codeql-development-mcp-server 2.25.1 → 2.25.2-rc1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeql-development-mcp-server",
-  "version": "2.25.1",
+  "version": "2.25.2-rc1",
   "description": "An MCP server supporting LLM requests for CodeQL development tools and resources.",
   "main": "dist/codeql-development-mcp-server.js",
   "type": "module",
@@ -18,6 +18,7 @@
     "ql/javascript/tools/src/",
     "ql/python/tools/src/",
     "ql/ruby/tools/src/",
+    "ql/rust/tools/src/",
     "ql/swift/tools/src/",
     "scripts/setup-packs.sh",
     "package.json",
@@ -40,7 +41,7 @@
     "typescript"
   ],
   "author": "@github/ps-codeql",
-  "license": "SEE LICENSE IN LICENSE",
+  "license": "LicenseRef-CodeQL-Terms",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/advanced-security/codeql-development-mcp-server.git",
@@ -55,13 +56,13 @@
     "npm": ">=11.6.2"
   },
   "dependencies": {
-    "@modelcontextprotocol/sdk": "^1.28.0",
-    "adm-zip": "^0.5.16",
+    "@modelcontextprotocol/sdk": "^1.29.0",
+    "adm-zip": "^0.5.17",
     "cors": "^2.8.6",
-    "dotenv": "^17.3.1",
+    "dotenv": "^17.4.0",
     "express": "^5.2.1",
     "js-yaml": "^4.1.1",
-    "lowdb": "^7.0.1",
+    "sql.js": "^1.14.1",
     "zod": "^3.25.76"
   },
   "devDependencies": {
@@ -70,16 +71,16 @@
     "@types/cors": "^2.8.19",
     "@types/express": "^5.0.6",
     "@types/js-yaml": "^4.0.9",
-    "@types/node": "^25.5.0",
-    "@vitest/coverage-v8": "^4.1.2",
-    "esbuild": "^0.27.4",
-    "eslint": "^10.1.0",
+    "@types/node": "^25.6.0",
+    "@vitest/coverage-v8": "^4.1.4",
+    "esbuild": "^0.28.0",
+    "eslint": "^10.2.0",
     "eslint-config-prettier": "^10.1.8",
     "eslint-plugin-prettier": "^5.5.5",
-    "prettier": "^3.8.1",
-    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.57.2",
-    "vitest": "^4.1.2"
+    "prettier": "^3.8.2",
+    "typescript": "^6.0.2",
+    "typescript-eslint": "^8.58.1",
+    "vitest": "^4.1.4"
   },
   "scripts": {
     "build": "npm run clean && npm run lint && npm run bundle",

package/ql/README.md

@@ -35,6 +35,7 @@ Currently supported languages:
 - `javascript/` - JavaScript/TypeScript
 - `python/` - Python
 - `ruby/` - Ruby
+- `rust/` - Rust
 - `swift/` - Swift
 
 ## Testing

package/ql/actions/tools/src/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-actions-tools-src
-version: 2.25.1
+version: 2.25.2-rc1
 description: 'Queries for codeql-development-mcp-server tools for actions language'
 library: false
 dependencies:

package/ql/cpp/tools/src/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-cpp-tools-src
-version: 2.25.1
+version: 2.25.2-rc1
 description: 'Queries for codeql-development-mcp-server tools for cpp language'
 library: false
 dependencies:

package/ql/csharp/tools/src/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-csharp-tools-src
-version: 2.25.1
+version: 2.25.2-rc1
 description: 'Queries for codeql-development-mcp-server tools for csharp language'
 library: false
 dependencies:

package/ql/go/tools/src/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-go-tools-src
-version: 2.25.1
+version: 2.25.2-rc1
 description: 'Queries for codeql-development-mcp-server tools for go language'
 library: false
 dependencies:

package/ql/java/tools/src/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-java-tools-src
-version: 2.25.1
+version: 2.25.2-rc1
 description: 'Queries for codeql-development-mcp-server tools for java language'
 library: false
 dependencies:

package/ql/javascript/tools/src/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-javascript-tools-src
-version: 2.25.1
+version: 2.25.2-rc1
 description: 'Queries for codeql-development-mcp-server tools for javascript language'
 library: false
 dependencies:

package/ql/python/tools/src/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-python-tools-src
-version: 2.25.1
+version: 2.25.2-rc1
 description: 'Queries for codeql-development-mcp-server tools for python language'
 library: false
 dependencies:

package/ql/ruby/tools/src/codeql-pack.yml

@@ -1,5 +1,5 @@
 name: advanced-security/ql-mcp-ruby-tools-src
-version: 2.25.1
+version: 2.25.2-rc1
 description: 'Queries for codeql-development-mcp-server tools for ruby language'
 library: false
 dependencies:

package/ql/rust/tools/src/CallGraphFrom/CallGraphFrom.md

@@ -0,0 +1,48 @@
+# CallGraphFrom for Rust
+
+Displays calls made from a specified function, showing the call graph outbound from the source function.
+
+## Overview
+
+This query identifies all function calls made within the body of a named function, producing an outbound call graph. Given a source function name, it reports each call site and the callee, which is useful for understanding function dependencies and call chains.
+
+The query accepts function names via an external predicate (`sourceFunction`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Mapping outbound dependencies of a specific function
+- Understanding what a function calls and in what order
+- Analyzing call chains for refactoring or security review
+
+## Example
+
+The following Rust code demonstrates outbound calls from `source_func`:
+
+```rust
+fn helper1() {}
+
+fn helper2() {
+    helper1();
+}
+
+fn source_func() {  // Source function for analysis
+    helper1();
+    helper2();
+}
+```
+
+Running with `sourceFunction = "source_func"` produces results showing each call site with the message pattern ``Call from `source_func` to `helper1` ``.
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Call from `source` to `callee`"``
+
+## References
+
+- [Rust Functions](https://doc.rust-lang.org/book/ch03-03-how-functions-work.html)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)
+- [CodeQL Library for Rust](https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-rust/)

package/ql/rust/tools/src/CallGraphFrom/CallGraphFrom.ql

@@ -0,0 +1,38 @@
+/**
+ * @name Call Graph From for rust
+ * @description Displays calls made from a specified function, showing the call graph outbound from the source function.
+ * @id rust/tools/call-graph-from
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import rust
+import ExternalPredicates
+
+/**
+ * Gets a single source function name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a function by matching against the selected source function names.
+ */
+Function getSourceFunction() { result.getName().getText() = getSourceFunctionName() }
+
+/**
+ * Gets the name of the called function.
+ */
+string getCalleeName(CallExpr call) {
+  if exists(call.getResolvedTarget().(Function).getName())
+  then result = call.getResolvedTarget().(Function).getName().getText()
+  else result = call.toString()
+}
+
+from CallExpr call, Function source
+where
+  call.getEnclosingCallable() = source and
+  source = getSourceFunction()
+select call, "Call from `" + source.getName().getText() + "` to `" + getCalleeName(call) + "`"

package/ql/rust/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,48 @@
+# CallGraphFromTo for Rust
+
+Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all call sites on paths that transitively connect a source function to a target function. It uses the `calls*` transitive closure to find functions reachable from the source that can also reach the target, then reports calls within those functions.
+
+The query accepts both source and target function names via external predicates (`sourceFunction` and `targetFunction`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Understanding transitive call chains between two functions
+- Analyzing reachability in the call graph
+- Identifying intermediate functions on critical paths
+- Security analysis of data flow through function boundaries
+
+## Example
+
+The following Rust code demonstrates a transitive call chain:
+
+```rust
+fn target() {}
+
+fn intermediate() {
+    target();
+}
+
+fn source() {
+    intermediate();
+}
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with the message pattern ``Reachable call from `intermediate` to `target` ``.
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [Rust Functions](https://doc.rust-lang.org/book/ch03-03-how-functions-work.html)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)
+- [CodeQL Library for Rust](https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-rust/)

package/ql/rust/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,69 @@
+/**
+ * @name Call Graph From To for rust
+ * @description Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+ * @id rust/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import rust
+import ExternalPredicates
+
+/**
+ * Gets a single source function name from the comma-separated list.
+ */
+string getSourceFunctionName() {
+  exists(string s | sourceFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a single target function name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a function by matching against the selected source function names.
+ */
+Function getSourceFunction() { result.getName().getText() = getSourceFunctionName() }
+
+/**
+ * Gets a function by matching against the selected target function names.
+ */
+Function getTargetFunction() { result.getName().getText() = getTargetFunctionName() }
+
+/**
+ * Holds if function `caller` directly calls function `callee`.
+ */
+predicate calls(Function caller_, Function callee_) {
+  exists(CallExpr c |
+    c.getEnclosingCallable() = caller_ and
+    c.getResolvedTarget().(Function) = callee_
+  )
+}
+
+/**
+ * Gets the name of the called function.
+ */
+string getCalleeName(CallExpr call) {
+  if exists(call.getResolvedTarget().(Function).getName())
+  then result = call.getResolvedTarget().(Function).getName().getText()
+  else result = call.toString()
+}
+
+from CallExpr call, Function caller
+where
+  call.getEnclosingCallable() = caller and
+  exists(Function source, Function target |
+    source = getSourceFunction() and
+    target = getTargetFunction() and
+    calls*(source, caller) and
+    exists(Function callee |
+      call.getResolvedTarget().(Function) = callee and
+      calls*(callee, target)
+    )
+  )
+select call,
+  "Reachable call from `" + caller.getName().getText() + "` to `" + getCalleeName(call) + "`"

package/ql/rust/tools/src/CallGraphTo/CallGraphTo.md

@@ -0,0 +1,47 @@
+# CallGraphTo for Rust
+
+Displays calls made to a specified function, showing the call graph inbound to the target function.
+
+## Overview
+
+This query identifies all call sites that invoke a named function, producing an inbound call graph. Given a target function name, it reports each call site and the enclosing caller, which is useful for understanding how a function is used throughout the codebase.
+
+The query accepts function names via an external predicate (`targetFunction`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Finding all callers of a specific function
+- Understanding how a function is used across modules
+- Impact analysis when modifying or deprecating a function
+
+## Example
+
+The following Rust code demonstrates inbound calls to `target_func`:
+
+```rust
+fn target_func() {}  // Target function for analysis
+
+fn caller1() {
+    target_func();
+}
+
+fn caller2() {
+    target_func();
+}
+```
+
+Running with `targetFunction = "target_func"` produces results showing each call site with the message pattern ``Call to `target_func` from `caller1` ``.
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Call to `callee` from `caller`"``
+
+## References
+
+- [Rust Functions](https://doc.rust-lang.org/book/ch03-03-how-functions-work.html)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)
+- [CodeQL Library for Rust](https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-rust/)

package/ql/rust/tools/src/CallGraphTo/CallGraphTo.ql

@@ -0,0 +1,47 @@
+/**
+ * @name Call Graph To for rust
+ * @description Displays calls made to a specified function, showing the call graph inbound to the target function.
+ * @id rust/tools/call-graph-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import rust
+import ExternalPredicates
+
+/**
+ * Gets a single target function name from the comma-separated list.
+ */
+string getTargetFunctionName() {
+  exists(string s | targetFunction(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a function by matching against the selected target function names.
+ */
+Function getTargetFunction() { result.getName().getText() = getTargetFunctionName() }
+
+/**
+ * Gets the caller name for a call expression.
+ */
+string getCallerName(CallExpr call) {
+  if exists(call.getEnclosingCallable().(Function).getName())
+  then result = call.getEnclosingCallable().(Function).getName().getText()
+  else result = "Top-level"
+}
+
+/**
+ * Gets the name of the called function.
+ */
+string getCalleeName(CallExpr call) {
+  if exists(call.getResolvedTarget().(Function).getName())
+  then result = call.getResolvedTarget().(Function).getName().getText()
+  else result = call.toString()
+}
+
+from CallExpr call, Function target
+where
+  target = getTargetFunction() and
+  call.getResolvedTarget() = target
+select call, "Call to `" + getCalleeName(call) + "` from `" + getCallerName(call) + "`"

package/ql/rust/tools/src/ExternalPredicates.qll

@@ -0,0 +1,14 @@
+/**
+ * Shared extensible predicate declarations for MCP server tools queries.
+ * Values are provided via dataExtensions YAML files during testing,
+ * or via a temporary data extension pack at runtime from the MCP server.
+ */
+
+/** Holds for each source function name for call graph analysis. */
+extensible predicate sourceFunction(string name);
+
+/** Holds for each target function name for call graph analysis. */
+extensible predicate targetFunction(string name);
+
+/** Holds for each selected source file path for AST/CFG printing. */
+extensible predicate selectedSourceFiles(string path);

package/ql/rust/tools/src/PrintAST/PrintAST.md

@@ -0,0 +1,59 @@
+# Print AST for Rust
+
+Outputs a representation of the Abstract Syntax Tree (AST) for specified source files.
+
+## Overview
+
+The Abstract Syntax Tree is a hierarchical representation of source code structure. Each node represents a syntactic construct (declaration, statement, expression, etc.) and edges represent parent-child containment relationships.
+
+This query produces the full AST for specified Rust source files, which is useful for understanding code structure, inspecting how the CodeQL extractor parses modules and functions, and debugging query logic that operates on AST nodes.
+
+## Use Cases
+
+This query is primarily used for:
+
+- Inspecting how CodeQL represents Rust functions, structs, and expressions
+- Debugging queries that match on AST node types
+- Understanding parent-child relationships between items and statements
+- Verifying extractor behavior for ownership, borrowing, and pattern matching
+- IDE integration for syntax tree visualization
+
+## Example
+
+The following Rust code demonstrates AST structure through function declarations and control flow:
+
+```rust
+struct Greeter {
+    name: String,
+}
+
+impl Greeter {
+    fn greet(&self) {
+        println!("Hello, {}!", self.name);
+    }
+}
+
+fn main() {
+    let g = Greeter { name: "World".to_string() };
+    g.greet();
+}
+```
+
+In the resulting AST:
+
+- The module contains struct and function declarations as children
+- Each function body contains a block expression with statement nodes
+- Call expressions reference their target and arguments as child nodes
+
+## Output Format
+
+The query produces a graph via the parameterized `PrintAst` library module:
+
+- `nodes`: Each AST node with its type, label, and properties
+- `edges`: Parent-child relationships forming the syntax tree
+
+## References
+
+- [The Rust Reference](https://doc.rust-lang.org/reference/)
+- [CodeQL Abstract Syntax Trees](https://codeql.github.com/docs/writing-codeql-queries/abstract-syntax-tree/)
+- [CodeQL Library for Rust](https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-rust/)

package/ql/rust/tools/src/PrintAST/PrintAST.ql

@@ -0,0 +1,46 @@
+/**
+ * @name Print AST for rust
+ * @description Outputs a representation of the Abstract Syntax Tree for specified source files.
+ * @id rust/tools/print-ast
+ * @kind graph
+ * @tags ast
+ */
+
+import rust
+private import codeql.rust.printast.PrintAst
+import ExternalPredicates
+
+/**
+ * Gets a single source file from the comma-separated list.
+ */
+string getSelectedSourceFile() {
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a file by matching against the selected source file paths.
+ */
+File getSelectedFile() {
+  exists(string selectedFile |
+    selectedFile = getSelectedSourceFile() and
+    (
+      // Match by exact relative path from source root
+      result.getRelativePath() = selectedFile
+      or
+      // Match by file name if no path separators
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
+      // Match by ending path component
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
+    )
+  )
+}
+
+/**
+ * Holds if a locatable element should be printed in the AST output.
+ * Restricts output to elements from the selected file.
+ */
+predicate shouldPrint(Locatable e) { e.getLocation().getFile() = getSelectedFile() }
+
+import PrintAst<shouldPrint/1>

package/ql/rust/tools/src/PrintCFG/PrintCFG.md

@@ -0,0 +1,56 @@
+# Print CFG for Rust
+
+Produces a representation of a file's Control Flow Graph (CFG) for specified source files.
+
+## Overview
+
+The Control Flow Graph models the runtime execution order of statements and expressions within functions. Nodes represent individual executable elements and edges represent possible transitions between them, including branches, loops, and exceptional control flow.
+
+This query produces the CFG for specified Rust source files, which is useful for understanding execution paths, identifying dead code, and debugging data flow queries that depend on control flow ordering.
+
+## Use Cases
+
+This query is primarily used for:
+
+- Visualizing execution paths through Rust functions
+- Understanding how `if`, `match`, `loop`, `while`, and `for` affect control flow
+- Debugging data flow queries that depend on CFG structure
+- Identifying unreachable code or unexpected control flow edges
+- Verifying CFG behavior for Rust-specific constructs like pattern matching
+
+## Example
+
+The following Rust code demonstrates control flow through branching and loops:
+
+```rust
+fn example(x: i32) -> i32 {
+    if x > 0 {
+        return x;
+    }
+
+    let mut val = x;
+    while val < 10 {
+        val += 1;
+    }
+    val
+}
+```
+
+In the resulting CFG:
+
+- The `if` condition creates a branch with two successors
+- The early `return` creates an edge to the function exit
+- The `while` loop creates a back-edge from the loop body to the condition
+
+## Output Format
+
+The query produces a graph with:
+
+- `nodes`: Each CFG node with a `semmle.label` property
+- `edges`: Control flow transitions between nodes
+
+## References
+
+- [The Rust Reference - Expressions](https://doc.rust-lang.org/reference/expressions.html)
+- [CodeQL Control Flow Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)
+- [CodeQL Library for Rust](https://codeql.github.com/docs/codeql-language-guides/codeql-library-for-rust/)

package/ql/rust/tools/src/PrintCFG/PrintCFG.ql

@@ -0,0 +1,58 @@
+/**
+ * @name Print CFG for rust
+ * @description Produces a representation of a file's Control Flow Graph for specified source files.
+ * @id rust/tools/print-cfg
+ * @kind graph
+ * @tags cfg
+ */
+
+import rust
+import codeql.rust.controlflow.ControlFlowGraph
+import ExternalPredicates
+
+/**
+ * Gets a single source file from the comma-separated list.
+ */
+string getSelectedSourceFile() {
+  exists(string s | selectedSourceFiles(s) | result = s.splitAt(",").trim())
+}
+
+/**
+ * Gets a file by matching against the selected source file paths.
+ */
+File getSelectedFile() {
+  exists(string selectedFile |
+    selectedFile = getSelectedSourceFile() and
+    (
+      // Match by exact relative path from source root
+      result.getRelativePath() = selectedFile
+      or
+      // Match by file name if no path separators
+      not selectedFile.matches("%/%") and result.getBaseName() = selectedFile
+      or
+      // Match by ending path component
+      result.getAbsolutePath().suffix(result.getAbsolutePath().length() - selectedFile.length()) =
+        selectedFile
+    )
+  )
+}
+
+/**
+ * Holds if this CFG node should be included in output.
+ */
+predicate shouldPrintNode(CfgNode node) { node.getLocation().getFile() = getSelectedFile() }
+
+/**
+ * Configuration for PrintCFG that outputs filtered CFG nodes and edges.
+ */
+query predicate nodes(CfgNode node, string property, string value) {
+  shouldPrintNode(node) and
+  property = "semmle.label" and
+  value = node.toString()
+}
+
+query predicate edges(CfgNode pred, CfgNode succ) {
+  shouldPrintNode(pred) and
+  shouldPrintNode(succ) and
+  pred.getASuccessor() = succ
+}