codeql-development-mcp-server 2.24.1-rc1

package/ql/ruby/tools/src/CallGraphTo/CallGraphTo.ql

@@ -0,0 +1,48 @@
+/**
+ * @name Call Graph To for ruby
+ * @description Displays calls made to a specified method, showing the call graph inbound to the target method.
+ * @id ruby/tools/call-graph-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+private import codeql.ruby.AST
+private import codeql.ruby.DataFlow
+
+/**
+ * Gets the target method name for which to generate the call graph.
+ * Can be a single method name or comma-separated list of method names.
+ */
+external string targetFunction();
+
+/**
+ * Gets a single target method name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  result = targetFunction().splitAt(",").trim()
+}
+
+/**
+ * Gets the caller name for a call expression.
+ */
+string getCallerName(MethodCall call) {
+  if exists(call.getEnclosingMethod())
+  then result = call.getEnclosingMethod().getName()
+  else result = "Top-level"
+}
+
+from MethodCall call
+where
+  (
+    // Use external predicate if available
+    call.getMethodName() = getTargetFunctionName()
+    or
+    // Fallback for unit tests: include test files
+    (
+      not exists(getTargetFunctionName()) and
+      call.getLocation().getFile().getParentContainer().getParentContainer().getBaseName() = "test"
+    )
+  )
+select call,
+  "Call to `" + call.getMethodName() + "` from `" + getCallerName(call) + "`"

package/ql/ruby/tools/src/PrintAST/PrintAST.ql

@@ -0,0 +1,57 @@
+/**
+ * @name Print AST for ruby
+ * @description Outputs a representation of the Abstract Syntax Tree for specified source files.
+ * @id ruby/tools/print-ast
+ * @kind graph
+ * @tags ast
+ */
+
+private import codeql.ruby.AST
+private import codeql.ruby.printAst
+
+/**
+ * Gets the source files to generate AST from.
+ * Can be a single file path or comma-separated list of file paths.
+ */
+external string selectedSourceFiles();
+
+/**
+ * Gets a single source file from the comma-separated list.
+ */
+string getSelectedSourceFile() {
+  result = selectedSourceFiles().splitAt(",").trim()
+}
+
+/**
+ * Gets a file by matching against the selected source file paths.
+ */
+File getSelectedFile() {
+  exists(string selectedFile |
+    selectedFile = getSelectedSourceFile() and
+    (
+      // Match by exact relative path from source root
+      result.getRelativePath() = selectedFile or
+      // Match by file name if no path separators
+      (not selectedFile.matches("%/%") and result.getBaseName() = selectedFile) or
+      // Match by ending path component
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) = selectedFile
+    )
+  )
+}
+
+/**
+ * Configuration for PrintAST that uses external predicates to specify source files.
+ * Falls back to all files when external predicates are not available (for unit tests).
+ */
+class Cfg extends PrintAstConfiguration {
+  override predicate shouldPrintNode(AstNode n) {
+    super.shouldPrintNode(n) and
+    (
+      // Use external predicate if available
+      n.getLocation().getFile() = getSelectedFile()
+      or
+      // Fallback for unit tests: include all files
+      not exists(getSelectedFile())
+    )
+  }
+}

package/ql/ruby/tools/src/PrintCFG/PrintCFG.md

@@ -0,0 +1,55 @@
+# Print CFG for Ruby
+
+Produces a representation of a file's Control Flow Graph (CFG) for specified source files.
+
+## Overview
+
+The Control Flow Graph represents the order in which statements and expressions are executed in a program. Each node in the graph represents a control-flow element (statement or expression), and edges represent possible execution paths between them.
+
+This query outputs all CFG nodes and their successor relationships for Ruby code, which is useful for understanding program execution flow, debugging control flow issues, and analyzing code paths.
+
+## Use Cases
+
+This query is primarily used for:
+
+- Visualizing program execution flow
+- Understanding complex branching logic
+- Debugging control flow issues
+- Analysis of code paths and reachability
+- IDE integration for control flow visualization
+
+## Example
+
+The following Ruby code demonstrates control flow through conditional statements and loops:
+
+```ruby
+def example(x)
+    if x > 0                      # COMPLIANT - Branching creates CFG edges
+        puts "Positive"
+    else
+        puts "Non-positive"
+    end
+
+    (0..2).each do |i|            # COMPLIANT - Iterator creates CFG paths
+        puts i
+    end
+end
+```
+
+In the resulting CFG:
+
+- The `if` condition creates two outgoing edges (true/false branches)
+- The `each` iterator creates paths through the block
+- Each statement connects to its successor in execution order
+
+## Output Format
+
+The query produces two relations:
+
+- `nodes(CfgNode, string, string)`: Each CFG node with its label
+- `edges(CfgNode, CfgNode)`: Successor relationships between nodes
+
+## References
+
+- [Ruby Control Structures](https://ruby-doc.org/core/doc/syntax/control_expressions_rdoc.html)
+- [CodeQL Control Flow Graph](https://codeql.github.com/docs/writing-codeql-queries/about-control-flow-in-codeql/)

package/ql/ruby/tools/src/PrintCFG/PrintCFG.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Print CFG for ruby
+ * @description Produces a representation of a file's Control Flow Graph for specified source files.
+ * @id ruby/tools/print-cfg
+ * @kind graph
+ * @tags cfg
+ */
+
+private import codeql.ruby.AST
+private import codeql.ruby.controlflow.ControlFlowGraph
+
+/**
+ * Configuration for PrintCFG that outputs all CFG nodes and edges.
+ */
+query predicate nodes(CfgNode node, string property, string value) {
+  property = "semmle.label" and
+  value = node.toString()
+}
+
+query predicate edges(CfgNode pred, CfgNode succ) {
+  pred.getASuccessor() = succ
+}

package/ql/ruby/tools/src/codeql-pack.lock.yml

@@ -0,0 +1,24 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/concepts:
+    version: 0.0.15
+  codeql/controlflow:
+    version: 2.0.25
+  codeql/dataflow:
+    version: 2.0.25
+  codeql/mad:
+    version: 1.0.41
+  codeql/regex:
+    version: 1.0.41
+  codeql/ruby-all:
+    version: 5.1.9
+  codeql/ssa:
+    version: 2.0.17
+  codeql/tutorial:
+    version: 1.0.41
+  codeql/typetracking:
+    version: 2.0.25
+  codeql/util:
+    version: 2.0.28
+compiled: false

package/ql/ruby/tools/src/codeql-pack.yml

@@ -0,0 +1,6 @@
+name: advanced-security/ql-mcp-ruby-tools-src
+version: 2.24.1-rc1
+description: 'Queries for codeql-development-mcp-server tools for ruby language'
+library: false
+dependencies:
+  codeql/ruby-all: 5.1.9

package/ql/swift/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -0,0 +1,53 @@
+/**
+ * @name Call Graph From for swift
+ * @description Displays calls made from a specified function, showing the call graph outbound from the source function.
+ * @id swift/tools/call-graph-from
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import swift
+
+/**
+ * Gets the source function name for which to generate the call graph.
+ * Can be a single function name or comma-separated list of function names.
+ */
+external string sourceFunction();
+
+/**
+ * Gets a single source function name from the comma-separated list.
+ */
+string getSourceFunctionName() { result = sourceFunction().splitAt(",").trim() }
+
+/**
+ * Gets a function by matching against the selected source function names.
+ */
+Function getSourceFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getSourceFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Gets the name of the called function.
+ */
+string getCalleeName(CallExpr call) {
+  if exists(call.getStaticTarget())
+  then result = call.getStaticTarget().getName()
+  else result = call.toString()
+}
+
+from CallExpr call, Function source
+where
+  call.getEnclosingFunction() = source and
+  (
+    // Use external predicate if available
+    source = getSourceFunction()
+    or
+    // Fallback for unit tests: include specific test files
+    not exists(getSourceFunction()) and
+    source.getFile().getBaseName() = "Example1.swift"
+  )
+select call, "Call from `" + source.getName() + "` to `" + getCalleeName(call) + "`"

package/ql/swift/tools/src/CallGraphTo/CallGraphTo.ql

@@ -0,0 +1,49 @@
+/**
+ * @name Call Graph To for swift
+ * @description Displays calls made to a specified function, showing the call graph inbound to the target function.
+ * @id swift/tools/call-graph-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import swift
+
+/**
+ * Gets the target function name for which to generate the call graph.
+ * Can be a single function name or comma-separated list of function names.
+ */
+external string targetFunction();
+
+/**
+ * Gets a single target function name from the comma-separated list.
+ */
+string getTargetFunctionName() { result = targetFunction().splitAt(",").trim() }
+
+/**
+ * Gets the caller name for a call expression.
+ */
+string getCallerName(CallExpr call) {
+  if exists(call.getEnclosingFunction())
+  then result = call.getEnclosingFunction().getName()
+  else result = "Top-level"
+}
+
+/**
+ * Gets the name of the called function.
+ */
+string getCalleeName(CallExpr call) {
+  if exists(call.getStaticTarget())
+  then result = call.getStaticTarget().getName()
+  else result = call.toString()
+}
+
+from CallExpr call
+where
+  // Use external predicate if available
+  call.getStaticTarget().getName() = getTargetFunctionName()
+  or
+  // Fallback for unit tests: include specific test files
+  not exists(getTargetFunctionName()) and
+  call.getLocation().getFile().getBaseName() = "Example1.swift"
+select call, "Call to `" + getCalleeName(call) + "` from `" + getCallerName(call) + "`"

package/ql/swift/tools/src/PrintAST/PrintAST.ql

@@ -0,0 +1,58 @@
+/**
+ * @name Print AST for swift
+ * @description Outputs a representation of the Abstract Syntax Tree for specified source files.
+ * @id swift/tools/print-ast
+ * @kind graph
+ * @tags ast
+ */
+
+import codeql.swift.printast.PrintAst
+
+/**
+ * Gets the source files to generate AST from.
+ * Can be a single file path or comma-separated list of file paths.
+ */
+external string selectedSourceFiles();
+
+/**
+ * Gets a single source file from the comma-separated list.
+ */
+string getSelectedSourceFile() { result = selectedSourceFiles().splitAt(",").trim() }
+
+/**
+ * Gets a file by matching against the selected source file paths.
+ */
+File getSelectedFile() {
+  exists(string selectedFile |
+    selectedFile = getSelectedSourceFile() and
+    (
+      // Match by exact relative path from source root
+      result.getRelativePath() = selectedFile
+      or
+      // Match by file name if no path separators
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
+      // Match by ending path component
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
+    )
+  )
+}
+
+/**
+ * Configuration for PrintAST that uses external predicates to specify source files.
+ * Falls back to test files when external predicates are not available.
+ */
+class Cfg extends PrintAstConfiguration {
+  override predicate shouldPrint(Locatable e) {
+    super.shouldPrint(e) and
+    (
+      // Use external predicate if available
+      e.getLocation().getFile() = getSelectedFile()
+      or
+      // Fallback for unit tests: include specific test files
+      not exists(getSelectedFile()) and
+      e.getLocation().getFile().getBaseName() = "Example1.swift"
+    )
+  }
+}

package/ql/swift/tools/src/PrintCFG/PrintCFG.ql

@@ -0,0 +1,68 @@
+/**
+ * @name Print CFG for swift
+ * @description Produces a representation of a file's Control Flow Graph for specified source files.
+ * @id swift/tools/print-cfg
+ * @kind graph
+ * @tags cfg
+ */
+
+import swift
+import codeql.swift.controlflow.ControlFlowGraph
+
+/**
+ * Gets the source files to generate CFG from.
+ * Can be a single file path or comma-separated list of file paths.
+ */
+external string selectedSourceFiles();
+
+/**
+ * Gets a single source file from the comma-separated list.
+ */
+string getSelectedSourceFile() { result = selectedSourceFiles().splitAt(",").trim() }
+
+/**
+ * Gets a file by matching against the selected source file paths.
+ */
+File getSelectedFile() {
+  exists(string selectedFile |
+    selectedFile = getSelectedSourceFile() and
+    (
+      // Match by exact relative path from source root
+      result.getRelativePath() = selectedFile
+      or
+      // Match by file name if no path separators
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
+      // Match by ending path component
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
+    )
+  )
+}
+
+/**
+ * Holds if this CFG node should be included in output.
+ */
+predicate shouldPrintNode(ControlFlowNode node) {
+  // Use external predicate if available
+  node.getLocation().getFile() = getSelectedFile()
+  or
+  // Fallback for unit tests: include specific test files
+  not exists(getSelectedFile()) and
+  node.getLocation().getFile().getBaseName() = "Example1.swift"
+}
+
+/**
+ * Configuration for PrintCFG that outputs filtered CFG nodes and edges.
+ */
+query predicate nodes(ControlFlowNode node, string property, string value) {
+  shouldPrintNode(node) and
+  property = "semmle.label" and
+  value = node.toString()
+}
+
+query predicate edges(ControlFlowNode pred, ControlFlowNode succ) {
+  shouldPrintNode(pred) and
+  shouldPrintNode(succ) and
+  pred.getASuccessor() = succ
+}

package/ql/swift/tools/src/codeql-pack.lock.yml

@@ -0,0 +1,24 @@
+---
+lockVersion: 1.0.0
+dependencies:
+  codeql/concepts:
+    version: 0.0.15
+  codeql/controlflow:
+    version: 2.0.25
+  codeql/dataflow:
+    version: 2.0.25
+  codeql/mad:
+    version: 1.0.41
+  codeql/regex:
+    version: 1.0.41
+  codeql/ssa:
+    version: 2.0.17
+  codeql/swift-all:
+    version: 6.2.1
+  codeql/tutorial:
+    version: 1.0.41
+  codeql/typetracking:
+    version: 2.0.25
+  codeql/util:
+    version: 2.0.28
+compiled: false

package/ql/swift/tools/src/codeql-pack.yml

@@ -0,0 +1,6 @@
+name: advanced-security/ql-mcp-swift-tools-src
+version: 2.24.1-rc1
+description: 'Queries for codeql-development-mcp-server tools for swift language'
+library: false
+dependencies:
+  codeql/swift-all: 6.2.1

package/scripts/setup-packs.sh

@@ -0,0 +1,150 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+## setup-packs.sh — Install CodeQL pack dependencies for bundled tool query packs.
+##
+## This script runs `codeql pack install` for each tool query source pack bundled
+## with the codeql-development-mcp-server. It works from both:
+##   - npm install layout:  <pkg>/ql/<language>/tools/src/
+##   - monorepo layout:     server/ql/<language>/tools/src/
+##
+## The lock files (codeql-pack.lock.yml) shipped with each source pack pin exact
+## dependency versions. `codeql pack install` reads these and fetches packages
+## from the GitHub Container Registry (GHCR) into ~/.codeql/packages/.
+##
+## Prerequisites: codeql CLI must be on PATH (or set CODEQL_PATH).
+##
+## Usage:
+##   setup-packs.sh [OPTIONS]
+##
+## Options:
+##   --language <lang>  Install packs only for the specified language
+##   -h, --help         Show this help message
+
+LANGUAGE=""
+
+usage() {
+  cat << EOF
+Usage: $0 [OPTIONS]
+
+Install CodeQL pack dependencies for bundled tool query packs.
+
+OPTIONS:
+    --language <lang>  Install packs only for the specified language
+                       Valid values: actions, cpp, csharp, go, java, javascript, python, ruby, swift
+    -h, --help         Show this help message
+
+By default, installs pack dependencies for all supported languages.
+EOF
+}
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    --language)
+      if [[ $# -lt 2 || "$2" =~ ^- ]]; then
+        echo "Error: --language requires a value" >&2
+        usage >&2
+        exit 1
+      fi
+      LANGUAGE="$2"
+      shift 2
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Error: Unknown option $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+## Validate language if provided
+VALID_LANGUAGES=("actions" "cpp" "csharp" "go" "java" "javascript" "python" "ruby" "swift")
+if [ -n "${LANGUAGE}" ]; then
+  LANGUAGE_VALID=false
+  for valid_lang in "${VALID_LANGUAGES[@]}"; do
+    if [ "${LANGUAGE}" = "${valid_lang}" ]; then
+      LANGUAGE_VALID=true
+      break
+    fi
+  done
+
+  if [ "${LANGUAGE_VALID}" = false ]; then
+    echo "Error: Invalid language '${LANGUAGE}'" >&2
+    echo "Valid languages: ${VALID_LANGUAGES[*]}" >&2
+    exit 1
+  fi
+fi
+
+## Resolve the CodeQL CLI binary.
+CODEQL="${CODEQL_PATH:-codeql}"
+if ! command -v "${CODEQL}" &> /dev/null; then
+  echo "Error: CodeQL CLI not found. Install it or set CODEQL_PATH." >&2
+  exit 1
+fi
+
+## Resolve the ql/ root directory.
+## Works from both:
+##   npm layout:     <pkg>/scripts/setup-packs.sh  → <pkg>/ql/
+##   monorepo layout: server/scripts/setup-packs.sh → server/ql/
+## When invoked via npm bin shim/symlink, BASH_SOURCE[0] may point to the
+## .bin/ directory. Resolve the real path first to find the actual package root.
+SCRIPT_PATH="${BASH_SOURCE[0]}"
+if command -v realpath &> /dev/null; then
+  SCRIPT_PATH="$(realpath "${SCRIPT_PATH}")"
+elif command -v readlink &> /dev/null; then
+  # macOS readlink doesn't support -f, use a loop to resolve symlinks
+  while [ -L "${SCRIPT_PATH}" ]; do
+    LINK_TARGET="$(readlink "${SCRIPT_PATH}")"
+    # Resolve relative targets against the symlink's directory
+    if [[ "${LINK_TARGET}" != /* ]]; then
+      LINK_TARGET="$(cd "$(dirname "${SCRIPT_PATH}")" && pwd)/${LINK_TARGET}"
+    fi
+    SCRIPT_PATH="${LINK_TARGET}"
+  done
+fi
+SCRIPT_DIR="$(cd "$(dirname "${SCRIPT_PATH}")" && pwd)"
+PACKAGE_ROOT="$(cd "${SCRIPT_DIR}/.." && pwd)"
+QL_ROOT="${PACKAGE_ROOT}/ql"
+
+if [ ! -d "${QL_ROOT}" ]; then
+  echo "Error: ql/ directory not found at ${QL_ROOT}" >&2
+  exit 1
+fi
+
+## Install pack dependencies for a single language.
+install_language_pack() {
+  local lang="$1"
+  local pack_dir="${QL_ROOT}/${lang}/tools/src"
+
+  if [ ! -d "${pack_dir}" ]; then
+    echo "⚠️  Skipping ${lang}: ${pack_dir} not found"
+    return
+  fi
+
+  if [ ! -f "${pack_dir}/codeql-pack.yml" ]; then
+    echo "⚠️  Skipping ${lang}: no codeql-pack.yml in ${pack_dir}"
+    return
+  fi
+
+  echo "📦 Installing pack dependencies for ${lang}..."
+  "${CODEQL}" pack install --no-strict-mode -- "${pack_dir}"
+  echo "✅ ${lang} pack dependencies installed"
+}
+
+## Main
+if [ -n "${LANGUAGE}" ]; then
+  echo "Installing pack dependencies for language: ${LANGUAGE}"
+  install_language_pack "${LANGUAGE}"
+else
+  echo "Installing pack dependencies for all languages..."
+  for lang in "${VALID_LANGUAGES[@]}"; do
+    install_language_pack "${lang}"
+  done
+fi
+
+echo ""
+echo "Done. Tool query pack dependencies are cached in ~/.codeql/packages/"