codeql-development-mcp-server 2.24.3 → 2.25.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-development-mcp-server",
-  "version": "2.24.3",
+  "version": "2.25.0",
   "description": "An MCP server supporting LLM requests for CodeQL development tools and resources.",
   "main": "dist/codeql-development-mcp-server.js",
   "type": "module",
@@ -55,7 +55,7 @@
     "npm": ">=11.6.2"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.27.1",
+    "@modelcontextprotocol/sdk": "^1.28.0",
     "adm-zip": "^0.5.16",
     "cors": "^2.8.6",
     "dotenv": "^17.3.1",
@@ -66,20 +66,20 @@
   },
   "devDependencies": {
     "@eslint/js": "^10.0.1",
-    "@types/adm-zip": "^0.5.7",
+    "@types/adm-zip": "^0.5.8",
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.6",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "^25.3.5",
-    "@vitest/coverage-v8": "^4.0.18",
-    "esbuild": "^0.27.3",
-    "eslint": "^10.0.3",
+    "@types/node": "^25.5.0",
+    "@vitest/coverage-v8": "^4.1.2",
+    "esbuild": "^0.27.4",
+    "eslint": "^10.1.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^5.5.5",
     "prettier": "^3.8.1",
     "typescript": "^5.9.3",
-    "typescript-eslint": "^8.56.1",
-    "vitest": "^4.0.18"
+    "typescript-eslint": "^8.57.2",
+    "vitest": "^4.1.2"
   },
   "scripts": {
     "build": "npm run clean && npm run lint && npm run bundle",

package/ql/actions/tools/src/PrintCFG/PrintCFG.ql

@@ -18,6 +18,4 @@ query predicate nodes(Node node, string property, string value) {
   value = node.toString()
 }
 
-query predicate edges(Node pred, Node succ) {
-  pred.getASuccessor() = succ
-}
+query predicate edges(Node pred, Node succ) { pred.getASuccessor() = succ }

package/ql/actions/tools/src/codeql-pack.lock.yml

@@ -2,31 +2,31 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/actions-all:
-    version: 0.4.27
+    version: 0.4.30
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.18
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.28
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.1.0
   codeql/javascript-all:
-    version: 2.6.21
+    version: 2.6.24
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.44
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.44
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.20
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.44
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typetracking:
-    version: 2.0.25
-  codeql/util:
     version: 2.0.28
+  codeql/util:
+    version: 2.0.31
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.44
   codeql/yaml:
-    version: 1.0.41
+    version: 1.0.44
 compiled: false

package/ql/actions/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-actions-tools-src
-version: 2.24.3
+version: 2.25.0
 description: 'Queries for codeql-development-mcp-server tools for actions language'
 library: false
 dependencies:
-  codeql/actions-all: 0.4.27
+  codeql/actions-all: 0.4.30

package/ql/cpp/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -8,18 +8,13 @@
  */
 
 import cpp
-
-/**
- * Gets the source function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string sourceFunction();
+import ExternalPredicates
 
 /**
  * Gets a single source function name from the comma-separated list.
  */
 string getSourceFunctionName() {
-  result = sourceFunction().splitAt(",").trim()
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -30,7 +25,8 @@ Function getSourceFunction() {
     selectedFunc = getSourceFunctionName() and
     (
       // Match by exact function name
-      result.getName() = selectedFunc or
+      result.getName() = selectedFunc
+      or
       // Match by qualified name
       result.getQualifiedName() = selectedFunc
     )
@@ -41,15 +37,5 @@ from FunctionCall call, Function source, Function callee
 where
   call.getTarget() = callee and
   call.getEnclosingFunction() = source and
-  (
-    // Use external predicate if available
-    source = getSourceFunction()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getSourceFunction()) and
-      source.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call from `" + source.getQualifiedName() + "` to `" + callee.getQualifiedName() + "`"
+  source = getSourceFunction()
+select call, "Call from `" + source.getQualifiedName() + "` to `" + callee.getQualifiedName() + "`"

package/ql/cpp/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,47 @@
+# CallGraphFromTo for C++
+
+Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all function calls that lie on any transitive call path from a specified source function to a specified target function. Given both a source and target function name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and function reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts function names via extensible predicates (`sourceFunction` and `targetFunction`) populated via CodeQL data extensions or model packs (see `ExternalPredicates.qll`) and supports both simple and qualified name matching.
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two functions
+- Mapping indirect call chains from a source to a target function
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between functions
+
+## Example
+
+The following C++ code demonstrates a transitive call chain from `source` through `intermediate` to `target`:
+
+```cpp
+void target() {}
+
+void intermediate() {
+    target();
+}
+
+void source() {
+    intermediate();
+}
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with a message like: "Reachable call from `source` to `intermediate`".
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [C++ Functions](https://en.cppreference.com/w/cpp/language/functions)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)

package/ql/cpp/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,77 @@
+/**
+ * @name Call Graph From To for cpp
+ * @description Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+ * @id cpp/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import cpp
+import ExternalPredicates
+
+/**
+ * Gets a single source function name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a single target function name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a function by matching against the selected source function names.
+ */
+Function getSourceFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getSourceFunctionName() and
+    (
+      // Match by exact function name
+      result.getName() = selectedFunc
+      or
+      // Match by qualified name
+      result.getQualifiedName() = selectedFunc
+    )
+  )
+}
+
+/**
+ * Gets a function by matching against the selected target function names.
+ */
+Function getTargetFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getTargetFunctionName() and
+    (
+      // Match by exact function name
+      result.getName() = selectedFunc
+      or
+      // Match by qualified name
+      result.getQualifiedName() = selectedFunc
+    )
+  )
+}
+
+/**
+ * Holds if function `caller` directly calls function `callee`.
+ */
+predicate calls(Function caller_, Function callee_) {
+  exists(FunctionCall c | c.getEnclosingFunction() = caller_ and c.getTarget() = callee_)
+}
+
+from FunctionCall call, Function caller, Function callee
+where
+  call.getTarget() = callee and
+  call.getEnclosingFunction() = caller and
+  exists(Function source, Function target |
+    source = getSourceFunction() and
+    target = getTargetFunction() and
+    calls*(source, caller) and
+    calls*(callee, target)
+  )
+select call,
+  "Reachable call from `" + caller.getQualifiedName() + "` to `" + callee.getQualifiedName() + "`"

package/ql/cpp/tools/src/CallGraphTo/CallGraphTo.ql

@@ -8,18 +8,13 @@
  */
 
 import cpp
-
-/**
- * Gets the target function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string targetFunction();
+import ExternalPredicates
 
 /**
  * Gets a single target function name from the comma-separated list.
  */
 string getTargetFunctionName() {
-  result = targetFunction().splitAt(",").trim()
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -30,7 +25,8 @@ Function getTargetFunction() {
     selectedFunc = getTargetFunctionName() and
     (
       // Match by exact function name
-      result.getName() = selectedFunc or
+      result.getName() = selectedFunc
+      or
       // Match by qualified name
       result.getQualifiedName() = selectedFunc
     )
@@ -41,15 +37,5 @@ from FunctionCall call, Function target, Function caller
 where
   call.getTarget() = target and
   call.getEnclosingFunction() = caller and
-  (
-    // Use external predicate if available
-    target = getTargetFunction()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getTargetFunction()) and
-      target.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call to `" + target.getQualifiedName() + "` from `" + caller.getQualifiedName() + "`"
+  target = getTargetFunction()
+select call, "Call to `" + target.getQualifiedName() + "` from `" + caller.getQualifiedName() + "`"

package/ql/cpp/tools/src/ExternalPredicates.qll

@@ -0,0 +1,14 @@
+/**
+ * Shared extensible predicate declarations for MCP server tools queries.
+ * Values are provided via dataExtensions YAML files during testing,
+ * or via a temporary data extension pack at runtime from the MCP server.
+ */
+
+/** Holds for each source function name for call graph analysis. */
+extensible predicate sourceFunction(string name);
+
+/** Holds for each target function name for call graph analysis. */
+extensible predicate targetFunction(string name);
+
+/** Holds for each selected source file path for AST/CFG printing. */
+extensible predicate selectedSourceFiles(string path);

package/ql/cpp/tools/src/PrintAST/PrintAST.ql

@@ -8,18 +8,13 @@
 
 import cpp
 import semmle.code.cpp.PrintAST
-
-/**
- * Gets the source files to generate AST from.
- * Can be a single file path or comma-separated list of file paths.
- */
-external string selectedSourceFiles();
+import ExternalPredicates
 
 /**
  * Gets a single source file from the comma-separated list.
  */
 string getSelectedSourceFile() {
-  result = selectedSourceFiles().splitAt(",").trim()
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -30,11 +25,14 @@ File getSelectedFile() {
     selectedFile = getSelectedSourceFile() and
     (
       // Match by exact relative path from source root
-      result.getRelativePath() = selectedFile or
+      result.getRelativePath() = selectedFile
+      or
       // Match by file name if no path separators
-      (not selectedFile.matches("%/%") and result.getBaseName() = selectedFile) or
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
       // Match by ending path component
-      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) = selectedFile
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
     )
   )
 }
@@ -44,14 +42,5 @@ File getSelectedFile() {
  * Falls back to test directory structure when external predicates are not available.
  */
 class Cfg extends PrintAstConfiguration {
-  override predicate shouldPrintDeclaration(Declaration decl) {
-    // Use external predicate if available
-    decl.getFile() = getSelectedFile()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getSelectedFile()) and
-      decl.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  }
+  override predicate shouldPrintDeclaration(Declaration decl) { decl.getFile() = getSelectedFile() }
 }

package/ql/cpp/tools/src/PrintCFG/PrintCFG.ql

@@ -17,6 +17,4 @@ query predicate nodes(ControlFlowNode node, string property, string value) {
   value = node.toString()
 }
 
-query predicate edges(ControlFlowNode pred, ControlFlowNode succ) {
-  pred.getASuccessor() = succ
-}
+query predicate edges(ControlFlowNode pred, ControlFlowNode succ) { pred.getASuccessor() = succ }

package/ql/cpp/tools/src/codeql-pack.lock.yml

@@ -2,27 +2,27 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.28
   codeql/cpp-all:
-    version: 7.1.0
+    version: 8.0.1
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.1.0
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.44
   codeql/quantum:
-    version: 0.0.19
+    version: 0.0.22
   codeql/rangeanalysis:
-    version: 1.0.41
+    version: 1.0.44
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.20
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typeflow:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typetracking:
-    version: 2.0.25
-  codeql/util:
     version: 2.0.28
+  codeql/util:
+    version: 2.0.31
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.44
 compiled: false

package/ql/cpp/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-cpp-tools-src
-version: 2.24.3
+version: 2.25.0
 description: 'Queries for codeql-development-mcp-server tools for cpp language'
 library: false
 dependencies:
-  codeql/cpp-all: 7.1.0
+  codeql/cpp-all: 8.0.1

package/ql/csharp/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -8,18 +8,13 @@
  */
 
 import csharp
-
-/**
- * Gets the source method name for which to generate the call graph.
- * Can be a single method name or comma-separated list of method names.
- */
-external string sourceFunction();
+import ExternalPredicates
 
 /**
  * Gets a single source method name from the comma-separated list.
  */
 string getSourceFunctionName() {
-  result = sourceFunction().splitAt(",").trim()
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -36,15 +31,5 @@ from Call call, Callable source, Callable callee
 where
   call.getEnclosingCallable() = source and
   call.getTarget() = callee and
-  (
-    // Use external predicate if available
-    source = getSourceFunction()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getSourceFunction()) and
-      source.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call from `" + source.getName() + "` to `" + callee.getName() + "`"
+  source = getSourceFunction()
+select call, "Call from `" + source.getName() + "` to `" + callee.getName() + "`"

package/ql/csharp/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,49 @@
+# CallGraphFromTo for C# Source Files
+
+Displays calls on reachable paths from a source method to a target method, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all method calls that lie on any transitive call path from a specified source method to a specified target method. Given both a source and target method name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and method reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts method names via extensible predicates (`sourceFunction` and `targetFunction`) populated via CodeQL data extensions / model packs (see `ExternalPredicates.qll`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two methods
+- Mapping indirect call chains from a source to a target method
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between methods
+
+## Example
+
+The following C# code demonstrates a transitive call chain from `Source` through `Intermediate` to `Target`:
+
+```csharp
+class Example {
+    void Target() {}
+
+    void Intermediate() {
+        Target();
+    }
+
+    void Source() {
+        Intermediate();
+    }
+}
+```
+
+Running with `sourceFunction = "Source"` and `targetFunction = "Target"` produces results showing each call site on the path with a message like: "Reachable call from `Source` to `Intermediate`".
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [C# Methods](https://learn.microsoft.com/en-us/dotnet/csharp/programming-guide/classes-and-structs/methods)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)

package/ql/csharp/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,64 @@
+/**
+ * @name Call Graph From To for csharp
+ * @description Displays calls on reachable paths from a source method to a target method, showing transitive call graph connectivity.
+ * @id csharp/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import csharp
+import ExternalPredicates
+
+/**
+ * Gets a single source method name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a single target method name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a method by matching against the selected source method names.
+ */
+Callable getSourceFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getSourceFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Gets a method by matching against the selected target method names.
+ */
+Callable getTargetFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getTargetFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Holds if callable `caller` directly calls callable `callee`.
+ */
+predicate calls(Callable caller_, Callable callee_) {
+  exists(Call c | c.getEnclosingCallable() = caller_ and c.getTarget() = callee_)
+}
+
+from Call call, Callable caller, Callable callee
+where
+  call.getEnclosingCallable() = caller and
+  call.getTarget() = callee and
+  exists(Callable source, Callable target |
+    source = getSourceFunction() and
+    target = getTargetFunction() and
+    calls*(source, caller) and
+    calls*(callee, target)
+  )
+select call, "Reachable call from `" + caller.getName() + "` to `" + callee.getName() + "`"

package/ql/csharp/tools/src/CallGraphTo/CallGraphTo.ql

@@ -8,18 +8,13 @@
  */
 
 import csharp
-
-/**
- * Gets the target method name for which to generate the call graph.
- * Can be a single method name or comma-separated list of method names.
- */
-external string targetFunction();
+import ExternalPredicates
 
 /**
  * Gets a single target method name from the comma-separated list.
  */
 string getTargetFunctionName() {
-  result = targetFunction().splitAt(",").trim()
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -36,15 +31,5 @@ from Call call, Callable target, Callable caller
 where
   call.getTarget() = target and
   call.getEnclosingCallable() = caller and
-  (
-    // Use external predicate if available
-    target = getTargetFunction()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getTargetFunction()) and
-      target.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call to `" + target.getName() + "` from `" + caller.getName() + "`"
+  target = getTargetFunction()
+select call, "Call to `" + target.getName() + "` from `" + caller.getName() + "`"

package/ql/csharp/tools/src/ExternalPredicates.qll

@@ -0,0 +1,14 @@
+/**
+ * Shared extensible predicate declarations for MCP server tools queries.
+ * Values are provided via dataExtensions YAML files during testing,
+ * or via a temporary data extension pack at runtime from the MCP server.
+ */
+
+/** Holds for each source function name for call graph analysis. */
+extensible predicate sourceFunction(string name);
+
+/** Holds for each target function name for call graph analysis. */
+extensible predicate targetFunction(string name);
+
+/** Holds for each selected source file path for AST/CFG printing. */
+extensible predicate selectedSourceFiles(string path);