codeql-development-mcp-server 2.24.3 → 2.25.0

package/ql/java/tools/src/CallGraphTo/CallGraphTo.ql

@@ -8,18 +8,13 @@
  */
 
 import java
-
-/**
- * Gets the target method name for which to generate the call graph.
- * Can be a single method name or comma-separated list of method names.
- */
-external string targetFunction();
+import ExternalPredicates
 
 /**
  * Gets a single target method name from the comma-separated list.
  */
 string getTargetFunctionName() {
-  result = targetFunction().splitAt(",").trim()
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -36,15 +31,5 @@ from Call call, Callable target, Callable caller
 where
   call.getCallee() = target and
   call.getCaller() = caller and
-  (
-    // Use external predicate if available
-    target = getTargetFunction()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getTargetFunction()) and
-      target.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call to `" + target.getName() + "` from `" + caller.getName() + "`"
+  target = getTargetFunction()
+select call, "Call to `" + target.getName() + "` from `" + caller.getName() + "`"

package/ql/java/tools/src/ExternalPredicates.qll

@@ -0,0 +1,14 @@
+/**
+ * Shared extensible predicate declarations for MCP server tools queries.
+ * Values are provided via dataExtensions YAML files during testing,
+ * or via a temporary data extension pack at runtime from the MCP server.
+ */
+
+/** Holds for each source function name for call graph analysis. */
+extensible predicate sourceFunction(string name);
+
+/** Holds for each target function name for call graph analysis. */
+extensible predicate targetFunction(string name);
+
+/** Holds for each selected source file path for AST/CFG printing. */
+extensible predicate selectedSourceFiles(string path);

package/ql/java/tools/src/PrintAST/PrintAST.ql

@@ -8,18 +8,13 @@
 
 import java
 import semmle.code.java.PrintAst
-
-/**
- * Gets the source files to generate AST from.
- * Can be a single file path or comma-separated list of file paths.
- */
-external string selectedSourceFiles();
+import ExternalPredicates
 
 /**
  * Gets a single source file from the comma-separated list.
  */
 string getSelectedSourceFile() {
-  result = selectedSourceFiles().splitAt(",").trim()
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -30,11 +25,14 @@ File getSelectedFile() {
     selectedFile = getSelectedSourceFile() and
     (
       // Match by exact relative path from source root
-      result.getRelativePath() = selectedFile or
+      result.getRelativePath() = selectedFile
+      or
       // Match by file name if no path separators
-      (not selectedFile.matches("%/%") and result.getBaseName() = selectedFile) or
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
       // Match by ending path component
-      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) = selectedFile
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
     )
   )
 }
@@ -46,12 +44,6 @@ File getSelectedFile() {
 class Cfg extends PrintAstConfiguration {
   override predicate shouldPrint(Element e, Location l) {
     super.shouldPrint(e, l) and
-    (
-      // Use external predicate if available
-      l.getFile() = getSelectedFile()
-      or
-      // Fallback for unit tests: include specific test files
-      (not exists(getSelectedFile()) and l.getFile().getBaseName() = "Example1.java")
-    )
+    l.getFile() = getSelectedFile()
   }
 }

package/ql/java/tools/src/PrintCFG/PrintCFG.ql

@@ -10,26 +10,27 @@ import java
 import semmle.code.java.ControlFlowGraph
 
 /**
- * Holds if the node is an exit-related CFG node.
+ * Holds if the node is an entry- or exit-related CFG node.
  * These nodes are excluded from the output because their ordering
- * is non-deterministic across CodeQL CLI versions.
+ * is non-deterministic across CodeQL CLI versions and environments.
  */
-private predicate isExitNode(ControlFlow::Node node) {
-  node.toString().matches("%Exit")
+private predicate isEntryOrExitNode(ControlFlowNode node) {
+  node.toString().matches("%Exit") or
+  node.toString() = "Entry"
 }
 
 /**
  * Configuration for PrintCFG that outputs all CFG nodes and edges,
- * excluding exit nodes for deterministic output.
+ * excluding entry and exit nodes for deterministic output.
  */
-query predicate nodes(ControlFlow::Node node, string property, string value) {
+query predicate nodes(ControlFlowNode node, string property, string value) {
   property = "semmle.label" and
   value = node.toString() and
-  not isExitNode(node)
+  not isEntryOrExitNode(node)
 }
 
-query predicate edges(ControlFlow::Node pred, ControlFlow::Node succ) {
+query predicate edges(ControlFlowNode pred, ControlFlowNode succ) {
   pred.getASuccessor() = succ and
-  not isExitNode(pred) and
-  not isExitNode(succ)
+  not isEntryOrExitNode(pred) and
+  not isEntryOrExitNode(succ)
 }

package/ql/java/tools/src/codeql-pack.lock.yml

@@ -2,31 +2,31 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.28
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.1.0
   codeql/java-all:
-    version: 8.0.0
+    version: 9.0.0
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.44
   codeql/quantum:
-    version: 0.0.19
+    version: 0.0.22
   codeql/rangeanalysis:
-    version: 1.0.41
+    version: 1.0.44
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.44
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.20
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.44
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typeflow:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typetracking:
-    version: 2.0.25
-  codeql/util:
     version: 2.0.28
+  codeql/util:
+    version: 2.0.31
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.44
 compiled: false

package/ql/java/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-java-tools-src
-version: 2.24.3
+version: 2.25.0
 description: 'Queries for codeql-development-mcp-server tools for java language'
 library: false
 dependencies:
-  codeql/java-all: 8.0.0
+  codeql/java-all: 9.0.0

package/ql/javascript/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -8,18 +8,13 @@
  */
 
 import javascript
-
-/**
- * Gets the source function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string sourceFunction();
+import ExternalPredicates
 
 /**
  * Gets a single source function name from the comma-separated list.
  */
 string getSourceFunctionName() {
-  result = sourceFunction().splitAt(",").trim()
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -35,15 +30,5 @@ Function getSourceFunction() {
 from CallExpr call, Function source
 where
   call.getEnclosingFunction() = source and
-  (
-    // Use external predicate if available
-    source = getSourceFunction()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getSourceFunction()) and
-      source.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call from `" + source.getName() + "` to `" + call.getCalleeName() + "`"
+  source = getSourceFunction()
+select call, "Call from `" + source.getName() + "` to `" + call.getCalleeName() + "`"

package/ql/javascript/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,47 @@
+# CallGraphFromTo for JavaScript
+
+Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all function calls that lie on any transitive call path from a specified source function to a specified target function. Given both a source and target function name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and function reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts function names via extensible predicates (`sourceFunction` and `targetFunction`) populated via CodeQL data extensions / model packs (see `ExternalPredicates.qll`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two functions
+- Mapping indirect call chains from a source to a target function
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between functions
+
+## Example
+
+The following JavaScript code demonstrates a transitive call chain from `source` through `intermediate` to `target`:
+
+```javascript
+function target() {}
+
+function intermediate() {
+  target();
+}
+
+function source() {
+  intermediate();
+}
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with a message like: "Reachable call from `source` to `intermediate`".
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [JavaScript Functions](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Functions)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)

package/ql/javascript/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,69 @@
+/**
+ * @name Call Graph From To for javascript
+ * @description Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+ * @id javascript/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import javascript
+import ExternalPredicates
+
+/**
+ * Gets a single source function name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a single target function name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a function by matching against the selected source function names.
+ */
+Function getSourceFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getSourceFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Gets a function by matching against the selected target function names.
+ */
+Function getTargetFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getTargetFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Holds if function `caller` directly calls function `callee` by name.
+ */
+predicate calls(Function caller_, Function callee_) {
+  exists(CallExpr c |
+    c.getEnclosingFunction() = caller_ and
+    c.getCalleeName() = callee_.getName()
+  )
+}
+
+from CallExpr call, Function caller
+where
+  call.getEnclosingFunction() = caller and
+  exists(Function source, Function target |
+    source = getSourceFunction() and
+    target = getTargetFunction() and
+    calls*(source, caller) and
+    exists(Function callee |
+      call.getCalleeName() = callee.getName() and
+      calls*(callee, target)
+    )
+  )
+select call, "Reachable call from `" + caller.getName() + "` to `" + call.getCalleeName() + "`"

package/ql/javascript/tools/src/CallGraphTo/CallGraphTo.ql

@@ -8,18 +8,13 @@
  */
 
 import javascript
-
-/**
- * Gets the target function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string targetFunction();
+import ExternalPredicates
 
 /**
  * Gets a single target function name from the comma-separated list.
  */
 string getTargetFunctionName() {
-  result = targetFunction().splitAt(",").trim()
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -32,16 +27,5 @@ string getCallerName(CallExpr call) {
 }
 
 from CallExpr call
-where
-  (
-    // Use external predicate if available
-    call.getCalleeName() = getTargetFunctionName()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getTargetFunctionName()) and
-      call.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call to `" + call.getCalleeName() + "` from `" + getCallerName(call) + "`"
+where call.getCalleeName() = getTargetFunctionName()
+select call, "Call to `" + call.getCalleeName() + "` from `" + getCallerName(call) + "`"

package/ql/javascript/tools/src/ExternalPredicates.qll

@@ -0,0 +1,14 @@
+/**
+ * Shared extensible predicate declarations for MCP server tools queries.
+ * Values are provided via dataExtensions YAML files during testing,
+ * or via a temporary data extension pack at runtime from the MCP server.
+ */
+
+/** Holds for each source function name for call graph analysis. */
+extensible predicate sourceFunction(string name);
+
+/** Holds for each target function name for call graph analysis. */
+extensible predicate targetFunction(string name);
+
+/** Holds for each selected source file path for AST/CFG printing. */
+extensible predicate selectedSourceFiles(string path);

package/ql/javascript/tools/src/PrintAST/PrintAST.ql

@@ -8,18 +8,13 @@
 
 import javascript
 import semmle.javascript.PrintAst
-
-/**
- * Gets the source files to generate AST from.
- * Can be a single file path or comma-separated list of file paths.
- */
-external string selectedSourceFiles();
+import ExternalPredicates
 
 /**
  * Gets a single source file from the comma-separated list.
  */
 string getSelectedSourceFile() {
-  result = selectedSourceFiles().splitAt(",").trim()
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -30,11 +25,14 @@ File getSelectedFile() {
     selectedFile = getSelectedSourceFile() and
     (
       // Match by exact relative path from source root
-      result.getRelativePath() = selectedFile or
+      result.getRelativePath() = selectedFile
+      or
       // Match by file name if no path separators
-      (not selectedFile.matches("%/%") and result.getBaseName() = selectedFile) or
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
       // Match by ending path component
-      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) = selectedFile
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
     )
   )
 }
@@ -46,15 +44,6 @@ File getSelectedFile() {
 class Cfg extends PrintAstConfiguration {
   override predicate shouldPrint(Locatable e, Location l) {
     super.shouldPrint(e, l) and
-    (
-      // Use external predicate if available
-      l.getFile() = getSelectedFile()
-      or
-      // Fallback for unit tests: include test files
-      (
-        not exists(getSelectedFile()) and
-        l.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-      )
-    )
+    l.getFile() = getSelectedFile()
   }
 }

package/ql/javascript/tools/src/PrintCFG/PrintCFG.ql

@@ -16,6 +16,4 @@ query predicate nodes(ControlFlowNode node, string property, string value) {
   value = node.toString()
 }
 
-query predicate edges(ControlFlowNode pred, ControlFlowNode succ) {
-  pred.getASuccessor() = succ
-}
+query predicate edges(ControlFlowNode pred, ControlFlowNode succ) { pred.getASuccessor() = succ }

package/ql/javascript/tools/src/codeql-pack.lock.yml

@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.18
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.28
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.1.0
   codeql/javascript-all:
-    version: 2.6.21
+    version: 2.6.24
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.44
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.44
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.20
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.44
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typetracking:
-    version: 2.0.25
-  codeql/util:
     version: 2.0.28
+  codeql/util:
+    version: 2.0.31
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.44
   codeql/yaml:
-    version: 1.0.41
+    version: 1.0.44
 compiled: false

package/ql/javascript/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-javascript-tools-src
-version: 2.24.3
+version: 2.25.0
 description: 'Queries for codeql-development-mcp-server tools for javascript language'
 library: false
 dependencies:
-  codeql/javascript-all: 2.6.21
+  codeql/javascript-all: 2.6.24

package/ql/python/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -8,18 +8,13 @@
  */
 
 import python
-
-/**
- * Gets the source function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string sourceFunction();
+import ExternalPredicates
 
 /**
  * Gets a single source function name from the comma-separated list.
  */
 string getSourceFunctionName() {
-  result = sourceFunction().splitAt(",").trim()
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -35,15 +30,6 @@ Function getSourceFunction() {
 from CallNode call, Function source
 where
   call.getScope() = source and
-  (
-    // Use external predicate if available
-    source = getSourceFunction()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getSourceFunction()) and
-      call.getLocation().getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
+  source = getSourceFunction()
 select call.getNode(),
   "Call from `" + source.getName() + "` to `" + call.getNode().(Call).getFunc().(Name).getId() + "`"

package/ql/python/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,46 @@
+# CallGraphFromTo for Python
+
+Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all function calls that lie on any transitive call path from a specified source function to a specified target function. Given both a source and target function name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and function reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts function names via extensible predicates (`sourceFunction` and `targetFunction`) populated via CodeQL data extensions / model packs (see `ExternalPredicates.qll`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two functions
+- Mapping indirect call chains from a source to a target function
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between functions
+
+## Example
+
+The following Python code demonstrates a transitive call chain from `source` through `intermediate` to `target`:
+
+```python
+def target():
+    pass
+
+def intermediate():
+    target()
+
+def source():
+    intermediate()
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with a message like: "Reachable call from `source` to `intermediate`".
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [Python Functions](https://docs.python.org/3/tutorial/controlflow.html#defining-functions)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)