Fix changelog copy errors in change-notes and CHANGELOG.md files (codeql-cli-2.25.6)

Merge pull request #21968 from jketema/jketema/namequalifiers
C++: Fix `NameQualifyingElement` db inconsistency
2026-06-12 00:11:07 +02:00 · 2026-06-11 22:45:33 +02:00 · 2026-06-11 15:11:51 +02:00 · 2026-06-11 13:27:06 +01:00 · 2026-06-11 07:15:54 +02:00 · 2026-06-11 07:15:09 +02:00
507 changed files with 33973 additions and 6872 deletions
--- a/.github/workflows/go-version-update.yml
+++ b/.github/workflows/go-version-update.yml
@@ -0,0 +1,208 @@
+name: Update Go version
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * 1"  # Run weekly on Mondays at 3 AM UTC (1 = Monday)
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  update-go-version:
+    name: Check and update Go version
+    if: github.repository == 'github/codeql'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+
+      - name: Set up Git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+      - name: Fetch latest Go version
+        id: fetch-version
+        run: |
+          LATEST_GO_VERSION=$(curl -s https://go.dev/dl/?mode=json | jq -r '.[0].version')
+          
+          if [ -z "$LATEST_GO_VERSION" ] || [ "$LATEST_GO_VERSION" = "null" ]; then
+            echo "Error: Failed to fetch latest Go version from go.dev"
+            exit 1
+          fi
+          
+          echo "Latest Go version from go.dev: $LATEST_GO_VERSION"
+          echo "version=$LATEST_GO_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract version numbers (e.g., go1.26.0 -> 1.26.0)
+          LATEST_VERSION_NUM=$(echo $LATEST_GO_VERSION | sed 's/^go//')
+          echo "version_num=$LATEST_VERSION_NUM" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version (e.g., 1.26.0 -> 1.26)
+          LATEST_MAJOR_MINOR=$(echo $LATEST_VERSION_NUM | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$LATEST_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Check current Go version
+        id: current-version
+        run: |
+          CURRENT_VERSION=$(sed -n 's/.*go_sdk\.download(version = \"\([^\"]*\)\".*/\1/p' MODULE.bazel)
+          
+          if [ -z "$CURRENT_VERSION" ]; then
+            echo "Error: Could not extract Go version from MODULE.bazel"
+            exit 1
+          fi
+          
+          echo "Current Go version in MODULE.bazel: $CURRENT_VERSION"
+          echo "version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          
+          # Extract major.minor version
+          CURRENT_MAJOR_MINOR=$(echo $CURRENT_VERSION | sed -E 's/^([0-9]+\.[0-9]+).*/\1/')
+          echo "major_minor=$CURRENT_MAJOR_MINOR" >> $GITHUB_OUTPUT
+
+      - name: Compare versions
+        id: compare
+        run: |
+          LATEST="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT="${{ steps.current-version.outputs.version }}"
+          
+          echo "Latest: $LATEST"
+          echo "Current: $CURRENT"
+          
+          if [ "$LATEST" = "$CURRENT" ]; then
+            echo "Go version is up to date"
+            echo "needs_update=false" >> $GITHUB_OUTPUT
+          else
+            echo "Go version needs update from $CURRENT to $LATEST"
+            echo "needs_update=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Update Go version in files
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          CURRENT_MAJOR_MINOR="${{ steps.current-version.outputs.major_minor }}"
+          
+          echo "Updating from $CURRENT_VERSION to $LATEST_VERSION_NUM"
+          
+          # Escape dots in current version strings for use in sed patterns
+          CURRENT_VERSION_ESCAPED=$(echo "$CURRENT_VERSION" | sed 's/\./\\./g')
+          CURRENT_MAJOR_MINOR_ESCAPED=$(echo "$CURRENT_MAJOR_MINOR" | sed 's/\./\\./g')
+          
+          # Update MODULE.bazel
+          sed -i "s/go_sdk\.download(version = \"$CURRENT_VERSION_ESCAPED\")/go_sdk.download(version = \"$LATEST_VERSION_NUM\")/" MODULE.bazel
+          if ! grep -q "go_sdk.download(version = \"$LATEST_VERSION_NUM\")" MODULE.bazel; then
+            echo "Error: Failed to update MODULE.bazel"
+            exit 1
+          fi
+          
+          # Update go/extractor/go.mod
+          if ! sed -i "s/^go $CURRENT_MAJOR_MINOR_ESCAPED\$/go $LATEST_MAJOR_MINOR/" go/extractor/go.mod; then
+            echo "Warning: Failed to update go directive in go.mod"
+          fi
+          if ! sed -i "s/^toolchain go$CURRENT_VERSION_ESCAPED\$/toolchain go$LATEST_VERSION_NUM/" go/extractor/go.mod; then
+            echo "Warning: Failed to update toolchain in go.mod"
+          fi
+          
+          # Update go/extractor/autobuilder/build-environment.go
+          if ! sed -i "s/var maxGoVersion = util\.NewSemVer(\"$CURRENT_MAJOR_MINOR_ESCAPED\")/var maxGoVersion = util.NewSemVer(\"$LATEST_MAJOR_MINOR\")/" go/extractor/autobuilder/build-environment.go; then
+            echo "Warning: Failed to update build-environment.go"
+          fi
+          
+          # Update go/actions/test/action.yml
+          if ! sed -i "s/default: \"~$CURRENT_VERSION_ESCAPED\"/default: \"~$LATEST_VERSION_NUM\"/" go/actions/test/action.yml; then
+            echo "Warning: Failed to update action.yml"
+          fi
+          
+          # Show what changed
+          git diff
+
+      - name: Check for changes
+        id: check-changes
+        if: steps.compare.outputs.needs_update == 'true'
+        run: |
+          if git diff --quiet; then
+            echo "No changes detected"
+            echo "has_changes=false" >> $GITHUB_OUTPUT
+          else
+            echo "Changes detected"
+            echo "has_changes=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check for existing PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        id: check-pr
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          PR_NUMBER=$(gh pr list --head "$BRANCH_NAME" --state open --json number --jq '.[0].number')
+          
+          if [ -n "$PR_NUMBER" ]; then
+            echo "Existing PR found: #$PR_NUMBER"
+            echo "pr_exists=true" >> $GITHUB_OUTPUT
+            echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
+          else
+            echo "No existing PR found"
+            echo "pr_exists=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Commit and push changes
+        if: steps.check-changes.outputs.has_changes == 'true'
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          LATEST_MAJOR_MINOR="${{ steps.fetch-version.outputs.major_minor }}"
+          
+          # Create or switch to branch
+          git checkout -B "$BRANCH_NAME"
+          
+          # Stage and commit changes
+          git add MODULE.bazel go/extractor/go.mod go/extractor/autobuilder/build-environment.go go/actions/test/action.yml
+          git commit -m "Go: Update to $LATEST_VERSION_NUM"
+          
+          # Push changes
+          git push --force-with-lease origin "$BRANCH_NAME"
+
+      - name: Create or update PR
+        if: steps.check-changes.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          BRANCH_NAME="workflow/go-version-update"
+          LATEST_VERSION_NUM="${{ steps.fetch-version.outputs.version_num }}"
+          CURRENT_VERSION="${{ steps.current-version.outputs.version }}"
+          
+          PR_TITLE="Go: Update to $LATEST_VERSION_NUM"
+          
+          PR_BODY=$(cat <<EOF
+          This PR updates Go from $CURRENT_VERSION to $LATEST_VERSION_NUM.
+
+          Updated files:
+          - \`MODULE.bazel\` - go_sdk.download version
+          - \`go/extractor/go.mod\` - go directive and toolchain
+          - \`go/extractor/autobuilder/build-environment.go\` - maxGoVersion (only if MAJOR.MINOR changes)
+          - \`go/actions/test/action.yml\` - default go-test-version
+
+          This PR was automatically created by the [Go version update workflow](https://github.com/${{ github.repository }}/blob/main/.github/workflows/go-version-update.yml).
+          EOF
+          )
+          
+          if [ "${{ steps.check-pr.outputs.pr_exists }}" = "true" ]; then
+            echo "Updating existing PR #${{ steps.check-pr.outputs.pr_number }}"
+            gh pr edit "${{ steps.check-pr.outputs.pr_number }}" --title "$PR_TITLE" --body "$PR_BODY"
+          else
+            echo "Creating new PR"
+            gh pr create \
+              --title "$PR_TITLE" \
+              --body "$PR_BODY" \
+              --base main \
+              --head "$BRANCH_NAME" \
+              --label "Go"
+          fi
--- a/MODULE.bazel
+++ b/MODULE.bazel
@@ -273,7 +273,7 @@ use_repo(
 )

 go_sdk = use_extension("@rules_go//go:extensions.bzl", "go_sdk")
-go_sdk.download(version = "1.26.0")
+go_sdk.download(version = "1.26.4")

 go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
--- a/actions/ql/lib/CHANGELOG.md
+++ b/actions/ql/lib/CHANGELOG.md
@@ -2,7 +2,7 @@

 ### Minor Analysis Improvements

-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.

 ## 0.4.36

--- a/actions/ql/lib/change-notes/released/0.4.37.md
+++ b/actions/ql/lib/change-notes/released/0.4.37.md
@@ -2,4 +2,4 @@

 ### Minor Analysis Improvements

-* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, include regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a sha1 or sha256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+* The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like `^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
--- a/actions/ql/src/CHANGELOG.md
+++ b/actions/ql/src/CHANGELOG.md
@@ -15,7 +15,7 @@

 ### Bug Fixes

-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.

 ## 0.6.28

--- a/actions/ql/src/change-notes/released/0.6.29.md
+++ b/actions/ql/src/change-notes/released/0.6.29.md
@@ -15,4 +15,4 @@

 ### Bug Fixes

-* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on in minor point, added one more listed resource and added one more recommendation for things to check.
+* Adjusted (minor) help file descriptions for queries: `actions/untrusted-checkout/critical`, `actions/untrusted-checkout/high`, `actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -11,10 +11,6 @@
    "java/ql/lib/semmle/code/java/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/SignAnalysisCommon.qll"
  ],
-  "Bound Java/C#": [
-    "java/ql/lib/semmle/code/java/dataflow/Bound.qll",
-    "csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll"
-  ],
  "ModulusAnalysis Java/C#": [
    "java/ql/lib/semmle/code/java/dataflow/ModulusAnalysis.qll",
    "csharp/ql/lib/semmle/code/csharp/dataflow/ModulusAnalysis.qll"
--- a/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/old.dbscheme
+++ b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/old.dbscheme
--- a/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/semmlecode.cpp.dbscheme
+++ b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/semmlecode.cpp.dbscheme
--- a/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties
+++ b/cpp/downgrades/0853f43dc8c08deecb473c54a2b70da8597f1ab5/upgrade.properties
@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full
--- a/cpp/ql/lib/semmle/code/cpp/Type.qll
+++ b/cpp/ql/lib/semmle/code/cpp/Type.qll
@@ -1071,7 +1071,7 @@ class NullPointerType extends BuiltInType {
 * const float fa[40];
 * ```
 */
-class DerivedType extends Type, @derivedtype {
+class DerivedType extends Type, NameQualifyingElement, @derivedtype {
  override string toString() { result = this.getName() }

  override string getName() { derivedtypes(underlyingElement(this), result, _, _) }
--- a/cpp/ql/lib/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/semmlecode.cpp.dbscheme
@@ -1430,7 +1430,8 @@ specialnamequalifyingelements(
@namequalifyingelement = @namespace
                       | @specialnamequalifyingelement
                       | @usertype
-                       | @decltype;
+                       | @decltype
+                       | @derivedtype;

 namequalifiers(
    unique int id: @namequalifier,
--- a/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme
+++ b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/old.dbscheme
--- a/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme
+++ b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/semmlecode.cpp.dbscheme
--- a/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties
+++ b/cpp/ql/lib/upgrades/ef8d209a22e27413aaaeff4446f0ecb9fa2c227b/upgrade.properties
@@ -0,0 +1,2 @@
+description: Fix NameQualifier inconsistency
+compatibility: full
--- a/cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.expected
+++ b/cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.expected
@@ -1,3 +1,7 @@
+| inconsistency2.cpp:3:3:3:5 | T:: | inconsistency2.cpp:3:3:3:6 | x | inconsistency2.cpp:2:20:2:20 | T |
+| inconsistency2.cpp:3:3:3:11 | const s:: | inconsistency2.cpp:3:3:3:6 | x | file://:0:0:0:0 | const s |
+| inconsistency.cpp:7:20:7:22 | S:: | inconsistency.cpp:7:20:7:23 | (int)... | inconsistency.cpp:4:8:4:8 | S |
+| inconsistency.cpp:7:20:7:22 | S:: | inconsistency.cpp:7:20:7:23 | A | inconsistency.cpp:4:8:4:8 | S |
 | name_qualifiers.cpp:29:7:29:8 | :: | name_qualifiers.cpp:29:7:29:9 | x | file://:0:0:0:0 | (global namespace) |
 | name_qualifiers.cpp:31:7:31:10 | N1:: | name_qualifiers.cpp:31:7:31:12 | nx | name_qualifiers.cpp:4:11:4:12 | N1 |
 | name_qualifiers.cpp:34:7:34:8 | :: | name_qualifiers.cpp:34:9:34:12 | N1:: | file://:0:0:0:0 | (global namespace) |
--- a/cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.ql
+++ b/cpp/ql/test/library-tests/name_qualifiers/NameQualifiers1.ql
@@ -1,7 +1,5 @@
 import cpp

 from NameQualifier nq, Location l
-where
-  l = nq.getQualifiedElement().getLocation() and
-  l.getFile().getShortName() = "name_qualifiers"
+where l = nq.getQualifiedElement().getLocation()
 select nq, nq.getQualifiedElement(), nq.getQualifyingElement()
--- a/cpp/ql/test/library-tests/name_qualifiers/inconsistency.cpp
+++ b/cpp/ql/test/library-tests/name_qualifiers/inconsistency.cpp
@@ -1,8 +1,8 @@
 // This file is present to test whether name-qualifying an enum constant leads to a database inconsistency.
-// As such, there is no QL part of the test.
+

 struct S { enum E { A }; };

-static int f() {
+static void f() {
  switch(0) { case S::A: break; }
 }
--- a/cpp/ql/test/library-tests/name_qualifiers/inconsistency2.cpp
+++ b/cpp/ql/test/library-tests/name_qualifiers/inconsistency2.cpp
@@ -0,0 +1,12 @@
+namespace {
+template <typename T> T f() {
+  T::x;
+  return {};
+}
+struct s {
+  static int x;
+};
+struct t {
+  s x = f<const s>();
+};
+}
--- a/csharp/ql/lib/qlpack.yml
+++ b/csharp/ql/lib/qlpack.yml
@@ -9,6 +9,7 @@ dependencies:
  codeql/controlflow: ${workspace}
  codeql/dataflow: ${workspace}
  codeql/mad: ${workspace}
+  codeql/rangeanalysis: ${workspace}
  codeql/ssa: ${workspace}
  codeql/threat-models: ${workspace}
  codeql/tutorial: ${workspace}
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/Bound.qll
@@ -4,67 +4,31 @@
 overlay[local?]
 module;

-private import internal.rangeanalysis.BoundSpecific
+private import csharp as CS
+private import semmle.code.csharp.dataflow.SSA::Ssa
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
+private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
+private import codeql.rangeanalysis.Bound as SharedBound

-private newtype TBound =
-  TBoundZero() or
-  TBoundSsa(SsaVariable v) { v.getSourceVariable().getType() instanceof IntegralType } or
-  TBoundExpr(Expr e) {
-    interestingExprBound(e) and
-    not exists(SsaVariable v | e = v.getAUse())
-  }
+/** Provides C#-specific definitions for bounds. */
+private module BoundDefs implements SharedBound::BoundDefinitions<CS::Location> {
+  class Type = CS::Type;

-/**
- * A bound that may be inferred for an expression plus/minus an integer delta.
- */
-abstract class Bound extends TBound {
-  /** Gets a textual representation of this bound. */
-  abstract string toString();
+  class SsaVariable = SU::SsaVariable;

-  /** Gets an expression that equals this bound plus `delta`. */
-  abstract Expr getExpr(int delta);
+  class SsaSourceVariable = SourceVariable;

-  /** Gets an expression that equals this bound. */
-  Expr getExpr() { result = this.getExpr(0) }
+  class Expr = CS::ControlFlowNodes::ExprNode;

-  /** Gets the location of this bound. */
-  abstract Location getLocation();
+  class IntegralType = CS::IntegralType;
+
+  class ConstantIntegerExpr = CU::ConstantIntegerExpr;
+
+  /** Holds if `e` is a bound expression and it is not an SSA variable read. */
+  predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }
 }

-/**
- * The bound that corresponds to the integer 0. This is used to represent all
- * integer bounds as bounds are always accompanied by an added integer delta.
- */
-class ZeroBound extends Bound, TBoundZero {
-  override string toString() { result = "0" }
+module BoundImpl = SharedBound::Bound<CS::Location, BoundDefs>;

-  override Expr getExpr(int delta) { result.(ConstantIntegerExpr).getIntValue() = delta }
-
-  override Location getLocation() { result.hasLocationInfo("", 0, 0, 0, 0) }
-}
-
-/**
- * A bound corresponding to the value of an SSA variable.
- */
-class SsaBound extends Bound, TBoundSsa {
-  /** Gets the SSA variable that equals this bound. */
-  SsaVariable getSsa() { this = TBoundSsa(result) }
-
-  override string toString() { result = this.getSsa().toString() }
-
-  override Expr getExpr(int delta) { result = this.getSsa().getAUse() and delta = 0 }
-
-  override Location getLocation() { result = this.getSsa().getLocation() }
-}
-
-/**
- * A bound that corresponds to the value of a specific expression that might be
- * interesting, but isn't otherwise represented by the value of an SSA variable.
- */
-class ExprBound extends Bound, TBoundExpr {
-  override string toString() { result = this.getExpr().toString() }
-
-  override Expr getExpr(int delta) { this = TBoundExpr(result) and delta = 0 }
-
-  override Location getLocation() { result = this.getExpr().getLocation() }
-}
+import BoundImpl
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/BoundSpecific.qll
@@ -1,22 +0,0 @@
-/**
- * Provides C#-specific definitions for bounds.
- */
-
-private import csharp as CS
-private import semmle.code.csharp.dataflow.SSA::Ssa as Ssa
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.ConstantUtils as CU
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.RangeUtils as RU
-private import semmle.code.csharp.dataflow.internal.rangeanalysis.SsaUtils as SU
-
-class SsaVariable = SU::SsaVariable;
-
-class Expr = CS::ControlFlowNodes::ExprNode;
-
-class Location = CS::Location;
-
-class IntegralType = CS::IntegralType;
-
-class ConstantIntegerExpr = CU::ConstantIntegerExpr;
-
-/** Holds if `e` is a bound expression and it is not an SSA variable read. */
-predicate interestingExprBound(Expr e) { CU::systemArrayLengthAccess(e.getExpr()) }
--- a/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.6.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/codeql-cli-2.25.6.rst
@@ -0,0 +1,139 @@
+.. _codeql-cli-2.25.6:
+
+==========================
+CodeQL 2.25.6 (2026-06-04)
+==========================
+
+.. contents:: Contents
+   :depth: 2
+   :local:
+   :backlinks: none
+
+This is an overview of changes in the CodeQL CLI and relevant CodeQL query and library packs. For additional updates on changes to the CodeQL code scanning experience, check out the `code scanning section on the GitHub blog <https://github.blog/tag/code-scanning/>`__, `relevant GitHub Changelog updates <https://github.blog/changelog/label/application-security/>`__, `changes in the CodeQL extension for Visual Studio Code <https://marketplace.visualstudio.com/items/GitHub.vscode-codeql/changelog>`__, and the `CodeQL Action changelog <https://github.com/github/codeql-action/blob/main/CHANGELOG.md>`__.
+
+Security Coverage
+-----------------
+
+CodeQL 2.25.6 runs a total of 496 security queries when configured with the Default suite (covering 169 CWE). The Extended suite enables an additional 131 queries (covering 32 more CWE).
+
+CodeQL CLI
+----------
+
+Improvements
+~~~~~~~~~~~~
+
+*   When the :code:`git` executable is available, CodeQL can now obtain configuration and queries from SHA-256 Git repositories, and infer Git metadata about them.
+
+Miscellaneous
+~~~~~~~~~~~~~
+
+*   The build of Eclipse Temurin OpenJDK that is used to run the CodeQL CLI has been updated to version 21.0.11.
+
+Query Packs
+-----------
+
+Bug Fixes
+~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Adjusted (minor) help file descriptions for queries: :code:`actions/untrusted-checkout/critical`, :code:`actions/untrusted-checkout/high`, :code:`actions/untrusted-checkout/medium`. Clarified wording on a minor point, added one more listed resource and added one more recommendation for things to check.
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Adjusted :code:`actions/untrusted-checkout/critical` to align more with other untrusted resource queries, where the alert location is the location where the artifact is obtained from (the checkout point). This aligns with the other 2 related queries. This will cause the same alerts to re-open for closed alerts of this query.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Altered the alert message for clarity for queries: :code:`actions/untrusted-checkout/critical`, :code:`actions/untrusted-checkout/high`.
+*   The :code:`actions/unpinned-tag` query now recognizes 64-character SHA-256 commit hashes as properly pinned references, in addition to 40-character SHA-1 hashes.
+
+Query Metadata Changes
+~~~~~~~~~~~~~~~~~~~~~~
+
+GitHub Actions
+""""""""""""""
+
+*   Reversed adjustment of the name of :code:`actions/untrusted-checkout/high`, but kept the portion of the previous change for the word "trusted" to "privileged". Added a missing "a" to phrasing in :code:`actions/untrusted-checkout/high` and :code:`actions/untrusted-checkout/medium`.
+
+Language Libraries
+------------------
+
+Major Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Swift
+"""""
+
+*   Upgraded to allow analysis of Swift 6.3.2.
+
+Minor Analysis Improvements
+~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added flow source models for :code:`scanf_s` and related functions.
+*   Added a :code:`Call` column to :code:`LocalFlowSourceFunction::hasLocalFlowSource` and :code:`RemoteFlowSourceFunction::hasRemoteFlowSource`. The old predicates without a :code:`Call` column continue to be supported.
+
+C#
+""
+
+*   Full support for C# 14 / .NET 10. All new language features are now supported by the extractor. The QL library and data flow analysis now support the new C# 14 language constructs and include generated Models as Data (MaD) models for the .NET 10 runtime.
+*   C# 14: Added support for user-defined instance increment/decrement operators.
+
+Java/Kotlin
+"""""""""""
+
+*   Added LLM-generated source and sink models for :code:`org.apache.avro`.
+
+JavaScript/TypeScript
+"""""""""""""""""""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`js/clear-text-logging`) may find more correct results and fewer false positive results after these changes.
+
+Python
+""""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`py/clear-text-logging-sensitive-data`) may find more correct results and fewer false positive results after these changes.
+
+Swift
+"""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`swift/cleartext-logging`) may find more correct results and fewer false positive results after these changes.
+
+GitHub Actions
+""""""""""""""
+
+*   The GitHub Actions analysis now recognizes more Bash regex checks that restrict a value to alphanumeric characters, including regexes like :code:`^[0-9a-zA-Z]{40}([0-9a-zA-Z]{24})?$` which check for a SHA-1 or SHA-256 hash. This may reduce false positive results where command output is validated with grouped or optional alphanumeric patterns before being used.
+
+Rust
+""""
+
+*   The sensitive data heuristics used to identify code that handles passwords and private data have been improved. Most of the changes permit more variations of established patterns, thereby finding more sensitive data. Queries that use the sensitive data library (for example :code:`rust/cleartext-logging`) may find more correct results and fewer false positive results after these changes.
+
+Deprecated APIs
+~~~~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   The :code:`UsingAliasTypedefType` class has been deprecated. Use :code:`TypeAliasType` instead.
+
+New Features
+~~~~~~~~~~~~
+
+C/C++
+"""""
+
+*   Added a :code:`getOriginalTemplate` predicate to :code:`TemplateClass`, :code:`TemplateFunction`, :code:`TemplateVariable`, and :code:`AliasTemplateType`, which yields the class member template the template was generated from. The predicates only have results for templates that are members of class template instantiations.
+*   Added :code:`AliasTemplateType` and :code:`AliasTemplateInstantiationType` classes, representing C++ alias templates and their instantiations.
--- a/docs/codeql/codeql-overview/codeql-changelog/index.rst
+++ b/docs/codeql/codeql-overview/codeql-changelog/index.rst
@@ -11,6 +11,7 @@ A list of queries for each suite and language `is available here <https://docs.g
 .. toctree::
   :maxdepth: 1

+   codeql-cli-2.25.6
   codeql-cli-2.25.5
   codeql-cli-2.25.4
   codeql-cli-2.25.3
--- a/go/actions/test/action.yml
+++ b/go/actions/test/action.yml
@@ -4,7 +4,7 @@ inputs:
  go-test-version:
    description: Which Go version to use for running the tests
    required: false
-    default: "~1.26.0"
+    default: "~1.26.4"
  run-code-checks:
    description: Whether to run formatting, code and qhelp generation checks
    required: false
--- a/go/extractor/go.mod
+++ b/go/extractor/go.mod
@@ -2,14 +2,14 @@ module github.com/github/codeql-go/extractor

 go 1.26

-toolchain go1.26.0
+toolchain go1.26.4

 // when updating this, run
 //    bazel run @rules_go//go -- mod tidy
 // when adding or removing dependencies, run
 //    bazel mod tidy
 require (
-	golang.org/x/mod v0.36.0
+	golang.org/x/mod v0.37.0
 	golang.org/x/tools v0.45.0
 )

--- a/go/extractor/go.sum
+++ b/go/extractor/go.sum
@@ -6,8 +6,8 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
-golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
-golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
+golang.org/x/mod v0.37.0 h1:vF1DjpVEshcIqoEaauuHebaLk1O1forxjxBaVn884JQ=
+golang.org/x/mod v0.37.0/go.mod h1:m8S8VeM9r4dzDwjrKO0a1sZP3YjeMamRRlD+fmR2Q/0=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
--- a/go/ql/lib/change-notes/2026-06-01-non-returning-functions.md
+++ b/go/ql/lib/change-notes/2026-06-01-non-returning-functions.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* More logging functions are now recognized as not returning or panicking.
--- a/go/ql/lib/semmle/go/Concepts.qll
+++ b/go/ql/lib/semmle/go/Concepts.qll
@@ -413,17 +413,13 @@ private class ExternalLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
  }
 }

-/**
- * A call to an interface that looks like a logger. It is common to use a
- * locally-defined interface for logging to make it easy to changing logging
- * library.
- */
-private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
-  HeuristicLoggerCall() {
-    exists(Method m, string tp, string logFunctionPrefix, string name |
-      m = this.getTarget() and
-      m.hasQualifiedName(_, tp, name) and
-      m.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
+private class HeuristicLoggerFunction extends Method {
+  string logFunctionPrefix;
+
+  HeuristicLoggerFunction() {
+    exists(string tp, string name |
+      this.hasQualifiedName(_, tp, name) and
+      this.getReceiverBaseType().getUnderlyingType() instanceof InterfaceType
    |
      tp.regexpMatch(".*[lL]ogger") and
      logFunctionPrefix =
@@ -435,6 +431,19 @@ private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode
    )
  }

+  override predicate mayReturnNormally() { logFunctionPrefix != "Fatal" }
+
+  override predicate mustPanic() { logFunctionPrefix = "Panic" }
+}
+
+/**
+ * A call to an interface that looks like a logger. It is common to use a
+ * locally-defined interface for logging to make it easy to change logging
+ * library.
+ */
+private class HeuristicLoggerCall extends LoggerCall::Range, DataFlow::CallNode {
+  HeuristicLoggerCall() { this.getTarget() instanceof HeuristicLoggerFunction }
+
  override DataFlow::Node getAMessageComponent() { result = this.getASyntacticArgument() }
 }

--- a/go/ql/lib/semmle/go/frameworks/Glog.qll
+++ b/go/ql/lib/semmle/go/frameworks/Glog.qll
@@ -12,17 +12,37 @@ import go
 * forks.
 */
 module Glog {
+  /** Gets a package name for `glog` or `klog` (which is a fork). */
+  string packagePath() {
+    result =
+      package([
+          "github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog", "github.com/barakmich/glog"
+        ], "")
+  }
+
  private class GlogFunction extends Function {
    int firstPrintedArg;
+    string format;
+    string level;

    GlogFunction() {
-      exists(string pkg, string fn, string level |
-        pkg = package(["github.com/golang/glog", "gopkg.in/glog", "k8s.io/klog"], "") and
+      exists(string pkg, string context, int nContextArgs, string depth, int nDepthArgs, string fn |
+        pkg = packagePath() and
        level = ["Error", "Exit", "Fatal", "Info", "Warning"] and
        (
-          fn = level + ["", "f", "ln"] and firstPrintedArg = 0
+          context = "" and nContextArgs = 0
          or
-          fn = level + "Depth" and firstPrintedArg = 1
+          context = "Context" and nContextArgs = 1
+        ) and
+        (
+          depth = "" and nDepthArgs = 0
+          or
+          depth = "Depth" and nDepthArgs = 1
+        ) and
+        format = ["", "f", "ln"] and
+        (
+          fn = level + context + depth + format and
+          firstPrintedArg = nContextArgs + nDepthArgs
        )
      |
        this.hasQualifiedName(pkg, fn)
@@ -35,10 +55,15 @@ module Glog {
     * Gets the index of the first argument that may be output, including a format string if one is present.
     */
    int getFirstPrintedArg() { result = firstPrintedArg }
+
+    /** Holds if this function takes a format string. */
+    predicate formatter() { format = "f" }
+
+    override predicate mayReturnNormally() { level != "Fatal" and level != "Exit" }
  }

  private class StringFormatter extends StringOps::Formatting::Range instanceof GlogFunction {
-    StringFormatter() { this.getName().matches("%f") }
+    StringFormatter() { this.formatter() }

    override int getFormatStringIndex() { result = super.getFirstPrintedArg() }
  }
--- a/go/ql/lib/semmle/go/frameworks/Logrus.qll
+++ b/go/ql/lib/semmle/go/frameworks/Logrus.qll
@@ -28,6 +28,12 @@ module Logrus {
        this.(Method).hasQualifiedName(packagePath(), ["Entry", "Logger"], name)
      )
    }
+
+    override predicate mayReturnNormally() {
+      not exists(string level, string suffix | level = ["Fatal", "Panic"] |
+        this.getName() = level + suffix
+      )
+    }
  }

  private class StringFormatters extends StringOps::Formatting::Range instanceof LogFunction {
--- a/go/ql/lib/semmle/go/frameworks/Zap.qll
+++ b/go/ql/lib/semmle/go/frameworks/Zap.qll
@@ -47,7 +47,7 @@ module Zap {
  }

  /** A Zap logging function which always panics. */
-  private class FatalLogMethod extends Method {
+  private class FatalLogMethod extends ZapFunction {
    FatalLogMethod() {
      this.hasQualifiedName(packagePath(), "Logger", "Fatal")
      or
@@ -58,7 +58,7 @@ module Zap {
  }

  /** A Zap logging function which always panics. */
-  private class MustPanicLogMethod extends Method {
+  private class MustPanicLogMethod extends ZapFunction {
    MustPanicLogMethod() {
      this.hasQualifiedName(packagePath(), "Logger", "Panic")
      or
--- a/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll
+++ b/go/ql/lib/semmle/go/frameworks/stdlib/Log.qll
@@ -29,18 +29,37 @@ module Log {
  }

  private class LogFormatter extends StringOps::Formatting::Range instanceof LogFunction {
-    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf"] }
+    LogFormatter() { this.getName() = ["Fatalf", "Panicf", "Printf", "Panic", "Panicf", "Panicln"] }

    override int getFormatStringIndex() { result = 0 }
  }

  /** A fatal log function, which calls `os.Exit`. */
  private class FatalLogFunction extends Function {
-    FatalLogFunction() { this.hasQualifiedName("log", ["Fatal", "Fatalf", "Fatalln"]) }
+    FatalLogFunction() {
+      exists(string fn | fn = ["Fatal", "Fatalf", "Fatalln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }

    override predicate mayReturnNormally() { none() }
  }

+  /** A log function which must panic. */
+  private class PanicLogFunction extends Function {
+    PanicLogFunction() {
+      exists(string fn | fn = ["Panic", "Panicf", "Panicln"] |
+        this.hasQualifiedName("log", fn)
+        or
+        this.(Method).hasQualifiedName("log", "Logger", fn)
+      )
+    }
+
+    override predicate mustPanic() { any() }
+  }
+
  // These models are not implemented using Models-as-Data because they represent reverse flow.
  private class FunctionModels extends TaintTracking::FunctionModel {
    FunctionInput inp;
@@ -63,30 +82,6 @@ module Log {
    FunctionOutput outp;

    MethodModels() {
-      // signature: func (*Logger) Fatal(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatal") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Fatalln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Fatalln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panic(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panic") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicf(format string, v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicf") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
-      // signature: func (*Logger) Panicln(v ...interface{})
-      this.hasQualifiedName("log", "Logger", "Panicln") and
-      (inp.isParameter(_) and outp.isReceiver())
-      or
      // signature: func (*Logger) Print(v ...interface{})
      this.hasQualifiedName("log", "Logger", "Print") and
      (inp.isParameter(_) and outp.isReceiver())
--- a/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
+++ b/go/ql/src/experimental/CWE-525/WebCacheDeception.ql
@@ -1,4 +1,4 @@
-/*
+/**
 * @name Web Cache Deception
 * @description A caching system has been detected on the application and is vulnerable to web cache deception. By manipulating the URL it is possible to force the application to cache pages that are only accessible by an authenticated user. Once cached, these pages can be accessed by an unauthenticated user.
 * @kind problem
--- a/go/ql/test/experimental/CWE-090/LDAPInjection.go
+++ b/go/ql/test/experimental/CWE-090/LDAPInjection.go
@@ -54,31 +54,31 @@ func main() {}
 // bad is an example of a bad implementation
 func (ld *Ldap) bad(req *http.Request) {
 	// ...
-	untrusted := req.UserAgent()
+	untrusted := req.UserAgent() // $ Source
 	goldap.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	goldapv3.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	gopkgldapv2.NewSearchRequest(
-		untrusted, // BAD: untrusted dn
+		untrusted, // $ Alert // BAD: untrusted dn
 		goldap.ScopeWholeSubtree, goldap.NeverDerefAliases, 0, 0, false,
-		"(&(objectClass=organizationalPerson))"+untrusted, // BAD: untrusted filter
-		[]string{"dn", "cn", untrusted},                   // BAD: untrusted attribute
+		"(&(objectClass=organizationalPerson))"+untrusted, // $ Alert // BAD: untrusted filter
+		[]string{"dn", "cn", untrusted},                   // $ Alert // BAD: untrusted attribute
 		nil,
 	)
 	client := &ldapclient.LDAPClient{}
-	client.Authenticate(untrusted, "123456") // BAD: untrusted filter
-	client.GetGroupsOfUser(untrusted)        // BAD: untrusted filter
+	client.Authenticate(untrusted, "123456") // $ Alert // BAD: untrusted filter
+	client.GetGroupsOfUser(untrusted)        // $ Alert // BAD: untrusted filter
 	// ...
 }

--- a/go/ql/test/experimental/CWE-090/LDAPInjection.qlref
+++ b/go/ql/test/experimental/CWE-090/LDAPInjection.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-090/LDAPInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-203/Timing.qlref
+++ b/go/ql/test/experimental/CWE-203/Timing.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-203/Timing.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-203/timing.go
+++ b/go/ql/test/experimental/CWE-203/timing.go
@@ -12,9 +12,9 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"

-	headerSecret := req.Header.Get(secretHeader)
+	headerSecret := req.Header.Get(secretHeader) // $ Source
 	secretStr := string(secret)
-	if len(headerSecret) != 0 && headerSecret != secretStr {
+	if len(headerSecret) != 0 && headerSecret != secretStr { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil
@@ -25,9 +25,9 @@ func bad2(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"

-	headerSecret := req.Header.Get(secretHeader)
+	headerSecret := req.Header.Get(secretHeader) // $ Source
 	secretStr := string(secret)
-	if len(headerSecret) != 0 && strings.Compare(headerSecret, secretStr) != 0 {
+	if len(headerSecret) != 0 && strings.Compare(headerSecret, secretStr) != 0 { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil
@@ -38,8 +38,8 @@ func bad4(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	secret := "MySuperSecretPasscode"
 	secretHeader := "X-Secret"

-	headerSecret := req.Header.Get(secretHeader)
-	if len(secret) != 0 && headerSecret != "SecretStringLiteral" {
+	headerSecret := req.Header.Get(secretHeader)                   // $ Source
+	if len(secret) != 0 && headerSecret != "SecretStringLiteral" { // $ Alert
 		return nil, fmt.Errorf("header %s=%s did not match expected secret", secretHeader, headerSecret)
 	}
 	return nil, nil
--- a/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref
+++ b/go/ql/test/experimental/CWE-285/PamAuthBypass.qlref
@@ -1 +1,2 @@
-experimental/CWE-285/PamAuthBypass.ql
+query: experimental/CWE-285/PamAuthBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-285/main.go
+++ b/go/ql/test/experimental/CWE-285/main.go
@@ -9,7 +9,7 @@ import (
 func bad() error {
 	t, _ := pam.StartFunc("", "", func(s pam.Style, msg string) (string, error) {
 		return "", nil
-	})
+	}) // $ Alert
 	return t.Authenticate(0)

 }
--- a/go/ql/test/experimental/CWE-287/ImproperLdapAuth.go
+++ b/go/ql/test/experimental/CWE-287/ImproperLdapAuth.go
@@ -15,7 +15,7 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	ldapServer := "ldap.example.com"
 	ldapPort := 389
 	bindDN := "cn=admin,dc=example,dc=com"
-	bindPassword := req.URL.Query()["password"][0]
+	bindPassword := req.URL.Query()["password"][0] // $ Source

 	// Connect to the LDAP server
 	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
@@ -25,7 +25,7 @@ func bad(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	defer l.Close()

 	// BAD: user input is not sanetized
-	err = l.Bind(bindDN, bindPassword)
+	err = l.Bind(bindDN, bindPassword) // $ Alert
 	if err != nil {
 		return fmt.Errorf("LDAP bind failed: %v", err), err
 	}
@@ -84,7 +84,7 @@ func bad2(req *http.Request) {
 	ldapPort := 389
 	bindDN := "cn=admin,dc=example,dc=com"
 	// BAD : empty password
-	bindPassword := ""
+	bindPassword := "" // $ Source

 	// Connect to the LDAP server
 	l, err := ldap.Dial("tcp", fmt.Sprintf("%s:%d", ldapServer, ldapPort))
@@ -94,7 +94,7 @@ func bad2(req *http.Request) {
 	defer l.Close()

 	// BAD : bindPassword is empty
-	err = l.Bind(bindDN, bindPassword)
+	err = l.Bind(bindDN, bindPassword) // $ Alert
 	if err != nil {
 		log.Fatalf("LDAP bind failed: %v", err)
 	}
--- a/go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref
+++ b/go/ql/test/experimental/CWE-287/ImproperLdapAuth.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-287/ImproperLdapAuth.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected
+++ b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.expected
@@ -1,3 +1,6 @@
+#select
+| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:24:32:24:37 | JwtKey | This  $@. | go-jose.v3.go:13:21:13:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
+| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This  $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |
 edges
 | go-jose.v3.go:13:14:13:34 | type conversion | go-jose.v3.go:24:32:24:37 | JwtKey | provenance |  |
 | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:13:14:13:34 | type conversion | provenance |  |
@@ -11,6 +14,3 @@ nodes
 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | semmle.label | "AllYourBase" |
 | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | semmle.label | JwtKey1 |
 subpaths
-#select
-| go-jose.v3.go:24:32:24:37 | JwtKey | go-jose.v3.go:13:21:13:33 | "AllYourBase" | go-jose.v3.go:24:32:24:37 | JwtKey | This  $@. | go-jose.v3.go:13:21:13:33 | "AllYourBase" | Constant Key is used as JWT Secret key |
-| golang-jwt-v5.go:27:9:27:15 | JwtKey1 | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | golang-jwt-v5.go:27:9:27:15 | JwtKey1 | This  $@. | golang-jwt-v5.go:19:22:19:34 | "AllYourBase" | Constant Key is used as JWT Secret key |
--- a/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref
+++ b/go/ql/test/experimental/CWE-321-V2/HardCodedKeys.qlref
@@ -1 +1,2 @@
-experimental/CWE-321-V2/HardCodedKeys.ql
+query: experimental/CWE-321-V2/HardCodedKeys.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go
+++ b/go/ql/test/experimental/CWE-321-V2/go-jose.v3.go
@@ -10,7 +10,7 @@ import (
 )

 // NOT OK
-var JwtKey = []byte("AllYourBase")
+var JwtKey = []byte("AllYourBase") // $ Source

 func main2(r *http.Request) {
 	signedToken := r.URL.Query().Get("signedToken")
@@ -21,7 +21,7 @@ func verifyJWT(signedToken string) {
 	fmt.Println("verifying JWT")
 	DecodedToken, _ := jwt.ParseSigned(signedToken)
 	out := CustomerInfo{}
-	if err := DecodedToken.Claims(JwtKey, &out); err != nil {
+	if err := DecodedToken.Claims(JwtKey, &out); err != nil { // $ Alert
 		panic(err)
 	}
 	fmt.Printf("%v\n", out)
--- a/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go
+++ b/go/ql/test/experimental/CWE-321-V2/golang-jwt-v5.go
@@ -16,7 +16,7 @@ type CustomerInfo struct {
 }

 // BAD constant key
-var JwtKey1 = []byte("AllYourBase")
+var JwtKey1 = []byte("AllYourBase") // $ Source

 func main1(r *http.Request) {
 	signedToken := r.URL.Query().Get("signedToken")
@@ -24,7 +24,7 @@ func main1(r *http.Request) {
 }

 func LoadJwtKey(token *jwt.Token) (interface{}, error) {
-	return JwtKey1, nil
+	return JwtKey1, nil // $ Alert
 }

 func verifyJWT_golangjwt(signedToken string) {
--- a/go/ql/test/experimental/CWE-369/DivideByZero.go
+++ b/go/ql/test/experimental/CWE-369/DivideByZero.go
@@ -7,37 +7,37 @@ import (
 )

 func myHandler1(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value, _ := strconv.Atoi(param1)
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }

 func myHandler2(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value := int(param1[0])
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }

 func myHandler3(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value, _ := strconv.ParseInt(param1, 10, 64)
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }

 func myHandler4(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value, _ := strconv.ParseFloat(param1, 32)
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }

 func myHandler5(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value, _ := strconv.ParseUint(param1, 10, 64)
-	out := 1337 / value
+	out := 1337 / value // $ Alert
 	fmt.Println(out)
 }

@@ -51,10 +51,10 @@ func myHandler6(w http.ResponseWriter, r *http.Request) {
 }

 func myHandler7(w http.ResponseWriter, r *http.Request) {
-	param1 := r.URL.Query()["param1"][0]
+	param1 := r.URL.Query()["param1"][0] // $ Source
 	value := int(param1[0])
 	if value >= 0 {
-		out := 1337 / value
+		out := 1337 / value // $ Alert
 		fmt.Println(out)
 	}
 }
--- a/go/ql/test/experimental/CWE-369/DivideByZero.qlref
+++ b/go/ql/test/experimental/CWE-369/DivideByZero.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-369/DivideByZero.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.expected
@@ -1,3 +1,7 @@
+#select
+| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | This calls call to First in a $@. | DatabaseCallInLoop.go:7:2:11:2 | range statement | loop |
+| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:20:2:22:2 | for statement | loop |
+| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:24:2:26:2 | for statement | loop |
 edges
 | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First |
 | test.go:10:1:12:1 | function declaration | test.go:11:2:11:13 | call to Take |
@@ -7,7 +11,3 @@ edges
 | test.go:21:3:21:14 | call to runQuery | test.go:10:1:12:1 | function declaration |
 | test.go:24:2:26:2 | for statement | test.go:25:3:25:17 | call to runRunQuery |
 | test.go:25:3:25:17 | call to runRunQuery | test.go:14:1:16:1 | function declaration |
-#select
-| DatabaseCallInLoop.go:9:3:9:41 | call to First | DatabaseCallInLoop.go:7:2:11:2 | range statement | DatabaseCallInLoop.go:9:3:9:41 | call to First | This calls call to First in a $@. | DatabaseCallInLoop.go:7:2:11:2 | range statement | loop |
-| test.go:11:2:11:13 | call to Take | test.go:20:2:22:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:20:2:22:2 | for statement | loop |
-| test.go:11:2:11:13 | call to Take | test.go:24:2:26:2 | for statement | test.go:11:2:11:13 | call to Take | This calls call to Take in a $@. | test.go:24:2:26:2 | for statement | loop |
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.go
@@ -6,8 +6,8 @@ func getUsers(db *gorm.DB, names []string) []User {
 	res := make([]User, 0, len(names))
 	for _, name := range names {
 		var user User
-		db.Where("name = ?", name).First(&user)
+		db.Where("name = ?", name).First(&user) // $ Alert
 		res = append(res, user)
-	}
+	} // $ Source
 	return res
 }
--- a/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref
+++ b/go/ql/test/experimental/CWE-400/DatabaseCallInLoop.qlref
@@ -1 +1,2 @@
-experimental/CWE-400/DatabaseCallInLoop.ql
+query: experimental/CWE-400/DatabaseCallInLoop.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-400/test.go
+++ b/go/ql/test/experimental/CWE-400/test.go
@@ -8,7 +8,7 @@ type User struct {
 }

 func runQuery(db *gorm.DB) {
-	db.Take(nil)
+	db.Take(nil) // $ Alert
 }

 func runRunQuery(db *gorm.DB) {
@@ -19,9 +19,9 @@ func main() {
 	var db *gorm.DB
 	for i := 0; i < 10; i++ {
 		runQuery(db)
-	}
+	} // $ Source

 	for i := 10; i > 0; i-- {
 		runRunQuery(db)
-	}
+	} // $ Source
 }
--- a/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref
+++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/DecompressionBombs.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-522-DecompressionBombs/DecompressionBombs.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-522-DecompressionBombs/test.go
+++ b/go/ql/test/experimental/CWE-522-DecompressionBombs/test.go
@@ -56,41 +56,41 @@ func main() {
 func DecompressHandler(w http.ResponseWriter, request *http.Request) {
 	GZipOpenReaderSafe(request.PostFormValue("test"))
 	ZipOpenReaderSafe(request.PostFormValue("test"))
-	ZipOpenReader(request.FormValue("filepath"))
-	ZipNewReader(request.Body)
-	ZipNewReaderKlauspost(request.Body)
-	Bzip2Dsnet(request.Body)
+	ZipOpenReader(request.FormValue("filepath")) // $ Source
+	ZipNewReader(request.Body)                   // $ Source
+	ZipNewReaderKlauspost(request.Body)          // $ Source
+	Bzip2Dsnet(request.Body)                     // $ Source
 	Bzip2DsnetSafe(request.Body)
-	Bzip2(request.Body)
+	Bzip2(request.Body) // $ Source
 	Bzip2Safe(request.Body)
-	Flate(request.Body)
+	Flate(request.Body) // $ Source
 	FlateSafe(request.Body)
-	FlateKlauspost(request.Body)
+	FlateKlauspost(request.Body) // $ Source
 	FlateKlauspostSafe(request.Body)
-	FlateDsnet(request.Body)
+	FlateDsnet(request.Body) // $ Source
 	FlateDsnetSafe(request.Body)
-	ZlibKlauspost(request.Body)
+	ZlibKlauspost(request.Body) // $ Source
 	ZlibKlauspostSafe(request.Body)
-	Zlib(request.Body)
+	Zlib(request.Body) // $ Source
 	ZlibSafe(request.Body)
-	Snappy(request.Body)
+	Snappy(request.Body) // $ Source
 	SnappySafe(request.Body)
-	SnappyKlauspost(request.Body)
+	SnappyKlauspost(request.Body) // $ Source
 	SnappyKlauspostSafe(request.Body)
-	S2(request.Body)
+	S2(request.Body) // $ Source
 	S2Safe(request.Body)
-	Gzip(request.Body)
+	Gzip(request.Body) // $ Source
 	GzipSafe(request.Body)
-	GZipIoReader(request.Body, "dest")
-	GzipKlauspost(request.Body)
+	GZipIoReader(request.Body, "dest") // $ Source
+	GzipKlauspost(request.Body)        // $ Source
 	GzipKlauspostSafe(request.Body)
-	PzipKlauspost(request.Body)
+	PzipKlauspost(request.Body) // $ Source
 	PzipKlauspostSafe(request.Body)
-	Zstd_Klauspost(request.Body)
+	Zstd_Klauspost(request.Body) // $ Source
 	Zstd_KlauspostSafe(request.Body)
-	Zstd_DataDog(request.Body)
+	Zstd_DataDog(request.Body) // $ Source
 	Zstd_DataDogSafe(request.Body)
-	Xz(request.Body)
+	Xz(request.Body) // $ Source
 	XzSafe(request.Body)
 }

@@ -131,7 +131,7 @@ func ZipOpenReader(filename string) {
 	for _, f := range zipReader.File {
 		rc, _ := f.Open()
 		for {
-			result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc"
+			result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc" Alert
 			if result == 0 {
 				_ = rc.Close()
 				break
@@ -144,7 +144,7 @@ func ZipOpenReader(filename string) {
 	for _, f := range zipKlauspostReader.File {
 		rc, _ := f.Open()
 		for {
-			result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc"
+			result, _ := io.CopyN(os.Stdout, rc, 68) // $ hasValueFlow="rc" Alert
 			if result == 0 {
 				_ = rc.Close()
 				break
@@ -161,7 +161,7 @@ func ZipNewReader(file io.Reader) {
 	for _, file := range zipReader.File {
 		fileWriter := bytes.NewBuffer([]byte{})
 		fileReaderCloser, _ := file.Open()
-		result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser"
+		result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser" Alert
 		fmt.Print(result)
 	}
 }
@@ -173,7 +173,7 @@ func ZipNewReaderKlauspost(file io.Reader) {
 		fileWriter := bytes.NewBuffer([]byte{})
 		// file.OpenRaw()
 		fileReaderCloser, _ := file.Open()
-		result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser"
+		result, _ := io.Copy(fileWriter, fileReaderCloser) // $ hasValueFlow="fileReaderCloser" Alert
 		fmt.Print(result)
 	}
 }
@@ -183,7 +183,7 @@ func Bzip2Dsnet(file io.Reader) {

 	bzip2Reader, _ := bzip2Dsnet.NewReader(file, &bzip2Dsnet.ReaderConfig{})
 	var out []byte = make([]byte, 70)
-	bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader"
+	bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader" Alert
 	tarRead = tar.NewReader(bzip2Reader)

 	TarDecompressor(tarRead)
@@ -210,7 +210,7 @@ func Bzip2(file io.Reader) {

 	bzip2Reader := bzip2.NewReader(file)
 	var out []byte = make([]byte, 70)
-	bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader"
+	bzip2Reader.Read(out) // $ hasValueFlow="bzip2Reader" Alert
 	tarRead = tar.NewReader(bzip2Reader)

 	TarDecompressor(tarRead)
@@ -235,7 +235,7 @@ func Flate(file io.Reader) {

 	flateReader := flate.NewReader(file)
 	var out []byte = make([]byte, 70)
-	flateReader.Read(out) // $ hasValueFlow="flateReader"
+	flateReader.Read(out) // $ hasValueFlow="flateReader" Alert
 	tarRead = tar.NewReader(flateReader)

 	TarDecompressor(tarRead)
@@ -260,7 +260,7 @@ func FlateKlauspost(file io.Reader) {

 	flateReader := flateKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	flateReader.Read(out) // $ hasValueFlow="flateReader"
+	flateReader.Read(out) // $ hasValueFlow="flateReader" Alert
 	tarRead = tar.NewReader(flateReader)

 	TarDecompressor(tarRead)
@@ -285,7 +285,7 @@ func FlateDsnet(file io.Reader) {

 	flateReader, _ := flateDsnet.NewReader(file, &flateDsnet.ReaderConfig{})
 	var out []byte = make([]byte, 70)
-	flateReader.Read(out) // $ hasValueFlow="flateReader"
+	flateReader.Read(out) // $ hasValueFlow="flateReader" Alert
 	tarRead = tar.NewReader(flateReader)

 	TarDecompressor(tarRead)
@@ -310,7 +310,7 @@ func ZlibKlauspost(file io.Reader) {

 	zlibReader, _ := zlibKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	zlibReader.Read(out) // $ hasValueFlow="zlibReader"
+	zlibReader.Read(out) // $ hasValueFlow="zlibReader" Alert
 	tarRead = tar.NewReader(zlibReader)

 	TarDecompressor(tarRead)
@@ -335,7 +335,7 @@ func Zlib(file io.Reader) {

 	zlibReader, _ := zlib.NewReader(file)
 	var out []byte = make([]byte, 70)
-	zlibReader.Read(out) // $ hasValueFlow="zlibReader"
+	zlibReader.Read(out) // $ hasValueFlow="zlibReader" Alert
 	tarRead = tar.NewReader(zlibReader)

 	TarDecompressor(tarRead)
@@ -360,8 +360,8 @@ func Snappy(file io.Reader) {

 	snappyReader := snappy.NewReader(file)
 	var out []byte = make([]byte, 70)
-	snappyReader.Read(out)  // $ hasValueFlow="snappyReader"
-	snappyReader.ReadByte() // $ hasValueFlow="snappyReader"
+	snappyReader.Read(out)  // $ hasValueFlow="snappyReader" Alert
+	snappyReader.ReadByte() // $ hasValueFlow="snappyReader" Alert
 	tarRead = tar.NewReader(snappyReader)

 	TarDecompressor(tarRead)
@@ -386,10 +386,10 @@ func SnappyKlauspost(file io.Reader) {

 	snappyReader := snappyKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	snappyReader.Read(out) // $ hasValueFlow="snappyReader"
+	snappyReader.Read(out) // $ hasValueFlow="snappyReader" Alert
 	var buf bytes.Buffer
-	snappyReader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="snappyReader"
-	snappyReader.ReadByte()                // $ hasValueFlow="snappyReader"
+	snappyReader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="snappyReader" Alert
+	snappyReader.ReadByte()                // $ hasValueFlow="snappyReader" Alert
 	tarRead = tar.NewReader(snappyReader)

 	TarDecompressor(tarRead)
@@ -414,10 +414,10 @@ func S2(file io.Reader) {

 	s2Reader := s2.NewReader(file)
 	var out []byte = make([]byte, 70)
-	s2Reader.Read(out)  // $ hasValueFlow="s2Reader"
-	s2Reader.ReadByte() // $ hasValueFlow="s2Reader"
+	s2Reader.Read(out)  // $ hasValueFlow="s2Reader" Alert
+	s2Reader.ReadByte() // $ hasValueFlow="s2Reader" Alert
 	var buf bytes.Buffer
-	s2Reader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="s2Reader"
+	s2Reader.DecodeConcurrent(&buf, 2) // $ hasValueFlow="s2Reader" Alert
 	tarRead = tar.NewReader(s2Reader)

 	TarDecompressor(tarRead)
@@ -442,14 +442,14 @@ func GZipIoReader(src io.Reader, dst string) {
 	dstF, _ := os.OpenFile(dst, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755)
 	defer dstF.Close()
 	newSrc := io.Reader(gzipReader)
-	_, _ = io.Copy(dstF, newSrc) // $ hasValueFlow="newSrc"
+	_, _ = io.Copy(dstF, newSrc) // $ hasValueFlow="newSrc" Alert
 }
 func Gzip(file io.Reader) {
 	var tarRead *tar.Reader

 	gzipReader, _ := gzip.NewReader(file)
 	var out []byte = make([]byte, 70)
-	gzipReader.Read(out) // $ hasValueFlow="gzipReader"
+	gzipReader.Read(out) // $ hasValueFlow="gzipReader" Alert
 	tarRead = tar.NewReader(gzipReader)

 	TarDecompressor(tarRead)
@@ -474,9 +474,9 @@ func GzipKlauspost(file io.Reader) {

 	gzipReader, _ := gzipKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	gzipReader.Read(out) // $ hasValueFlow="gzipReader"
+	gzipReader.Read(out) // $ hasValueFlow="gzipReader" Alert
 	var buf bytes.Buffer
-	gzipReader.WriteTo(&buf) // $ hasValueFlow="gzipReader"
+	gzipReader.WriteTo(&buf) // $ hasValueFlow="gzipReader" Alert
 	tarRead = tar.NewReader(gzipReader)

 	TarDecompressor(tarRead)
@@ -501,9 +501,9 @@ func PzipKlauspost(file io.Reader) {

 	pgzipReader, _ := pgzipKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	pgzipReader.Read(out) // $ hasValueFlow="pgzipReader"
+	pgzipReader.Read(out) // $ hasValueFlow="pgzipReader" Alert
 	var buf bytes.Buffer
-	pgzipReader.WriteTo(&buf) // $ hasValueFlow="pgzipReader"
+	pgzipReader.WriteTo(&buf) // $ hasValueFlow="pgzipReader" Alert
 	tarRead = tar.NewReader(pgzipReader)

 	TarDecompressor(tarRead)
@@ -528,11 +528,11 @@ func Zstd_Klauspost(file io.Reader) {

 	zstdReader, _ := zstdKlauspost.NewReader(file)
 	var out []byte = make([]byte, 70)
-	zstdReader.Read(out) // $ hasValueFlow="zstdReader"
+	zstdReader.Read(out) // $ hasValueFlow="zstdReader" Alert
 	var buf bytes.Buffer
-	zstdReader.WriteTo(&buf) // $ hasValueFlow="zstdReader"
+	zstdReader.WriteTo(&buf) // $ hasValueFlow="zstdReader" Alert
 	var src []byte
-	zstdReader.DecodeAll(src, nil) // $ hasValueFlow="zstdReader"
+	zstdReader.DecodeAll(src, nil) // $ hasValueFlow="zstdReader" Alert
 	tarRead = tar.NewReader(zstdReader)

 	TarDecompressor(tarRead)
@@ -557,7 +557,7 @@ func Zstd_DataDog(file io.Reader) {

 	zstdReader := zstdDataDog.NewReader(file)
 	var out []byte = make([]byte, 70)
-	zstdReader.Read(out) // $ hasValueFlow="zstdReader"
+	zstdReader.Read(out) // $ hasValueFlow="zstdReader" Alert
 	tarRead = tar.NewReader(zstdReader)

 	TarDecompressor(tarRead)
@@ -582,7 +582,7 @@ func Xz(file io.Reader) {

 	xzReader, _ := xz.NewReader(file)
 	var out []byte = make([]byte, 70)
-	xzReader.Read(out) // $ hasValueFlow="xzReader"
+	xzReader.Read(out) // $ hasValueFlow="xzReader" Alert
 	tarRead = tar.NewReader(xzReader)
 	fmt.Println(io.SeekStart)

@@ -618,7 +618,7 @@ func TarDecompressor(tarRead *tar.Reader) {
 		if cur.Typeflag != tar.TypeReg {
 			continue
 		}
-		data, _ := io.ReadAll(tarRead) // $ hasValueFlow="tarRead"
+		data, _ := io.ReadAll(tarRead) // $ hasValueFlow="tarRead" Alert
 		files[cur.Name] = &fstest.MapFile{Data: data}
 	}
 	fmt.Print(files)
@@ -626,7 +626,7 @@ func TarDecompressor(tarRead *tar.Reader) {

 func TarDecompressor2(tarRead *tar.Reader) {
 	var tarOut []byte = make([]byte, 70)
-	tarRead.Read(tarOut) // $ hasValueFlow="tarRead"
+	tarRead.Read(tarOut) // $ hasValueFlow="tarRead" Alert
 	fmt.Println("do sth with output:", tarOut)
 }

--- a/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeception.qlref
@@ -1 +1,2 @@
-experimental/CWE-525/WebCacheDeception.ql
+query: experimental/CWE-525/WebCacheDeception.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionBad.go
@@ -79,7 +79,7 @@ func badRoutingNet() {

 	http.Handle("/assets/", http.StripPrefix("/assets/", http.FileServer(http.Dir("assets/"))))

-	http.HandleFunc("/adminusers/", ShowAdminPageCache)
+	http.HandleFunc("/adminusers/", ShowAdminPageCache) // $ Alert
 	err := http.ListenAndServe(":1337", nil)
 	if err != nil {
 		log.Fatal("ListenAndServe: ", err)
--- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionFiber.go
@@ -12,12 +12,12 @@ func badRouting() {
 	log.Println("We are logging in Golang!")

 	// GET /api/register
-	app.Get("/api/*", func(c *fiber.Ctx) error {
+	app.Get("/api/*", func(c *fiber.Ctx) error { // $ Alert
 		msg := fmt.Sprintf("✋")
 		return c.SendString(msg) // => ✋ register
 	})

-	app.Post("/api/*", func(c *fiber.Ctx) error {
+	app.Post("/api/*", func(c *fiber.Ctx) error { // $ Alert
 		msg := fmt.Sprintf("✋")
 		return c.SendString(msg) // => ✋ register
 	})
--- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionGoChi.go
@@ -10,7 +10,7 @@ import (
 func badRoutingChi() {
 	r := chi.NewRouter()
 	r.Use(middleware.Logger)
-	r.Get("/*", func(w http.ResponseWriter, r *http.Request) {
+	r.Get("/*", func(w http.ResponseWriter, r *http.Request) { // $ Alert
 		w.Write([]byte("welcome"))
 	})
 	http.ListenAndServe(":3000", r)
--- a/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go
+++ b/go/ql/test/experimental/CWE-525/WebCacheDeceptionHTTPRouter.go
@@ -18,7 +18,7 @@ func Hello(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {

 func badHTTPRouter() {
 	router := httprouter.New()
-	router.GET("/test/*test", Index)
+	router.GET("/test/*test", Index) // $ Alert
 	router.GET("/hello/:name", Hello)

 	log.Fatal(http.ListenAndServe(":8082", router))
--- a/go/ql/test/experimental/CWE-74/Dsn.go
+++ b/go/ql/test/experimental/CWE-74/Dsn.go
@@ -23,10 +23,10 @@ func good() (interface{}, error) {
 }

 func bad() interface{} {
-	name2 := os.Args[1:]
+	name2 := os.Args[1:] // $ Source[go/dsn-injection-local]
 	// This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
 	dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, name2[0])
-	db, _ := sql.Open("mysql", dbDSN)
+	db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection-local]
 	return db
 }

@@ -44,10 +44,10 @@ func good2(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 }

 func bad2(w http.ResponseWriter, req *http.Request) interface{} {
-	name := req.FormValue("name")
+	name := req.FormValue("name") // $ Source[go/dsn-injection]
 	// This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
 	dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, name)
-	db, _ := sql.Open("mysql", dbDSN)
+	db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection]
 	return db
 }

@@ -60,12 +60,12 @@ func (Config) Parse([]string) error { return nil }

 func RegexFuncModelTest(w http.ResponseWriter, req *http.Request) (interface{}, error) {
 	cfg := NewConfig()
-	err := cfg.Parse(os.Args[1:]) // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
+	err := cfg.Parse(os.Args[1:]) // $ Source[go/dsn-injection-local] // This is bad. `name` can be something like `test?allowAllFiles=true&` which will allow an attacker to access local files.
 	if err != nil {
 		return nil, err
 	}
 	dbDSN := fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?charset=utf8", "username", "password", "127.0.0.1", 3306, cfg.dsn)
-	db, _ := sql.Open("mysql", dbDSN)
+	db, _ := sql.Open("mysql", dbDSN) // $ Alert[go/dsn-injection-local]
 	return db, nil
 }

--- a/go/ql/test/experimental/CWE-74/DsnInjection.qlref
+++ b/go/ql/test/experimental/CWE-74/DsnInjection.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-74/DsnInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-74/DsnInjectionLocal.qlref
+++ b/go/ql/test/experimental/CWE-74/DsnInjectionLocal.qlref
@@ -1,2 +1,4 @@
 query: experimental/CWE-74/DsnInjectionLocal.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref
+++ b/go/ql/test/experimental/CWE-807/SensitiveConditionBypass.qlref
@@ -1 +1,2 @@
-experimental/CWE-807/SensitiveConditionBypass.ql
+query: experimental/CWE-807/SensitiveConditionBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-807/SensitiveConditionBypassBad.go
+++ b/go/ql/test/experimental/CWE-807/SensitiveConditionBypassBad.go
@@ -4,7 +4,7 @@ import "net/http"

 func example(w http.ResponseWriter, r *http.Request) {
 	test2 := "test"
-	if r.Header.Get("X-Password") != test2 {
+	if r.Header.Get("X-Password") != test2 { // $ Alert
 		login()
 	}
 }
--- a/go/ql/test/experimental/CWE-807/condition.go
+++ b/go/ql/test/experimental/CWE-807/condition.go
@@ -13,7 +13,7 @@ const test = "localhost"

 // Should alert as authkey is sensitive
 func ex1(w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get("Origin") != test {
+	if r.Header.Get("Origin") != test { // $ Alert
 		authkey := "randomDatta"
 		io.WriteString(w, authkey)
 	}
@@ -22,7 +22,7 @@ func ex1(w http.ResponseWriter, r *http.Request) {
 // Should alert as authkey is sensitive
 func ex2(w http.ResponseWriter, r *http.Request) {
 	test2 := "test"
-	if r.Header.Get("Origin") != test2 {
+	if r.Header.Get("Origin") != test2 { // $ Alert
 		authkey := "randomDatta2"
 		io.WriteString(w, authkey)
 	}
@@ -31,7 +31,7 @@ func ex2(w http.ResponseWriter, r *http.Request) {
 // Should alert as login() is sensitive
 func ex3(w http.ResponseWriter, r *http.Request) {
 	test2 := "test"
-	if r.Header.Get("Origin") != test2 {
+	if r.Header.Get("Origin") != test2 { // $ Alert
 		login()
 	}
 }
--- a/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref
+++ b/go/ql/test/experimental/CWE-840/ConditionalBypass.qlref
@@ -1 +1,2 @@
-experimental/CWE-840/ConditionalBypass.ql
+query: experimental/CWE-840/ConditionalBypass.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/CWE-840/ConditionalBypassBad.go
+++ b/go/ql/test/experimental/CWE-840/ConditionalBypassBad.go
@@ -6,7 +6,7 @@ import (

 func exampleHandlerBad(w http.ResponseWriter, r *http.Request) {
 	// BAD: the Origin and Host headers are user controlled
-	if r.Header.Get("Origin") != "http://"+r.Host {
+	if r.Header.Get("Origin") != "http://"+r.Host { // $ Alert
 		//do something
 	}
 }
--- a/go/ql/test/experimental/CWE-840/condition.go
+++ b/go/ql/test/experimental/CWE-840/condition.go
@@ -6,14 +6,14 @@ import (

 // BAD: taken from https://www.gorillatoolkit.org/pkg/websocket
 func ex1(w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get("Origin") != "http://"+r.Host {
+	if r.Header.Get("Origin") != "http://"+r.Host { // $ Alert
 		//do something
 	}
 }

 // BAD: both operands are from remote sources
 func ex2(w http.ResponseWriter, r *http.Request) {
-	if r.Header.Get("Origin") != "http://"+r.Header.Get("Header") {
+	if r.Header.Get("Origin") != "http://"+r.Header.Get("Header") { // $ Alert
 		//do something
 	}
 }
--- a/go/ql/test/experimental/InconsistentCode/DeferInLoop.go
+++ b/go/ql/test/experimental/InconsistentCode/DeferInLoop.go
@@ -5,7 +5,7 @@ import "os"
 func openFiles(filenames []string) {
 	for _, filename := range filenames {
 		file, err := os.Open(filename)
-		defer file.Close()
+		defer file.Close() // $ Alert[go/examples/deferinloop]
 		if err != nil {
 			// handle error
 		}
--- a/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref
+++ b/go/ql/test/experimental/InconsistentCode/DeferInLoop.qlref
@@ -1 +1,2 @@
-experimental/InconsistentCode/DeferInLoop.ql
+query: experimental/InconsistentCode/DeferInLoop.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.go
+++ b/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.go
@@ -4,6 +4,6 @@ import "gorm.io/gorm"

 func getUserId(db *gorm.DB, name string) int64 {
 	var user User
-	db.Where("name = ?", name).First(&user)
+	db.Where("name = ?", name).First(&user) // $ Alert[go/examples/gorm-error-not-checked]
 	return user.Id
 }
--- a/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref
+++ b/go/ql/test/experimental/InconsistentCode/GORMErrorNotChecked.qlref
@@ -1 +1,2 @@
-experimental/InconsistentCode/GORMErrorNotChecked.ql
+query: experimental/InconsistentCode/GORMErrorNotChecked.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/experimental/InconsistentCode/test.go
+++ b/go/ql/test/experimental/InconsistentCode/test.go
@@ -3,24 +3,24 @@ package main
 func test() {
 	var xs []int
 	for _ = range xs {
-		defer test() // not ok
+		defer test() // $ Alert[go/examples/deferinloop] // not ok
 	}

 	for _ = range xs {
 		if true {
-			defer test() // not ok
+			defer test() // $ Alert[go/examples/deferinloop] // not ok
 		}
 	}

 	for i := 0; i < 10; i++ {
-		defer test()
+		defer test() // $ Alert[go/examples/deferinloop]
 	}

 	for true {
-		defer test() // not ok
+		defer test() // $ Alert[go/examples/deferinloop] // not ok
 	}

 	for false {
-		defer test() // fine but caught
+		defer test() // $ Alert[go/examples/deferinloop] // fine but caught
 	}
 }
--- a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected
+++ b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.expected
@@ -1,3 +1,15 @@
+#select
+| WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | $@. | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | Dangerous array type casting to [8]uint8 from an index expression ([8]uint8)[2] (the destination type is 2 elements longer) |
+| WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | $@. | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | Dangerous array type casting to [17]uint8 from an index expression ([8]uint8)[0] (the destination type is 9 elements longer) |
+| WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | $@. | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | $@. | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | $@. | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | Dangerous array type casting to [17]string from [8]string |
+| WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | $@. | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | Dangerous type up-casting to [17]uint8 from struct type |
+| WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | $@. | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | $@. | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
+| WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | $@. | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | Dangerous array type casting to [4]int64 from [1]int64 |
+| WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | $@. | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | Dangerous numeric type casting to int64 from int8 |
+| WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | $@. | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | Dangerous numeric type casting to int from int8 |
 edges
 | WrongUsageOfUnsafe.go:17:24:17:48 | type conversion | WrongUsageOfUnsafe.go:17:13:17:49 | type conversion | provenance |  |
 | WrongUsageOfUnsafe.go:34:24:34:51 | type conversion | WrongUsageOfUnsafe.go:34:13:34:52 | type conversion | provenance |  |
@@ -48,15 +60,3 @@ nodes
 | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | semmle.label | type conversion |
 | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | semmle.label | type conversion |
 subpaths
-#select
-| WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | WrongUsageOfUnsafe.go:77:16:77:55 | type conversion | $@. | WrongUsageOfUnsafe.go:77:27:77:54 | type conversion | Dangerous array type casting to [8]uint8 from an index expression ([8]uint8)[2] (the destination type is 2 elements longer) |
-| WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | WrongUsageOfUnsafe.go:111:16:111:59 | type conversion | $@. | WrongUsageOfUnsafe.go:111:31:111:58 | type conversion | Dangerous array type casting to [17]uint8 from an index expression ([8]uint8)[0] (the destination type is 9 elements longer) |
-| WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | WrongUsageOfUnsafe.go:129:16:129:56 | type conversion | $@. | WrongUsageOfUnsafe.go:129:31:129:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | WrongUsageOfUnsafe.go:149:16:149:56 | type conversion | $@. | WrongUsageOfUnsafe.go:149:31:149:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | WrongUsageOfUnsafe.go:166:16:166:58 | type conversion | $@. | WrongUsageOfUnsafe.go:166:33:166:57 | type conversion | Dangerous array type casting to [17]string from [8]string |
-| WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | WrongUsageOfUnsafe.go:189:16:189:56 | type conversion | $@. | WrongUsageOfUnsafe.go:189:31:189:55 | type conversion | Dangerous type up-casting to [17]uint8 from struct type |
-| WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | WrongUsageOfUnsafe.go:211:16:211:61 | type conversion | $@. | WrongUsageOfUnsafe.go:211:31:211:60 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | WrongUsageOfUnsafe.go:243:9:243:27 | type conversion | $@. | WrongUsageOfUnsafe.go:227:31:227:55 | type conversion | Dangerous array type casting to [17]uint8 from [8]uint8 |
-| WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | WrongUsageOfUnsafe.go:256:16:256:53 | type conversion | $@. | WrongUsageOfUnsafe.go:256:28:256:52 | type conversion | Dangerous array type casting to [4]int64 from [1]int64 |
-| WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | WrongUsageOfUnsafe.go:274:16:274:50 | type conversion | $@. | WrongUsageOfUnsafe.go:274:25:274:49 | type conversion | Dangerous numeric type casting to int64 from int8 |
-| WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | WrongUsageOfUnsafe.go:292:16:292:48 | type conversion | $@. | WrongUsageOfUnsafe.go:292:23:292:47 | type conversion | Dangerous numeric type casting to int from int8 |
--- a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go
+++ b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.go
@@ -74,7 +74,7 @@ func badIndexExpr() {
 	// the address of the 3rd element of the `harmless` array,
 	// and continue for 8 bytes, going out of the boundaries of
 	// `harmless` and crossing into the memory occupied by `secret`.
-	var leaking = (*[8]byte)(unsafe.Pointer(&harmless[2])) // BAD
+	var leaking = (*[8]byte)(unsafe.Pointer(&harmless[2])) // $ Alert // BAD

 	fmt.Println(string((*leaking)[:]))

@@ -108,7 +108,7 @@ func bad0() {

 	// Read before secret, overflowing into secret
 	// (notice we get the pointer to the first byte of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless[0])) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless[0])) // $ Alert // BAD

 	fmt.Println(string((*leaking)[:]))

@@ -126,7 +126,7 @@ func bad1() {

 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert // BAD

 	fmt.Println(string((*leaking)[:]))

@@ -146,7 +146,7 @@ func bad2() {

 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert // BAD

 	fmt.Println(string((*leaking)[:]))

@@ -163,7 +163,7 @@ func bad3() {

 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]string)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[8 + 9]string)(unsafe.Pointer(&harmless)) // $ Alert // BAD

 	fmt.Println(*leaking)
 	fmt.Println([17]string((*leaking)))
@@ -186,7 +186,7 @@ func bad4() {

 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless)) // $ Alert // BAD

 	fmt.Println(string((*leaking)[:]))

@@ -208,7 +208,7 @@ func bad5() {

 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless)
-	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless.Data)) // BAD
+	var leaking = (*[8 + 9]byte)(unsafe.Pointer(&harmless.Data)) // $ Alert // BAD

 	fmt.Println(string(leaking[:]))

@@ -224,7 +224,7 @@ func bad6() {
 	secret := [9]byte{'s', 'e', 'n', 's', 'i', 't', 'i', 'v', 'e'}

 	// Read before secret:
-	var leaking = buffer_request(unsafe.Pointer(&harmless)) // BAD (see inside buffer_request func)
+	var leaking = buffer_request(unsafe.Pointer(&harmless)) // $ Source // BAD (see inside buffer_request func)

 	fmt.Println((string)(leaking[:]))

@@ -240,7 +240,7 @@ func buffer_request(req unsafe.Pointer) [8 + 9]byte {
 	// will be read, the read will also contain pieces of
 	// data from `secret`.
 	var buf [8 + 9]byte
-	buf = *(*[8 + 9]byte)(req) // BAD (from above func)
+	buf = *(*[8 + 9]byte)(req) // $ Alert // BAD (from above func)
 	return buf
 }
 func bad7() {
@@ -253,7 +253,7 @@ func bad7() {
 	// (notice we read more than the length of harmless);
 	// the leaking array will not contain letters,
 	// but integers representing bytes from `secret`.
-	var leaking = (*[4]int64)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*[4]int64)(unsafe.Pointer(&harmless)) // $ Alert // BAD

 	fmt.Println(*leaking)

@@ -271,7 +271,7 @@ func bad8() {
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless);
 	// the leaking data will contain some bits from `secret`.
-	var leaking = (*int64)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*int64)(unsafe.Pointer(&harmless)) // $ Alert // BAD

 	fmt.Println(*leaking)

@@ -289,7 +289,7 @@ func bad9() {
 	// Read before secret, overflowing into secret
 	// (notice we read more than the length of harmless);
 	// the leaking data will contain some bits from `secret`.
-	var leaking = (*int)(unsafe.Pointer(&harmless)) // BAD
+	var leaking = (*int)(unsafe.Pointer(&harmless)) // $ Alert // BAD

 	fmt.Println(*leaking)

--- a/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref
+++ b/go/ql/test/experimental/Unsafe/WrongUsageOfUnsafe.qlref
@@ -1 +1,2 @@
-experimental/Unsafe/WrongUsageOfUnsafe.ql
+query: experimental/Unsafe/WrongUsageOfUnsafe.ql
+postprocess: utils/test/InlineExpectationsTestQuery.ql
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/glog.go
@@ -1,54 +1,181 @@
-//go:generate depstubber -vendor github.com/golang/glog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
-//go:generate depstubber -vendor k8s.io/klog "" Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln
+//go:generate depstubber -vendor github.com/golang/glog Level,Verbose Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln
+//go:generate depstubber -vendor k8s.io/klog Level,Verbose Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln

 package main

 import (
+	"context"
+
 	"github.com/golang/glog"
 	"k8s.io/klog"
 )

-func glogTest() {
-	glog.Error(text)           // $ logger=text
-	glog.ErrorDepth(0, text)   // $ logger=text
-	glog.Errorf(fmt, text)     // $ logger=fmt logger=text
-	glog.Errorln(text)         // $ logger=text
-	glog.Exit(text)            // $ logger=text
-	glog.ExitDepth(0, text)    // $ logger=text
-	glog.Exitf(fmt, text)      // $ logger=fmt logger=text
-	glog.Exitln(text)          // $ logger=text
-	glog.Fatal(text)           // $ logger=text
-	glog.FatalDepth(0, text)   // $ logger=text
-	glog.Fatalf(fmt, text)     // $ logger=fmt logger=text
-	glog.Fatalln(text)         // $ logger=text
-	glog.Info(text)            // $ logger=text
-	glog.InfoDepth(0, text)    // $ logger=text
-	glog.Infof(fmt, text)      // $ logger=fmt logger=text
-	glog.Infoln(text)          // $ logger=text
-	glog.Warning(text)         // $ logger=text
-	glog.WarningDepth(0, text) // $ logger=text
-	glog.Warningf(fmt, text)   // $ logger=fmt logger=text
-	glog.Warningln(text)       // $ logger=text
+func glogTest(selector int) {
+	ctx := context.Background()
+
+	glog.Error(text)                           // $ logger=text
+	glog.ErrorContext(ctx, text)               // $ logger=text
+	glog.ErrorContextDepth(ctx, 0, text)       // $ logger=text
+	glog.ErrorContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.ErrorContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.ErrorDepth(0, text)                   // $ logger=text
+	glog.ErrorDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.Errorf(fmt, text)                     // $ logger=fmt logger=text
+	glog.Errorln(text)                         // $ logger=text
+	if selector == 1 {
+		glog.Exit(text) // $ logger=text
+	}
+	if selector == 2 {
+		glog.ExitContext(ctx, text) // $ logger=text
+	}
+	if selector == 3 {
+		glog.ExitContextDepth(ctx, 0, text) // $ logger=text
+	}
+	if selector == 4 {
+		glog.ExitContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 5 {
+		glog.ExitContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 6 {
+		glog.ExitDepth(0, text) // $ logger=text
+	}
+	if selector == 7 {
+		glog.ExitDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 8 {
+		glog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 9 {
+		glog.Exitln(text) // $ logger=text
+	}
+	if selector == 10 {
+		glog.Fatal(text) // $ logger=text
+	}
+	if selector == 11 {
+		glog.FatalContext(ctx, text) // $ logger=text
+	}
+	if selector == 12 {
+		glog.FatalContextDepth(ctx, 0, text) // $ logger=text
+	}
+	if selector == 13 {
+		glog.FatalContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 14 {
+		glog.FatalContextf(ctx, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 15 {
+		glog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 16 {
+		glog.FatalDepthf(0, fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 17 {
+		glog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 18 {
+		glog.Fatalln(text) // $ logger=text
+	}
+	glog.Info(text)                              // $ logger=text
+	glog.InfoContext(ctx, text)                  // $ logger=text
+	glog.InfoContextDepth(ctx, 0, text)          // $ logger=text
+	glog.InfoContextDepthf(ctx, 0, fmt, text)    // $ logger=fmt logger=text
+	glog.InfoContextf(ctx, fmt, text)            // $ logger=fmt logger=text
+	glog.InfoDepth(0, text)                      // $ logger=text
+	glog.InfoDepthf(0, fmt, text)                // $ logger=fmt logger=text
+	glog.Infof(fmt, text)                        // $ logger=fmt logger=text
+	glog.Infoln(text)                            // $ logger=text
+	glog.Warning(text)                           // $ logger=text
+	glog.WarningContext(ctx, text)               // $ logger=text
+	glog.WarningContextDepth(ctx, 0, text)       // $ logger=text
+	glog.WarningContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.WarningContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.WarningDepth(0, text)                   // $ logger=text
+	glog.WarningDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.Warningf(fmt, text)                     // $ logger=fmt logger=text
+	glog.Warningln(text)                         // $ logger=text
+
+	glog.V(0).Info(text)                           // $ logger=text
+	glog.V(0).InfoContext(ctx, text)               // $ logger=text
+	glog.V(0).InfoContextDepth(ctx, 0, text)       // $ logger=text
+	glog.V(0).InfoContextDepthf(ctx, 0, fmt, text) // $ logger=fmt logger=text
+	glog.V(0).InfoContextf(ctx, fmt, text)         // $ logger=fmt logger=text
+	glog.V(0).InfoDepth(0, text)                   // $ logger=text
+	glog.V(0).InfoDepthf(0, fmt, text)             // $ logger=fmt logger=text
+	glog.V(0).Infof(fmt, text)                     // $ logger=fmt logger=text
+	glog.V(0).Infoln(text)                         // $ logger=text
+	glog.VDepth(0, 0).Info(text)                   // $ logger=text

 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	glog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
-	glog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.ErrorDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Errorf("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 19 {
+		glog.ExitContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 20 {
+		glog.ExitContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 21 {
+		glog.ExitDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 22 {
+		glog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 23 {
+		glog.FatalContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 24 {
+		glog.FatalContextf(ctx, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 25 {
+		glog.FatalDepthf(0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 26 {
+		glog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	glog.InfoContextDepthf(ctx, 0, "%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoContextf(ctx, "%s: found type %T", text, v)              // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.InfoDepthf(0, "%s: found type %T", text, v)                  // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Infof("%s: found type %T", text, v)                          // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextDepthf(ctx, 0, "%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningContextf(ctx, "%s: found type %T", text, v)           // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.WarningDepthf(0, "%s: found type %T", text, v)               // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.Warningf("%s: found type %T", text, v)                       // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextDepthf(ctx, 0, "%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoContextf(ctx, "%s: found type %T", text, v)         // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).InfoDepthf(0, "%s: found type %T", text, v)             // $ logger="%s: found type %T" logger=text type-logger=v
+	glog.V(0).Infof("%s: found type %T", text, v)                     // $ logger="%s: found type %T" logger=text type-logger=v

-	klog.Error(text)           // $ logger=text
-	klog.ErrorDepth(0, text)   // $ logger=text
-	klog.Errorf(fmt, text)     // $ logger=fmt logger=text
-	klog.Errorln(text)         // $ logger=text
-	klog.Exit(text)            // $ logger=text
-	klog.ExitDepth(0, text)    // $ logger=text
-	klog.Exitf(fmt, text)      // $ logger=fmt logger=text
-	klog.Exitln(text)          // $ logger=text
-	klog.Fatal(text)           // $ logger=text
-	klog.FatalDepth(0, text)   // $ logger=text
-	klog.Fatalf(fmt, text)     // $ logger=fmt logger=text
-	klog.Fatalln(text)         // $ logger=text
+	klog.Error(text)         // $ logger=text
+	klog.ErrorDepth(0, text) // $ logger=text
+	klog.Errorf(fmt, text)   // $ logger=fmt logger=text
+	klog.Errorln(text)       // $ logger=text
+	if selector == 27 {
+		klog.Exit(text) // $ logger=text
+	}
+	if selector == 28 {
+		klog.ExitDepth(0, text) // $ logger=text
+	}
+	if selector == 29 {
+		klog.Exitf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 30 {
+		klog.Exitln(text) // $ logger=text
+	}
+	if selector == 31 {
+		klog.Fatal(text) // $ logger=text
+	}
+	if selector == 32 {
+		klog.FatalDepth(0, text) // $ logger=text
+	}
+	if selector == 33 {
+		klog.Fatalf(fmt, text) // $ logger=fmt logger=text
+	}
+	if selector == 34 {
+		klog.Fatalln(text) // $ logger=text
+	}
 	klog.Info(text)            // $ logger=text
 	klog.InfoDepth(0, text)    // $ logger=text
 	klog.Infof(fmt, text)      // $ logger=fmt logger=text
@@ -57,11 +184,19 @@ func glogTest() {
 	klog.WarningDepth(0, text) // $ logger=text
 	klog.Warningf(fmt, text)   // $ logger=fmt logger=text
 	klog.Warningln(text)       // $ logger=text
+	klog.V(0).Info(text)       // $ logger=text
+	klog.V(0).Infof(fmt, text) // $ logger=fmt logger=text
+	klog.V(0).Infoln(text)     // $ logger=text

 	// components corresponding to the format specifier "%T" are not considered vulnerable
-	klog.Errorf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Exitf("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Fatalf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Infof("%s: found type %T", text, v)    // $ logger="%s: found type %T" logger=text type-logger=v
-	klog.Warningf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.Errorf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	if selector == 35 {
+		klog.Exitf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	if selector == 36 {
+		klog.Fatalf("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
+	}
+	klog.Infof("%s: found type %T", text, v)      // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.Warningf("%s: found type %T", text, v)   // $ logger="%s: found type %T" logger=text type-logger=v
+	klog.V(0).Infof("%s: found type %T", text, v) // $ logger="%s: found type %T" logger=text type-logger=v
 }
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/go.mod
@@ -3,7 +3,7 @@ module codeql-go-tests/concepts/loggercall
 go 1.15

 require (
-	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+	github.com/golang/glog v1.2.5
 	github.com/sirupsen/logrus v1.7.0
 	k8s.io/klog v1.0.0
 )
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/main.go
@@ -6,5 +6,6 @@ const text = "test"
 var v []byte

 func main() {
+	glogTest(len(v))
 	stdlib()
 }
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/github.com/golang/glog/stub.go
@@ -2,47 +2,125 @@
 // This is a simple stub for github.com/golang/glog, strictly for use in testing.

 // See the LICENSE file for information about the licensing of the original library.
-// Source: github.com/golang/glog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: github.com/golang/glog (exports: Level,Verbose; functions: Error,ErrorContext,ErrorContextDepth,ErrorContextDepthf,ErrorContextf,ErrorDepth,ErrorDepthf,Errorf,Errorln,Exit,ExitContext,ExitContextDepth,ExitContextDepthf,ExitContextf,ExitDepth,ExitDepthf,Exitf,Exitln,Fatal,FatalContext,FatalContextDepth,FatalContextDepthf,FatalContextf,FatalDepth,FatalDepthf,Fatalf,Fatalln,Info,InfoContext,InfoContextDepth,InfoContextDepthf,InfoContextf,InfoDepth,InfoDepthf,Infof,Infoln,V,VDepth,Warning,WarningContext,WarningContextDepth,WarningContextDepthf,WarningContextf,WarningDepth,WarningDepthf,Warningf,Warningln)

 // Package glog is a stub of github.com/golang/glog, generated by depstubber.
 package glog

+import "context"
+
+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}

+func ErrorContext(_ context.Context, _ ...interface{}) {}
+
+func ErrorContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ErrorContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ErrorContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ErrorDepth(_ int, _ ...interface{}) {}

+func ErrorDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Errorf(_ string, _ ...interface{}) {}

 func Errorln(_ ...interface{}) {}

 func Exit(_ ...interface{}) {}

+func ExitContext(_ context.Context, _ ...interface{}) {}
+
+func ExitContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func ExitContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func ExitContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func ExitDepth(_ int, _ ...interface{}) {}

+func ExitDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Exitf(_ string, _ ...interface{}) {}

 func Exitln(_ ...interface{}) {}

 func Fatal(_ ...interface{}) {}

+func FatalContext(_ context.Context, _ ...interface{}) {}
+
+func FatalContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func FatalContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func FatalContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func FatalDepth(_ int, _ ...interface{}) {}

+func FatalDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Fatalf(_ string, _ ...interface{}) {}

 func Fatalln(_ ...interface{}) {}

 func Info(_ ...interface{}) {}

+func InfoContext(_ context.Context, _ ...interface{}) {}
+
+func InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func InfoDepth(_ int, _ ...interface{}) {}

+func InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Infof(_ string, _ ...interface{}) {}

 func Infoln(_ ...interface{}) {}

+func V(_ Level) Verbose { return false }
+
+func VDepth(_ int, _ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}

+func WarningContext(_ context.Context, _ ...interface{}) {}
+
+func WarningContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func WarningContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func WarningContextf(_ context.Context, _ string, _ ...interface{}) {}
+
 func WarningDepth(_ int, _ ...interface{}) {}

+func WarningDepthf(_ int, _ string, _ ...interface{}) {}
+
 func Warningf(_ string, _ ...interface{}) {}

 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) InfoContext(_ context.Context, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepth(_ context.Context, _ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextDepthf(_ context.Context, _ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoContextf(_ context.Context, _ string, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepth(_ int, _ ...interface{}) {}
+
+func (_ Verbose) InfoDepthf(_ int, _ string, _ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/k8s.io/klog/stub.go
@@ -2,11 +2,15 @@
 // This is a simple stub for k8s.io/klog, strictly for use in testing.

 // See the LICENSE file for information about the licensing of the original library.
-// Source: k8s.io/klog (exports: ; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,Warning,WarningDepth,Warningf,Warningln)
+// Source: k8s.io/klog (exports: Level,Verbose; functions: Error,ErrorDepth,Errorf,Errorln,Exit,ExitDepth,Exitf,Exitln,Fatal,FatalDepth,Fatalf,Fatalln,Info,InfoDepth,Infof,Infoln,V,Warning,WarningDepth,Warningf,Warningln)

 // Package klog is a stub of k8s.io/klog, generated by depstubber.
 package klog

+type Level int32
+
+type Verbose bool
+
 func Error(_ ...interface{}) {}

 func ErrorDepth(_ int, _ ...interface{}) {}
@@ -39,6 +43,8 @@ func Infof(_ string, _ ...interface{}) {}

 func Infoln(_ ...interface{}) {}

+func V(_ Level) Verbose { return false }
+
 func Warning(_ ...interface{}) {}

 func WarningDepth(_ int, _ ...interface{}) {}
@@ -46,3 +52,9 @@ func WarningDepth(_ int, _ ...interface{}) {}
 func Warningf(_ string, _ ...interface{}) {}

 func Warningln(_ ...interface{}) {}
+
+func (_ Verbose) Info(_ ...interface{}) {}
+
+func (_ Verbose) Infof(_ string, _ ...interface{}) {}
+
+func (_ Verbose) Infoln(_ ...interface{}) {}
--- a/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/concepts/LoggerCall/vendor/modules.txt
@@ -1,4 +1,4 @@
-# github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
+# github.com/golang/glog v1.2.5
 ## explicit
 github.com/golang/glog
 # github.com/sirupsen/logrus v1.7.0
--- a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected
+++ b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.expected
@@ -1,11 +1,21 @@
-| file://:0:0:0:0 | Exit | package os |
-| file://:0:0:0:0 | Fatal | package log |
-| file://:0:0:0:0 | Fatalf | package log |
-| file://:0:0:0:0 | Fatalln | package log |
-| noretfunctions.go:8:6:8:12 | isNoRet | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| stmts7.go:10:6:10:15 | canRecover | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| stmts.go:10:6:10:10 | test5 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| stmts.go:46:6:46:10 | test6 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
-| stmts.go:112:6:112:10 | test9 | package github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph |
+| file://:0:0:0:0 | Exit | os.Exit |
+| file://:0:0:0:0 | Fatal | log.Fatal |
+| file://:0:0:0:0 | Fatal | log.Logger.Fatal |
+| file://:0:0:0:0 | Fatalf | log.Fatalf |
+| file://:0:0:0:0 | Fatalf | log.Logger.Fatalf |
+| file://:0:0:0:0 | Fatalln | log.Fatalln |
+| file://:0:0:0:0 | Fatalln | log.Logger.Fatalln |
+| file://:0:0:0:0 | Panic | log.Logger.Panic |
+| file://:0:0:0:0 | Panic | log.Panic |
+| file://:0:0:0:0 | Panicf | log.Logger.Panicf |
+| file://:0:0:0:0 | Panicf | log.Panicf |
+| file://:0:0:0:0 | Panicln | log.Logger.Panicln |
+| file://:0:0:0:0 | Panicln | log.Panicln |
+| file://:0:0:0:0 | panic | panic |
+| noretfunctions.go:8:6:8:12 | isNoRet | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.isNoRet |
+| noretfunctions.go:20:6:20:22 | noRetUsesLogFatal | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatal |
+| noretfunctions.go:24:6:24:23 | noRetUsesLogFatalf | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.noRetUsesLogFatalf |
+| stmts7.go:10:6:10:15 | canRecover | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.canRecover |
+| stmts.go:10:6:10:10 | test5 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test5 |
+| stmts.go:46:6:46:10 | test6 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test6 |
+| stmts.go:112:6:112:10 | test9 | github.com/github/codeql-go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph.test9 |
--- a/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql
+++ b/go/ql/test/library-tests/semmle/go/controlflow/ControlFlowGraph/NoretFunctions.ql
@@ -2,4 +2,4 @@ import go

 from Function f
 where not f.mayReturnNormally()
-select f, f.getPackage()
+select f, f.getQualifiedName()
--- a/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql
+++ b/go/ql/test/library-tests/semmle/go/dataflow/ExternalValueFlow/completetest.ql
@@ -9,9 +9,9 @@ import semmle.go.dataflow.internal.FlowSummaryImpl as FlowSummaryImpl
 import utils.test.InlineFlowTest

 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { sourceNode(src, "qltest") }
+  predicate isSource(DataFlow::Node source) { sourceNode(source, "qltest") }

-  predicate isSink(DataFlow::Node src) { sinkNode(src, "qltest") }
+  predicate isSink(DataFlow::Node sink) { sinkNode(sink, "qltest") }
 }

 import ValueFlowTest<Config>
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgs/CONSISTENCY/DataFlowConsistency.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgs/CONSISTENCY/DataFlowConsistency.expected
@@ -0,0 +1,2 @@
+reverseRead
+| main.go:23:3:23:5 | out | Origin of readStep is missing a PostUpdateNode. |
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgs/main.go
@@ -4,7 +4,7 @@ func source() string {
 	return "untrusted data"
 }

-func sink(string) {
+func sink(any) {
 }

 type A struct {
@@ -19,6 +19,10 @@ func functionWithVarArgsParameter(s ...string) string {
 	return s[1]
 }

+func functionWithVarArgsOutParameter(in string, out ...*string) {
+	*out[0] = in
+}
+
 func functionWithSliceOfStructsParameter(s []A) string {
 	return s[1].f
 }
@@ -38,6 +42,12 @@ func main() {
 	sink(functionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to functionWithVarArgsParameter"
 	sink(functionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to functionWithVarArgsParameter"

+	var out1 *string
+	var out2 *string
+	functionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
 	sliceOfStructs := []A{{f: source()}}
 	sink(sliceOfStructs[0].f) // $ hasValueFlow="selection of f"

--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.expected
@@ -0,0 +1,2 @@
+invalidModelRow
+testFailures
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ext.yml
@@ -0,0 +1,21 @@
+extensions:
+  - addsTo:
+      pack: codeql/go-all
+      extensible: summaryModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "FunctionWithParameter", "", "", "Argument[0]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsParameter", "", "", "Argument[0].ArrayElement", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOutParameter", "", "", "Argument[0]", "Argument[1].ArrayElement", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithSliceOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+      - ["github.com/nonexistent/test", "", False, "FunctionWithVarArgsOfStructsParameter", "", "", "Argument[0].ArrayElement.Field[github.com/nonexistent/test.A.Field]", "ReturnValue", "value", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sourceModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSource", "", "", "Argument[0]", "qltest", "manual"]
+  - addsTo:
+      pack: codeql/go-all
+      extensible: sinkModel
+    data:
+      - ["github.com/nonexistent/test", "", False, "VariadicSink", "", "", "Argument[0]", "qltest", "manual"]
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/Flows.ql
@@ -0,0 +1,22 @@
+import go
+import semmle.go.dataflow.ExternalFlow
+import ModelValidation
+import utils.test.InlineFlowTest
+
+module Config implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    sourceNode(source, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, ["source", "taint"]) |
+      source = fn.getACall().getResult()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    sinkNode(sink, "qltest")
+    or
+    exists(Function fn | fn.hasQualifiedName(_, "sink") | sink = fn.getACall().getAnArgument())
+  }
+}
+
+import FlowTest<Config, Config>
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/go.mod
@@ -0,0 +1,5 @@
+module semmle.go.Packages
+
+go 1.25
+
+require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/main.go
@@ -0,0 +1,56 @@
+package main
+
+import (
+	"github.com/nonexistent/test"
+)
+
+func source() string {
+	return "untrusted data"
+}
+
+func sink(any) {
+}
+
+func main() {
+	s := source()
+	sink(test.FunctionWithParameter(s)) // $ hasValueFlow="call to FunctionWithParameter"
+
+	stringSlice := []string{source()}
+	sink(stringSlice[0]) // $ hasValueFlow="index expression"
+
+	s0 := ""
+	s1 := source()
+	sSlice := []string{s0, s1}
+	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ MISSING: hasValueFlow="out1"
+	sink(out2) // $ MISSING: hasValueFlow="out2"
+
+	sliceOfStructs := []test.A{{Field: source()}}
+	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
+
+	a0 := test.A{Field: ""}
+	a1 := test.A{Field: source()}
+	aSlice := []test.A{a0, a1}
+	sink(test.FunctionWithSliceOfStructsParameter(aSlice))      // $ hasValueFlow="call to FunctionWithSliceOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
+
+	var variadicSource string
+	test.VariadicSource(&variadicSource)
+	sink(variadicSource)  // $ MISSING: hasTaintFlow="variadicSource"
+	sink(&variadicSource) // $ MISSING: hasTaintFlow="&..."
+
+	var variadicSourcePtr *string
+	test.VariadicSource(variadicSourcePtr)
+	sink(variadicSourcePtr)  // $ MISSING: hasTaintFlow="variadicSourcePtr"
+	sink(*variadicSourcePtr) // $ MISSING: hasTaintFlow="star expression"
+
+	test.VariadicSink(source()) // $ hasTaintFlow="[]type{args}"
+}
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/github.com/nonexistent/test/stub.go
@@ -0,0 +1,32 @@
+package test
+
+type A struct {
+	Field string
+}
+
+func FunctionWithParameter(s string) string {
+	return ""
+}
+
+func FunctionWithSliceParameter(s []string) string {
+	return ""
+}
+
+func FunctionWithVarArgsParameter(s ...string) string {
+	return ""
+}
+
+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
+func FunctionWithSliceOfStructsParameter(s []A) string {
+	return ""
+}
+
+func FunctionWithVarArgsOfStructsParameter(s ...A) string {
+	return ""
+}
+
+func VariadicSource(s ...*string) {}
+
+func VariadicSink(s ...string) {}
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithExternalFlow/vendor/modules.txt
@@ -0,0 +1,3 @@
+# github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
+## explicit
+github.com/nonexistent/test
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/Flows.ql
@@ -20,6 +20,9 @@ class SummaryModelTest extends DataFlow::FunctionModel {
    this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsParameter") and
    (inp.isParameter(_) and outp.isResult())
    or
+    this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithVarArgsOutParameter") and
+    (inp.isParameter(0) and outp.isParameter(any(int i | i >= 1)))
+    or
    this.hasQualifiedName("github.com/nonexistent/test", "FunctionWithSliceOfStructsParameter") and
    (inp.isParameter(0) and outp.isResult())
    or
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/go.mod
@@ -1,5 +1,5 @@
 module semmle.go.Packages

-go 1.17
+go 1.25

 require github.com/nonexistent/test v0.0.0-20200203000000-0000000000000
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/main.go
@@ -8,7 +8,7 @@ func source() string {
 	return "untrusted data"
 }

-func sink(string) {
+func sink(any) {
 }

 func main() {
@@ -21,10 +21,17 @@ func main() {
 	s0 := ""
 	s1 := source()
 	sSlice := []string{s0, s1}
-	sink(test.FunctionWithParameter(sSlice[1]))        // $ hasValueFlow="call to FunctionWithParameter"
-	sink(test.FunctionWithSliceParameter(sSlice))      // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
-	sink(test.FunctionWithVarArgsParameter(sSlice...)) // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
-	sink(test.FunctionWithVarArgsParameter(s0, s1))    // $ MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
+	sink(test.FunctionWithParameter(sSlice[1]))           // $ hasValueFlow="call to FunctionWithParameter"
+	sink(test.FunctionWithSliceParameter(sSlice))         // $ hasTaintFlow="call to FunctionWithSliceParameter" MISSING: hasValueFlow="call to FunctionWithSliceParameter"
+	sink(test.FunctionWithVarArgsParameter(sSlice...))    // $ hasTaintFlow="call to FunctionWithVarArgsParameter" MISSING: hasValueFlow="call to FunctionWithVarArgsParameter"
+	randomFunctionWithMoreThanOneParameter(1, 2, 3, 4, 5) // This is needed to make the next line pass, because we need to have seen a call to a function with at least 2 parameters for ParameterInput to exist with index 1.
+	sink(test.FunctionWithVarArgsParameter(s0, s1))       // $ hasValueFlow="call to FunctionWithVarArgsParameter"
+
+	var out1 *string
+	var out2 *string
+	test.FunctionWithVarArgsOutParameter(source(), out1, out2)
+	sink(out1) // $ hasValueFlow="out1"
+	sink(out2) // $ hasValueFlow="out2"

 	sliceOfStructs := []test.A{{Field: source()}}
 	sink(sliceOfStructs[0].Field) // $ hasValueFlow="selection of Field"
@@ -37,3 +44,6 @@ func main() {
 	sink(test.FunctionWithVarArgsOfStructsParameter(aSlice...)) // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 	sink(test.FunctionWithVarArgsOfStructsParameter(a0, a1))    // $ MISSING: hasValueFlow="call to FunctionWithVarArgsOfStructsParameter"
 }
+
+func randomFunctionWithMoreThanOneParameter(i1, i2, i3, i4, i5 int) {
+}
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/semmle.go.Packages
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/semmle.go.Packages
--- a/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go
+++ b/go/ql/test/library-tests/semmle/go/dataflow/VarArgsWithFunctionModels/vendor/github.com/nonexistent/test/stub.go
@@ -16,6 +16,9 @@ func FunctionWithVarArgsParameter(s ...string) string {
 	return ""
 }

+func FunctionWithVarArgsOutParameter(in string, out ...*string) {
+}
+
 func FunctionWithSliceOfStructsParameter(s []A) string {
 	return ""
 }
--- a/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref
+++ b/go/ql/test/library-tests/semmle/go/frameworks/BeegoOrm/SqlInjection.qlref
@@ -1,2 +1,4 @@
 query: Security/CWE-089/SqlInjection.ql
-postprocess: utils/test/PrettyPrintModels.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
copilot-swe-agent[bot]	838d06c53f	Fix changelog copy errors in change-notes and CHANGELOG.md files (codeql-cli-2.25.6)	2026-06-11 22:45:33 +02:00
Jeroen Ketema	642259cd51	Merge pull request #21968 from jketema/jketema/namequalifiers C++: Fix `NameQualifyingElement` db inconsistency	2026-06-11 15:11:51 +02:00
Owen Mansel-Chan	0d984588f9	Merge pull request #21965 from owen-mc/go/convert-to-inline-expectation-tests Go: convert all qlref tests to inline expectation tests using postprocessing	2026-06-11 13:27:06 +01:00
Owen Mansel-Chan	b4a9689341	Convert .qlref test to inline expectations	2026-06-11 07:15:54 +02:00
Owen Mansel-Chan	6a8e20a0c8	Fix pre-existing whitespace issues in go test files	2026-06-11 07:15:09 +02:00
Owen Mansel-Chan	4c411bbcb5	Convert hand-rolled inline expectations test	2026-06-11 07:13:48 +02:00
Asger F	b60bf8c79f	Merge pull request #21950 from tonghuaroot/experimental-ssrf-ipv6-transition-js Add experimental query: SSRF host guard missing IPv6-transition unwrap (CWE-918/CWE-1389)	2026-06-10 21:42:54 +02:00
Jeroen Ketema	ef00aa2567	C++: Add upgrade and downgrade scripts	2026-06-10 14:38:15 +02:00
Jeroen Ketema	6d0968744b	C++: Fix `NameQualifyingElement` db inconsistency	2026-06-10 14:35:36 +02:00
Jeroen Ketema	98f147556a	C++: Add namequalifier test with inconsistency While where the remove the file restriction in QL.	2026-06-10 14:27:56 +02:00
tonghuaroot (童话)	4c1a0058bf	Add SsrfIpv6TransitionIncompleteGuard.ql to not_included_in_qls.expected Fix the JS integration test failure flagged in review by listing the new experimental CWE-918 query in the expected not-included-in-qls suite, in sorted order.	2026-06-10 08:42:42 +08:00
Tom Hvitved	f5919875b7	Merge pull request #21941 from hvitved/python/content-approx Python: Implement `ContentApprox`	2026-06-09 15:46:04 +02:00
Owen Mansel-Chan	8d456df26f	Merge pull request #21960 from github/dependabot/go_modules/go/extractor/extractor-dependencies-28a04969f3 Bump golang.org/x/mod from 0.36.0 to 0.37.0 in /go/extractor in the extractor-dependencies group	2026-06-09 05:30:45 +01:00
dependabot[bot]	72fcf27d1a	Bump golang.org/x/mod Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/mod](https://github.com/golang/mod). Updates `golang.org/x/mod` from 0.36.0 to 0.37.0 - [Commits](https://github.com/golang/mod/compare/v0.36.0...v0.37.0) --- updated-dependencies: - dependency-name: golang.org/x/mod dependency-version: 0.37.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: extractor-dependencies ... Signed-off-by: dependabot[bot] <support@github.com>	2026-06-09 03:03:37 +00:00
yoff	0cea01c22f	Merge pull request #21926 from github/yoff/python-simplify-decorator-predicates Python: simplify decorator-detection predicates to pure AST match	2026-06-08 22:04:33 +02:00
Anders Schack-Mulligen	a473565256	Merge pull request #21954 from aschackmull/cfg/consistency-child-idx Cfg: Add consistency check for relevant child indices.	2026-06-08 14:44:20 +02:00
Anders Schack-Mulligen	c47135a40b	Cfg: Add consistency check for relevant child indices.	2026-06-08 13:40:33 +02:00
Owen Mansel-Chan	3cbc8f0262	Merge pull request #21951 from github/workflow/go-version-update Go: Update to 1.26.4	2026-06-08 11:47:47 +01:00
Tom Hvitved	cc1ea25856	Python: Implement `ContentApprox`	2026-06-08 08:41:28 +02:00
github-actions[bot]	5a38cbd5d5	Go: Update to 1.26.4	2026-06-08 04:30:10 +00:00
tonghuaroot	e93bc11f6f	Add experimental JS query for SSRF guards missing IPv6-transition unwrap Add javascript/ssrf-ipv6-transition-incomplete-guard, an experimental @kind problem query that flags hand-rolled SSRF host guards which reject private/loopback IPv4 ranges but never unwrap IPv6-transition forms (IPv4-mapped ::ffff:, NAT64 64:ff9b::, 6to4 2002::). Such guards can be bypassed by wrapping an internal IPv4 address in a transition literal. Includes a .qhelp with good/bad examples, a change note, and a test pack with two true-positive fixtures (private-ip package guard and a hand-written RFC 1918 denylist) and two negative-control fixtures (ipaddr.js range classifier and an explicit ::ffff: unwrap). Signed-off-by: tonghuaroot <23011166+tonghuaroot@users.noreply.github.com>	2026-06-06 21:47:24 +08:00
Owen Mansel-Chan	cf6d94cf8a	Merge pull request #21324 from github/copilot/automate-go-version-updates-again Automate Go version updates via scheduled workflow	2026-06-06 03:03:03 +01:00
Owen Mansel-Chan	292fc8b777	Fix detection of failed text replacement I checked and the comment seems to be correct. Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-06 02:52:21 +01:00
Owen Mansel-Chan	a1759d9834	Use --force-with-lease for slightly improved safety Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-06 02:51:36 +01:00
Owen Mansel-Chan	6b74874372	Minor improvement to PR text	2026-06-06 02:32:43 +01:00
copilot-swe-agent[bot]	ef29d22c75	Update Go version workflow to include patch numbers in messages	2026-06-06 01:03:44 +00:00
Owen Mansel-Chan	1f91f915c7	Merge pull request #21888 from owen-mc/py/remove-imprecise-container-steps Python: Remove imprecise container steps #2	2026-06-04 22:16:24 +01:00
Jon Janego	ba8eebe2b5	Merge pull request #21948 from github/codeql-spark-run-26974832191 Update changelog documentation site for codeql-cli-2.25.6	2026-06-04 14:55:17 -05:00
github-actions[bot]	dc1409e5f4	update codeql documentation	2026-06-04 19:36:45 +00:00
Mario Campos	284f42bb9e	Merge pull request #21945 from github/codeql-spark-run-26947645690 Update changelog documentation site for codeql-cli-2.25.6	2026-06-04 13:09:04 -05:00
Henry Mercer	2f3524de74	Merge branch 'rc/3.22' into codeql-spark-run-26947645690	2026-06-04 16:01:11 +01:00
github-actions[bot]	b32573b060	update codeql documentation	2026-06-04 14:57:38 +00:00
Owen Mansel-Chan	cd2398aeea	Merge pull request #21936 from github/workflow/coverage/update Update CSV framework coverage reports	2026-06-04 12:45:21 +01:00
Sotiris Dragonas	d6892eaf0d	Merge pull request #21900 from github/bazookamusic/range-analysis-bound-move-to-shared Bound.qll - Replace utility for range analysis duplicate across java and cs with shared file	2026-06-04 12:45:11 +02:00
BazookaMusic	d2972cb53f	Add back alias for module	2026-06-04 11:08:49 +02:00
github-actions[bot]	5576d30780	Add changed framework coverage reports	2026-06-04 01:04:50 +00:00
Owen Mansel-Chan	da999ee440	Address review comments	2026-06-03 21:24:16 +01:00
Tom Hvitved	3da195f50f	Merge pull request #21918 from hvitved/rust/expose-resolution Rust: Add `Impl::getSelf()` and `Impl::getTrait()`	2026-06-03 20:18:05 +02:00
Henry Mercer	93a4b427e3	Merge pull request #21933 from github/post-release-prep/codeql-cli-2.25.6 Post-release preparation for codeql-cli-2.25.6	2026-06-03 16:57:48 +01:00
Tom Hvitved	0430c71318	Merge pull request #21922 from hvitved/rust/static-const-resolution Rust: Path resolution for `static` items	2026-06-03 17:48:21 +02:00
Owen Mansel-Chan	52f2a5825a	Merge pull request #21804 from github/copilot/add-tests-for-models Java: Update CWE-918 model coverage for Apache HttpClient `execute` sinks	2026-06-03 12:55:56 +01:00
Owen Mansel-Chan	d55ff83568	Merge pull request #21269 from owen-mc/go/improve-tests-for-varargs-flow Go: improve tests for varargs flow	2026-06-03 12:39:46 +01:00
BazookaMusic	f34275636c	No duplicate Ssa and remove release changenot	2026-06-03 11:54:24 +02:00
BazookaMusic	0a801440b9	review comments	2026-06-03 10:48:50 +02:00
Asger F	7edf0100cc	Merge pull request #21924 from asgerf/asgerf/yeast-changes Yeast: some fixes	2026-06-03 10:32:38 +02:00
Owen Mansel-Chan	167c837088	Merge pull request #21914 from owen-mc/shared/cfg/if-init Shared CFG: allow init stmts for IfStmt	2026-06-02 22:01:02 +01:00
Owen Mansel-Chan	6f2cc43f32	Remove imprecise model for `tuple()`	2026-06-02 21:59:48 +01:00
Owen Mansel-Chan	5042fdee84	Remove imprecise model for `list()`	2026-06-02 21:59:46 +01:00
Owen Mansel-Chan	04341c47bd	Tweak model for str.join	2026-06-02 21:59:44 +01:00
Tom Hvitved	af45e53e77	Rust: Rename parameter in DB upgrade script	2026-06-02 21:18:53 +02:00
Owen Mansel-Chan	b27d08ee32	Update edges in expected test output	2026-06-02 18:29:56 +01:00
Jeroen Ketema	d11fc3a00e	Merge pull request #21932 from jketema/jketema/vue JS: Add Vue to `file_coverage_languages` and `github_api_languages`	2026-06-02 17:53:25 +02:00
Owen Mansel-Chan	20ce679d61	Accept changed edges in test output No changes to alerts	2026-06-02 16:15:08 +01:00
Owen Mansel-Chan	f62ebef9e0	Adjust expected test output	2026-06-02 16:15:06 +01:00
Owen Mansel-Chan	c3ef1ddd64	Add MaD models for lxml and xml etree.fromstringlist	2026-06-02 16:15:01 +01:00
Owen Mansel-Chan	dede5bc49b	Track flow through `tuple()` with list with tainted elements	2026-06-02 16:14:59 +01:00
Owen Mansel-Chan	ad97b6dd64	Use access path for `str.join` model	2026-06-02 16:14:56 +01:00
Jeroen Ketema	9d5dfea5c5	JS: Add Vue to `file_coverage_languages` and `github_api_languages`	2026-06-02 16:57:51 +02:00
Tom Hvitved	dc0c7d7ec2	Fix `commment` typos	2026-06-02 14:41:27 +02:00
Owen Mansel-Chan	aaa3b363e1	Merge pull request #21929 from owen-mc/go/no-ret-functions Go: Recognize more non-returning logging functions	2026-06-02 10:39:28 +01:00
Sotiris Dragonas	61a5cece56	Merge branch 'main' into bazookamusic/range-analysis-bound-move-to-shared	2026-06-02 10:41:49 +02:00
BazookaMusic	566a92e555	formatting again	2026-06-02 10:41:10 +02:00
Owen Mansel-Chan	9dbe9adb00	Update tests	2026-06-02 09:34:03 +01:00
Owen Mansel-Chan	be9c785cb2	Fix incorrect QLDoc Co-authored-by: Tom Hvitved <hvitved@github.com>	2026-06-02 09:26:13 +01:00
Tom Hvitved	1fd31d0ddd	Rust: Data flow for `const`s and `static`s	2026-06-02 09:55:51 +02:00
Tom Hvitved	c4e3720d8a	Rust: Run codegen	2026-06-02 09:02:57 +02:00
Tom Hvitved	0547e9c98d	Rust: Path resolution for `static` items	2026-06-02 09:02:56 +02:00
Owen Mansel-Chan	703cea2b65	Model panicking log functions better	2026-06-02 01:32:00 +01:00
Owen Mansel-Chan	e6e8e3d005	Taint doesn't flow through panicking functions	2026-06-02 01:31:44 +01:00
Owen Mansel-Chan	adc9b7714b	Accept changed test output	2026-06-02 00:57:06 +01:00
Owen Mansel-Chan	e706c5f444	Improve test for non-returning fns	2026-06-02 00:56:12 +01:00
Owen Mansel-Chan	8a1e6d4f64	Add missing QLDocs	2026-06-02 00:41:48 +01:00
Owen Mansel-Chan	1a747dd8be	(Trivial) Fix QLDoc grammar	2026-06-02 00:39:25 +01:00
Owen Mansel-Chan	28bb1a6870	Add change note	2026-06-02 00:16:23 +01:00
Owen Mansel-Chan	45b1253b23	Improve glog and klog tests	2026-06-02 00:16:21 +01:00
Owen Mansel-Chan	c99dab1d71	Improve glog (and klog) modelling	2026-06-02 00:16:19 +01:00
Owen Mansel-Chan	f3e3647209	Improve noretFunctions test	2026-06-02 00:16:17 +01:00
Owen Mansel-Chan	8d099cbe38	Recognize more non-returning logging functions	2026-06-02 00:15:58 +01:00
Tom Hvitved	9618e9b35c	Merge pull request #21873 from hvitved/local-name-resolution Shared: Local name resolution library	2026-06-01 20:51:07 +02:00
BazookaMusic	2a3cff382c	more specific comment	2026-06-01 18:20:50 +02:00
BazookaMusic	c610af88d3	fix comment and add overlay[local?]	2026-06-01 18:18:37 +02:00
BazookaMusic	fa63dad1d1	change note	2026-06-01 18:16:51 +02:00
Sotiris Dragonas	019a5c01ad	Merge branch 'main' into bazookamusic/range-analysis-bound-move-to-shared	2026-06-01 18:10:02 +02:00
BazookaMusic	c1c9287535	restore file header	2026-06-01 15:48:26 +02:00
BazookaMusic	d1226b71de	formatting	2026-06-01 15:46:52 +02:00
BazookaMusic	71a363545a	formatting	2026-06-01 15:24:06 +02:00
Asger F	3f3bed62d3	yeast: type-check for missing required fields Add FieldCardinality to Schema to track required/multiple per field, populated from the ast_types.yml suffixes (bare = required single, ? = optional single, + = required multiple, * = optional multiple). dump_ast_with_type_errors now emits: <-- ERROR: missing required field 'name' for any node in the output AST whose declared schema requires a field that is absent from the actual node. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-01 14:18:37 +02:00
Asger F	21f216af8c	yeast-macros: omit empty fields produced by .. splice When a {..expr} splice in an output template is empty (e.g. from an optional capture that did not match), drop the field entirely rather than emitting an empty named field. This lets a single rule with optional captures replace what used to be two near-identical rules. Also re-renders the corpus to drop the now-suppressed empty fields. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>	2026-06-01 14:18:37 +02:00
Asger F	1751d70c62	Fix parsing of corpus tests when --- delimiter is missing	2026-06-01 14:18:37 +02:00
Asger F	ac8eb50c26	Yeast: Allow 'r#type' to escape the 'type' keyword in macro	2026-06-01 14:18:37 +02:00
Asger F	1ecdc3614f	Yeast: Fix matching against extras like comments	2026-06-01 14:18:37 +02:00
Asger F	e3b3888bee	Yeast: Fix handling of captures with multiple results	2026-06-01 14:18:36 +02:00
Asger F	ef9306d82c	Yeast: Allow rules that return an empty sequence	2026-06-01 14:18:36 +02:00
Asger F	56822f8ee1	Tree-sitter-extactor: More helpful panic message	2026-06-01 14:04:49 +02:00
Tom Hvitved	62207f152c	Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-06-01 13:55:22 +02:00
Tom Hvitved	d5f94475b5	Rust: DB upgrade/downgrade scripts	2026-06-01 10:38:10 +02:00
Tom Hvitved	00e95a0757	Rust: Add `Impl::getSelf()` and `Impl::getTrait()`	2026-06-01 10:38:09 +02:00
Tom Hvitved	c695c151ea	Rust: Rename `Impl::getTrait` to `Impl::getTraitTy`	2026-06-01 10:38:07 +02:00
Tom Hvitved	d2f474d998	Address review comments	2026-06-01 08:30:01 +02:00
Owen Mansel-Chan	b38440490a	Address review comment	2026-05-31 21:47:44 +01:00
Owen Mansel-Chan	5e5a0437e1	Shared CFG: allow init stmts for IfStmt	2026-05-30 07:35:29 +01:00
Tom Hvitved	caae5a8bf1	Apply suggestions from code review Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>	2026-05-29 14:24:45 +02:00
Owen Mansel-Chan	aee33a0cc9	Add missing code for `TAnyTupleOrDictionaryElement`	2026-05-29 10:26:24 +01:00
Tom Hvitved	09371339d7	Ruby: Adopt shared local name resolution library	2026-05-29 09:06:14 +02:00
Owen Mansel-Chan	df15a719cb	Add a `ContentSet` for any tuple or dictionary element	2026-05-28 16:48:23 +01:00
Owen Mansel-Chan	812e8e6b34	Add change note	2026-05-28 11:37:54 +01:00
Owen Mansel-Chan	80c6f082d1	Fix TODO in `containerStep`	2026-05-28 11:34:02 +01:00
Owen Mansel-Chan	d95d99848c	Build `RequestBuilder` more realistically	2026-05-28 11:05:40 +01:00
Owen Mansel-Chan	8937e22735	Add summary models for `org.apache.http.client.methods.RequestBuilder` Generated by GPT 5.3-codex, verified by me.	2026-05-28 10:56:37 +01:00
Owen Mansel-Chan	37589dd8a0	Improve how `org.apache.http.client.HttpClient` is created in test	2026-05-28 10:30:43 +01:00
Owen Mansel-Chan	a159dc1c66	Change variable name in test	2026-05-28 10:28:14 +01:00
Tom Hvitved	7718fe40a0	Ruby: Add more variable tests	2026-05-28 10:50:15 +02:00
Tom Hvitved	aeb82858d7	Rust: Run codegen	2026-05-28 10:50:13 +02:00
Tom Hvitved	c08cf81665	Rust: Adopt shared local name resolution library	2026-05-28 10:50:10 +02:00
Tom Hvitved	e06158629e	Rust: More local variable tests	2026-05-28 10:50:05 +02:00
Tom Hvitved	3e09961662	Shared: Add local name binding library	2026-05-28 10:50:03 +02:00
BazookaMusic	cc12740c0e	remove check for files in sync	2026-05-27 17:41:44 +02:00
BazookaMusic	acb5c0e70f	missed changes	2026-05-27 17:23:45 +02:00
BazookaMusic	6042adebae	move identical java and cs bound.qll to shared library	2026-05-27 17:23:28 +02:00
Owen Mansel-Chan	ec13e1bcd3	Add wildcard `ContentSet`s to avoid performance problems	2026-05-27 15:28:07 +01:00
Owen Mansel-Chan	e8779295ee	Update test results	2026-05-22 11:43:18 +01:00
Rasmus Lerchedahl Petersen	fa758d6bf5	python: fix test	2026-05-21 16:59:19 +01:00
Rasmus Lerchedahl Petersen	fa9426c749	Python: extra tests for comprehension	2026-05-21 16:59:18 +01:00
Rasmus Lerchedahl Petersen	0ecca91dea	Python: typo	2026-05-21 16:59:16 +01:00
Rasmus Lerchedahl Petersen	f669a4f3bf	Python: Make sure all imprecise taint bubbles up	2026-05-21 16:59:14 +01:00
Rasmus Lerchedahl Petersen	3275c814bd	Python: reset test expectations	2026-05-21 16:59:11 +01:00
Rasmus Lerchedahl Petersen	9a180036a5	Python: conversion step for `format_map` and adjust collection test	2026-05-21 16:59:08 +01:00
Rasmus Lerchedahl Petersen	93e7ab52b7	Python: adjust test expectations We now find an alert on this line as we hope to It is not an alert for _full_ SSRF, though, since that configuration cannot handle multiple substitutions.	2026-05-21 16:58:51 +01:00
Rasmus Lerchedahl Petersen	facb3b681d	Python: recover taint for % format strings	2026-05-21 16:57:50 +01:00
Rasmus Lerchedahl Petersen	b67694b2ab	Python: Remove imprecise container steps - remove `tupleStoreStep` and `dictStoreStep` from `containerStep` These are imprecise compared to the content being precise. - add implicit reads to recover taint at sinks - add implicit read steps for decoders to supplement the `AdditionalTaintStep` that now only covers when the full container is tainted.	2026-05-21 16:57:44 +01:00
Owen Mansel-Chan	dc864762c3	Add change note	2026-05-07 10:23:50 +01:00
Owen Mansel-Chan	dd35bc0722	Update test output	2026-05-07 10:17:47 +01:00
copilot-swe-agent[bot]	043ec857ab	Replace fluent SSRF changes with Apache HttpClient execute model tests Agent-Logs-Url: https://github.com/github/codeql/sessions/3db201db-a1b5-4353-a94a-14a8d156dd3b Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>	2026-05-06 20:31:34 +00:00
copilot-swe-agent[bot]	f5b17b0b48	Add SSRF tests and stubs for Apache Http fluent Request models Agent-Logs-Url: https://github.com/github/codeql/sessions/bd4fa112-dbc3-47e8-9cef-9b1b13c7e549 Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>	2026-05-06 16:08:02 +00:00
copilot-swe-agent[bot]	26dca558c7	Initial plan	2026-05-06 16:02:08 +00:00
Owen Mansel-Chan	a367294c23	Merge branch 'main' into copilot/automate-go-version-updates-again	2026-04-23 14:41:46 +01:00
copilot-swe-agent[bot]	b6004045bd	Clean up Go version workflow - remove unnecessary escaping and checks Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:23:44 +00:00
copilot-swe-agent[bot]	cc7e03b0f5	Add error handling and validation to Go version workflow Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:22:36 +00:00
copilot-swe-agent[bot]	1cbd423251	Improve portability and fix PR detection in Go version workflow Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:21:13 +00:00
copilot-swe-agent[bot]	437244fe90	Fix portability issues in Go version update workflow Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:19:56 +00:00
copilot-swe-agent[bot]	f7cf24d1f9	Add Go version update workflow Co-authored-by: mbg <278086+mbg@users.noreply.github.com>	2026-02-13 11:17:57 +00:00
copilot-swe-agent[bot]	c3bafacf81	Initial plan	2026-02-13 11:15:15 +00:00
Owen Mansel-Chan	57ce0b3d51	Accept data flow consistency result	2026-02-05 22:28:54 +00:00
Owen Mansel-Chan	408ba2e139	(Misc) Delete spuriously committed binary file	2026-02-04 13:41:14 +00:00
Owen Mansel-Chan	7632bdba88	(Misc) fix variable names	2026-02-04 13:40:52 +00:00
Owen Mansel-Chan	4b830c1864	Test varargs flow with models-as-data	2026-02-04 13:40:33 +00:00
Owen Mansel-Chan	d6c8767647	Test flow out of varargs parameter in function model	2026-02-04 13:40:01 +00:00
Owen Mansel-Chan	ec815397a2	Test flow out of varargs parameter in source function	2026-02-04 13:38:48 +00:00