codeql-development-mcp-server 2.24.3 → 2.25.0

package/ql/csharp/tools/src/PrintAST/PrintAST.ql

@@ -8,18 +8,13 @@
 
 import csharp
 import semmle.code.csharp.PrintAst
-
-/**
- * Gets the source files to generate AST from.
- * Can be a single file path or comma-separated list of file paths.
- */
-external string selectedSourceFiles();
+import ExternalPredicates
 
 /**
  * Gets a single source file from the comma-separated list.
  */
 string getSelectedSourceFile() {
-  result = selectedSourceFiles().splitAt(",").trim()
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -30,11 +25,14 @@ File getSelectedFile() {
     selectedFile = getSelectedSourceFile() and
     (
       // Match by exact relative path from source root
-      result.getRelativePath() = selectedFile or
+      result.getRelativePath() = selectedFile
+      or
       // Match by file name if no path separators
-      (not selectedFile.matches("%/%") and result.getBaseName() = selectedFile) or
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
       // Match by ending path component
-      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) = selectedFile
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
     )
   )
 }
@@ -46,12 +44,6 @@ File getSelectedFile() {
 class Cfg extends PrintAstConfiguration {
   override predicate shouldPrint(Element e, Location l) {
     super.shouldPrint(e, l) and
-    (
-      // Use external predicate if available
-      l.getFile() = getSelectedFile()
-      or
-      // Fallback for unit tests: include all files
-      not exists(getSelectedFile())
-    )
+    l.getFile() = getSelectedFile()
   }
 }

package/ql/csharp/tools/src/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.28
   codeql/csharp-all:
-    version: 5.4.6
+    version: 5.4.9
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.1.0
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.44
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.20
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.44
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typetracking:
-    version: 2.0.25
-  codeql/util:
     version: 2.0.28
+  codeql/util:
+    version: 2.0.31
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.44
 compiled: false

package/ql/csharp/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-csharp-tools-src
-version: 2.24.3
+version: 2.25.0
 description: 'Queries for codeql-development-mcp-server tools for csharp language'
 library: false
 dependencies:
-  codeql/csharp-all: 5.4.6
+  codeql/csharp-all: 5.4.9

package/ql/go/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -8,32 +8,17 @@
  */
 
 import go
-
-/**
- * Gets the source function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string sourceFunction();
+import ExternalPredicates
 
 /**
  * Gets a single source function name from the comma-separated list.
  */
 string getSourceFunctionName() {
-  result = sourceFunction().splitAt(",").trim()
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
 }
 
 from CallExpr call, FuncDecl source
 where
   call.getEnclosingFunction() = source and
-  (
-    // Use external predicate if available
-    source.getName() = getSourceFunctionName()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getSourceFunctionName()) and
-      source.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call from `" + source.getName() + "` to `" + call.getTarget().getName() + "`"
+  source.getName() = getSourceFunctionName()
+select call, "Call from `" + source.getName() + "` to `" + call.getTarget().getName() + "`"

package/ql/go/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,47 @@
+# CallGraphFromTo for Go
+
+Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all function calls that lie on any transitive call path from a specified source function to a specified target function. Given both a source and target function name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and function reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts function names via extensible predicates (`sourceFunction` and `targetFunction`) populated via CodeQL data extensions / model packs (see `ExternalPredicates.qll`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two functions
+- Mapping indirect call chains from a source to a target function
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between functions
+
+## Example
+
+The following Go code demonstrates a transitive call chain from `source` through `intermediate` to `target`:
+
+```go
+func target() {}
+
+func intermediate() {
+    target()
+}
+
+func source() {
+    intermediate()
+}
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with a message like: "Reachable call from `source` to `intermediate`".
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [Go Functions](https://go.dev/doc/effective_go#functions)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)

package/ql/go/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,53 @@
+/**
+ * @name Call Graph From To for go
+ * @description Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+ * @id go/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import go
+import ExternalPredicates
+
+/**
+ * Gets a single source function name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a single target function name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Holds if function `caller` directly calls function `callee` by name.
+ */
+predicate calls(FuncDecl caller_, FuncDecl callee_) {
+  exists(CallExpr c |
+    c.getEnclosingFunction() = caller_ and
+    c.getTarget().getName() = callee_.getName()
+  )
+}
+
+from CallExpr call, FuncDecl caller
+where
+  call.getEnclosingFunction() = caller and
+  exists(
+    // Use external predicates if available: show calls on paths from source to target
+    FuncDecl source, FuncDecl target
+  |
+    source.getName() = getSourceFunctionName() and
+    target.getName() = getTargetFunctionName() and
+    calls*(source, caller) and
+    exists(FuncDecl callee |
+      call.getTarget().getName() = callee.getName() and
+      calls*(callee, target)
+    )
+  )
+select call,
+  "Reachable call from `" + caller.getName() + "` to `" + call.getTarget().getName() + "`"

package/ql/go/tools/src/CallGraphTo/CallGraphTo.ql

@@ -8,18 +8,13 @@
  */
 
 import go
-
-/**
- * Gets the target function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string targetFunction();
+import ExternalPredicates
 
 /**
  * Gets a single target function name from the comma-separated list.
  */
 string getTargetFunctionName() {
-  result = targetFunction().splitAt(",").trim()
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -32,16 +27,5 @@ string getCallerName(CallExpr call) {
 }
 
 from CallExpr call
-where
-  (
-    // Use external predicate if available
-    call.getTarget().getName() = getTargetFunctionName()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getTargetFunctionName()) and
-      call.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call to `" + call.getTarget().getName() + "` from `" + getCallerName(call) + "`"
+where call.getTarget().getName() = getTargetFunctionName()
+select call, "Call to `" + call.getTarget().getName() + "` from `" + getCallerName(call) + "`"

package/ql/go/tools/src/ExternalPredicates.qll

@@ -0,0 +1,14 @@
+/**
+ * Shared extensible predicate declarations for MCP server tools queries.
+ * Values are provided via dataExtensions YAML files during testing,
+ * or via a temporary data extension pack at runtime from the MCP server.
+ */
+
+/** Holds for each source function name for call graph analysis. */
+extensible predicate sourceFunction(string name);
+
+/** Holds for each target function name for call graph analysis. */
+extensible predicate targetFunction(string name);
+
+/** Holds for each selected source file path for AST/CFG printing. */
+extensible predicate selectedSourceFiles(string path);

package/ql/go/tools/src/PrintAST/PrintAST.ql

@@ -7,19 +7,13 @@
  */
 
 import go
-import semmle.go.PrintAst
-
-/**
- * Gets the source files to generate AST from.
- * Can be a single file path or comma-separated list of file paths.
- */
-external string selectedSourceFiles();
+import ExternalPredicates
 
 /**
  * Gets a single source file from the comma-separated list.
  */
 string getSelectedSourceFile() {
-  result = selectedSourceFiles().splitAt(",").trim()
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -30,29 +24,145 @@ File getSelectedFile() {
     selectedFile = getSelectedSourceFile() and
     (
       // Match by exact relative path from source root
-      result.getRelativePath() = selectedFile or
+      result.getRelativePath() = selectedFile
+      or
       // Match by file name if no path separators
-      (not selectedFile.matches("%/%") and result.getBaseName() = selectedFile) or
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
       // Match by ending path component
-      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) = selectedFile
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
     )
   )
 }
 
 /**
- * Configuration for PrintAST that uses external predicates to specify source files.
- * Falls back to test file selection when external predicates are not available.
+ * Holds if the given file should be printed.
+ * Uses the external predicate if available, otherwise falls back to test files.
+ */
+private predicate isSelectedFile(File file) { file = getSelectedFile() }
+
+// Standalone PrintAST implementation for Go.
+//
+// This avoids extending the library's `PrintAstConfiguration` (which is inside
+// an `overlay[local]` module in `go-all`) by directly using the Go AST API.
+// File filtering is applied at the source level for efficiency.
+/** Gets the enclosing function declaration for `n`, if any. */
+private FuncDecl getEnclosingFunctionDecl(AstNode n) { result = n.getParent*() }
+
+/**
+ * Holds if `ast` should be included in the printed AST.
+ * Restricts to selected files and excludes comments for deterministic output.
+ */
+private predicate shouldPrint(AstNode ast) {
+  isSelectedFile(ast.getFile()) and
+  // Print nodes without an enclosing function (e.g. file headers)
+  forall(FuncDecl f | f = getEnclosingFunctionDecl(ast) | isSelectedFile(f.getFile())) and
+  // Exclude comments for deterministic output
+  not ast instanceof Comment and
+  not ast instanceof CommentGroup and
+  exists(ast.getLocation())
+}
+
+/** Gets the QL class label for an AST node. */
+private string qlClass(AstNode el) { result = "[" + concat(el.getAPrimaryQlClass(), ", ") + "] " }
+
+/** Gets the default string representation for an AST node. */
+private string nodeToString(AstNode ast) {
+  if ast instanceof File
+  then result = qlClass(ast) + ast.(File).getRelativePath()
+  else result = qlClass(ast) + ast.toString()
+}
+
+/**
+ * Gets the child at `childIndex` for `ast`, with special handling
+ * for `File` nodes (package name expression is moved to index 0).
+ * Comments are excluded from the child list.
  */
-class Cfg extends PrintAstConfiguration {
-  override predicate shouldPrintFunction(FuncDecl func) { this.shouldPrintFile(func.getFile()) }
+private AstNode getChild(AstNode ast, int childIndex) {
+  if ast instanceof File and exists(ast.(File).getPackageNameExpr())
+  then
+    exists(AstNode packageNode, int oldPackageIndex |
+      ast.getUniquelyNumberedChild(oldPackageIndex) = packageNode and
+      packageNode = ast.(File).getPackageNameExpr() and
+      (
+        childIndex = 0 and result = packageNode
+        or
+        result =
+          rank[childIndex](AstNode node, int i |
+            node = ast.getUniquelyNumberedChild(i) and
+            i != oldPackageIndex and
+            not node instanceof Comment and
+            not node instanceof CommentGroup
+          |
+            node order by i
+          )
+      )
+    )
+  else
+    result =
+      rank[childIndex](AstNode node, int i |
+        node = ast.getUniquelyNumberedChild(i) and
+        not node instanceof Comment and
+        not node instanceof CommentGroup
+      |
+        node order by i
+      )
+}
+
+/** Gets the edge label from `ast` to its child at `childIndex`. */
+private string getChildEdgeLabel(AstNode ast, int childIndex) {
+  exists(getChild(ast, childIndex)) and
+  if
+    ast instanceof File and
+    exists(ast.(File).getPackageNameExpr()) and
+    getChild(ast, childIndex) = ast.(File).getPackageNameExpr()
+  then result = "package"
+  else result = childIndex.toString()
+}
 
-  override predicate shouldPrintFile(File file) { 
-    // Use external predicate if available
-    file = getSelectedFile()
+/** Holds if `node` belongs to the output tree, and its property `key` has the given `value`. */
+query predicate nodes(AstNode node, string key, string value) {
+  shouldPrint(node) and
+  (
+    key = "semmle.label" and value = nodeToString(node)
+    or
+    node instanceof Expr and
+    (
+      key = "Value" and
+      value = qlClass(node) + node.(Expr).getExactValue()
+      or
+      key = "Type" and
+      not node.(Expr).getType() instanceof InvalidType and
+      value = node.(Expr).getType().pp()
+    )
     or
-    // Fallback for unit tests: include specific test files
-    (not exists(getSelectedFile()) and file.getBaseName() = "Example1.go")
-  }
+    node instanceof File and
+    key = "semmle.order" and
+    value =
+      any(int i |
+        node = rank[i](File fn | isSelectedFile(fn) | fn order by fn.getRelativePath())
+      |
+        i
+      ).toString()
+  )
+}
+
+/** Holds if `target` is a child of `source` in the AST. */
+query predicate edges(AstNode source, AstNode target, string key, string value) {
+  shouldPrint(source) and
+  shouldPrint(target) and
+  exists(int childIndex |
+    target = getChild(source, childIndex) and
+    (
+      key = "semmle.label" and value = getChildEdgeLabel(source, childIndex)
+      or
+      key = "semmle.order" and value = childIndex.toString()
+    )
+  )
+}
 
-  override predicate shouldPrintComments(File file) { none() }
+/** Holds if property `key` of the graph has the given `value`. */
+query predicate graphProperties(string key, string value) {
+  key = "semmle.graphKind" and value = "tree"
 }

package/ql/go/tools/src/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.18
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.28
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.1.0
   codeql/go-all:
-    version: 6.0.1
+    version: 7.0.2
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.44
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.20
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.44
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typetracking:
-    version: 2.0.25
-  codeql/util:
     version: 2.0.28
+  codeql/util:
+    version: 2.0.31
 compiled: false

package/ql/go/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-go-tools-src
-version: 2.24.3
+version: 2.25.0
 description: 'Queries for codeql-development-mcp-server tools for go language'
 library: false
 dependencies:
-  codeql/go-all: 6.0.1
+  codeql/go-all: 7.0.2

package/ql/java/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -8,18 +8,13 @@
  */
 
 import java
-
-/**
- * Gets the source method name for which to generate the call graph.
- * Can be a single method name or comma-separated list of method names.
- */
-external string sourceFunction();
+import ExternalPredicates
 
 /**
  * Gets a single source method name from the comma-separated list.
  */
 string getSourceFunctionName() {
-  result = sourceFunction().splitAt(",").trim()
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -36,15 +31,5 @@ from Call call, Callable source, Callable callee
 where
   call.getCaller() = source and
   call.getCallee() = callee and
-  (
-    // Use external predicate if available
-    source = getSourceFunction()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getSourceFunction()) and
-      source.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call from `" + source.getName() + "` to `" + callee.getName() + "`"
+  source = getSourceFunction()
+select call, "Call from `" + source.getName() + "` to `" + callee.getName() + "`"

package/ql/java/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,49 @@
+# CallGraphFromTo for Java
+
+Displays calls on reachable paths from a source method to a target method, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all method calls that lie on any transitive call path from a specified source method to a specified target method. Given both a source and target method name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and method reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts method names via extensible predicates (`sourceFunction` and `targetFunction`) populated via CodeQL data extensions / model packs (see `ExternalPredicates.qll`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two methods
+- Mapping indirect call chains from a source to a target method
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between methods
+
+## Example
+
+The following Java code demonstrates a transitive call chain from `source` through `intermediate` to `target`:
+
+```java
+class Example {
+    void target() {}
+
+    void intermediate() {
+        target();
+    }
+
+    void source() {
+        intermediate();
+    }
+}
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with a message like: "Reachable call from `source` to `intermediate`".
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [Java Methods](https://docs.oracle.com/javase/tutorial/java/javaOO/methods.html)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)

package/ql/java/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,64 @@
+/**
+ * @name Call Graph From To for java
+ * @description Displays calls on reachable paths from a source method to a target method, showing transitive call graph connectivity.
+ * @id java/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import java
+import ExternalPredicates
+
+/**
+ * Gets a single source method name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a single target method name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a method by matching against the selected source method names.
+ */
+Callable getSourceFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getSourceFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Gets a method by matching against the selected target method names.
+ */
+Callable getTargetFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getTargetFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Holds if callable `caller` directly calls callable `callee`.
+ */
+predicate calls(Callable caller_, Callable callee_) {
+  exists(Call c | c.getCaller() = caller_ and c.getCallee() = callee_)
+}
+
+from Call call, Callable caller, Callable callee
+where
+  call.getCaller() = caller and
+  call.getCallee() = callee and
+  exists(Callable source, Callable target |
+    source = getSourceFunction() and
+    target = getTargetFunction() and
+    calls*(source, caller) and
+    calls*(callee, target)
+  )
+select call, "Reachable call from `" + caller.getName() + "` to `" + callee.getName() + "`"