codeql-development-mcp-server 2.24.3 → 2.25.0

package/ql/python/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,71 @@
+/**
+ * @name Call Graph From To for python
+ * @description Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+ * @id python/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import python
+import ExternalPredicates
+
+/**
+ * Gets a single source function name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a single target function name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a function by matching against the selected source function names.
+ */
+Function getSourceFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getSourceFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Gets a function by matching against the selected target function names.
+ */
+Function getTargetFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getTargetFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Holds if function `caller` directly calls function `callee` by name.
+ */
+predicate calls(Function caller_, Function callee_) {
+  exists(CallNode c |
+    c.getScope() = caller_ and
+    c.getNode().(Call).getFunc().(Name).getId() = callee_.getName()
+  )
+}
+
+from CallNode call, Function caller
+where
+  call.getScope() = caller and
+  exists(Function source, Function target |
+    source = getSourceFunction() and
+    target = getTargetFunction() and
+    calls*(source, caller) and
+    exists(Function callee |
+      call.getNode().(Call).getFunc().(Name).getId() = callee.getName() and
+      calls*(callee, target)
+    )
+  )
+select call.getNode(),
+  "Reachable call from `" + caller.getName() + "` to `" +
+    call.getNode().(Call).getFunc().(Name).getId() + "`"

package/ql/python/tools/src/CallGraphTo/CallGraphTo.ql

@@ -8,40 +8,24 @@
  */
 
 import python
-
-/**
- * Gets the target function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string targetFunction();
+import ExternalPredicates
 
 /**
  * Gets a single target function name from the comma-separated list.
  */
 string getTargetFunctionName() {
-  result = targetFunction().splitAt(",").trim()
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
  * Gets the caller name for a call expression.
  */
 string getCallerName(CallNode call) {
-  if exists(call.getScope())
-  then result = call.getScope().getName()
-  else result = "Module"
+  if exists(call.getScope()) then result = call.getScope().getName() else result = "Module"
 }
 
 from CallNode call
-where
-  (
-    // Use external predicate if available
-    call.getNode().(Call).getFunc().(Name).getId() = getTargetFunctionName()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getTargetFunctionName()) and
-      call.getLocation().getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
+where call.getNode().(Call).getFunc().(Name).getId() = getTargetFunctionName()
 select call.getNode(),
-  "Call to `" + call.getNode().(Call).getFunc().(Name).getId() + "` from `" + getCallerName(call) + "`"
+  "Call to `" + call.getNode().(Call).getFunc().(Name).getId() + "` from `" + getCallerName(call) +
+    "`"

package/ql/python/tools/src/ExternalPredicates.qll

@@ -0,0 +1,14 @@
+/**
+ * Shared extensible predicate declarations for MCP server tools queries.
+ * Values are provided via dataExtensions YAML files during testing,
+ * or via a temporary data extension pack at runtime from the MCP server.
+ */
+
+/** Holds for each source function name for call graph analysis. */
+extensible predicate sourceFunction(string name);
+
+/** Holds for each target function name for call graph analysis. */
+extensible predicate targetFunction(string name);
+
+/** Holds for each selected source file path for AST/CFG printing. */
+extensible predicate selectedSourceFiles(string path);

package/ql/python/tools/src/PrintAST/PrintAST.ql

@@ -7,18 +7,13 @@
  */
 
 import semmle.python.PrintAst
-
-/**
- * Gets the source files to generate AST from.
- * Can be a single file path or comma-separated list of file paths.
- */
-external string selectedSourceFiles();
+import ExternalPredicates
 
 /**
  * Gets a single source file from the comma-separated list.
  */
 string getSelectedSourceFile() {
-  result = selectedSourceFiles().splitAt(",").trim()
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -29,11 +24,14 @@ File getSelectedFile() {
     selectedFile = getSelectedSourceFile() and
     (
       // Match by exact relative path from source root
-      result.getRelativePath() = selectedFile or
+      result.getRelativePath() = selectedFile
+      or
       // Match by file name if no path separators
-      (not selectedFile.matches("%/%") and result.getBaseName() = selectedFile) or
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
       // Match by ending path component
-      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) = selectedFile
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
     )
   )
 }
@@ -45,16 +43,7 @@ File getSelectedFile() {
 class Cfg extends PrintAstConfiguration {
   override predicate shouldPrint(AstNode e, Location l) {
     super.shouldPrint(e, l) and
-    (
-      // Use external predicate if available
-      l.getFile() = getSelectedFile()
-      or
-      // Fallback for unit tests: include test files
-      (
-        not exists(getSelectedFile()) and
-        l.getFile().getParent().getParent().getBaseName() = "test"
-      )
-    ) and
+    l.getFile() = getSelectedFile() and
     // Exclude the "Name" class so that results are deterministic
     // for a given source file, which is required for reproducible results
     not e.getAQlClass() = "Name"

package/ql/python/tools/src/PrintCFG/PrintCFG.ql

@@ -16,6 +16,4 @@ query predicate nodes(ControlFlowNode node, string property, string value) {
   value = node.toString()
 }
 
-query predicate edges(ControlFlowNode pred, ControlFlowNode succ) {
-  pred.getASuccessor() = succ
-}
+query predicate edges(ControlFlowNode pred, ControlFlowNode succ) { pred.getASuccessor() = succ }

package/ql/python/tools/src/codeql-pack.lock.yml

@@ -2,29 +2,29 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.18
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.28
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.1.0
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.44
   codeql/python-all:
-    version: 6.1.0
+    version: 7.0.1
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.44
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.20
   codeql/threat-models:
-    version: 1.0.41
+    version: 1.0.44
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typetracking:
-    version: 2.0.25
-  codeql/util:
     version: 2.0.28
+  codeql/util:
+    version: 2.0.31
   codeql/xml:
-    version: 1.0.41
+    version: 1.0.44
   codeql/yaml:
-    version: 1.0.41
+    version: 1.0.44
 compiled: false

package/ql/python/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-python-tools-src
-version: 2.24.3
+version: 2.25.0
 description: 'Queries for codeql-development-mcp-server tools for python language'
 library: false
 dependencies:
-  codeql/python-all: 6.1.0
+  codeql/python-all: 7.0.1

package/ql/ruby/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -9,32 +9,17 @@
 
 private import codeql.ruby.AST
 private import codeql.ruby.DataFlow
-
-/**
- * Gets the source method name for which to generate the call graph.
- * Can be a single method name or comma-separated list of method names.
- */
-external string sourceFunction();
+import ExternalPredicates
 
 /**
  * Gets a single source method name from the comma-separated list.
  */
 string getSourceFunctionName() {
-  result = sourceFunction().splitAt(",").trim()
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
 }
 
 from MethodCall call, MethodBase source
 where
   call.getEnclosingMethod() = source and
-  (
-    // Use external predicate if available
-    source.getName() = getSourceFunctionName()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getSourceFunctionName()) and
-      source.getLocation().getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call from `" + source.getName() + "` to `" + call.getMethodName() + "`"
+  source.getName() = getSourceFunctionName()
+select call, "Call from `" + source.getName() + "` to `" + call.getMethodName() + "`"

package/ql/ruby/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,48 @@
+# CallGraphFromTo for Ruby
+
+Displays calls on reachable paths from a source method to a target method, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all method calls that lie on any transitive call path from a specified source method to a specified target method. Given both a source and target method name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and method reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts method names via extensible predicates (`sourceFunction` and `targetFunction`) populated via CodeQL data extensions / model packs (see `ExternalPredicates.qll`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two methods
+- Mapping indirect call chains from a source to a target method
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between methods
+
+## Example
+
+The following Ruby code demonstrates a transitive call chain from `source` through `intermediate` to `target`:
+
+```ruby
+def target
+end
+
+def intermediate
+  target
+end
+
+def source
+  intermediate
+end
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with a message like: "Reachable call from `source` to `intermediate`".
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [Ruby Methods](https://ruby-doc.org/3.2.0/syntax/methods_rdoc.html)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)

package/ql/ruby/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,50 @@
+/**
+ * @name Call Graph From To for ruby
+ * @description Displays calls on reachable paths from a source method to a target method, showing transitive call graph connectivity.
+ * @id ruby/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+private import codeql.ruby.AST
+private import codeql.ruby.DataFlow
+import ExternalPredicates
+
+/**
+ * Gets a single source method name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a single target method name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Holds if method `caller` directly calls method `callee` by name.
+ */
+predicate calls(MethodBase caller_, MethodBase callee_) {
+  exists(MethodCall c |
+    c.getEnclosingMethod() = caller_ and
+    c.getMethodName() = callee_.getName()
+  )
+}
+
+from MethodCall call, MethodBase caller
+where
+  call.getEnclosingMethod() = caller and
+  exists(MethodBase source, MethodBase target |
+    source.getName() = getSourceFunctionName() and
+    target.getName() = getTargetFunctionName() and
+    calls*(source, caller) and
+    exists(MethodBase callee |
+      call.getMethodName() = callee.getName() and
+      calls*(callee, target)
+    )
+  )
+select call, "Reachable call from `" + caller.getName() + "` to `" + call.getMethodName() + "`"

package/ql/ruby/tools/src/CallGraphTo/CallGraphTo.ql

@@ -9,18 +9,13 @@
 
 private import codeql.ruby.AST
 private import codeql.ruby.DataFlow
-
-/**
- * Gets the target method name for which to generate the call graph.
- * Can be a single method name or comma-separated list of method names.
- */
-external string targetFunction();
+import ExternalPredicates
 
 /**
  * Gets a single target method name from the comma-separated list.
  */
 string getTargetFunctionName() {
-  result = targetFunction().splitAt(",").trim()
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -33,16 +28,5 @@ string getCallerName(MethodCall call) {
 }
 
 from MethodCall call
-where
-  (
-    // Use external predicate if available
-    call.getMethodName() = getTargetFunctionName()
-    or
-    // Fallback for unit tests: include test files
-    (
-      not exists(getTargetFunctionName()) and
-      call.getLocation().getFile().getParentContainer().getParentContainer().getBaseName() = "test"
-    )
-  )
-select call,
-  "Call to `" + call.getMethodName() + "` from `" + getCallerName(call) + "`"
+where call.getMethodName() = getTargetFunctionName()
+select call, "Call to `" + call.getMethodName() + "` from `" + getCallerName(call) + "`"

package/ql/ruby/tools/src/ExternalPredicates.qll

@@ -0,0 +1,14 @@
+/**
+ * Shared extensible predicate declarations for MCP server tools queries.
+ * Values are provided via dataExtensions YAML files during testing,
+ * or via a temporary data extension pack at runtime from the MCP server.
+ */
+
+/** Holds for each source function name for call graph analysis. */
+extensible predicate sourceFunction(string name);
+
+/** Holds for each target function name for call graph analysis. */
+extensible predicate targetFunction(string name);
+
+/** Holds for each selected source file path for AST/CFG printing. */
+extensible predicate selectedSourceFiles(string path);

package/ql/ruby/tools/src/PrintAST/PrintAST.ql

@@ -8,18 +8,13 @@
 
 private import codeql.ruby.AST
 private import codeql.ruby.printAst
-
-/**
- * Gets the source files to generate AST from.
- * Can be a single file path or comma-separated list of file paths.
- */
-external string selectedSourceFiles();
+import ExternalPredicates
 
 /**
  * Gets a single source file from the comma-separated list.
  */
 string getSelectedSourceFile() {
-  result = selectedSourceFiles().splitAt(",").trim()
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
 }
 
 /**
@@ -30,11 +25,14 @@ File getSelectedFile() {
     selectedFile = getSelectedSourceFile() and
     (
       // Match by exact relative path from source root
-      result.getRelativePath() = selectedFile or
+      result.getRelativePath() = selectedFile
+      or
       // Match by file name if no path separators
-      (not selectedFile.matches("%/%") and result.getBaseName() = selectedFile) or
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
       // Match by ending path component
-      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) = selectedFile
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
     )
   )
 }
@@ -46,12 +44,6 @@ File getSelectedFile() {
 class Cfg extends PrintAstConfiguration {
   override predicate shouldPrintNode(AstNode n) {
     super.shouldPrintNode(n) and
-    (
-      // Use external predicate if available
-      n.getLocation().getFile() = getSelectedFile()
-      or
-      // Fallback for unit tests: include all files
-      not exists(getSelectedFile())
-    )
+    n.getLocation().getFile() = getSelectedFile()
   }
 }

package/ql/ruby/tools/src/PrintCFG/PrintCFG.ql

@@ -17,6 +17,4 @@ query predicate nodes(CfgNode node, string property, string value) {
   value = node.toString()
 }
 
-query predicate edges(CfgNode pred, CfgNode succ) {
-  pred.getASuccessor() = succ
-}
+query predicate edges(CfgNode pred, CfgNode succ) { pred.getASuccessor() = succ }

package/ql/ruby/tools/src/codeql-pack.lock.yml

@@ -2,23 +2,23 @@
 lockVersion: 1.0.0
 dependencies:
   codeql/concepts:
-    version: 0.0.15
+    version: 0.0.18
   codeql/controlflow:
-    version: 2.0.25
+    version: 2.0.28
   codeql/dataflow:
-    version: 2.0.25
+    version: 2.1.0
   codeql/mad:
-    version: 1.0.41
+    version: 1.0.44
   codeql/regex:
-    version: 1.0.41
+    version: 1.0.44
   codeql/ruby-all:
-    version: 5.1.9
+    version: 5.1.12
   codeql/ssa:
-    version: 2.0.17
+    version: 2.0.20
   codeql/tutorial:
-    version: 1.0.41
+    version: 1.0.44
   codeql/typetracking:
-    version: 2.0.25
-  codeql/util:
     version: 2.0.28
+  codeql/util:
+    version: 2.0.31
 compiled: false

package/ql/ruby/tools/src/codeql-pack.yml

@@ -1,6 +1,6 @@
 name: advanced-security/ql-mcp-ruby-tools-src
-version: 2.24.3
+version: 2.25.0
 description: 'Queries for codeql-development-mcp-server tools for ruby language'
 library: false
 dependencies:
-  codeql/ruby-all: 5.1.9
+  codeql/ruby-all: 5.1.12

package/ql/swift/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -8,25 +8,23 @@
  */
 
 import swift
-
-/**
- * Gets the source function name for which to generate the call graph.
- * Can be a single function name or comma-separated list of function names.
- */
-external string sourceFunction();
+import ExternalPredicates
 
 /**
  * Gets a single source function name from the comma-separated list.
  */
-string getSourceFunctionName() { result = sourceFunction().splitAt(",").trim() }
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
 
 /**
  * Gets a function by matching against the selected source function names.
+ * Supports both base names (e.g. "sourceFunc") and full Swift signatures (e.g. "sourceFunc()").
  */
 Function getSourceFunction() {
   exists(string selectedFunc |
     selectedFunc = getSourceFunctionName() and
-    result.getName() = selectedFunc
+    (result.getName() = selectedFunc or result.getName().matches(selectedFunc + "(%"))
   )
 }
 
@@ -42,12 +40,5 @@ string getCalleeName(CallExpr call) {
 from CallExpr call, Function source
 where
   call.getEnclosingFunction() = source and
-  (
-    // Use external predicate if available
-    source = getSourceFunction()
-    or
-    // Fallback for unit tests: include specific test files
-    not exists(getSourceFunction()) and
-    source.getFile().getBaseName() = "Example1.swift"
-  )
+  source = getSourceFunction()
 select call, "Call from `" + source.getName() + "` to `" + getCalleeName(call) + "`"

package/ql/swift/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,47 @@
+# CallGraphFromTo for Swift
+
+Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all function calls that lie on any transitive call path from a specified source function to a specified target function. Given both a source and target function name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and function reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts function names via extensible predicates (`sourceFunction` and `targetFunction`) populated via CodeQL data extensions / model packs (see `ExternalPredicates.qll`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two functions
+- Mapping indirect call chains from a source to a target function
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between functions
+
+## Example
+
+The following Swift code demonstrates a transitive call chain from `source` through `intermediate` to `target`:
+
+```swift
+func target() {}
+
+func intermediate() {
+    target()
+}
+
+func source() {
+    intermediate()
+}
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with a message like: "Reachable call from `source` to `intermediate`".
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [Swift Functions](https://docs.swift.org/swift-book/documentation/the-swift-programming-language/functions)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)