControlFlowNode useNode | useNode.getNode() = use | jump_to_defn(useNode, result)) and
+  jump_to_defn(use.getAFlowNode(), result) and
   not use instanceof Call and
   not use.isArtificial() and
   // Not the use itself

python/ql/lib/change-notes/2026-05-19-deprecate-getAFlowNode.md

@@ -1,5 +0,0 @@
----
-category: deprecated
----
-* The `AstNode.getAFlowNode()` predicate has been deprecated. Use `ControlFlowNode.getNode()` from the other direction instead: replace `e.getAFlowNode() = n` with `n.getNode() = e`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.
-

python/ql/lib/change-notes/2026-06-01-decorator-predicate-simplification.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Simplified the internal predicates that detect `@staticmethod`, `@classmethod` and `@property` decorators to match the decorator's AST `Name` directly, rather than going through the CFG and requiring the name to resolve globally. Code that shadows these three builtin decorators at the module-scope will now be classified by the decorator name alone; in practice, shadowing these names is extremely rare and the call-graph results are unchanged.

python/ql/lib/change-notes/2026-06-01-deprecate-getAReturnValueFlowNode.md

@@ -1,4 +0,0 @@
----
-category: deprecated
----
-* The `Function.getAReturnValueFlowNode()` predicate has been deprecated. Bind a `Return` node explicitly instead — `exists(Return ret | ret.getScope() = f and n.getNode() = ret.getValue())`. This is a preparatory step towards migrating the dataflow library off the legacy CFG; it has no semantic effect.

python/ql/lib/semmle/python/AstExtended.qll

@@ -16,26 +16,21 @@ abstract class AstNode extends AstNode_ {
   /** Gets the scope that this node occurs in */
   abstract Scope getScope();
 
-  /** Gets the location for this AST node */
-  cached
-  Location getLocation() { none() }
-
   /**
-   * DEPRECATED: use `ControlFlowNode.getNode()` from the other direction instead;
-   * that is, replace `e.getAFlowNode() = n` with `n.getNode() = e`. This API is
-   * being removed to untangle the AST and CFG hierarchies in preparation for
-   * migrating the dataflow library off the legacy CFG.
-   *
    * Gets a flow node corresponding directly to this node.
    * NOTE: For some statements and other purely syntactic elements,
-   * there may not be a `ControlFlowNode`.
+   * there may not be a `ControlFlowNode`
    */
   cached
-  deprecated ControlFlowNode getAFlowNode() {
+  ControlFlowNode getAFlowNode() {
     Stages::AST::ref() and
     py_flow_bb_node(result, this, _, _)
   }
 
+  /** Gets the location for this AST node */
+  cached
+  Location getLocation() { none() }
+
   /**
    * Whether this syntactic element is artificial, that is it is generated
    * by the compiler and is not present in the source

python/ql/lib/semmle/python/Exprs.qll

@@ -28,9 +28,7 @@ class Expr extends Expr_, AstNode {
   /** Whether this expression may have a side effect (as determined purely from its syntax) */
   predicate hasSideEffects() {
     /* If an exception raised by this expression handled, count that as a side effect */
-    exists(ControlFlowNode n | n.getNode() = this |
+    this.getAFlowNode().getASuccessor().getNode() instanceof ExceptStmt
-      n.getASuccessor().getNode() instanceof ExceptStmt
-    )
     or
     this.getASubExpression().hasSideEffects()
   }
@@ -70,6 +68,8 @@ class Attribute extends Attribute_ {
   /* syntax: Expr.name */
   override Expr getASubExpression() { result = this.getObject() }
 
+  override AttrNode getAFlowNode() { result = super.getAFlowNode() }
+
   /** Gets the name of this attribute. That is the `name` in `obj.name` */
   string getName() { result = Attribute_.super.getAttr() }
 
@@ -96,6 +96,8 @@ class Subscript extends Subscript_ {
   }
 
   Expr getObject() { result = Subscript_.super.getValue() }
+
+  override SubscriptNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A call expression, such as `func(...)` */
@@ -111,6 +113,8 @@ class Call extends Call_ {
 
   override string toString() { result = this.getFunc().toString() + "()" }
 
+  override CallNode getAFlowNode() { result = super.getAFlowNode() }
+
   /** Gets a tuple (*) argument of this call. */
   Expr getStarargs() { result = this.getAPositionalArg().(Starred).getValue() }
 
@@ -196,6 +200,8 @@ class IfExp extends IfExp_ {
   override Expr getASubExpression() {
     result = this.getTest() or result = this.getBody() or result = this.getOrelse()
   }
+
+  override IfExprNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A starred expression, such as the `*rest` in the assignment `first, *rest = seq` */
@@ -404,6 +410,8 @@ class PlaceHolder extends PlaceHolder_ {
   override Expr getASubExpression() { none() }
 
   override string toString() { result = "$" + this.getId() }
+
+  override NameNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** A tuple expression such as `( 1, 3, 5, 7, 9 )` */
@@ -470,6 +478,8 @@ class Name extends Name_ {
 
   override string toString() { result = this.getId() }
 
+  override NameNode getAFlowNode() { result = super.getAFlowNode() }
+
   override predicate isArtificial() {
     /* Artificial variable names in comprehensions all start with "." */
     this.getId().charAt(0) = "."
@@ -575,6 +585,8 @@ abstract class NameConstant extends Name, ImmutableLiteral {
 
   override predicate isConstant() { any() }
 
+  override NameConstantNode getAFlowNode() { result = Name.super.getAFlowNode() }
+
   override predicate isArtificial() { none() }
 }
 

python/ql/lib/semmle/python/Flow.qll

@@ -555,27 +555,27 @@ class DefinitionNode extends ControlFlowNode {
   cached
   DefinitionNode() {
     Stages::AST::ref() and
-    exists(Assign a | this.getNode() = a.getATarget())
+    exists(Assign a | a.getATarget().getAFlowNode() = this)
     or
-    exists(AssignExpr a | this.getNode() = a.getTarget())
+    exists(AssignExpr a | a.getTarget().getAFlowNode() = this)
     or
-    exists(AnnAssign a | this.getNode() = a.getTarget() and exists(a.getValue()))
+    exists(AnnAssign a | a.getTarget().getAFlowNode() = this and exists(a.getValue()))
     or
-    exists(Alias a | this.getNode() = a.getAsname())
+    exists(Alias a | a.getAsname().getAFlowNode() = this)
     or
     augstore(_, this)
     or
     // `x, y = 1, 2` where LHS is a combination of list or tuples
-    exists(Assign a | this.getNode() = list_or_tuple_nested_element(a.getATarget()))
+    exists(Assign a | list_or_tuple_nested_element(a.getATarget()).getAFlowNode() = this)
     or
-    exists(For for | this.getNode() = for.getTarget())
+    exists(For for | for.getTarget().getAFlowNode() = this)
     or
-    exists(Parameter param | this.getNode() = param.asName() and exists(param.getDefault()))
+    exists(Parameter param | this = param.asName().getAFlowNode() and exists(param.getDefault()))
   }
 
   /** flow node corresponding to the value assigned for the definition corresponding to this flow node */
   ControlFlowNode getValue() {
-    result.getNode() = assigned_value(this.getNode()) and
+    result = assigned_value(this.getNode()).getAFlowNode() and
     (
       result.getBasicBlock().dominates(this.getBasicBlock())
       or
@@ -584,7 +584,7 @@ class DefinitionNode extends ControlFlowNode {
       // since the default value for a parameter is evaluated in the same basic block as
       // the function definition, but the parameter belongs to the basic block of the function,
       // there is no dominance relationship between the two.
-      exists(Parameter param | this.getNode() = param.asName())
+      exists(Parameter param | this = param.asName().getAFlowNode())
     )
   }
 }
@@ -901,7 +901,7 @@ class ExceptFlowNode extends ControlFlowNode {
     exists(ExceptStmt ex |
       this.getBasicBlock().dominates(result.getBasicBlock()) and
       ex = this.getNode() and
-      result.getNode() = ex.getType()
+      result = ex.getType().getAFlowNode()
     )
   }
 
@@ -913,7 +913,7 @@ class ExceptFlowNode extends ControlFlowNode {
     exists(ExceptStmt ex |
       this.getBasicBlock().dominates(result.getBasicBlock()) and
       ex = this.getNode() and
-      result.getNode() = ex.getName()
+      result = ex.getName().getAFlowNode()
     )
   }
 }
@@ -928,7 +928,7 @@ class ExceptGroupFlowNode extends ControlFlowNode {
    */
   ControlFlowNode getType() {
     this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(ExceptGroupStmt).getType()
+    result = this.getNode().(ExceptGroupStmt).getType().getAFlowNode()
   }
 
   /**
@@ -937,7 +937,7 @@ class ExceptGroupFlowNode extends ControlFlowNode {
    */
   ControlFlowNode getName() {
     this.getBasicBlock().dominates(result.getBasicBlock()) and
-    result.getNode() = this.getNode().(ExceptGroupStmt).getName()
+    result = this.getNode().(ExceptGroupStmt).getName().getAFlowNode()
   }
 }
 

python/ql/lib/semmle/python/Function.qll

@@ -153,16 +153,8 @@ class Function extends Function_, Scope, AstNode {
 
   override predicate contains(AstNode inner) { Scope.super.contains(inner) }
 
-  /**
+  /** Gets a control flow node for a return value of this function */
-   * DEPRECATED: bind a `Return` node explicitly instead, e.g.
+  ControlFlowNode getAReturnValueFlowNode() {
-   * `exists(Return ret | ret.getScope() = this and n.getNode() = ret.getValue())`.
-   * This API is being phased out together with `AstNode.getAFlowNode()` to
-   * untangle the AST and CFG hierarchies in preparation for migrating the
-   * dataflow library off the legacy CFG.
-   *
-   * Gets a control flow node for a return value of this function.
-   */
-  deprecated ControlFlowNode getAReturnValueFlowNode() {
     exists(Return ret |
       ret.getScope() = this and
       ret.getValue() = result.getNode()

python/ql/lib/semmle/python/Import.qll

@@ -162,6 +162,8 @@ class ImportMember extends ImportMember_ {
   string getImportedModuleName() {
     result = this.getModule().(ImportExpr).getImportedModuleName() + "." + this.getName()
   }
+
+  override ImportMemberNode getAFlowNode() { result = super.getAFlowNode() }
 }
 
 /** An import statement */

python/ql/lib/semmle/python/SelfAttribute.qll

@@ -46,23 +46,20 @@ class SelfAttributeRead extends SelfAttribute {
   }
 
   predicate guardedByHasattr() {
-    exists(Variable var, ControlFlowNode n, ControlFlowNode this_, ControlFlowNode obj_ |
+    exists(Variable var, ControlFlowNode n |
-      this_.getNode() = this and obj_.getNode() = this.getObject()
+      var.getAUse() = this.getObject().getAFlowNode() and
-    |
-      var.getAUse() = obj_ and
       hasattr(n, var.getAUse(), this.getName()) and
-      n.strictlyDominates(this_)
+      n.strictlyDominates(this.getAFlowNode())
     )
   }
 
   pragma[noinline]
   predicate locallyDefined() {
-    exists(SelfAttributeStore store, ControlFlowNode store_, ControlFlowNode this_ |
+    exists(SelfAttributeStore store |
-      store_.getNode() = store and this_.getNode() = this
-    |
       this.getName() = store.getName() and
-      this.getScope() = store.getScope() and
+      this.getScope() = store.getScope()
-      store_.strictlyDominates(this_)
+    |
+      store.getAFlowNode().strictlyDominates(this.getAFlowNode())
     )
   }
 }

python/ql/lib/semmle/python/dataflow/new/BarrierGuards.qll

@@ -5,30 +5,24 @@ private import semmle.python.dataflow.new.DataFlow
 
 private predicate constCompare(DataFlow::GuardNode g, ControlFlowNode node, boolean branch) {
   exists(CompareNode cn | cn = g |
-    exists(ImmutableLiteral const, Cmpop op, ControlFlowNode c |
+    exists(ImmutableLiteral const, Cmpop op |
-      c.getNode() = const and
+      op = any(Eq eq) and branch = true
-      (
-        op = any(Eq eq) and branch = true
-        or
-        op = any(NotEq ne) and branch = false
-      )
-    |
-      cn.operands(c, op, node)
       or
-      cn.operands(node, op, c)
+      op = any(NotEq ne) and branch = false
+    |
+      cn.operands(const.getAFlowNode(), op, node)
+      or
+      cn.operands(node, op, const.getAFlowNode())
     )
     or
-    exists(NameConstant const, Cmpop op, ControlFlowNode c |
+    exists(NameConstant const, Cmpop op |
-      c.getNode() = const and
+      op = any(Is is_) and branch = true
-      (
-        op = any(Is is_) and branch = true
-        or
-        op = any(IsNot isn) and branch = false
-      )
-    |
-      cn.operands(c, op, node)
       or
-      cn.operands(node, op, c)
+      op = any(IsNot isn) and branch = false
+    |
+      cn.operands(const.getAFlowNode(), op, node)
+      or
+      cn.operands(node, op, const.getAFlowNode())
     )
     or
     exists(IterableNode const_iterable, Cmpop op |

python/ql/lib/semmle/python/dataflow/new/internal/Attributes.qll

@@ -228,7 +228,7 @@ private class ClassDefinitionAsAttrWrite extends AttrWrite, CfgNode {
 
   override Node getValue() { result.asCfgNode() = node.getValue() }
 
-  override Node getObject() { result.asCfgNode().getNode() = cls }
+  override Node getObject() { result.asCfgNode() = cls.getAFlowNode() }
 
   override ExprNode getAttributeNameExpr() { none() }
 

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowDispatch.qll

@@ -256,12 +256,9 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
  */
 overlay[local]
 predicate isStaticmethod(Function func) {
-  // The decorator is *syntactically* a `Name` "staticmethod" — we don't
+  exists(NameNode id | id.getId() = "staticmethod" and id.isGlobal() |
-  // care which variable it resolves to. `staticmethod` is a builtin and
+    func.getADecorator() = id.getNode()
-  // is almost never shadowed in a module-level scope; even if a class
+  )
-  // redefines `staticmethod` in its body, the class body has not started
-  // executing yet at the decorator position, so Python uses the builtin.
-  func.getADecorator().(Name).getId() = "staticmethod"
 }
 
 /**
@@ -271,9 +268,9 @@ predicate isStaticmethod(Function func) {
  */
 overlay[local]
 predicate isClassmethod(Function func) {
-  // See `isStaticmethod` for the rationale for matching on the AST `Name`
+  exists(NameNode id | id.getId() = "classmethod" and id.isGlobal() |
-  // rather than going via the CFG and `isGlobal()`.
+    func.getADecorator() = id.getNode()
-  func.getADecorator().(Name).getId() = "classmethod"
+  )
   or
   exists(Class cls |
     cls.getAMethod() = func and
@@ -288,8 +285,9 @@ predicate isClassmethod(Function func) {
 /** Holds if the function `func` has a `property` decorator. */
 overlay[local]
 predicate hasPropertyDecorator(Function func) {
-  // See `isStaticmethod` for the rationale for matching on the AST `Name`.
+  exists(NameNode id | id.getId() = "property" and id.isGlobal() |
-  func.getADecorator().(Name).getId() = "property"
+    func.getADecorator() = id.getNode()
+  )
 }
 
 /**
@@ -1913,8 +1911,8 @@ abstract class ReturnNode extends Node {
 class ExtractedReturnNode extends ReturnNode, CfgNode {
   // See `TaintTrackingImplementation::returnFlowStep`
   ExtractedReturnNode() {
-    node.getNode() = any(Return ret).getValue() or
+    node = any(Return ret).getValue().getAFlowNode() or
-    node.getNode() = any(Yield yield)
+    node = any(Yield yield).getAFlowNode()
   }
 
   override ReturnKind getKind() { any() }
@@ -1932,7 +1930,7 @@ class ExtractedReturnNode extends ReturnNode, CfgNode {
 class YieldNodeInContextManagerFunction extends ReturnNode, CfgNode {
   YieldNodeInContextManagerFunction() {
     hasContextmanagerDecorator(node.getScope()) and
-    node.getNode() = any(Yield yield).getValue()
+    node = any(Yield yield).getValue().getAFlowNode()
   }
 
   override ReturnKind getKind() { any() }

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll

@@ -185,8 +185,8 @@ private predicate synthDictSplatArgumentNodeStoreStep(
  */
 predicate yieldStoreStep(Node nodeFrom, Content c, Node nodeTo) {
   exists(Yield yield |
-    nodeTo.asCfgNode().getNode() = yield and
+    nodeTo.asCfgNode() = yield.getAFlowNode() and
-    nodeFrom.asCfgNode().getNode() = yield.getValue() and
+    nodeFrom.asCfgNode() = yield.getValue().getAFlowNode() and
     // TODO: Consider if this will also need to transfer dictionary content
     // once dictionary comprehensions are supported.
     c instanceof ListElementContent

python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPublic.qll

@@ -485,7 +485,7 @@ class ModuleVariableNode extends Node, TModuleVariableNode {
 
   /** Gets a node that reads this variable, excluding reads that happen through `from ... import *`. */
   Node getALocalRead() {
-    result.asCfgNode().getNode() = var.getALoad() and
+    result.asCfgNode() = var.getALoad().getAFlowNode() and
     not result.getScope() = mod
   }
 

python/ql/lib/semmle/python/dataflow/new/internal/ImportResolution.qll

@@ -9,19 +9,7 @@ private import semmle.python.dataflow.new.DataFlow
 private import semmle.python.dataflow.new.internal.ImportStar
 private import semmle.python.dataflow.new.TypeTracking
 private import semmle.python.dataflow.new.internal.DataFlowPrivate
-
+private import semmle.python.essa.SsaDefinitions
-/**
- * Holds if `init` is a package's `__init__.py` and `var` is a global variable in
- * `init` whose name matches a submodule of the package.
- *
- * Inlined from `SsaSource::init_module_submodule_defn` to avoid pulling
- * `semmle.python.essa.SsaDefinitions` into the new dataflow stack.
- */
-private predicate initModuleSubmoduleDefn(GlobalVariable var, Module init) {
-  init.isPackageInit() and
-  exists(init.getPackage().getSubModule(var.getId())) and
-  var.getScope() = init
-}
 
 /**
  * Python modules and the way imports are resolved are... complicated. Here's a crash course in how
@@ -338,7 +326,7 @@ module ImportResolution {
     // imported yet.
     exists(string submodule, Module package, EssaVariable var |
       submodule = var.getName() and
-      initModuleSubmoduleDefn(var.getSourceVariable(), package) and
+      SsaSource::init_module_submodule_defn(var.getSourceVariable(), package.getEntryNode()) and
       m = getModuleFromName(package.getPackageName() + "." + submodule) and
       result.asCfgNode() = var.getDefinition().(EssaNodeDefinition).getDefiningNode()
     )

python/ql/lib/semmle/python/dataflow/new/internal/TypeTrackingImpl.qll

@@ -94,10 +94,8 @@ private module SummaryTypeTrackerInput implements SummaryTypeTracker::Input {
   Node returnOf(Node callable, SummaryComponent return) {
     return = FlowSummaryImpl::Private::SummaryComponent::return() and
     // `result` should be the return value of a callable expression (lambda or function) referenced by `callable`
-    exists(Return ret |
+    result.asCfgNode() =
-      ret.getScope() = callable.getALocalSource().asExpr().(CallableExpr).getInnerScope() and
+      callable.getALocalSource().asExpr().(CallableExpr).getInnerScope().getAReturnValueFlowNode()
-      result.asCfgNode().getNode() = ret.getValue()
-    )
   }
 
   // Relating callables to nodes

python/ql/lib/semmle/python/dataflow/new/internal/VariableCapture.qll

@@ -61,7 +61,7 @@ private module CaptureInput implements Shared::InputSig<Location, Cfg::BasicBloc
   class VariableWrite extends ControlFlowNode {
     CapturedVariable v;
 
-    VariableWrite() { exists(DefinitionNode d | d.getNode() = v.getAStore() | this = d.getValue()) }
+    VariableWrite() { this = v.getAStore().getAFlowNode().(DefinitionNode).getValue() }
 
     CapturedVariable getVariable() { result = v }
 
@@ -71,7 +71,7 @@ private module CaptureInput implements Shared::InputSig<Location, Cfg::BasicBloc
   class VariableRead extends Expr {
     CapturedVariable v;
 
-    VariableRead() { this.getNode() = v.getALoad() }
+    VariableRead() { this = v.getALoad().getAFlowNode() }
 
     CapturedVariable getVariable() { result = v }
   }

python/ql/lib/semmle/python/dataflow/old/Implementation.qll

@@ -448,7 +448,8 @@ class TaintTrackingImplementation extends string instanceof TaintTracking::Confi
       context = TNoParam() and
       src = TTaintTrackingNode_(retval, TNoParam(), path, kind, this) and
       node.asCfgNode() = call and
-      retval.asCfgNode().getNode() = any(Return ret | ret.getScope() = pyfunc.getScope()).getValue()
+      retval.asCfgNode() =
+        any(Return ret | ret.getScope() = pyfunc.getScope()).getValue().getAFlowNode()
     ) and
     edgeLabel = "return"
   }
@@ -470,7 +471,8 @@ class TaintTrackingImplementation extends string instanceof TaintTracking::Confi
       this.callContexts(call, src, pyfunc, context, callee) and
       retnode = TTaintTrackingNode_(retval, callee, path, kind, this) and
       node.asCfgNode() = call and
-      retval.asCfgNode().getNode() = any(Return ret | ret.getScope() = pyfunc.getScope()).getValue()
+      retval.asCfgNode() =
+        any(Return ret | ret.getScope() = pyfunc.getScope()).getValue().getAFlowNode()
     ) and
     edgeLabel = "call"
   }
@@ -714,10 +716,8 @@ private class EssaTaintTracking extends string instanceof TaintTracking::Configu
       src = TTaintTrackingNode_(srcnode, context, path, srckind, this) and
       path.noAttribute()
     |
-      srcnode.asCfgNode().getNode() = assign.getValue() and
+      assign.getValue().getAFlowNode() = srcnode.asCfgNode() and
-      exists(SequenceNode left_parent | left_parent.getNode() = assign.getATarget() |
+      depth = iterable_unpacking_descent(assign.getATarget().getAFlowNode(), defn.getDefiningNode()) and
-        depth = iterable_unpacking_descent(left_parent, defn.getDefiningNode())
-      ) and
       kind = taint_at_depth(srckind, depth)
     )
   }
@@ -964,7 +964,7 @@ private TaintKind taint_at_depth(SequenceKind parent_kind, int depth) {
  * - with `left_defn` = `*y`, `left_parent` = `((x, *y), ...)`, result = 1
  */
 int iterable_unpacking_descent(SequenceNode left_parent, ControlFlowNode left_defn) {
-  exists(Assign a | left_parent.getNode() = a.getATarget().getASubExpression*()) and
+  exists(Assign a | a.getATarget().getASubExpression*().getAFlowNode() = left_parent) and
   left_parent.getAnElement() = left_defn and
   // Handle `a, *b = some_iterable`
   if left_defn instanceof StarredNode then result = 0 else result = 1

python/ql/lib/semmle/python/essa/SsaDefinitions.qll

@@ -56,7 +56,7 @@ module SsaSource {
   predicate with_definition(Variable v, ControlFlowNode defn) {
     exists(With with, Name var |
       with.getOptionalVars() = var and
-      defn.getNode() = var
+      var.getAFlowNode() = defn
     |
       var = v.getAStore()
     )
@@ -67,7 +67,7 @@ module SsaSource {
   predicate pattern_capture_definition(Variable v, ControlFlowNode defn) {
     exists(MatchCapturePattern capture, Name var |
       capture.getVariable() = var and
-      defn.getNode() = var
+      var.getAFlowNode() = defn
     |
       var = v.getAStore()
     )
@@ -78,7 +78,7 @@ module SsaSource {
   predicate pattern_alias_definition(Variable v, ControlFlowNode defn) {
     exists(MatchAsPattern pattern, Name var |
       pattern.getAlias() = var and
-      defn.getNode() = var
+      var.getAFlowNode() = defn
     |
       var = v.getAStore()
     )

python/ql/lib/semmle/python/frameworks/Bottle.qll

@@ -59,7 +59,7 @@ module Bottle {
 
         override Parameter getARoutedParameter() { none() }
 
-        override Function getARequestHandler() { node.getNode() = result.getADecorator() }
+        override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
       }
     }
 
@@ -73,10 +73,7 @@ module Bottle {
       /** A response returned by a view callable. */
       class BottleReturnResponse extends Http::Server::HttpResponse::Range {
         BottleReturnResponse() {
-          exists(Return ret |
+          this.asCfgNode() = any(View::ViewCallable vc).getAReturnValueFlowNode()
-            ret.getScope() = any(View::ViewCallable vc) and
-            this.asCfgNode().getNode() = ret.getValue()
-          )
         }
 
         override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/frameworks/Django.qll

@@ -2872,10 +2872,7 @@ module PrivateDjango {
     DataFlow::CfgNode
   {
     DjangoRedirectViewGetRedirectUrlReturn() {
-      exists(Return ret |
+      node = any(GetRedirectUrlFunction f).getAReturnValueFlowNode()
-        ret.getScope() = any(GetRedirectUrlFunction f) and
-        node.getNode() = ret.getValue()
-      )
     }
 
     override DataFlow::Node getRedirectLocation() { result = this }

python/ql/lib/semmle/python/frameworks/FastApi.qll

@@ -129,7 +129,7 @@ module FastApi {
       result in [this.getArg(0), this.getArgByName("path")]
     }
 
-    override Function getARequestHandler() { node.getNode() = result.getADecorator() }
+    override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
 
     override string getFramework() { result = "FastAPI" }
 
@@ -309,10 +309,7 @@ module FastApi {
       FastApiRouteSetup routeSetup;
 
       FastApiRequestHandlerReturn() {
-        exists(Return ret |
+        node = routeSetup.getARequestHandler().getAReturnValueFlowNode()
-          ret.getScope() = routeSetup.getARequestHandler() and
-          node.getNode() = ret.getValue()
-        )
       }
 
       override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/frameworks/Flask.qll

@@ -371,7 +371,7 @@ module Flask {
       result in [this.getArg(0), this.getArgByName("rule")]
     }
 
-    override Function getARequestHandler() { node.getNode() = result.getADecorator() }
+    override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
   }
 
   /**
@@ -536,7 +536,7 @@ module Flask {
     FlaskRouteHandlerReturn() {
       exists(Function routeHandler |
         routeHandler = any(FlaskRouteSetup rs).getARequestHandler() and
-        exists(Return ret | ret.getScope() = routeHandler and node.getNode() = ret.getValue()) and
+        node = routeHandler.getAReturnValueFlowNode() and
         not this instanceof Flask::Response::InstanceSource
       )
     }

python/ql/lib/semmle/python/frameworks/FlaskAdmin.qll

@@ -38,7 +38,7 @@ private module FlaskAdmin {
       result in [this.getArg(0), this.getArgByName("url")]
     }
 
-    override Function getARequestHandler() { node.getNode() = result.getADecorator() }
+    override Function getARequestHandler() { result.getADecorator().getAFlowNode() = node }
   }
 
   /**
@@ -71,7 +71,7 @@ private module FlaskAdmin {
 
     override Function getARequestHandler() {
       exists(Flask::FlaskViewClass cls |
-        node.getNode() = cls.getADecorator() and
+        cls.getADecorator().getAFlowNode() = node and
         result = cls.getARequestHandler()
       )
     }

python/ql/lib/semmle/python/frameworks/Pyramid.qll

@@ -166,10 +166,7 @@ module Pyramid {
     /** A response returned by a view callable. */
     private class PyramidReturnResponse extends Http::Server::HttpResponse::Range {
       PyramidReturnResponse() {
-        exists(Return ret |
+        this.asCfgNode() = any(View::ViewCallable vc).getAReturnValueFlowNode() and
-          ret.getScope() = any(View::ViewCallable vc) and
-          this.asCfgNode().getNode() = ret.getValue()
-        ) and
         not this = instance()
       }
 

python/ql/lib/semmle/python/frameworks/Stdlib.qll

@@ -2254,9 +2254,8 @@ module StdlibPrivate {
       DataFlow::CfgNode
     {
       WsgirefSimpleServerApplicationReturn() {
-        exists(WsgirefSimpleServerApplication requestHandler, Return ret |
+        exists(WsgirefSimpleServerApplication requestHandler |
-          ret.getScope() = requestHandler and
+          node = requestHandler.getAReturnValueFlowNode()
-          node.getNode() = ret.getValue()
         )
       }
 

python/ql/lib/semmle/python/frameworks/Twisted.qll

@@ -182,10 +182,7 @@ private module Twisted {
     DataFlow::CfgNode
   {
     TwistedResourceRenderMethodReturn() {
-      exists(Return ret |
+      this.asCfgNode() = any(TwistedResourceRenderMethod meth).getAReturnValueFlowNode()
-        ret.getScope() = any(TwistedResourceRenderMethod meth) and
-        this.asCfgNode().getNode() = ret.getValue()
-      )
     }
 
     override DataFlow::Node getBody() { result = this }

python/ql/lib/semmle/python/internal/CachedStages.qll

@@ -77,7 +77,7 @@ module Stages {
       or
       exists(any(AstExtended::AstNode n).getParentNode())
       or
-      exists(PyFlow::ControlFlowNode cfg, AstExtended::AstNode n | cfg.getNode() = n)
+      exists(any(AstExtended::AstNode n).getAFlowNode())
       or
       exists(any(PyFlow::BasicBlock b).getImmediateDominator())
       or