From 48986a51ad8b89573d38fbf3eb129558b8a39fb3 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Thu, 14 Jul 2022 11:49:59 +0200 Subject: [PATCH 01/32] Modernize qlpacks and update to CodeQL 2.8.5 --- .codeqlmanifest.json | 2 +- .github/actions/action.yml | 25 ++++++ .../actions/install-codeql-packs/action.yml | 25 ++++++ .github/workflows/code-scanning-pack-gen.yml | 9 ++- .github/workflows/codeql_unit_tests.yml | 20 +++-- .../standard_library_upgrade_tests.yml | 2 +- .../verify-standard-library-dependencies.yml | 79 +++++++++++++++++++ .gitignore | 3 + c/.codeqlmanifest.json | 3 - c/cert/src/codeql-pack.lock.yml | 6 ++ c/cert/src/qlpack.yml | 6 +- c/cert/test/codeql-pack.lock.yml | 6 ++ c/cert/test/qlpack.yml | 7 +- c/common/src/codeql-pack.lock.yml | 6 ++ c/common/src/qlpack.yml | 6 +- c/common/test/codeql-pack.lock.yml | 6 ++ c/common/test/qlpack.yml | 5 +- c/misra/src/codeql-pack.lock.yml | 6 ++ c/misra/src/qlpack.yml | 6 +- c/misra/test/codeql-pack.lock.yml | 6 ++ c/misra/test/qlpack.yml | 7 +- cpp/.codeqlmanifest.json | 3 - cpp/autosar/src/codeql-pack.lock.yml | 6 ++ cpp/autosar/src/qlpack.yml | 6 +- cpp/autosar/test/codeql-pack.lock.yml | 6 ++ cpp/autosar/test/qlpack.yml | 5 +- cpp/cert/src/codeql-pack.lock.yml | 6 ++ cpp/cert/src/qlpack.yml | 6 +- cpp/cert/test/codeql-pack.lock.yml | 6 ++ cpp/cert/test/qlpack.yml | 5 +- cpp/common/src/codeql-pack.lock.yml | 6 ++ cpp/common/src/qlpack.yml | 5 +- cpp/common/test/codeql-pack.lock.yml | 6 ++ cpp/common/test/qlpack.yml | 5 +- cpp/misra/src/codeql-pack.lock.yml | 6 ++ cpp/misra/src/qlpack.yml | 6 +- cpp/misra/test/codeql-pack.lock.yml | 6 ++ cpp/misra/test/qlpack.yml | 5 +- cpp/report/src/codeql-pack.lock.yml | 6 ++ cpp/report/src/qlpack.yml | 5 +- docs/development_handbook.md | 64 ++++++++------- scripts/get_workspace_packs.py | 14 ++++ scripts/install-packs.py | 23 ++++++ scripts/verify-standard-library-version.py | 68 ++++++++++++++++ supported_codeql_configs.json | 6 +- 45 files changed, 435 insertions(+), 86 deletions(-) create mode 100644 .github/actions/action.yml create 
mode 100644 .github/actions/install-codeql-packs/action.yml create mode 100644 .github/workflows/verify-standard-library-dependencies.yml delete mode 100644 c/.codeqlmanifest.json create mode 100644 c/cert/src/codeql-pack.lock.yml create mode 100644 c/cert/test/codeql-pack.lock.yml create mode 100644 c/common/src/codeql-pack.lock.yml create mode 100644 c/common/test/codeql-pack.lock.yml create mode 100644 c/misra/src/codeql-pack.lock.yml create mode 100644 c/misra/test/codeql-pack.lock.yml delete mode 100644 cpp/.codeqlmanifest.json create mode 100644 cpp/autosar/src/codeql-pack.lock.yml create mode 100644 cpp/autosar/test/codeql-pack.lock.yml create mode 100644 cpp/cert/src/codeql-pack.lock.yml create mode 100644 cpp/cert/test/codeql-pack.lock.yml create mode 100644 cpp/common/src/codeql-pack.lock.yml create mode 100644 cpp/common/test/codeql-pack.lock.yml create mode 100644 cpp/misra/src/codeql-pack.lock.yml create mode 100644 cpp/misra/test/codeql-pack.lock.yml create mode 100644 cpp/report/src/codeql-pack.lock.yml create mode 100644 scripts/get_workspace_packs.py create mode 100644 scripts/install-packs.py create mode 100644 scripts/verify-standard-library-version.py diff --git a/.codeqlmanifest.json b/.codeqlmanifest.json index ac468d9838..d6277f5949 100644 --- a/.codeqlmanifest.json +++ b/.codeqlmanifest.json @@ -1 +1 @@ -{ "provide": [ "codeql_modules/*/.codeqlmanifest.json", "cpp/.codeqlmanifest.json", "c/.codeqlmanifest.json"] } +{ "provide": [ "cpp/*/src/qlpack.yml", "cpp/*/test/qlpack.yml", "c/*/src/qlpack.yml", "c/*/test/qlpack.yml" ] } diff --git a/.github/actions/action.yml b/.github/actions/action.yml new file mode 100644 index 0000000000..2e6d5f1a2e --- /dev/null +++ b/.github/actions/action.yml 
@@ -0,0 +1,25 @@ +name: Install CodeQL library pack dependencies +description: | + Downloads any necessary CodeQL library packs needed by packs in the repo. +inputs: + cli_path: + description: | + The path to the CodeQL CLI directory. + required: false + + mode: + description: | + The `--mode` option to `codeql pack install`. + required: true + default: verify + +runs: + using: composite + steps: + - name: Install CodeQL library packs + shell: bash + env: + CODEQL_CLI: ${{ inputs.cli_path }} + run: | + PATH=$PATH:$CODEQL_CLI + python scripts/install-packs.py --mode ${{ inputs.mode }} diff --git a/.github/actions/install-codeql-packs/action.yml b/.github/actions/install-codeql-packs/action.yml new file mode 100644 index 0000000000..2e6d5f1a2e --- /dev/null +++ b/.github/actions/install-codeql-packs/action.yml @@ -0,0 +1,25 @@ +name: Install CodeQL library pack dependencies +description: | + Downloads any necessary CodeQL library packs needed by packs in the repo. +inputs: + cli_path: + description: | + The path to the CodeQL CLI directory. + required: false + + mode: + description: | + The `--mode` option to `codeql pack install`. + required: true + default: verify + +runs: + using: composite + steps: + - name: Install CodeQL library packs + shell: bash + env: + CODEQL_CLI: ${{ inputs.cli_path }} + run: | + PATH=$PATH:$CODEQL_CLI + python scripts/install-packs.py --mode ${{ inputs.mode }} diff --git a/.github/workflows/code-scanning-pack-gen.yml b/.github/workflows/code-scanning-pack-gen.yml index 0814e059e8..7ffa250669 100644 --- a/.github/workflows/code-scanning-pack-gen.yml +++ b/.github/workflows/code-scanning-pack-gen.yml @@ -59,6 +59,11 @@ jobs: codeql-home: ${{ github.workspace }}/codeql_home add-to-path: false + - name: Install CodeQL packs + uses: ./.github/actions/install-codeql-packs + with: + cli_path: ${{ github.workspace }}/codeql_home/codeql + - name: Checkout external help files continue-on-error: true id: checkout-external-help-files 
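Review bot: The final `run:` step of this composite action splices `${{ inputs.mode }}` directly into the bash script, so whatever string a caller passes is parsed as shell text rather than as a single argument. `cli_path` is already routed through `env:`, and `mode` should be handled the same way: add `MODE: ${{ inputs.mode }}` under `env:` and call `python scripts/install-packs.py --mode "$MODE"`, quoting `"$PATH:$CODEQL_CLI"` as well. The same 25 lines are also added twice, as `.github/actions/action.yml` and `.github/actions/install-codeql-packs/action.yml` (both blob `2e6d5f1a2e`). The workflows in this patch only reference `./.github/actions/install-codeql-packs`, so the first copy looks accidental and would be a second place to keep in sync.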
@@ -82,8 +87,8 @@ jobs: run: | PATH=$PATH:$CODEQL_HOME/codeql - codeql query compile --search-path cpp --threads 0 cpp - codeql query compile --search-path c --search-path cpp --threads 0 c + codeql query compile --threads 0 cpp + codeql query compile --threads 0 c cd .. zip -r codeql-coding-standards/code-scanning-cpp-query-pack.zip codeql-coding-standards/c/ codeql-coding-standards/cpp/ codeql-coding-standards/.codeqlmanifest.json codeql-coding-standards/supported_codeql_configs.json codeql-coding-standards/scripts/deviations codeql-coding-standards/scripts/reports diff --git a/.github/workflows/codeql_unit_tests.yml b/.github/workflows/codeql_unit_tests.yml index 1a2374d19d..8fad3c3292 100644 --- a/.github/workflows/codeql_unit_tests.yml +++ b/.github/workflows/codeql_unit_tests.yml @@ -66,11 +66,16 @@ jobs: codeql-home: ${{ github.workspace }}/codeql_home add-to-path: false + - name: Install CodeQL packs + uses: ./.github/actions/install-codeql-packs + with: + cli_path: ${{ github.workspace }}/codeql_home/codeql + - name: Pre-Compile Queries id: pre-compile-queries run: | - ${{ github.workspace }}/codeql_home/codeql/codeql query compile --search-path cpp --threads 0 cpp - ${{ github.workspace }}/codeql_home/codeql/codeql query compile --search-path c --search-path cpp --threads 0 c + ${{ github.workspace }}/codeql_home/codeql/codeql query compile --threads 0 cpp + ${{ github.workspace }}/codeql_home/codeql/codeql query compile --threads 0 c - name: Run test suites 
@@ -122,18 +127,11 @@ jobs: os.makedirs(os.path.dirname(test_report_path), exist_ok=True) test_report_file = open(test_report_path, 'w') files_to_close.append(test_report_file) - if "${{ matrix.language }}".casefold() == "c".casefold(): - # c tests require cpp -- but we don't want c things on the cpp - # path in case of design errors. - cpp_language_root = Path(workspace, 'cpp') - procs.append(subprocess.Popen([codeql_bin, "test", "run", "--failing-exitcode=122", f"--slice={slice}/{num_slices}", "--ram=2048", "--format=json", f'--search-path={cpp_language_root}', f'--search-path={language_root}', *test_roots], stdout=test_report_file, stderr=subprocess.PIPE)) - else: - procs.append(subprocess.Popen([codeql_bin, "test", "run", "--failing-exitcode=122", f"--slice={slice}/{num_slices}", "--ram=2048", "--format=json", f'--search-path={language_root}', f'--search-path={language_root}', *test_roots], stdout=test_report_file, stderr=subprocess.PIPE)) + procs.append(subprocess.Popen([codeql_bin, "test", "run", "--failing-exitcode=122", f"--slice={slice}/{num_slices}", "--ram=2048", "--format=json", *test_roots], stdout=test_report_file, stderr=subprocess.PIPE)) for p in procs: - p.wait() + _, err = p.communicate() if p.returncode != 0: - _, err = p.communicate() if p.returncode == 122: # Failed because a test case failed, so just print the regular output. # This will allow us to proceed to validate-test-results, which will fail if diff --git a/.github/workflows/standard_library_upgrade_tests.yml b/.github/workflows/standard_library_upgrade_tests.yml index 0a4e58dbd3..4f7c2de75c 100644 --- a/.github/workflows/standard_library_upgrade_tests.yml +++ b/.github/workflows/standard_library_upgrade_tests.yml 
@@ -116,7 +116,7 @@ jobs: stdlib_path = os.path.join(codeql_home, 'codeql-stdlib') cpp_test_root = Path(stdlib_path, 'cpp/ql/test') print(f"Executing tests found (recursively) in the directory '{cpp_test_root}'") - cp = subprocess.run([codeql_bin, "test", "run", "--format=json", f'--search-path={stdlib_path}', cpp_test_root], stdout=test_report_file, stderr=subprocess.PIPE) + cp = subprocess.run([codeql_bin, "test", "run", "--format=json", cpp_test_root], stdout=test_report_file, stderr=subprocess.PIPE) if cp.returncode != 0: print_error_and_fail(f"Failed to run tests with return code {cp.returncode} and error {cp.stderr}") diff --git a/.github/workflows/verify-standard-library-dependencies.yml b/.github/workflows/verify-standard-library-dependencies.yml new file mode 100644 index 0000000000..1be00ef43e --- /dev/null +++ b/.github/workflows/verify-standard-library-dependencies.yml 
@@ -0,0 +1,79 @@ +name: Verify Standard Library Dependencies + +# Run this workflow every time the "supported_codeql_configs.json" file or a "qlpack.yml" file is changed +on: + pull_request: + branches: + - main + - "rc/**" + - next + paths: + - "supported_codeql_configs.json" + - "qlpack.yml" + workflow_dispatch: + +jobs: + prepare-matrix: + name: Prepare CodeQL configuration matrix + runs-on: ubuntu-latest + outputs: + matrix: ${{ steps.export-matrix.outputs.matrix }} + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Export unit test matrix + id: export-matrix + run: | + echo "::set-output name=matrix::$( + jq --compact-output \ + '.supported_environment | map([.+{os: "ubuntu-20.04-xl", codeql_standard_library_ident : .codeql_standard_library | sub("\/"; "_")}]) | flatten | {include: .}' \ + supported_codeql_configs.json + )" + + verify-dependencies: + name: Verify dependencies + needs: prepare-matrix + + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: ${{fromJSON(needs.prepare-matrix.outputs.matrix)}} + + steps: + - name: Checkout repository + uses: actions/checkout@v2 + + - name: Setup Python 3 + uses: actions/setup-python@v2 + with: + python-version: "3.x" + + - name: Cache CodeQL + id: cache-codeql + uses: actions/cache@v2.1.3 + with: + # A list of files, directories, and wildcard patterns to cache and restore + path: ${{github.workspace}}/codeql_home + # An explicit key for restoring and saving the cache + key: codeql-home-${{matrix.os}}-${{matrix.codeql_cli}}-${{matrix.codeql_standard_library}} + + - name: Install CodeQL + if: steps.cache-codeql.outputs.cache-hit != 'true' + uses: ./.github/actions/install-codeql + with: + codeql-cli-version: ${{matrix.codeql_cli}} + codeql-stdlib-version: ${{matrix.codeql_standard_library}} + codeql-home: ${{ github.workspace }}/codeql_home + + - name: Verify dependencies + shell: bash + env: + CLI_PATH: ${{ github.workspace }}/codeql_home/codeql + STDLIB_PATH: ${{ 
github.workspace }}/codeql_home/codeql-stdlib + run: | + PATH=$PATH:$CLI_PATH + ls $STDLIB_PATH + pip install -r scripts/requirements.txt + python3 scripts/verify-standard-library-version.py --codeql-repo $STDLIB_PATH --mode verify + diff --git a/.gitignore b/.gitignore index 5466e33c8f..360134b51c 100644 --- a/.gitignore +++ b/.gitignore @@ -20,3 +20,6 @@ # C/C++ build artifacts *.o /databases/ + +# CodeQL build artifacts +**/.codeql/** diff --git a/c/.codeqlmanifest.json b/c/.codeqlmanifest.json deleted file mode 100644 index 384848fdd1..0000000000 --- a/c/.codeqlmanifest.json +++ /dev/null @@ -1,3 +0,0 @@ -{ "provide": [ - "*/src/qlpack.yml", - "*/test/qlpack.yml" ] } diff --git a/c/cert/src/codeql-pack.lock.yml b/c/cert/src/codeql-pack.lock.yml new file mode 100644 index 0000000000..421c52af64 --- /dev/null +++ b/c/cert/src/codeql-pack.lock.yml @@ -0,0 +1,6 @@ +--- +dependencies: + codeql/cpp-all: + version: 0.0.13 +compiled: false +lockVersion: 1.0.0 diff --git a/c/cert/src/qlpack.yml b/c/cert/src/qlpack.yml index 910d4d2636..e27e23f122 100644 --- a/c/cert/src/qlpack.yml +++ b/c/cert/src/qlpack.yml @@ -1,4 +1,6 @@ -name: cert-c-coding-standards +name: codeql/cert-c-coding-standards version: 2.6.0-dev suites: codeql-suites -libraryPathDependencies: common-c-coding-standards \ No newline at end of file +dependencies: + codeql/common-c-coding-standards: '*' + codeql/cpp-all: 0.0.13 diff --git a/c/cert/test/codeql-pack.lock.yml b/c/cert/test/codeql-pack.lock.yml new file mode 100644 index 0000000000..421c52af64 --- /dev/null +++ b/c/cert/test/codeql-pack.lock.yml @@ -0,0 +1,6 @@ +--- +dependencies: + codeql/cpp-all: + version: 0.0.13 +compiled: false +lockVersion: 1.0.0 diff --git a/c/cert/test/qlpack.yml b/c/cert/test/qlpack.yml index f07c68d211..891bf564fb 100644 --- a/c/cert/test/qlpack.yml +++ b/c/cert/test/qlpack.yml 
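Review bot: The `paths:` filter in the new `verify-standard-library-dependencies.yml` lists `"qlpack.yml"`, which matches only a file at the repository root, while every pack manifest in this patch lives under `c/*/src`, `c/*/test`, `cpp/*/src` or `cpp/*/test`. As written the workflow will not trigger when a pack's dependency version is edited, which is the case its header comment says it covers; use `- "**/qlpack.yml"` (and probably `- "**/codeql-pack.lock.yml"`). The workflow also declares no `permissions:` block, so its jobs run with the repository's default token scope even though they only read the checkout; a top-level `permissions:` with `contents: read` would be enough. `actions/checkout@v2`, `actions/setup-python@v2` and `actions/cache@v2.1.3` are referenced by mutable tag, and pinning them to a commit SHA would keep a retagged release from changing what this check executes.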
@@ -1,4 +1,5 @@
-name: cert-c-coding-standards-tests
+name: codeql/cert-c-coding-standards-tests
 version: 2.6.0-dev
-libraryPathDependencies: cert-c-coding-standards
-extractor: cpp
\ No newline at end of file
+extractor: cpp
+dependencies:
+ codeql/cert-c-coding-standards: '*'
diff --git a/c/common/src/codeql-pack.lock.yml b/c/common/src/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/c/common/src/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/c/common/src/qlpack.yml b/c/common/src/qlpack.yml
index c875247efe..ae2d642c8b 100644
--- a/c/common/src/qlpack.yml
+++ b/c/common/src/qlpack.yml
@@ -1,3 +1,5 @@
-name: common-c-coding-standards
+name: codeql/common-c-coding-standards
 version: 2.6.0-dev
-libraryPathDependencies: common-cpp-coding-standards
+dependencies:
+ codeql/common-cpp-coding-standards: '*'
+ codeql/cpp-all: 0.0.13
diff --git a/c/common/test/codeql-pack.lock.yml b/c/common/test/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/c/common/test/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/c/common/test/qlpack.yml b/c/common/test/qlpack.yml
index 8dac78eb7c..aeedcccf24 100644
--- a/c/common/test/qlpack.yml
+++ b/c/common/test/qlpack.yml
@@ -1,4 +1,5 @@
-name: common-c-coding-standards-tests
+name: codeql/common-c-coding-standards-tests
 version: 2.6.0-dev
-libraryPathDependencies: common-c-coding-standards
 extractor: cpp
+dependencies:
+ codeql/common-c-coding-standards: '*'
diff --git a/c/misra/src/codeql-pack.lock.yml b/c/misra/src/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/c/misra/src/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/c/misra/src/qlpack.yml b/c/misra/src/qlpack.yml
index 58fcca96e0..138a5a1266 100644
--- a/c/misra/src/qlpack.yml
+++ b/c/misra/src/qlpack.yml
@@ -1,4 +1,6 @@
-name: misra-c-coding-standards
+name: codeql/misra-c-coding-standards
 version: 2.6.0-dev
 suites: codeql-suites
-libraryPathDependencies: common-c-coding-standards
+dependencies:
+ codeql/common-c-coding-standards: '*'
+ codeql/cpp-all: 0.0.13
diff --git a/c/misra/test/codeql-pack.lock.yml b/c/misra/test/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/c/misra/test/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/c/misra/test/qlpack.yml b/c/misra/test/qlpack.yml
index e278dfbe3d..d4254d97aa 100644
--- a/c/misra/test/qlpack.yml
+++ b/c/misra/test/qlpack.yml
@@ -1,4 +1,5 @@
-name: misra-c-coding-standards-tests
+name: codeql/misra-c-coding-standards-tests
 version: 2.6.0-dev
-libraryPathDependencies: misra-c-coding-standards
-extractor: cpp
\ No newline at end of file
+extractor: cpp
+dependencies:
+ codeql/misra-c-coding-standards: '*'
diff --git a/cpp/.codeqlmanifest.json b/cpp/.codeqlmanifest.json
deleted file mode 100644
index 384848fdd1..0000000000
--- a/cpp/.codeqlmanifest.json
+++ /dev/null
@@ -1,3 +0,0 @@
-{ "provide": [
- "*/src/qlpack.yml",
- "*/test/qlpack.yml" ] }
diff --git a/cpp/autosar/src/codeql-pack.lock.yml b/cpp/autosar/src/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/autosar/src/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/autosar/src/qlpack.yml b/cpp/autosar/src/qlpack.yml
index 9f3aa642fd..df34ff31c7 100644
--- a/cpp/autosar/src/qlpack.yml
+++ b/cpp/autosar/src/qlpack.yml
@@ -1,4 +1,6 @@
-name: autosar-cpp-coding-standards
+name: codeql/autosar-cpp-coding-standards
 version: 2.6.0-dev
 suites: codeql-suites
-libraryPathDependencies: common-cpp-coding-standards
+dependencies:
+ codeql/common-cpp-coding-standards: '*'
+ codeql/cpp-all: 0.0.13
diff --git a/cpp/autosar/test/codeql-pack.lock.yml b/cpp/autosar/test/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/autosar/test/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/autosar/test/qlpack.yml b/cpp/autosar/test/qlpack.yml
index f7bb481f68..a53e0f71d1 100644
--- a/cpp/autosar/test/qlpack.yml
+++ b/cpp/autosar/test/qlpack.yml
@@ -1,4 +1,5 @@
-name: autosar-cpp-coding-standards-tests
+name: codeql/autosar-cpp-coding-standards-tests
 version: 2.6.0-dev
-libraryPathDependencies: autosar-cpp-coding-standards
 extractor: cpp
+dependencies:
+ codeql/autosar-cpp-coding-standards: '*'
diff --git a/cpp/cert/src/codeql-pack.lock.yml b/cpp/cert/src/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/cert/src/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/cert/src/qlpack.yml b/cpp/cert/src/qlpack.yml
index 18c0e900f7..f82426779a 100644
--- a/cpp/cert/src/qlpack.yml
+++ b/cpp/cert/src/qlpack.yml
@@ -1,4 +1,6 @@
-name: cert-cpp-coding-standards
+name: codeql/cert-cpp-coding-standards
 version: 2.6.0-dev
 suites: codeql-suites
-libraryPathDependencies: common-cpp-coding-standards
+dependencies:
+ codeql/cpp-all: 0.0.13
+ codeql/common-cpp-coding-standards: '*'
diff --git a/cpp/cert/test/codeql-pack.lock.yml b/cpp/cert/test/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/cert/test/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/cert/test/qlpack.yml b/cpp/cert/test/qlpack.yml
index a0b62f9443..914625ea77 100644
--- a/cpp/cert/test/qlpack.yml
+++ b/cpp/cert/test/qlpack.yml
@@ -1,4 +1,5 @@
-name: cert-cpp-coding-standards-tests
+name: codeql/cert-cpp-coding-standards-tests
 version: 2.6.0-dev
-libraryPathDependencies: cert-cpp-coding-standards
 extractor: cpp
+dependencies:
+ codeql/cert-cpp-coding-standards: '*'
diff --git a/cpp/common/src/codeql-pack.lock.yml b/cpp/common/src/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/common/src/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/common/src/qlpack.yml b/cpp/common/src/qlpack.yml
index 79c9793311..d7c8d47f37 100644
--- a/cpp/common/src/qlpack.yml
+++ b/cpp/common/src/qlpack.yml
@@ -1,3 +1,4 @@
-name: common-cpp-coding-standards
+name: codeql/common-cpp-coding-standards
 version: 2.6.0-dev
-libraryPathDependencies: codeql-cpp
+dependencies:
+ codeql/cpp-all: 0.0.13
diff --git a/cpp/common/test/codeql-pack.lock.yml b/cpp/common/test/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/common/test/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/common/test/qlpack.yml b/cpp/common/test/qlpack.yml
index a2d68ecf7d..63d98d3368 100644
--- a/cpp/common/test/qlpack.yml
+++ b/cpp/common/test/qlpack.yml
@@ -1,4 +1,5 @@
-name: common-cpp-coding-standards-tests
+name: codeql/common-cpp-coding-standards-tests
 version: 2.6.0-dev
-libraryPathDependencies: common-cpp-coding-standards
 extractor: cpp
+dependencies:
+ codeql/common-cpp-coding-standards: '*'
diff --git a/cpp/misra/src/codeql-pack.lock.yml b/cpp/misra/src/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/misra/src/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/misra/src/qlpack.yml b/cpp/misra/src/qlpack.yml
index a7230efd5d..c0f9bdbc6c 100644
--- a/cpp/misra/src/qlpack.yml
+++ b/cpp/misra/src/qlpack.yml
@@ -1,3 +1,5 @@
-name: misra-cpp-coding-standards
+name: codeql/misra-cpp-coding-standards
 version: 2.6.0-dev
-libraryPathDependencies: common-cpp-coding-standards
+dependencies:
+ codeql/common-cpp-coding-standards: '*'
+ codeql/cpp-all: 0.0.13
diff --git a/cpp/misra/test/codeql-pack.lock.yml b/cpp/misra/test/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/misra/test/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/misra/test/qlpack.yml b/cpp/misra/test/qlpack.yml
index 7dd2b62644..dcbc132c3a 100644
--- a/cpp/misra/test/qlpack.yml
+++ b/cpp/misra/test/qlpack.yml
@@ -1,4 +1,5 @@
-name: misra-cpp-coding-standards-tests
+name: codeql/misra-cpp-coding-standards-tests
 version: 2.6.0-dev
-libraryPathDependencies: misra-cpp-coding-standards
 extractor: cpp
+dependencies:
+ codeql/misra-cpp-coding-standards: '*'
\ No newline at end of file
diff --git a/cpp/report/src/codeql-pack.lock.yml b/cpp/report/src/codeql-pack.lock.yml
new file mode 100644
index 0000000000..421c52af64
--- /dev/null
+++ b/cpp/report/src/codeql-pack.lock.yml
@@ -0,0 +1,6 @@
+---
+dependencies:
+ codeql/cpp-all:
+ version: 0.0.13
+compiled: false
+lockVersion: 1.0.0
diff --git a/cpp/report/src/qlpack.yml b/cpp/report/src/qlpack.yml
index 5300e54ee4..0781656b00 100644
--- a/cpp/report/src/qlpack.yml
+++ b/cpp/report/src/qlpack.yml
@@ -1,3 +1,4 @@
-name: report-cpp-coding-standards
+name: codeql/report-cpp-coding-standards
 version: 2.6.0-dev
-libraryPathDependencies: codeql-cpp
+dependencies:
+ codeql/cpp-all: 0.0.13
diff --git a/docs/development_handbook.md b/docs/development_handbook.md
index d00e9f3d2a..00e8bdf113 100644
--- a/docs/development_handbook.md
+++ b/docs/development_handbook.md
@@ -4,32 +4,33 @@ **Document ID:** codeql-coding-standards/developer-handbook -| Version | Date | Author | Changes | -| ------- | ---------- | --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 0.1.0 | 2021-02-02 | Luke Cartey | Initial version. | -| 0.2.0 | 2021-02-19 | Luke Cartey | Add section on Python environment preparation. | -| 0.3.0 | 2021-04-13 | Michael Hohn | Add cookbook section documenting common procedures. | -| 0.4.0 | 2021-04-13 | Mario Campos | Add submodule out of date tip to the cookbook section. | -| 0.5.0 | 2021-04-30 | Luke Cartey | Add query style guide. | -| 0.6.0 | 2021-05-05 | John Singleton | Add task automation files. | -| 0.7.0 | 2021-05-10 | Luke Cartey | Explain non-constant alert messages. | -| 0.8.0 | 2021-05-27 | Luke Cartey | Clarify the `short_name` property. | -| 0.9.0 | 2021-09-06 | Luke Cartey | | -| 0.10.0 | 2021-09-08 | Luke Cartey | Update tool qualification section. | -| 0.11.0 | 2021-09-10 | Luke Cartey | Add reporting and deviations to scope of work. | -| 0.12.0 | 2021-09-18 | Luke Cartey | | -| 0.13.0 | 2021-09-22 | Remco Vermeulen | Document rule package schema. | -| 0.14.0 | 2021-10-11 | Luke Cartey | Document how to update dependencies. | -| 0.15.0 | 2021-10-26 | John Singleton | Document false positive triage process. | -| 0.16.0 | 2021-11-29 | Remco Vermeulen | Add document management section. | -| 0.17.0 | 2021-11-29 | Remco Vermeulen | | -| 0.18.0 | 2022-02-16 | Remco Vermeulen | Address mistake in point 2 in section *Splitting a rule into multiple queries*. | -| 0.19.0 | 2022-06-15 | Remco Vermeulen | Replace references and steps related to Markdown help files. | -| 0.20.0 | 2022-07-05 | Remco Vermeulen | Expand scope of work to include CERT-C and MISRA C. 
| -| 0.21.0 | 2022-07-05 | Remco Vermeulen | Update architecture section to include the supported languages C90, C99, and C11. | -| 0.22.0 | 2022-07-05 | Remco Vermeulen | Update section `Generation of query templates from rule specifications` to include external help files. | -| 0.23.0 | 2022-07-05 | Remco Vermeulen | Update text to consider both the C++ and the C standards. | -| 0.24.0 | 2022-07-05 | Remco Vermeulen | Update release process to include steps for external help files. | +| Version | Date | Author | Changes | +| ------- | ---------- | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 0.1.0 | 2021-02-02 | Luke Cartey | Initial version. | +| 0.2.0 | 2021-02-19 | Luke Cartey | Add section on Python environment preparation. | +| 0.3.0 | 2021-04-13 | Michael Hohn | Add cookbook section documenting common procedures. | +| 0.4.0 | 2021-04-13 | Mario Campos | Add submodule out of date tip to the cookbook section. | +| 0.5.0 | 2021-04-30 | Luke Cartey | Add query style guide. | +| 0.6.0 | 2021-05-05 | John Singleton | Add task automation files. | +| 0.7.0 | 2021-05-10 | Luke Cartey | Explain non-constant alert messages. | +| 0.8.0 | 2021-05-27 | Luke Cartey | Clarify the `short_name` property. | +| 0.9.0 | 2021-09-06 | Luke Cartey | | +| 0.10.0 | 2021-09-08 | Luke Cartey | Update tool qualification section. | +| 0.11.0 | 2021-09-10 | Luke Cartey | Add reporting and deviations to scope of work. | +| 0.12.0 | 2021-09-18 | Luke Cartey | | +| 0.13.0 | 2021-09-22 | Remco Vermeulen | Document rule package schema. | +| 0.14.0 | 2021-10-11 | Luke Cartey | Document how to update dependencies. | +| 0.15.0 | 2021-10-26 | John Singleton | Document false positive triage process. 
| +| 0.16.0 | 2021-11-29 | Remco Vermeulen | Add document management section. | +| 0.17.0 | 2021-11-29 | Remco Vermeulen | | +| 0.18.0 | 2022-02-16 | Remco Vermeulen | Address mistake in point 2 in section *Splitting a rule into multiple queries*. | +| 0.19.0 | 2022-06-15 | Remco Vermeulen | Replace references and steps related to Markdown help files. | +| 0.20.0 | 2022-07-05 | Remco Vermeulen | Expand scope of work to include CERT-C and MISRA C. | +| 0.21.0 | 2022-07-05 | Remco Vermeulen | Update architecture section to include the supported languages C90, C99, and C11. | +| 0.22.0 | 2022-07-05 | Remco Vermeulen | Update section `Generation of query templates from rule specifications` to include external help files. | +| 0.23.0 | 2022-07-05 | Remco Vermeulen | Update text to consider both the C++ and the C standards. | +| 0.24.0 | 2022-07-05 | Remco Vermeulen | Update release process to include steps for external help files. | +| 0.25.0 | 2022-07-14 | David Bartolomeo | Add section on installing QL dependencies and update CLI commands to account for the migration to CodeQL packs. | ## Scope of work 
@@ -329,6 +330,11 @@ A query **must** include: - Do not try to explain the solution in the message; instead that should be provided in the help for the query. All public predicates, classes, modules and files should be documented with QLDoc. All QLDoc should follow the [QLDoc style guide](https://github.com/github/codeql/blob/main/docs/qldoc-style-guide.md). +### Installing QL dependencies + +All of our query and library packs depend on the standard CodeQL library for C++, `codeql/cpp-all`. This dependency is specified in the `qlpack.yml` file for each of our packs. Before compiling, running, or testing any of our queries or libraries, you must download the proper dependencies by running `python3 scripts/install-packs.py`. This will download the appropriate version of the standard library from the public package registry, installing it in a cache in your `~/.codeql` directory. When compiling queries or running tests, the QL compiler will pick up the appropriate dependencies from this cache without any need to specify an additional library search path on the command line. + +Because the downloaded packs are cached, it is only necessary to run `install-packs.py` once each time we upgrade to a new standard library version. It does not hurt to run it more often; if all necessary packs are already in the download cache, then it will complete quickly without trying to download anything. ### Unit testing 
@@ -343,11 +349,10 @@ During query development in VS Code, the unit tests can be run using the [testin Unit tests can also be run on the command line using the CodeQL CLI. With an appropriate CodeQL CLI (as specified in the `supported_codeql_configs.json` at the root of the repository), you can run the following from the root of the repository: ``` -codeql test run --show-extractor-output --search-path . path/to/test/directory +codeql test run --show-extractor-output path/to/test/directory ``` * `--show-extractor-output` - this shows the output from the extractor. It is most useful when the test fails because the file is not valid C++, where the extractor output will include the compilation failure. This is not shown in VS Code. -* `--search-path .` - this allows the CodeQL CLI to discover all the QL packs within our repository. * `path/to/test/directory` - this can be a qlref file (like `cpp/autosar/test/rules/A15-2-2/`), a rule directory (`cpp/autosar/test/rules/A15-2-2/`) or a test qlpack (`cpp/autosar/test/`). For more details on running unit tests with the CodeQL CLI see the [Testing custom queries](https://codeql.github.com/docs/codeql-cli/testing-custom-queries/) help topic. @@ -662,7 +667,6 @@ ls cpp/cert/src/$(cat cpp/cert/test/rules/EXP52-CPP/DoNotRelyOnSideEffectsInDecl # Run a test. See # https://github.com/github/codeql-coding-standards/blob/main/development_handbook.md#unit-testing codeql test run --show-extractor-output \ - --search-path . \ cpp/cert/test/rules/EXP52-CPP/DoNotRelyOnSideEffectsInDeclTypeOperand.qlref # Get a db error? Applying the recommended fix 
@@ -680,7 +684,7 @@ codeql test run --show-extractor-output \ # If the expected output is not yet present, it is printed as a diff: mv cpp/cert/test/rules/EXP52-CPP/DoNotRelyOnSideEffectsInDeclTypeOperand.expected foo -codeql test run --show-extractor-output --search-path . \ +codeql test run --show-extractor-output \ cpp/cert/test/rules/EXP52-CPP/DoNotRelyOnSideEffectsInDeclTypeOperand.qlref # The actual output can be accepted via codeql test accept (which moves some files): diff --git a/scripts/get_workspace_packs.py b/scripts/get_workspace_packs.py new file mode 100644 index 0000000000..fc9054c641 --- /dev/null +++ b/scripts/get_workspace_packs.py @@ -0,0 +1,14 @@ +import glob +import json +import os + +def get_workspace_packs(root): + # Find the packs by globbing using the 'provide' patterns in the manifest. + os.chdir(root) + with open('.codeqlmanifest.json') as manifest_file: + manifest = json.load(manifest_file) + packs = [] + for pattern in manifest['provide']: + packs.extend(glob.glob(pattern, recursive=True)) + + return packs diff --git a/scripts/install-packs.py b/scripts/install-packs.py new file mode 100644 index 0000000000..a0286e2228 --- /dev/null +++ b/scripts/install-packs.py 
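Review bot: `get_workspace_packs` in the new `scripts/get_workspace_packs.py` calls `os.chdir(root)` and never restores the previous directory, so any script that imports it has its working directory changed for everything that runs afterwards. In `verify-standard-library-version.py` the helper runs before `get_codeql_packs(args.codeql_repo, ...)`, so a relative `--codeql-repo` would be resolved against the repo root instead of the caller's directory; CI passes an absolute path, so this is latent. Resolve against `root` explicitly: `with open(os.path.join(root, '.codeqlmanifest.json')) as manifest_file:` and `packs.extend(glob.glob(os.path.join(root, pattern), recursive=True))`. The callers' `os.path.join(root, pack)` keeps working with the absolute results. A one-line docstring saying that the function returns the `qlpack.yml` paths matched by the manifest's `provide` patterns would also help.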
@@ -0,0 +1,23 @@
+import argparse
+import os
+import subprocess
+import get_workspace_packs
+
+parser = argparse.ArgumentParser(description="Install CodeQL library pack dependencies.")
+parser.add_argument('--mode', required=False, choices=['use-lock', 'update', 'verify', 'no-lock'], default="use-lock", help="Installation mode, identical to the `--mode` argument to `codeql pack install`")
+parser.add_argument('--codeql', required=False, default='codeql', help="Path to the `codeql` executable.")
+args = parser.parse_args()
+
+# Find the root of the repo
+root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
+packs = get_workspace_packs.get_workspace_packs(root)
+
+# Find the CodeQL packs in the repo. This can also return packs outside of the repo, if those packs
+# are installed in a sibling directory to the CLI.
+for pack in packs:
+ pack_path = os.path.join(root, pack)
+ # Run `codeql pack install` to install dependencies.
+ command = [args.codeql, 'pack', 'install', '--mode', args.mode, pack_path]
+ print(f'Running `{" ".join(command)}`')
+ subprocess.check_call(command)
diff --git a/scripts/verify-standard-library-version.py b/scripts/verify-standard-library-version.py
new file mode 100644
index 0000000000..0b46068e1d
--- /dev/null
+++ b/scripts/verify-standard-library-version.py
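Review bot: The comment above the `for pack in packs:` loop says the lookup "can also return packs outside of the repo, if those packs are installed in a sibling directory to the CLI", but the list comes from `get_workspace_packs`, which globs the manifest's `provide` patterns after changing into the repository root. The sentence reads as if it was carried over from a lookup based on `codeql resolve qlpacks`, and it leaves a reader unsure which directories `codeql pack install` will be run against. I would move the comment up to the `packs = ...` line and reword it, for example `# Collect the pack files matched by the 'provide' patterns in .codeqlmanifest.json.`.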
@@ -0,0 +1,68 @@
+import argparse
+import json
+import os
+import subprocess
+import yaml
+import get_workspace_packs
+
+def get_codeql_packs(codeql_repo, codeql):
+ command = [codeql, 'resolve', 'qlpacks', '--additional-packs', codeql_repo, '--format', 'json']
+ print(f'Running `{" ".join(command)}`')
+ packs_json = subprocess.check_output(command)
+ print(packs_json)
+ packs = json.loads(packs_json)
+ return packs
+
+parser = argparse.ArgumentParser(description='Ensure that CodeQL library pack dependency versions match the supported configuration.')
+parser.add_argument('--codeql-repo', required=True, help='Path to checkout of `github/codeql` repo at desired branch.')
+parser.add_argument('--mode', required=False, choices=['verify', 'update'], default='verify', help="`verify` to fail on mismatch; `update` to change `qlpack.lock.yml` files to use new version.")
+parser.add_argument('--codeql', required=False, default='codeql', help='Path to the `codeql` executable.')
+args = parser.parse_args()
+
+# Find the root of the repo
+root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
+# Get the packs for the repo's workspace.
+workspace_packs = get_workspace_packs.get_workspace_packs(root)
+
+# Get the packs from the `codeql` repo checkout.
+codeql_packs = get_codeql_packs(args.codeql_repo, args.codeql)
+
+failed = False
+for pack in workspace_packs:
+ pack_path = os.path.join(root, pack)
+
+ print(f"Scanning dependencies of '{pack_path}'...")
+
+ # Read our pack's configuration file.
+ with open(pack_path) as pack_file:
+ pack_yaml = yaml.safe_load(pack_file)
+
+ updated = False
+ if 'dependencies' in pack_yaml:
+ dependencies = pack_yaml['dependencies']
+ for ref_name in dependencies:
+ ref_version = dependencies[ref_name]
+ if ref_name in codeql_packs:
+ # Found this reference in the `codeql` repo. The version of the reference should match
+ # the version of that pack in the `codeql` repo.
+ lib_path = codeql_packs[ref_name][0] + lib_path = os.path.join(lib_path, 'qlpack.yml') + with open(lib_path) as lib_file: + lib_yaml = yaml.safe_load(lib_file) + lib_version = lib_yaml['version'] + if ref_version != lib_version: + print(f"Mismatched versions for '{ref_name}', referenced from '{pack_path}'. " + + f"referenced version is '{ref_version}', but should be '{lib_version}'.") + if args.mode == 'verify': + failed = True # Report an error at the end. + else: + pack_yaml['dependencies'][ref_name] = lib_version + updated = True # Update our pack in-place. + + if updated: + print(f"Updating '{pack_path}'...") + with open(pack_path, 'w', newline='\n') as pack_file: # Always use LF even on Windows + yaml.safe_dump(pack_yaml, pack_file, sort_keys=False) + +exit(1 if failed else 0) diff --git a/supported_codeql_configs.json b/supported_codeql_configs.json index a0ad42a349..bba3112bae 100644 --- a/supported_codeql_configs.json +++ b/supported_codeql_configs.json @@ -1,9 +1,9 @@ { "supported_environment": [ { - "codeql_cli": "2.7.6", - "codeql_standard_library": "codeql-cli/v2.7.6", - "codeql_cli_bundle": "codeql-bundle-20220120" + "codeql_cli": "2.8.5", + "codeql_standard_library": "codeql-cli/v2.8.5", + "codeql_cli_bundle": "codeql-bundle-20220401" } ], "supported_language" : [ From d514cfbca0a0565538adc440602ea3be7ca11476 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 14 Jul 2022 13:13:14 +0200 Subject: [PATCH 02/32] Update test expectations for new flow paths --- ...OwnedPointerValueStoredInUnrelatedSmartPointer.expected | 7 ------- 1 file changed, 7 deletions(-) diff --git a/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected b/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected index e291147d15..a4f85ecb72 100644 
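Review bot: In `verify` mode the script exits 0 whenever no mismatch was recorded, and that includes the case where nothing was compared at all: a dependency is checked only inside `if ref_name in codeql_packs:`, so if the checkout given as `--codeql-repo` does not yield the expected packs from `codeql resolve qlpacks`, every workspace pack passes. Since the script is meant to gate dependency versions, it should fail closed: set `checked = 0` before the loop, add `checked += 1` in that branch, and before `exit` add `if checked == 0: failed = True` together with a message saying that no dependency could be verified. Separately, the `--mode` help text speaks of `qlpack.lock.yml` files, while `update` rewrites `pack_path`, the same file the dependencies were read from, so the help string should name that file.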
--- a/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected +++ b/cpp/common/test/rules/ownedpointervaluestoredinunrelatedsmartpointer/OwnedPointerValueStoredInUnrelatedSmartPointer.expected @@ -11,21 +11,14 @@ edges | test.cpp:3:14:3:15 | v1 | test.cpp:6:31:6:33 | call to get | | test.cpp:3:14:3:15 | v1 | test.cpp:7:28:7:29 | v2 | | test.cpp:4:13:4:14 | v1 | test.cpp:7:28:7:29 | v2 | -| test.cpp:5:27:5:28 | v1 | ../../includes/standard-library/memory.h:76:17:76:19 | ptr | | test.cpp:5:27:5:29 | call to shared_ptr | test.cpp:6:31:6:33 | call to get | -| test.cpp:6:31:6:33 | call to get | ../../includes/standard-library/memory.h:76:17:76:19 | ptr | -| test.cpp:6:31:6:33 | call to get | ../../includes/standard-library/memory.h:76:17:76:19 | ptr | -| test.cpp:7:28:7:29 | v2 | ../../includes/standard-library/memory.h:76:17:76:19 | ptr | -| test.cpp:7:28:7:29 | v2 | ../../includes/standard-library/memory.h:76:17:76:19 | ptr | | test.cpp:8:8:8:14 | 0 | test.cpp:9:28:9:29 | v2 | -| test.cpp:9:28:9:29 | v2 | ../../includes/standard-library/memory.h:76:17:76:19 | ptr | | test.cpp:10:8:10:17 | new | test.cpp:11:28:11:29 | v2 | | test.cpp:10:8:10:17 | new | test.cpp:11:28:11:29 | v2 | | test.cpp:10:8:10:17 | new | test.cpp:12:28:12:29 | v2 | | test.cpp:11:28:11:29 | ref arg v2 | test.cpp:12:28:12:29 | v2 | | test.cpp:11:28:11:29 | v2 | ../../includes/standard-library/memory.h:76:17:76:19 | ptr | | test.cpp:11:28:11:29 | v2 | test.cpp:11:28:11:29 | ref arg v2 | -| test.cpp:12:28:12:29 | v2 | ../../includes/standard-library/memory.h:76:17:76:19 | ptr | | test.cpp:16:13:16:22 | new | test.cpp:17:27:17:28 | v1 | | test.cpp:16:13:16:22 | new | test.cpp:17:27:17:28 | v1 | | test.cpp:16:13:16:22 | new | test.cpp:19:6:19:7 | v1 | From cb8814993e92222b6b8b1187ff19987960490909 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Thu, 14 Jul 2022 20:35:21 +0200 Subject: [PATCH 03/32] Add missing whitespace in development handbook --- docs/development_handbook.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/development_handbook.md b/docs/development_handbook.md index 00e8bdf113..f6bc93307c 100644 --- a/docs/development_handbook.md +++ b/docs/development_handbook.md @@ -330,6 +330,7 @@ A query **must** include: - Do not try to explain the solution in the message; instead that should be provided in the help for the query. All public predicates, classes, modules and files should be documented with QLDoc. All QLDoc should follow the [QLDoc style guide](https://github.com/github/codeql/blob/main/docs/qldoc-style-guide.md). + ### Installing QL dependencies All of our query and library packs depend on the standard CodeQL library for C++, `codeql/cpp-all`. This dependency is specified in the `qlpack.yml` file for each of our packs. Before compiling, running, or testing any of our queries or libraries, you must download the proper dependencies by running `python3 scripts/install-packs.py`. This will download the appropriate version of the standard library from the public package registry, installing it in a cache in your `~/.codeql` directory. When compiling queries or running tests, the QL compiler will pick up the appropriate dependencies from this cache without any need to specify an additional library search path on the command line. From 2401e86a39015160f24332135c860eb5d30f2072 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 14 Jul 2022 20:35:49 +0200 Subject: [PATCH 04/32] Bump codeql submodule --- codeql_modules/codeql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/codeql_modules/codeql b/codeql_modules/codeql index a1cdf256ad..4551af90f6 160000 --- a/codeql_modules/codeql +++ b/codeql_modules/codeql @@ -1 +1 @@ -Subproject commit a1cdf256ad6b7c3e9984db9069671647e5f47921 +Subproject commit 4551af90f61a8d5f5c1c88a036595b5919a6c98e 
From 896e289e5de11397734d48d23bd8aa2d32d4babc Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Fri, 15 Jul 2022 19:34:28 +0200 Subject: [PATCH 05/32] Standardize on Python 3.9 per the user manual --- .github/actions/action.yml | 25 ------------------- .../verify-standard-library-dependencies.yml | 4 +-- 2 files changed, 2 insertions(+), 27 deletions(-) delete mode 100644 .github/actions/action.yml diff --git a/.github/actions/action.yml b/.github/actions/action.yml deleted file mode 100644 index 2e6d5f1a2e..0000000000 --- a/.github/actions/action.yml +++ /dev/null @@ -1,25 +0,0 @@ -name: Install CodeQL library pack dependencies -description: | - Downloads any necessary CodeQL library packs needed by packs in the repo. -inputs: - cli_path: - description: | - The path to the CodeQL CLI directory. - required: false - - mode: - description: | - The `--mode` option to `codeql pack install`. - required: true - default: verify - -runs: - using: composite - steps: - - name: Install CodeQL library packs - shell: bash - env: - CODEQL_CLI: ${{ inputs.cli_path }} - run: | - PATH=$PATH:$CODEQL_CLI - python scripts/install-packs.py --mode ${{ inputs.mode }} diff --git a/.github/workflows/verify-standard-library-dependencies.yml b/.github/workflows/verify-standard-library-dependencies.yml index 1be00ef43e..0b05736ddb 100644 --- a/.github/workflows/verify-standard-library-dependencies.yml +++ b/.github/workflows/verify-standard-library-dependencies.yml @@ -45,9 +45,9 @@ jobs: uses: actions/checkout@v2 - name: Setup Python 3 - uses: actions/setup-python@v2 + uses: actions/setup-python@v4 with: - python-version: "3.x" + python-version: "3.9" - name: Cache CodeQL id: cache-codeql From 5613669dd405b9f975494aeb58b58b7718dcdf40 Mon Sep 17 00:00:00 2001 
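Review bot: The new `uses: actions/setup-python@v4` line still references the action by a movable tag, as does `actions/checkout@v2` in the context line above it, so the code that runs in this workflow can change without any change in this repository. For a workflow whose purpose is to verify dependency versions, I would pin both to a full commit SHA and keep the tag as a trailing comment, e.g. `uses: actions/setup-python@<full-commit-sha> # v4`. The job definition starts and ends outside this hunk, so other steps may need the same treatment.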
From: Jeroen Ketema Date: Thu, 14 Jul 2022 15:27:51 +0200 Subject: [PATCH 06/32] Update to CodeQL 2.9.4 --- c/cert/src/codeql-pack.lock.yml | 2 +- c/cert/src/qlpack.yml | 2 +- c/cert/test/codeql-pack.lock.yml | 2 +- c/common/src/codeql-pack.lock.yml | 2 +- c/common/src/qlpack.yml | 2 +- c/common/test/codeql-pack.lock.yml | 2 +- c/misra/src/codeql-pack.lock.yml | 2 +- c/misra/src/qlpack.yml | 2 +- c/misra/test/codeql-pack.lock.yml | 2 +- cpp/autosar/src/codeql-pack.lock.yml | 2 +- cpp/autosar/src/qlpack.yml | 2 +- cpp/autosar/test/codeql-pack.lock.yml | 2 +- cpp/cert/src/codeql-pack.lock.yml | 2 +- cpp/cert/src/qlpack.yml | 2 +- cpp/cert/test/codeql-pack.lock.yml | 2 +- cpp/common/src/codeql-pack.lock.yml | 2 +- cpp/common/src/qlpack.yml | 2 +- cpp/common/test/codeql-pack.lock.yml | 2 +- cpp/misra/src/codeql-pack.lock.yml | 2 +- cpp/misra/src/qlpack.yml | 2 +- cpp/misra/test/codeql-pack.lock.yml | 2 +- cpp/report/src/codeql-pack.lock.yml | 2 +- cpp/report/src/qlpack.yml | 2 +- supported_codeql_configs.json | 6 +++--- 24 files changed, 26 insertions(+), 26 deletions(-) diff --git a/c/cert/src/codeql-pack.lock.yml b/c/cert/src/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/c/cert/src/codeql-pack.lock.yml +++ b/c/cert/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/c/cert/src/qlpack.yml b/c/cert/src/qlpack.yml index e27e23f122..2688a6cbe4 100644 --- a/c/cert/src/qlpack.yml +++ b/c/cert/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-c-coding-standards: '*' - codeql/cpp-all: 0.0.13 + codeql/cpp-all: 0.2.3 diff --git a/c/cert/test/codeql-pack.lock.yml b/c/cert/test/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/c/cert/test/codeql-pack.lock.yml +++ b/c/cert/test/codeql-pack.lock.yml 
@@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/c/common/src/codeql-pack.lock.yml b/c/common/src/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/c/common/src/codeql-pack.lock.yml +++ b/c/common/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/c/common/src/qlpack.yml b/c/common/src/qlpack.yml index ae2d642c8b..60cf5604f0 100644 --- a/c/common/src/qlpack.yml +++ b/c/common/src/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/common-c-coding-standards version: 2.6.0-dev dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.0.13 + codeql/cpp-all: 0.2.3 diff --git a/c/common/test/codeql-pack.lock.yml b/c/common/test/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/c/common/test/codeql-pack.lock.yml +++ b/c/common/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/c/misra/src/codeql-pack.lock.yml b/c/misra/src/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/c/misra/src/codeql-pack.lock.yml +++ b/c/misra/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/c/misra/src/qlpack.yml b/c/misra/src/qlpack.yml index 138a5a1266..223a56f619 100644 --- a/c/misra/src/qlpack.yml +++ b/c/misra/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-c-coding-standards: '*' - codeql/cpp-all: 0.0.13 + codeql/cpp-all: 0.2.3 diff --git a/c/misra/test/codeql-pack.lock.yml b/c/misra/test/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/c/misra/test/codeql-pack.lock.yml +++ b/c/misra/test/codeql-pack.lock.yml 
@@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/autosar/src/codeql-pack.lock.yml b/cpp/autosar/src/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/autosar/src/codeql-pack.lock.yml +++ b/cpp/autosar/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/autosar/src/qlpack.yml b/cpp/autosar/src/qlpack.yml index df34ff31c7..59af2d6bd8 100644 --- a/cpp/autosar/src/qlpack.yml +++ b/cpp/autosar/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.0.13 + codeql/cpp-all: 0.2.3 diff --git a/cpp/autosar/test/codeql-pack.lock.yml b/cpp/autosar/test/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/autosar/test/codeql-pack.lock.yml +++ b/cpp/autosar/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/cert/src/codeql-pack.lock.yml b/cpp/cert/src/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/cert/src/codeql-pack.lock.yml +++ b/cpp/cert/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/cert/src/qlpack.yml b/cpp/cert/src/qlpack.yml index f82426779a..4580367052 100644 --- a/cpp/cert/src/qlpack.yml +++ b/cpp/cert/src/qlpack.yml @@ -2,5 +2,5 @@ name: codeql/cert-cpp-coding-standards version: 2.6.0-dev suites: codeql-suites dependencies: - codeql/cpp-all: 0.0.13 + codeql/cpp-all: 0.2.3 codeql/common-cpp-coding-standards: '*' diff --git a/cpp/cert/test/codeql-pack.lock.yml b/cpp/cert/test/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/cert/test/codeql-pack.lock.yml +++ b/cpp/cert/test/codeql-pack.lock.yml 
@@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/common/src/codeql-pack.lock.yml b/cpp/common/src/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/common/src/codeql-pack.lock.yml +++ b/cpp/common/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/common/src/qlpack.yml b/cpp/common/src/qlpack.yml index d7c8d47f37..fe9b103920 100644 --- a/cpp/common/src/qlpack.yml +++ b/cpp/common/src/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/common-cpp-coding-standards version: 2.6.0-dev dependencies: - codeql/cpp-all: 0.0.13 + codeql/cpp-all: 0.2.3 diff --git a/cpp/common/test/codeql-pack.lock.yml b/cpp/common/test/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/common/test/codeql-pack.lock.yml +++ b/cpp/common/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/misra/src/codeql-pack.lock.yml b/cpp/misra/src/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/misra/src/codeql-pack.lock.yml +++ b/cpp/misra/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/misra/src/qlpack.yml b/cpp/misra/src/qlpack.yml index c0f9bdbc6c..b2b60929b0 100644 --- a/cpp/misra/src/qlpack.yml +++ b/cpp/misra/src/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/misra-cpp-coding-standards version: 2.6.0-dev dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.0.13 + codeql/cpp-all: 0.2.3 diff --git a/cpp/misra/test/codeql-pack.lock.yml b/cpp/misra/test/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/misra/test/codeql-pack.lock.yml +++ b/cpp/misra/test/codeql-pack.lock.yml 
@@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/report/src/codeql-pack.lock.yml b/cpp/report/src/codeql-pack.lock.yml index 421c52af64..b0f02a9d1f 100644 --- a/cpp/report/src/codeql-pack.lock.yml +++ b/cpp/report/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.0.13 + version: 0.2.3 compiled: false lockVersion: 1.0.0 diff --git a/cpp/report/src/qlpack.yml b/cpp/report/src/qlpack.yml index 0781656b00..4d8fa75c36 100644 --- a/cpp/report/src/qlpack.yml +++ b/cpp/report/src/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/report-cpp-coding-standards version: 2.6.0-dev dependencies: - codeql/cpp-all: 0.0.13 + codeql/cpp-all: 0.2.3 diff --git a/supported_codeql_configs.json b/supported_codeql_configs.json index bba3112bae..269af480e3 100644 --- a/supported_codeql_configs.json +++ b/supported_codeql_configs.json @@ -1,9 +1,9 @@ { "supported_environment": [ { - "codeql_cli": "2.8.5", - "codeql_standard_library": "codeql-cli/v2.8.5", - "codeql_cli_bundle": "codeql-bundle-20220401" + "codeql_cli": "2.9.4", + "codeql_standard_library": "codeql-cli/v2.9.4", + "codeql_cli_bundle": "codeql-bundle-20220615" } ], "supported_language" : [ From 65f4e25f7d3dd536d97743856c8a8a0fba98fde7 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 14 Jul 2022 20:39:03 +0200 Subject: [PATCH 07/32] Bump codeql submodule --- codeql_modules/codeql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/codeql_modules/codeql b/codeql_modules/codeql index 4551af90f6..28fe7a7660 160000 --- a/codeql_modules/codeql +++ b/codeql_modules/codeql @@ -1 +1 @@ -Subproject commit 4551af90f61a8d5f5c1c88a036595b5919a6c98e +Subproject commit 28fe7a76603ab7ef884ca35115b63104ecb699a7 From ea338e6df45a4e4f63c911f18b81aa2c6c44c958 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Fri, 15 Jul 2022 17:33:59 +0200 Subject: [PATCH 08/32] Fix M0-1-4 to ignore compiler-generated accesses --- change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md | 3 +++ cpp/autosar/src/rules/M0-1-4/SingleUsePODVariable.qll | 9 ++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) create mode 100644 change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md diff --git a/change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md b/change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md new file mode 100644 index 0000000000..8d3a2045f2 --- /dev/null +++ b/change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md @@ -0,0 +1,3 @@ + - `M0-1-4` - `SingleUsePODVariable.ql` + - This rule no longer considers compiler-generated access to a variable when determining if the + variable has a single use. diff --git a/cpp/autosar/src/rules/M0-1-4/SingleUsePODVariable.qll b/cpp/autosar/src/rules/M0-1-4/SingleUsePODVariable.qll index 765848a63c..c750bb130c 100644 --- a/cpp/autosar/src/rules/M0-1-4/SingleUsePODVariable.qll +++ b/cpp/autosar/src/rules/M0-1-4/SingleUsePODVariable.qll @@ -10,8 +10,9 @@ int getUseCount(Variable v) { // We enforce that it's a POD type variable, so if it has an initializer it is explicit (if v.hasInitializer() then initializers = 1 else initializers = 0) and result = - initializers + count(v.getAnAccess()) + - count(UserProvidedConstructorFieldInit cfi | cfi.getTarget() = v) + initializers + + count(VariableAccess access | access = v.getAnAccess() and not access.isCompilerGenerated()) + + count(UserProvidedConstructorFieldInit cfi | cfi.getTarget() = v) ) } @@ -23,7 +24,9 @@ Element getSingleUse(Variable v) { or result = any(UserProvidedConstructorFieldInit cfi | cfi.getTarget() = v) or - result = v.getAnAccess() + exists(VariableAccess access | + access = v.getAnAccess() and not access.isCompilerGenerated() and result = access + ) ) } From bac21698fad1848816e129d590c7a18efe9dd418 Mon Sep 17 00:00:00 2001 
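Review bot: The filter `access = v.getAnAccess() and not access.isCompilerGenerated()` is now written out twice, once in the `count(...)` of `getUseCount` and once in the `exists(...)` of `getSingleUse` in the second hunk, and the two presumably have to stay identical for the reported single use to agree with the count. I would name it once, `private VariableAccess getAUserAccess(Variable v) { result = v.getAnAccess() and not result.isCompilerGenerated() }`, and then write `count(getAUserAccess(v))` and `result = getAUserAccess(v)` in the two places. The commit touches only the change note and the `.qll` file, so a test case with a compiler-generated access would be worth adding alongside it. Both predicates begin or end outside the hunks shown.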
From: Jeroen Ketema Date: Fri, 15 Jul 2022 17:36:22 +0200 Subject: [PATCH 09/32] Update symbol location in expected test output --- change_notes/2022-07-15-fix-A7-3-1-location-reporting.md | 2 ++ .../A7-3-1/DefinitionNotConsideredForUnqualifiedLookup.expected | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 change_notes/2022-07-15-fix-A7-3-1-location-reporting.md diff --git a/change_notes/2022-07-15-fix-A7-3-1-location-reporting.md b/change_notes/2022-07-15-fix-A7-3-1-location-reporting.md new file mode 100644 index 0000000000..b310d1c010 --- /dev/null +++ b/change_notes/2022-07-15-fix-A7-3-1-location-reporting.md @@ -0,0 +1,2 @@ +- `A7-3-1` - `DefinitionNotConsideredForUnqualifiedLookup.ql` + - The locations reported for names occurring in using-declarations has improved in the latest CodeQL versions. diff --git a/cpp/autosar/test/rules/A7-3-1/DefinitionNotConsideredForUnqualifiedLookup.expected b/cpp/autosar/test/rules/A7-3-1/DefinitionNotConsideredForUnqualifiedLookup.expected index a549240c66..ea0f998533 100644 --- a/cpp/autosar/test/rules/A7-3-1/DefinitionNotConsideredForUnqualifiedLookup.expected +++ b/cpp/autosar/test/rules/A7-3-1/DefinitionNotConsideredForUnqualifiedLookup.expected @@ -1 +1 @@ -| test.cpp:42:6:42:7 | declaration of f1 | Definition for 'f1' is not available for unqualified lookup because it is declared after $@ | test.cpp:39:1:39:13 | using f1 | using-declaration | +| test.cpp:42:6:42:7 | declaration of f1 | Definition for 'f1' is not available for unqualified lookup because it is declared after $@ | test.cpp:39:12:39:13 | using f1 | using-declaration | From e252fb3db40d93cb0f26d3dd01f5562343aaa993 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Fri, 15 Jul 2022 17:46:05 +0200 Subject: [PATCH 10/32] Fix braced initialization detection in A8-5-3 --- ...-fix-A8-5-3-braced-initialization-detection.md | 3 +++ .../A8-5-3/AvoidAutoWithBracedInitialization.ql | 2 +- cpp/autosar/test/rules/A8-5-3/test.cpp | 15 ++++++++------- 3 files changed, 12 insertions(+), 8 deletions(-) create mode 100644 change_notes/2022-06-01-fix-A8-5-3-braced-initialization-detection.md diff --git a/change_notes/2022-06-01-fix-A8-5-3-braced-initialization-detection.md b/change_notes/2022-06-01-fix-A8-5-3-braced-initialization-detection.md new file mode 100644 index 0000000000..ec48fda73a --- /dev/null +++ b/change_notes/2022-06-01-fix-A8-5-3-braced-initialization-detection.md @@ -0,0 +1,3 @@ +- `A8-5-3` - `AvoidAutoWithBracedInitialization.ql`: + - Fix regression where `auto x{0}` was no longer detected as a braced initialization with type `auto` with the latest CodeQL versions. + - No longer falsely detect cases where braced initialization was not used, but where the inferred type would be `std::initializer_list`. diff --git a/cpp/autosar/src/rules/A8-5-3/AvoidAutoWithBracedInitialization.ql b/cpp/autosar/src/rules/A8-5-3/AvoidAutoWithBracedInitialization.ql index b62b8785c3..bcb64dba8d 100644 --- a/cpp/autosar/src/rules/A8-5-3/AvoidAutoWithBracedInitialization.ql +++ b/cpp/autosar/src/rules/A8-5-3/AvoidAutoWithBracedInitialization.ql @@ -21,5 +21,5 @@ from Variable v where not isExcluded(v, InitializationPackage::avoidAutoWithBracedInitializationQuery()) and v.getTypeWithAuto().getUnspecifiedType() instanceof AutoType and - v.getType().getUnspecifiedType().(Class).hasQualifiedName("std", "initializer_list") + v.getInitializer().isBraced() select v, "Variable " + v.getName() + " of type auto uses braced initialization." diff --git a/cpp/autosar/test/rules/A8-5-3/test.cpp b/cpp/autosar/test/rules/A8-5-3/test.cpp index c17c8241a1..7baa9aa487 100644 --- a/cpp/autosar/test/rules/A8-5-3/test.cpp 
+++ b/cpp/autosar/test/rules/A8-5-3/test.cpp @@ -1,11 +1,12 @@ #include void test() { - auto a1(1); // COMPLIANT - auto a2{1}; // NON_COMPLIANT - auto a3 = 1; // COMPLIANT - auto a4 = {1}; // NON_COMPLIANT - int a5 = {1}; // COMPLIANT - const auto a6(1); // COMPLIANT - const auto a7{1}; // NON_COMPLIANT + auto a1(1); // COMPLIANT + auto a2{1}; // NON_COMPLIANT + auto a3 = 1; // COMPLIANT + auto a4 = {1}; // NON_COMPLIANT + int a5 = {1}; // COMPLIANT + const auto a6(1); // COMPLIANT + const auto a7{1}; // NON_COMPLIANT + auto a8 = std::initializer_list(); // COMPLIANT } \ No newline at end of file From 24d9942cc779fef5127249c59587d00c4a59ced8 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Jul 2022 20:30:47 +0200 Subject: [PATCH 11/32] Update to CodeQL 2.10.1 --- c/cert/src/codeql-pack.lock.yml | 2 +- c/cert/src/qlpack.yml | 2 +- c/cert/test/codeql-pack.lock.yml | 2 +- c/common/src/codeql-pack.lock.yml | 2 +- c/common/src/qlpack.yml | 2 +- c/common/test/codeql-pack.lock.yml | 2 +- c/misra/src/codeql-pack.lock.yml | 2 +- c/misra/src/qlpack.yml | 2 +- c/misra/test/codeql-pack.lock.yml | 2 +- cpp/autosar/src/codeql-pack.lock.yml | 2 +- cpp/autosar/src/qlpack.yml | 2 +- cpp/autosar/test/codeql-pack.lock.yml | 2 +- cpp/cert/src/codeql-pack.lock.yml | 2 +- cpp/cert/src/qlpack.yml | 2 +- cpp/cert/test/codeql-pack.lock.yml | 2 +- cpp/common/src/codeql-pack.lock.yml | 2 +- cpp/common/src/qlpack.yml | 2 +- cpp/common/test/codeql-pack.lock.yml | 2 +- cpp/misra/src/codeql-pack.lock.yml | 2 +- cpp/misra/src/qlpack.yml | 2 +- cpp/misra/test/codeql-pack.lock.yml | 2 +- cpp/report/src/codeql-pack.lock.yml | 2 +- cpp/report/src/qlpack.yml | 2 +- supported_codeql_configs.json | 6 +++--- 24 files changed, 26 insertions(+), 26 deletions(-) diff --git a/c/cert/src/codeql-pack.lock.yml b/c/cert/src/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/c/cert/src/codeql-pack.lock.yml +++ b/c/cert/src/codeql-pack.lock.yml 
@@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/c/cert/src/qlpack.yml b/c/cert/src/qlpack.yml index 2688a6cbe4..ab00bcba8e 100644 --- a/c/cert/src/qlpack.yml +++ b/c/cert/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-c-coding-standards: '*' - codeql/cpp-all: 0.2.3 + codeql/cpp-all: 0.3.1 diff --git a/c/cert/test/codeql-pack.lock.yml b/c/cert/test/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/c/cert/test/codeql-pack.lock.yml +++ b/c/cert/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/c/common/src/codeql-pack.lock.yml b/c/common/src/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/c/common/src/codeql-pack.lock.yml +++ b/c/common/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/c/common/src/qlpack.yml b/c/common/src/qlpack.yml index 60cf5604f0..d821daf3cf 100644 --- a/c/common/src/qlpack.yml +++ b/c/common/src/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/common-c-coding-standards version: 2.6.0-dev dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.2.3 + codeql/cpp-all: 0.3.1 diff --git a/c/common/test/codeql-pack.lock.yml b/c/common/test/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/c/common/test/codeql-pack.lock.yml +++ b/c/common/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/c/misra/src/codeql-pack.lock.yml b/c/misra/src/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/c/misra/src/codeql-pack.lock.yml +++ b/c/misra/src/codeql-pack.lock.yml 
@@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/c/misra/src/qlpack.yml b/c/misra/src/qlpack.yml index 223a56f619..80abbb2dd6 100644 --- a/c/misra/src/qlpack.yml +++ b/c/misra/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-c-coding-standards: '*' - codeql/cpp-all: 0.2.3 + codeql/cpp-all: 0.3.1 diff --git a/c/misra/test/codeql-pack.lock.yml b/c/misra/test/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/c/misra/test/codeql-pack.lock.yml +++ b/c/misra/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/autosar/src/codeql-pack.lock.yml b/cpp/autosar/src/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/autosar/src/codeql-pack.lock.yml +++ b/cpp/autosar/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/autosar/src/qlpack.yml b/cpp/autosar/src/qlpack.yml index 59af2d6bd8..8c715d1ab7 100644 --- a/cpp/autosar/src/qlpack.yml +++ b/cpp/autosar/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.2.3 + codeql/cpp-all: 0.3.1 diff --git a/cpp/autosar/test/codeql-pack.lock.yml b/cpp/autosar/test/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/autosar/test/codeql-pack.lock.yml +++ b/cpp/autosar/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/cert/src/codeql-pack.lock.yml b/cpp/cert/src/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/cert/src/codeql-pack.lock.yml +++ b/cpp/cert/src/codeql-pack.lock.yml 
@@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/cert/src/qlpack.yml b/cpp/cert/src/qlpack.yml index 4580367052..0a803153da 100644 --- a/cpp/cert/src/qlpack.yml +++ b/cpp/cert/src/qlpack.yml @@ -2,5 +2,5 @@ name: codeql/cert-cpp-coding-standards version: 2.6.0-dev suites: codeql-suites dependencies: - codeql/cpp-all: 0.2.3 + codeql/cpp-all: 0.3.1 codeql/common-cpp-coding-standards: '*' diff --git a/cpp/cert/test/codeql-pack.lock.yml b/cpp/cert/test/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/cert/test/codeql-pack.lock.yml +++ b/cpp/cert/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/common/src/codeql-pack.lock.yml b/cpp/common/src/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/common/src/codeql-pack.lock.yml +++ b/cpp/common/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/common/src/qlpack.yml b/cpp/common/src/qlpack.yml index fe9b103920..1726a860e3 100644 --- a/cpp/common/src/qlpack.yml +++ b/cpp/common/src/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/common-cpp-coding-standards version: 2.6.0-dev dependencies: - codeql/cpp-all: 0.2.3 + codeql/cpp-all: 0.3.1 diff --git a/cpp/common/test/codeql-pack.lock.yml b/cpp/common/test/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/common/test/codeql-pack.lock.yml +++ b/cpp/common/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/misra/src/codeql-pack.lock.yml b/cpp/misra/src/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/misra/src/codeql-pack.lock.yml +++ b/cpp/misra/src/codeql-pack.lock.yml 
@@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/misra/src/qlpack.yml b/cpp/misra/src/qlpack.yml index b2b60929b0..2156a1d22f 100644 --- a/cpp/misra/src/qlpack.yml +++ b/cpp/misra/src/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/misra-cpp-coding-standards version: 2.6.0-dev dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.2.3 + codeql/cpp-all: 0.3.1 diff --git a/cpp/misra/test/codeql-pack.lock.yml b/cpp/misra/test/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/misra/test/codeql-pack.lock.yml +++ b/cpp/misra/test/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/report/src/codeql-pack.lock.yml b/cpp/report/src/codeql-pack.lock.yml index b0f02a9d1f..98fd8cb0ea 100644 --- a/cpp/report/src/codeql-pack.lock.yml +++ b/cpp/report/src/codeql-pack.lock.yml @@ -1,6 +1,6 @@ --- dependencies: codeql/cpp-all: - version: 0.2.3 + version: 0.3.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/report/src/qlpack.yml b/cpp/report/src/qlpack.yml index 4d8fa75c36..c85d14cd4e 100644 --- a/cpp/report/src/qlpack.yml +++ b/cpp/report/src/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/report-cpp-coding-standards version: 2.6.0-dev dependencies: - codeql/cpp-all: 0.2.3 + codeql/cpp-all: 0.3.1 diff --git a/supported_codeql_configs.json b/supported_codeql_configs.json index 269af480e3..52435c7ac1 100644 --- a/supported_codeql_configs.json +++ b/supported_codeql_configs.json @@ -1,9 +1,9 @@ { "supported_environment": [ { - "codeql_cli": "2.9.4", - "codeql_standard_library": "codeql-cli/v2.9.4", - "codeql_cli_bundle": "codeql-bundle-20220615" + "codeql_cli": "2.10.1", + "codeql_standard_library": "codeql-cli/v2.10.1", + "codeql_cli_bundle": "codeql-bundle-20220714" } ], "supported_language" : [ From 70b684a81b323eec461bf9386ac02327688d2e90 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 19 Jul 2022 20:31:16 +0200 Subject: [PATCH 12/32] Bump codeql submodule --- codeql_modules/codeql | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/codeql_modules/codeql b/codeql_modules/codeql index 28fe7a7660..fd7561cf27 160000 --- a/codeql_modules/codeql +++ b/codeql_modules/codeql @@ -1 +1 @@ -Subproject commit 28fe7a76603ab7ef884ca35115b63104ecb699a7 +Subproject commit fd7561cf279f64ee266ccdc6746e8d66d81c6b8e From 5b6e9c28eb1f36322a47b7f99d662ca5b2de3125 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 19 Jul 2022 20:31:42 +0200 Subject: [PATCH 13/32] Fix A2-10-4 and A2-10-5 test results --- change_notes/2022-06-28-detect-static-namespace-members.md | 6 ++++++ ...IdentifierNameOfStaticFunctionReusedInNamespace.expected | 2 ++ ...ierNameOfStaticNonMemberObjectReusedInNamespace.expected | 2 ++ cpp/autosar/test/rules/A2-10-4/test1b.cpp | 5 ++--- ...mberObjectWithExternalOrInternalLinkageIsReused.expected | 6 ++++-- .../IdentifierNameOfAStaticFunctionIsReused.expected | 4 ++-- cpp/autosar/test/rules/A2-10-5/test1b.cpp | 3 +-- 7 files changed, 19 insertions(+), 9 deletions(-) create mode 100644 change_notes/2022-06-28-detect-static-namespace-members.md diff --git a/change_notes/2022-06-28-detect-static-namespace-members.md b/change_notes/2022-06-28-detect-static-namespace-members.md new file mode 100644 index 0000000000..05af4deb79 --- /dev/null +++ b/change_notes/2022-06-28-detect-static-namespace-members.md 
@@ -0,0 +1,6 @@ +- `A2-10-4` - `IdentifierNameOfStaticFunctionReusedInNamespace.ql`: + - Reuse of an identifier name of a static function in a namespace is now detected. +- `A2-10-4` - `IdentifierNameOfStaticNonMemberObjectReusedInNamespace.ql`: + - Reuse of an identifier name of a static non-member object in a namespace is now detected. +- `A2-10-5` - `IdentifierNameOfStaticNonMemberObjectWithExternalOrInternalLinkageIsReused.ql`: + - Reuse of an identifier name of a static non-member object with internal linkage in a namespace is now detected. diff --git a/cpp/autosar/test/rules/A2-10-4/IdentifierNameOfStaticFunctionReusedInNamespace.expected b/cpp/autosar/test/rules/A2-10-4/IdentifierNameOfStaticFunctionReusedInNamespace.expected index e69de29bb2..180e52c6f1 100644 --- a/cpp/autosar/test/rules/A2-10-4/IdentifierNameOfStaticFunctionReusedInNamespace.expected +++ b/cpp/autosar/test/rules/A2-10-4/IdentifierNameOfStaticFunctionReusedInNamespace.expected @@ -0,0 +1,2 @@ +| test1a.cpp:13:13:13:14 | f1 | Static function $@ reuses identifier of $@ | test1a.cpp:13:13:13:14 | f1 | f1 | test1b.cpp:6:13:6:14 | f1 | f1 | +| test1b.cpp:6:13:6:14 | f1 | Static function $@ reuses identifier of $@ | test1b.cpp:6:13:6:14 | f1 | f1 | test1a.cpp:13:13:13:14 | f1 | f1 | diff --git a/cpp/autosar/test/rules/A2-10-4/IdentifierNameOfStaticNonMemberObjectReusedInNamespace.expected b/cpp/autosar/test/rules/A2-10-4/IdentifierNameOfStaticNonMemberObjectReusedInNamespace.expected index e69de29bb2..9eef8da1b5 100644 --- a/cpp/autosar/test/rules/A2-10-4/IdentifierNameOfStaticNonMemberObjectReusedInNamespace.expected +++ b/cpp/autosar/test/rules/A2-10-4/IdentifierNameOfStaticNonMemberObjectReusedInNamespace.expected 
@@ -0,0 +1,2 @@ +| test1a.cpp:2:12:2:13 | v1 | Non-member static object $@ reuses identifier name of non-member static object $@ | test1a.cpp:2:12:2:13 | v1 | v1 | test1b.cpp:2:12:2:13 | v1 | v1 | +| test1b.cpp:2:12:2:13 | v1 | Non-member static object $@ reuses identifier name of non-member static object $@ | test1b.cpp:2:12:2:13 | v1 | v1 | test1a.cpp:2:12:2:13 | v1 | v1 | diff --git a/cpp/autosar/test/rules/A2-10-4/test1b.cpp b/cpp/autosar/test/rules/A2-10-4/test1b.cpp index 49a01226c3..c8a0e8a4b5 100644 --- a/cpp/autosar/test/rules/A2-10-4/test1b.cpp +++ b/cpp/autosar/test/rules/A2-10-4/test1b.cpp @@ -3,7 +3,6 @@ static int v1 = 3; // NON_COMPLIANT } // namespace ns1 namespace ns3 { -static void f1() {} // NON_COMPLIANT - Not accepted by Clang linker and - // therefore not alerted upon. +static void f1() {} // NON_COMPLIANT - Not accepted by Clang linker void f2() {} // COMPLIANT - Not accepted by Clang linker -} // namespace ns3 \ No newline at end of file +} // namespace ns3 diff --git a/cpp/autosar/test/rules/A2-10-5/IdentifierNameOfANonMemberObjectWithExternalOrInternalLinkageIsReused.expected b/cpp/autosar/test/rules/A2-10-5/IdentifierNameOfANonMemberObjectWithExternalOrInternalLinkageIsReused.expected index aac4b23463..7667818c63 100644 --- a/cpp/autosar/test/rules/A2-10-5/IdentifierNameOfANonMemberObjectWithExternalOrInternalLinkageIsReused.expected +++ b/cpp/autosar/test/rules/A2-10-5/IdentifierNameOfANonMemberObjectWithExternalOrInternalLinkageIsReused.expected 
@@ -1,2 +1,4 @@ -| test1a.cpp:6:12:6:13 | g3 | Identifier name of non-member object $@ reuses the identifier name of non-member object $@. | test1a.cpp:6:12:6:13 | g3 | g3 | test1b.cpp:7:12:7:13 | g3 | g3 | -| test1b.cpp:7:12:7:13 | g3 | Identifier name of non-member object $@ reuses the identifier name of non-member object $@. | test1b.cpp:7:12:7:13 | g3 | g3 | test1a.cpp:6:12:6:13 | g3 | g3 | +| test1a.cpp:2:12:2:13 | g1 | Identifier name of non-member object $@ reuses the identifier name of non-member object $@. | test1a.cpp:2:12:2:13 | g1 | g1 | test1b.cpp:2:12:2:13 | g1 | g1 | +| test1a.cpp:6:12:6:13 | g3 | Identifier name of non-member object $@ reuses the identifier name of non-member object $@. | test1a.cpp:6:12:6:13 | g3 | g3 | test1b.cpp:6:12:6:13 | g3 | g3 | +| test1b.cpp:2:12:2:13 | g1 | Identifier name of non-member object $@ reuses the identifier name of non-member object $@. | test1b.cpp:2:12:2:13 | g1 | g1 | test1a.cpp:2:12:2:13 | g1 | g1 | +| test1b.cpp:6:12:6:13 | g3 | Identifier name of non-member object $@ reuses the identifier name of non-member object $@. | test1b.cpp:6:12:6:13 | g3 | g3 | test1a.cpp:6:12:6:13 | g3 | g3 | diff --git a/cpp/autosar/test/rules/A2-10-5/IdentifierNameOfAStaticFunctionIsReused.expected b/cpp/autosar/test/rules/A2-10-5/IdentifierNameOfAStaticFunctionIsReused.expected index d84cdee2b0..c9eea3450b 100644 --- a/cpp/autosar/test/rules/A2-10-5/IdentifierNameOfAStaticFunctionIsReused.expected +++ b/cpp/autosar/test/rules/A2-10-5/IdentifierNameOfAStaticFunctionIsReused.expected 
@@ -1,2 +1,2 @@ -| test1a.cpp:7:13:7:14 | f1 | Identifier name of static function $@ reuses identifier name of static function $@ | test1a.cpp:7:13:7:14 | f1 | f1 | test1b.cpp:10:13:10:14 | f1 | f1 | -| test1b.cpp:10:13:10:14 | f1 | Identifier name of static function $@ reuses identifier name of static function $@ | test1b.cpp:10:13:10:14 | f1 | f1 | test1a.cpp:7:13:7:14 | f1 | f1 | +| test1a.cpp:7:13:7:14 | f1 | Identifier name of static function $@ reuses identifier name of static function $@ | test1a.cpp:7:13:7:14 | f1 | f1 | test1b.cpp:9:13:9:14 | f1 | f1 | +| test1b.cpp:9:13:9:14 | f1 | Identifier name of static function $@ reuses identifier name of static function $@ | test1b.cpp:9:13:9:14 | f1 | f1 | test1a.cpp:7:13:7:14 | f1 | f1 | diff --git a/cpp/autosar/test/rules/A2-10-5/test1b.cpp b/cpp/autosar/test/rules/A2-10-5/test1b.cpp index 3a42797cc4..4d9d72e9d5 100644 --- a/cpp/autosar/test/rules/A2-10-5/test1b.cpp +++ b/cpp/autosar/test/rules/A2-10-5/test1b.cpp @@ -1,6 +1,5 @@ namespace n1 { -static int g1 = 1; // NON_COMPLIANT[FALSE_NEGATIVE], considered the same as - // n1::g1 in test1a.cpp. +static int g1 = 1; // NON_COMPLIANT } namespace n2 { From 5deb10880f9aabdca220f97d1113064405127b34 Mon Sep 17 00:00:00 2001 From: erik-krogh Date: Thu, 25 Aug 2022 10:43:13 +0200 Subject: [PATCH 14/32] use idPod instead of isPOD --- .../src/codingstandards/cpp/HardwareOrProtocolInterface.qll | 2 +- .../src/rules/A11-0-1/NonPodTypeShouldBeDefinedAsClass.ql | 2 +- .../A12-0-2/OperationsAssumingMemoryLayoutPerformedOnObjects.ql | 2 +- ...cingWithHardwareOrProtocolsMustBeTrivialAndStandardLayout.ql | 2 +- .../src/rules/M11-0-1/MemberDataInNonPodClassTypesNotPrivate.ql | 2 +- cpp/common/src/codingstandards/cpp/TrivialType.qll | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/cpp/autosar/src/codingstandards/cpp/HardwareOrProtocolInterface.qll b/cpp/autosar/src/codingstandards/cpp/HardwareOrProtocolInterface.qll index 673d7045ed..d92a28e477 100644 
--- a/cpp/autosar/src/codingstandards/cpp/HardwareOrProtocolInterface.qll +++ b/cpp/autosar/src/codingstandards/cpp/HardwareOrProtocolInterface.qll @@ -39,7 +39,7 @@ class DefinedSizeType extends Type { class DefinedSizeClass extends Class { DefinedSizeClass() { - this.isPOD() and + this.isPod() and forall(Field f | f = this.getAField() | f.getType() instanceof DefinedSizeType) } } diff --git a/cpp/autosar/src/rules/A11-0-1/NonPodTypeShouldBeDefinedAsClass.ql b/cpp/autosar/src/rules/A11-0-1/NonPodTypeShouldBeDefinedAsClass.ql index 7867af2fdc..41611c5536 100644 --- a/cpp/autosar/src/rules/A11-0-1/NonPodTypeShouldBeDefinedAsClass.ql +++ b/cpp/autosar/src/rules/A11-0-1/NonPodTypeShouldBeDefinedAsClass.ql @@ -22,5 +22,5 @@ import codingstandards.cpp.Typehelpers from Struct s where not isExcluded(s, ClassesPackage::nonPodTypeShouldBeDefinedAsClassQuery()) and - not s.isPOD() + not s.isPod() select s, "Non-POD type defined as struct instead of class." diff --git a/cpp/autosar/src/rules/A12-0-2/OperationsAssumingMemoryLayoutPerformedOnObjects.ql b/cpp/autosar/src/rules/A12-0-2/OperationsAssumingMemoryLayoutPerformedOnObjects.ql index 865c7189ad..4248b223b0 100644 --- a/cpp/autosar/src/rules/A12-0-2/OperationsAssumingMemoryLayoutPerformedOnObjects.ql +++ b/cpp/autosar/src/rules/A12-0-2/OperationsAssumingMemoryLayoutPerformedOnObjects.ql @@ -19,7 +19,7 @@ import cpp import codingstandards.cpp.autosar class Object extends Class { - Object() { not this.(Struct).isPOD() } + Object() { not this.(Struct).isPod() } } predicate isPointerToObject(Expr e) { diff --git a/cpp/autosar/src/rules/A9-6-1/DataTypesUsedForInterfacingWithHardwareOrProtocolsMustBeTrivialAndStandardLayout.ql b/cpp/autosar/src/rules/A9-6-1/DataTypesUsedForInterfacingWithHardwareOrProtocolsMustBeTrivialAndStandardLayout.ql index 1d89b275f6..0fd09210f7 100644 --- a/cpp/autosar/src/rules/A9-6-1/DataTypesUsedForInterfacingWithHardwareOrProtocolsMustBeTrivialAndStandardLayout.ql 
+++ b/cpp/autosar/src/rules/A9-6-1/DataTypesUsedForInterfacingWithHardwareOrProtocolsMustBeTrivialAndStandardLayout.ql @@ -23,6 +23,6 @@ from HardwareOrProtocolInterfaceClass c where not isExcluded(c, ClassesPackage::dataTypesUsedForInterfacingWithHardwareOrProtocolsMustBeTrivialAndStandardLayoutQuery()) and - not c.isPOD() + not c.isPod() select c, "Data type used for hardware interface or communication protocol is not standard layout and trivial." diff --git a/cpp/autosar/src/rules/M11-0-1/MemberDataInNonPodClassTypesNotPrivate.ql b/cpp/autosar/src/rules/M11-0-1/MemberDataInNonPodClassTypesNotPrivate.ql index b60594b8a9..a9902a72e0 100644 --- a/cpp/autosar/src/rules/M11-0-1/MemberDataInNonPodClassTypesNotPrivate.ql +++ b/cpp/autosar/src/rules/M11-0-1/MemberDataInNonPodClassTypesNotPrivate.ql @@ -17,7 +17,7 @@ import cpp import codingstandards.cpp.autosar class NonPODType extends Class { - NonPODType() { not this.isPOD() } + NonPODType() { not this.isPod() } } from NonPODType p, Field f diff --git a/cpp/common/src/codingstandards/cpp/TrivialType.qll b/cpp/common/src/codingstandards/cpp/TrivialType.qll index bbbdea852d..71b5f8fd47 100644 --- a/cpp/common/src/codingstandards/cpp/TrivialType.qll +++ b/cpp/common/src/codingstandards/cpp/TrivialType.qll @@ -284,7 +284,7 @@ predicate isTrivialType(Type t) { /** A POD type as defined by [basic.types]/9. */ class PODType extends Type { PODType() { - this.(Class).isPOD() + this.(Class).isPod() or isScalarType(this) or From e9444e1bde6696badfb846f41aeb7502497cabeb Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 30 Aug 2022 14:23:07 +0200 Subject: [PATCH 15/32] Replace `XMLElement` by `XmlElement` and `XMLFile` by `XmlFile` `XMLElement` and `XMLFile` are deprecated from CodeQL 2.10.4 onwards. `XmlElement` and `XmlFile` are their direct replacements. --- .../cpp/deviations/Deviations.qll | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/cpp/common/src/codingstandards/cpp/deviations/Deviations.qll b/cpp/common/src/codingstandards/cpp/deviations/Deviations.qll index dbc6a240cd..f902fd556c 100644 --- a/cpp/common/src/codingstandards/cpp/deviations/Deviations.qll +++ b/cpp/common/src/codingstandards/cpp/deviations/Deviations.qll @@ -16,7 +16,7 @@ predicate applyDeviationsAtQueryLevel() { } /** A `coding-standards.xml` configuration file (usually generated from an YAML configuration file). */ -class CodingStandardsFile extends XMLFile { +class CodingStandardsFile extends XmlFile { CodingStandardsFile() { this.getBaseName() = "coding-standards.xml" and // Must be within the users source code. @@ -25,7 +25,7 @@ class CodingStandardsFile extends XMLFile { } /** A "Coding Standards" configuration file */ -class CodingStandardsConfig extends XMLElement { +class CodingStandardsConfig extends XmlElement { CodingStandardsConfig() { any(CodingStandardsFile csf).getARootElement() = this and this.getName() = "codingstandards" @@ -36,7 +36,7 @@ class CodingStandardsConfig extends XMLElement { } /** An element which tells the analysis whether to report deviated results. */ -class CodingStandardsReportDeviatedAlerts extends XMLElement { +class CodingStandardsReportDeviatedAlerts extends XmlElement { CodingStandardsReportDeviatedAlerts() { getParent() instanceof CodingStandardsConfig and hasName("report-deviated-alerts") @@ -44,7 +44,7 @@ class CodingStandardsReportDeviatedAlerts extends XMLElement { } /** A container of deviation records. */ -class DeviationRecords extends XMLElement { +class DeviationRecords extends XmlElement { DeviationRecords() { getParent() instanceof CodingStandardsConfig and hasName("deviations") 
@@ -52,7 +52,7 @@ class DeviationRecords extends XMLElement { } /** A container for the deviation permits records. */ -class DeviationPermits extends XMLElement { +class DeviationPermits extends XmlElement { DeviationPermits() { getParent() instanceof CodingStandardsConfig and hasName("deviation-permits") @@ -60,7 +60,7 @@ class DeviationPermits extends XMLElement { } /** A deviation permit record, that is specified by a permit identifier */ -class DeviationPermit extends XMLElement { +class DeviationPermit extends XmlElement { DeviationPermit() { getParent() instanceof DeviationPermits and hasName("deviation-permits-entry") @@ -143,7 +143,7 @@ class DeviationPermit extends XMLElement { } /** A deviation record, that is a specified rule or query */ -class DeviationRecord extends XMLElement { +class DeviationRecord extends XmlElement { DeviationRecord() { getParent() instanceof DeviationRecords and hasName("deviations-entry") @@ -159,13 +159,13 @@ class DeviationRecord extends XMLElement { private string getRawPermitId() { result = getAChild("permit-id").getTextValue() } - private XMLElement getRawRaisedBy() { result = getAChild("raised-by") } + private XmlElement getRawRaisedBy() { result = getAChild("raised-by") } private string getRawRaisedByName() { result = getRawRaisedBy().getAChild("name").getTextValue() } private string getRawRaisedByDate() { result = getRawRaisedBy().getAChild("date").getTextValue() } - private XMLElement getRawApprovedBy() { result = getAChild("approved-by") } + private XmlElement getRawApprovedBy() { result = getAChild("approved-by") } private string getRawApprovedByName() { result = getRawApprovedBy().getAChild("name").getTextValue() From 422bdb3776dd55ecb5a753c45810748cb3f8e448 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Fri, 2 Sep 2022 13:39:20 +0200 Subject: [PATCH 16/32] Replace `NULLMacro` by `NullMacro` --- c/common/src/codingstandards/c/Pointers.qll | 2 +- .../src/codingstandards/cpp/enhancements/MacroEnhacements.qll | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/c/common/src/codingstandards/c/Pointers.qll b/c/common/src/codingstandards/c/Pointers.qll index 87ade425e1..3d216e009a 100644 --- a/c/common/src/codingstandards/c/Pointers.qll +++ b/c/common/src/codingstandards/c/Pointers.qll @@ -9,7 +9,7 @@ import codingstandards.cpp.Type * A null pointer constant, which is either in the form `NULL` or `(void *)0`. */ predicate isNullPointerConstant(Expr e) { - e.findRootCause() instanceof NULLMacro + e.findRootCause() instanceof NullMacro or exists(CStyleCast c | not c.isImplicit() and diff --git a/cpp/common/src/codingstandards/cpp/enhancements/MacroEnhacements.qll b/cpp/common/src/codingstandards/cpp/enhancements/MacroEnhacements.qll index ba132f5892..be79397929 100644 --- a/cpp/common/src/codingstandards/cpp/enhancements/MacroEnhacements.qll +++ b/cpp/common/src/codingstandards/cpp/enhancements/MacroEnhacements.qll @@ -29,7 +29,7 @@ module MacroEnhancements { /** A use of the NULL macro. */ class NULL extends StandardLibrary::Literal { NULL() { - exists(StandardLibrary::NULLMacro nm | this = nm.getAnInvocation().getAnExpandedElement()) + exists(StandardLibrary::NullMacro nm | this = nm.getAnInvocation().getAnExpandedElement()) } } } From 799fc609d2db30a1969f9c3c8f2c26da0c80b6cd Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Sun, 30 Oct 2022 09:27:31 +0100 Subject: [PATCH 17/32] Update to CodeQL 2.11.0 --- c/cert/src/codeql-pack.lock.yml | 4 +++- c/cert/src/qlpack.yml | 2 +- c/cert/test/codeql-pack.lock.yml | 4 +++- c/common/src/codeql-pack.lock.yml | 4 +++- c/common/src/qlpack.yml | 2 +- c/common/test/codeql-pack.lock.yml | 4 +++- c/misra/src/codeql-pack.lock.yml | 4 +++- c/misra/src/qlpack.yml | 2 +- c/misra/test/codeql-pack.lock.yml | 4 +++- codeql_modules/codeql | 2 +- cpp/autosar/src/codeql-pack.lock.yml | 4 +++- cpp/autosar/src/qlpack.yml | 2 +- cpp/autosar/test/codeql-pack.lock.yml | 4 +++- cpp/cert/src/codeql-pack.lock.yml | 4 +++- cpp/cert/src/qlpack.yml | 2 +- cpp/cert/test/codeql-pack.lock.yml | 4 +++- cpp/common/src/codeql-pack.lock.yml | 4 +++- cpp/common/src/qlpack.yml | 2 +- cpp/common/test/codeql-pack.lock.yml | 4 +++- cpp/misra/src/codeql-pack.lock.yml | 4 +++- cpp/misra/src/qlpack.yml | 2 +- cpp/misra/test/codeql-pack.lock.yml | 4 +++- cpp/report/src/codeql-pack.lock.yml | 4 +++- cpp/report/src/qlpack.yml | 2 +- supported_codeql_configs.json | 6 +++--- 25 files changed, 57 insertions(+), 27 deletions(-) diff --git a/c/cert/src/codeql-pack.lock.yml b/c/cert/src/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/c/cert/src/codeql-pack.lock.yml +++ b/c/cert/src/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/c/cert/src/qlpack.yml b/c/cert/src/qlpack.yml index ab00bcba8e..0127035965 100644 --- a/c/cert/src/qlpack.yml +++ b/c/cert/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-c-coding-standards: '*' - codeql/cpp-all: 0.3.1 + codeql/cpp-all: 0.4.0 diff --git a/c/cert/test/codeql-pack.lock.yml b/c/cert/test/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/c/cert/test/codeql-pack.lock.yml +++ b/c/cert/test/codeql-pack.lock.yml 
@@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/c/common/src/codeql-pack.lock.yml b/c/common/src/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/c/common/src/codeql-pack.lock.yml +++ b/c/common/src/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/c/common/src/qlpack.yml b/c/common/src/qlpack.yml index d821daf3cf..0125987fca 100644 --- a/c/common/src/qlpack.yml +++ b/c/common/src/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/common-c-coding-standards version: 2.6.0-dev dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.3.1 + codeql/cpp-all: 0.4.0 diff --git a/c/common/test/codeql-pack.lock.yml b/c/common/test/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/c/common/test/codeql-pack.lock.yml +++ b/c/common/test/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/c/misra/src/codeql-pack.lock.yml b/c/misra/src/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/c/misra/src/codeql-pack.lock.yml +++ b/c/misra/src/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/c/misra/src/qlpack.yml b/c/misra/src/qlpack.yml index 80abbb2dd6..aaeaed24ab 100644 --- a/c/misra/src/qlpack.yml +++ b/c/misra/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-c-coding-standards: '*' - codeql/cpp-all: 0.3.1 + codeql/cpp-all: 0.4.0 diff --git a/c/misra/test/codeql-pack.lock.yml b/c/misra/test/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 
--- a/c/misra/test/codeql-pack.lock.yml +++ b/c/misra/test/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/codeql_modules/codeql b/codeql_modules/codeql index fd7561cf27..87cc0481a0 160000 --- a/codeql_modules/codeql +++ b/codeql_modules/codeql @@ -1 +1 @@ -Subproject commit fd7561cf279f64ee266ccdc6746e8d66d81c6b8e +Subproject commit 87cc0481a06e389c765fe916ce01e3a1c4329a2c diff --git a/cpp/autosar/src/codeql-pack.lock.yml b/cpp/autosar/src/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/autosar/src/codeql-pack.lock.yml +++ b/cpp/autosar/src/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/autosar/src/qlpack.yml b/cpp/autosar/src/qlpack.yml index 8c715d1ab7..6dba3a5375 100644 --- a/cpp/autosar/src/qlpack.yml +++ b/cpp/autosar/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.6.0-dev suites: codeql-suites dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.3.1 + codeql/cpp-all: 0.4.0 diff --git a/cpp/autosar/test/codeql-pack.lock.yml b/cpp/autosar/test/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/autosar/test/codeql-pack.lock.yml +++ b/cpp/autosar/test/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/cert/src/codeql-pack.lock.yml b/cpp/cert/src/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/cert/src/codeql-pack.lock.yml +++ b/cpp/cert/src/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 
diff --git a/cpp/cert/src/qlpack.yml b/cpp/cert/src/qlpack.yml index 0a803153da..b1370255be 100644 --- a/cpp/cert/src/qlpack.yml +++ b/cpp/cert/src/qlpack.yml @@ -2,5 +2,5 @@ name: codeql/cert-cpp-coding-standards version: 2.6.0-dev suites: codeql-suites dependencies: - codeql/cpp-all: 0.3.1 + codeql/cpp-all: 0.4.0 codeql/common-cpp-coding-standards: '*' diff --git a/cpp/cert/test/codeql-pack.lock.yml b/cpp/cert/test/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/cert/test/codeql-pack.lock.yml +++ b/cpp/cert/test/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/common/src/codeql-pack.lock.yml b/cpp/common/src/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/common/src/codeql-pack.lock.yml +++ b/cpp/common/src/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/common/src/qlpack.yml b/cpp/common/src/qlpack.yml index 1726a860e3..f4d8dffac4 100644 --- a/cpp/common/src/qlpack.yml +++ b/cpp/common/src/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/common-cpp-coding-standards version: 2.6.0-dev dependencies: - codeql/cpp-all: 0.3.1 + codeql/cpp-all: 0.4.0 diff --git a/cpp/common/test/codeql-pack.lock.yml b/cpp/common/test/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/common/test/codeql-pack.lock.yml +++ b/cpp/common/test/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/misra/src/codeql-pack.lock.yml b/cpp/misra/src/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/misra/src/codeql-pack.lock.yml +++ b/cpp/misra/src/codeql-pack.lock.yml 
@@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/misra/src/qlpack.yml b/cpp/misra/src/qlpack.yml index 2156a1d22f..8880350a66 100644 --- a/cpp/misra/src/qlpack.yml +++ b/cpp/misra/src/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/misra-cpp-coding-standards version: 2.6.0-dev dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.3.1 + codeql/cpp-all: 0.4.0 diff --git a/cpp/misra/test/codeql-pack.lock.yml b/cpp/misra/test/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/misra/test/codeql-pack.lock.yml +++ b/cpp/misra/test/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/report/src/codeql-pack.lock.yml b/cpp/report/src/codeql-pack.lock.yml index 98fd8cb0ea..95e394b2f4 100644 --- a/cpp/report/src/codeql-pack.lock.yml +++ b/cpp/report/src/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- dependencies: codeql/cpp-all: - version: 0.3.1 + version: 0.4.0 + codeql/ssa: + version: 0.0.1 compiled: false lockVersion: 1.0.0 diff --git a/cpp/report/src/qlpack.yml b/cpp/report/src/qlpack.yml index c85d14cd4e..c64d2ae3e6 100644 --- a/cpp/report/src/qlpack.yml +++ b/cpp/report/src/qlpack.yml @@ -1,4 +1,4 @@ name: codeql/report-cpp-coding-standards version: 2.6.0-dev dependencies: - codeql/cpp-all: 0.3.1 + codeql/cpp-all: 0.4.0 diff --git a/supported_codeql_configs.json b/supported_codeql_configs.json index 52435c7ac1..da79ca3c10 100644 --- a/supported_codeql_configs.json +++ b/supported_codeql_configs.json 
@@ -1,9 +1,9 @@ { "supported_environment": [ { - "codeql_cli": "2.10.1", - "codeql_standard_library": "codeql-cli/v2.10.1", - "codeql_cli_bundle": "codeql-bundle-20220714" + "codeql_cli": "2.11.0", + "codeql_standard_library": "codeql-cli/v2.11.0", + "codeql_cli_bundle": "codeql-bundle-20220923" } ], "supported_language" : [ From a38938d00b769b2cb3c654d7644568a83b7d7aaf Mon Sep 17 00:00:00 2001 From: Tom Hvitved Date: Tue, 1 Nov 2022 11:28:06 +0100 Subject: [PATCH 18/32] Update expected test output --- .../FIO32-C/DoNotPerformFileOperationsOnDevices.expected | 4 ---- 1 file changed, 4 deletions(-) diff --git a/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected b/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected index c9252151d5..b4852b09e7 100644 --- a/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected +++ b/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected 
@@ -23,18 +23,14 @@ nodes | test.c:20:15:20:23 | file_name | semmle.label | file_name | | test.c:20:15:20:23 | scanf output argument | semmle.label | scanf output argument | | test.c:21:8:21:16 | (const char *)... | semmle.label | (const char *)... | -| test.c:21:8:21:16 | (const char *)... | semmle.label | (const char *)... | | test.c:21:8:21:16 | file_name | semmle.label | file_name | | test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection | -| test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection | | test.c:45:15:45:23 | array to pointer conversion | semmle.label | array to pointer conversion | | test.c:45:15:45:23 | file_name | semmle.label | file_name | | test.c:45:15:45:23 | scanf output argument | semmle.label | scanf output argument | | test.c:46:29:46:37 | (LPCTSTR)... | semmle.label | (LPCTSTR)... | -| test.c:46:29:46:37 | (LPCTSTR)... | semmle.label | (LPCTSTR)... | | test.c:46:29:46:37 | file_name | semmle.label | file_name | | test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection | -| test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection | #select | test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen((unnamed parameter 0)) | test.c:20:15:20:23 | file_name | user input (scanf) | | test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName) | test.c:45:15:45:23 | file_name | user input (scanf) | From b3f8d13fbb5022c0485eedc85a62d439e7d16b21 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 6 Dec 2022 16:24:27 +0100 Subject: [PATCH 19/32] C++: Pull in the latest version of `TaintedPath.ql` from CodeQL --- .../DoNotPerformFileOperationsOnDevices.ql | 94 ++++++++++++++++--- ...NotPerformFileOperationsOnDevices.expected | 26 +---- 2 files changed, 86 insertions(+), 34 deletions(-) diff --git a/c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql b/c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql index 2d16b2ffea..8906e01b8c 100644 --- a/c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql +++ b/c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql @@ -12,11 +12,11 @@ */ import cpp -import codingstandards.c.cert import semmle.code.cpp.security.FunctionWithWrappers import semmle.code.cpp.security.Security -import semmle.code.cpp.security.TaintTracking -import TaintedWithPath +import semmle.code.cpp.ir.IR +import semmle.code.cpp.ir.dataflow.TaintTracking +import DataFlow::PathGraph // Query TaintedPath.ql from the CodeQL standard library /** 
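Review bot: Dropping `import codingstandards.c.cert` in this hunk, together with the `not isExcluded(taintedArg, IO3Package::doNotPerformFileOperationsOnDevicesQuery()) and` conjunct that the next hunk removes from the `where` clause, leaves this query without the exclusion check that other rule queries in this series still apply (for example `not isExcluded(s, ClassesPackage::nonPodTypeShouldBeDefinedAsClassQuery())` in `NonPodTypeShouldBeDefinedAsClass.ql`). Judging by the name and by the deviations library touched elsewhere in the series, that predicate is presumably what lets a configured deviation suppress a result, so FIO32-C alerts would no longer honour one. Unless the upstream copy is meant to run unfiltered, keep the import next to the new `semmle.code.cpp.ir` imports and restore the conjunct as the first line of `where`.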
@@ -45,20 +45,92 @@ class FileFunction extends FunctionWithWrappers { override predicate interestingArg(int arg) { arg = 0 } } -class TaintedPathConfiguration extends TaintTrackingConfiguration { - override predicate isSink(Element tainted) { - exists(FileFunction fileFunction | fileFunction.outermostWrapperFunctionCall(tainted, _)) +Expr asSourceExpr(DataFlow::Node node) { + result = node.asConvertedExpr() + or + result = node.asDefiningArgument() +} + +Expr asSinkExpr(DataFlow::Node node) { + result = + node.asOperand() + .(SideEffectOperand) + .getUse() + .(ReadSideEffectInstruction) + .getArgumentDef() + .getUnconvertedResultExpression() +} + +/** + * Holds for a variable that has any kind of upper-bound check anywhere in the program. + * This is biased towards being inclusive and being a coarse overapproximation because + * there are a lot of valid ways of doing an upper bounds checks if we don't consider + * where it occurs, for example: + * ```cpp + * if (x < 10) { sink(x); } + * + * if (10 > y) { sink(y); } + * + * if (z > 10) { z = 10; } + * sink(z); + * ``` + */ +predicate hasUpperBoundsCheck(Variable var) { + exists(RelationalOperation oper, VariableAccess access | + oper.getAnOperand() = access and + access.getTarget() = var and + // Comparing to 0 is not an upper bound check + not oper.getAnOperand().getValue() = "0" + ) +} + +class TaintedPathConfiguration extends TaintTracking::Configuration { + TaintedPathConfiguration() { this = "TaintedPathConfiguration" } + + override predicate isSource(DataFlow::Node node) { isUserInput(asSourceExpr(node), _) } + + override predicate isSink(DataFlow::Node node) { + exists(FileFunction fileFunction | + fileFunction.outermostWrapperFunctionCall(asSinkExpr(node), _) + ) + } + + override predicate isSanitizerIn(DataFlow::Node node) { this.isSource(node) } + + override predicate isSanitizer(DataFlow::Node node) { + node.asExpr().(Call).getTarget().getUnspecifiedType() instanceof ArithmeticType + or + 
exists(LoadInstruction load, Variable checkedVar | + load = node.asInstruction() and + checkedVar = load.getSourceAddress().(VariableAddressInstruction).getAstVariable() and + hasUpperBoundsCheck(checkedVar) + ) + } + + predicate hasFilteredFlowPath(DataFlow::PathNode source, DataFlow::PathNode sink) { + this.hasFlowPath(source, sink) and + // The use of `isUserInput` in `isSink` in combination with `asSourceExpr` causes + // duplicate results. Filter these duplicates. The proper solution is to switch to + // using `LocalFlowSource` and `RemoteFlowSource`, but this currently only supports + // a subset of the cases supported by `isUserInput`. + not exists(DataFlow::PathNode source2 | + this.hasFlowPath(source2, sink) and + asSourceExpr(source.getNode()) = asSourceExpr(source2.getNode()) + | + not exists(source.getNode().asConvertedExpr()) and exists(source2.getNode().asConvertedExpr()) + ) } } from - FileFunction fileFunction, Expr taintedArg, Expr taintSource, PathNode sourceNode, - PathNode sinkNode, string taintCause, string callChain + FileFunction fileFunction, Expr taintedArg, Expr taintSource, TaintedPathConfiguration cfg, + DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string taintCause, string callChain where - not isExcluded(taintedArg, IO3Package::doNotPerformFileOperationsOnDevicesQuery()) and + taintedArg = asSinkExpr(sinkNode.getNode()) and fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and - taintedWithPath(taintSource, taintedArg, sourceNode, sinkNode) and + cfg.hasFilteredFlowPath(sourceNode, sinkNode) and + taintSource = asSourceExpr(sourceNode.getNode()) and isUserInput(taintSource, taintCause) select taintedArg, sourceNode, sinkNode, - "This argument to a file access function is derived from $@ and then passed to " + callChain, + "This argument to a file access function is derived from $@ and then passed to " + callChain + ".", taintSource, "user input (" + taintCause + ")" 
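Review bot: The second disjunct of `isSanitizer` clears taint on every load of a variable for which `hasUpperBoundsCheck` holds, and that predicate matches a relational comparison on the variable anywhere in the program, whether or not it guards the file access. For a path query this can hide real flows, for example when a pointer variable carrying the file name is compared once in unrelated code. Since the code is taken from upstream `TaintedPath.ql`, I would keep it but state the trade-off at the use site, e.g. `// Coarse and not flow-sensitive: a relational check on the variable anywhere in the program clears taint, so some real flows are not reported.` Separately, the comment in `hasFilteredFlowPath` says `isUserInput` is used in `isSink`, but in this hunk it is called from `isSource`, so the comment should name `isSource`.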
diff --git a/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected b/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected index b4852b09e7..b4f07d6ca8 100644 --- a/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected +++ b/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected 
@@ -1,36 +1,16 @@ edges -| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | (const char *)... | -| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | file_name | -| test.c:20:15:20:23 | array to pointer conversion | test.c:21:8:21:16 | file_name indirection | -| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | (const char *)... | -| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name | | test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name indirection | -| test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | (const char *)... | -| test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name | | test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name indirection | -| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | (LPCTSTR)... | -| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | file_name | -| test.c:45:15:45:23 | array to pointer conversion | test.c:46:29:46:37 | file_name indirection | -| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | (LPCTSTR)... | -| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name | | test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name indirection | -| test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | (LPCTSTR)... | -| test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name | | test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name indirection | -subpaths nodes -| test.c:20:15:20:23 | array to pointer conversion | semmle.label | array to pointer conversion | | test.c:20:15:20:23 | file_name | semmle.label | file_name | | test.c:20:15:20:23 | scanf output argument | semmle.label | scanf output argument | -| test.c:21:8:21:16 | (const char *)... | semmle.label | (const char *)... 
| -| test.c:21:8:21:16 | file_name | semmle.label | file_name | | test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection | -| test.c:45:15:45:23 | array to pointer conversion | semmle.label | array to pointer conversion | | test.c:45:15:45:23 | file_name | semmle.label | file_name | | test.c:45:15:45:23 | scanf output argument | semmle.label | scanf output argument | -| test.c:46:29:46:37 | (LPCTSTR)... | semmle.label | (LPCTSTR)... | -| test.c:46:29:46:37 | file_name | semmle.label | file_name | | test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection | +subpaths #select -| test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen((unnamed parameter 0)) | test.c:20:15:20:23 | file_name | user input (scanf) | -| test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName) | test.c:45:15:45:23 | file_name | user input (scanf) | +| test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name indirection | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen((unnamed parameter 0)). | test.c:20:15:20:23 | file_name | user input (scanf) | +| test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name indirection | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName). | test.c:45:15:45:23 | file_name | user input (scanf) | From 0a7696c2094f5d119c64b61a43c15a445f1bdb07 Mon Sep 17 00:00:00 2001 
From: Jeroen Ketema Date: Tue, 6 Dec 2022 17:13:10 +0100 Subject: [PATCH 20/32] Add change note --- change_notes/2022-12-06-remove-use-of-default-taint-tracking.md | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 change_notes/2022-12-06-remove-use-of-default-taint-tracking.md diff --git a/change_notes/2022-12-06-remove-use-of-default-taint-tracking.md b/change_notes/2022-12-06-remove-use-of-default-taint-tracking.md new file mode 100644 index 0000000000..2f0c6706fc --- /dev/null +++ b/change_notes/2022-12-06-remove-use-of-default-taint-tracking.md @@ -0,0 +1,2 @@ + - `FIO32-C` - `DoNotPerformFileOperationsOnDevices.ql`: + - The query was rewritten to no longer depend of the `DefaultTaintTracking` library, which will be deprecated. From f29b89be531891f323504fc5b6082ec69706f4bc Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Tue, 6 Dec 2022 17:16:37 +0100 Subject: [PATCH 21/32] Add back coding standards specific changes --- c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql | 2 ++ 1 file changed, 2 insertions(+) diff --git a/c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql b/c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql index 8906e01b8c..88cc11ef80 100644 --- a/c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql +++ b/c/cert/src/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.ql @@ -12,6 +12,7 @@ */ import cpp +import codingstandards.c.cert import semmle.code.cpp.security.FunctionWithWrappers import semmle.code.cpp.security.Security import semmle.code.cpp.ir.IR 
@@ -126,6 +127,7 @@ from FileFunction fileFunction, Expr taintedArg, Expr taintSource, TaintedPathConfiguration cfg, DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string taintCause, string callChain where + not isExcluded(taintedArg, IO3Package::doNotPerformFileOperationsOnDevicesQuery()) and taintedArg = asSinkExpr(sinkNode.getNode()) and fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and cfg.hasFilteredFlowPath(sourceNode, sinkNode) and From 760ccdebfeb28e8eaaa9381f913fd77fef46c1a2 Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 8 Dec 2022 15:52:01 +0100 Subject: [PATCH 22/32] C++: Accept test changes after CodeQL `scanf` work --- .../FIO32-C/DoNotPerformFileOperationsOnDevices.expected | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected b/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected index b4f07d6ca8..824149f294 100644 --- a/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected +++ b/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected 
@@ -1,16 +1,12 @@ edges -| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name indirection | | test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name indirection | -| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name indirection | | test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name indirection | nodes -| test.c:20:15:20:23 | file_name | semmle.label | file_name | | test.c:20:15:20:23 | scanf output argument | semmle.label | scanf output argument | | test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection | -| test.c:45:15:45:23 | file_name | semmle.label | file_name | | test.c:45:15:45:23 | scanf output argument | semmle.label | scanf output argument | | test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection | subpaths #select -| test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name indirection | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen((unnamed parameter 0)). | test.c:20:15:20:23 | file_name | user input (scanf) | -| test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name indirection | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName). | test.c:45:15:45:23 | file_name | user input (scanf) | +| test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name indirection | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen((unnamed parameter 0)). | test.c:20:15:20:23 | file_name | user input (scanf) | +| test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name indirection | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName). 
| test.c:45:15:45:23 | file_name | user input (scanf) | From d1fe1ad5b22ecb6d75fa6e0e998ad7998163705a Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Thu, 8 Dec 2022 18:54:44 +0100 Subject: [PATCH 23/32] Fix references to pack names after pack renaming --- c/cert/src/codeql-suites/cert-default.qls | 4 ++-- c/misra/src/codeql-suites/misra-default.qls | 4 ++-- cpp/autosar/src/codeql-suites/autosar-advisory.qls | 4 ++-- cpp/autosar/src/codeql-suites/autosar-audit.qls | 4 ++-- cpp/autosar/src/codeql-suites/autosar-default.qls | 4 ++-- cpp/autosar/src/codeql-suites/autosar-required.qls | 4 ++-- .../src/codeql-suites/autosar-single-translation-unit.qls | 4 ++-- cpp/cert/src/codeql-suites/cert-default.qls | 4 ++-- cpp/cert/src/codeql-suites/cert-single-translation-unit.qls | 4 ++-- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/c/cert/src/codeql-suites/cert-default.qls b/c/cert/src/codeql-suites/cert-default.qls index c8652930e9..1e11a0afca 100644 --- a/c/cert/src/codeql-suites/cert-default.qls +++ b/c/cert/src/codeql-suites/cert-default.qls @@ -1,9 +1,9 @@ - description: CERT C 2016 (Default) -- qlpack: cert-c-coding-standards +- qlpack: codeql/cert-c-coding-standards - include: kind: - problem - path-problem - exclude: tags contain: - - external/cert/default-disabled \ No newline at end of file + - external/cert/default-disabled diff --git a/c/misra/src/codeql-suites/misra-default.qls b/c/misra/src/codeql-suites/misra-default.qls index d32637556d..343379a2b3 100644 --- a/c/misra/src/codeql-suites/misra-default.qls +++ b/c/misra/src/codeql-suites/misra-default.qls @@ -1,5 +1,5 @@ - description: MISRA C 2012 (Default) -- qlpack: misra-c-coding-standards +- qlpack: codeql/misra-c-coding-standards - include: kind: - problem @@ -7,4 +7,4 @@ - exclude: tags contain: - external/misra/audit - - external/misra/default-disabled \ No newline at end of file + - external/misra/default-disabled 
diff --git a/cpp/autosar/src/codeql-suites/autosar-advisory.qls b/cpp/autosar/src/codeql-suites/autosar-advisory.qls index 163de00856..f7319085dd 100644 --- a/cpp/autosar/src/codeql-suites/autosar-advisory.qls +++ b/cpp/autosar/src/codeql-suites/autosar-advisory.qls @@ -1,5 +1,5 @@ - description: AUTOSAR C++14 Guidelines 20-11 (Advisory) -- qlpack: autosar-cpp-coding-standards +- qlpack: codeql/autosar-cpp-coding-standards - include: kind: - problem @@ -8,4 +8,4 @@ - external/autosar/obligation/advisory - exclude: tags contain: - - external/autosar/audit \ No newline at end of file + - external/autosar/audit diff --git a/cpp/autosar/src/codeql-suites/autosar-audit.qls b/cpp/autosar/src/codeql-suites/autosar-audit.qls index 6e77e82e77..8d45e238cd 100644 --- a/cpp/autosar/src/codeql-suites/autosar-audit.qls +++ b/cpp/autosar/src/codeql-suites/autosar-audit.qls @@ -1,8 +1,8 @@ - description: AUTOSAR C++14 Guidelines 20-11 (Audit) -- qlpack: autosar-cpp-coding-standards +- qlpack: codeql/autosar-cpp-coding-standards - include: kind: - problem - path-problem tags contain: - - external/autosar/audit \ No newline at end of file + - external/autosar/audit diff --git a/cpp/autosar/src/codeql-suites/autosar-default.qls b/cpp/autosar/src/codeql-suites/autosar-default.qls index 0296cc54f8..f6072946ef 100644 --- a/cpp/autosar/src/codeql-suites/autosar-default.qls +++ b/cpp/autosar/src/codeql-suites/autosar-default.qls @@ -1,5 +1,5 @@ - description: AUTOSAR C++14 Guidelines 20-11 (Default) -- qlpack: autosar-cpp-coding-standards +- qlpack: codeql/autosar-cpp-coding-standards - include: kind: - problem @@ -7,4 +7,4 @@ - exclude: tags contain: - external/autosar/audit - - external/autosar/default-disabled \ No newline at end of file + - external/autosar/default-disabled diff --git a/cpp/autosar/src/codeql-suites/autosar-required.qls b/cpp/autosar/src/codeql-suites/autosar-required.qls index b79562c66c..6b93a4cfa6 100644 --- a/cpp/autosar/src/codeql-suites/autosar-required.qls 
+++ b/cpp/autosar/src/codeql-suites/autosar-required.qls @@ -1,5 +1,5 @@ - description: AUTOSAR C++14 Guidelines 20-11 (Required) -- qlpack: autosar-cpp-coding-standards +- qlpack: codeql/autosar-cpp-coding-standards - include: kind: - problem @@ -8,4 +8,4 @@ - external/autosar/obligation/required - exclude: tags contain: - - external/autosar/audit \ No newline at end of file + - external/autosar/audit diff --git a/cpp/autosar/src/codeql-suites/autosar-single-translation-unit.qls b/cpp/autosar/src/codeql-suites/autosar-single-translation-unit.qls index 6ba3032fa8..d4f28f499b 100644 --- a/cpp/autosar/src/codeql-suites/autosar-single-translation-unit.qls +++ b/cpp/autosar/src/codeql-suites/autosar-single-translation-unit.qls @@ -1,5 +1,5 @@ - description: AUTOSAR C++14 Guidelines 20-11 (Single Translation Unit) -- qlpack: autosar-cpp-coding-standards +- qlpack: codeql/autosar-cpp-coding-standards - include: kind: - problem @@ -9,4 +9,4 @@ - exclude: tags contain: - external/autosar/audit - - external/autosar/default-disabled \ No newline at end of file + - external/autosar/default-disabled diff --git a/cpp/cert/src/codeql-suites/cert-default.qls b/cpp/cert/src/codeql-suites/cert-default.qls index 6ec40af9b9..e9211246b1 100644 --- a/cpp/cert/src/codeql-suites/cert-default.qls +++ b/cpp/cert/src/codeql-suites/cert-default.qls @@ -1,9 +1,9 @@ - description: CERT C++ 2016 (Default) -- qlpack: cert-cpp-coding-standards +- qlpack: codeql/cert-cpp-coding-standards - include: kind: - problem - path-problem - exclude: tags contain: - - external/cert/default-disabled \ No newline at end of file + - external/cert/default-disabled diff --git a/cpp/cert/src/codeql-suites/cert-single-translation-unit.qls b/cpp/cert/src/codeql-suites/cert-single-translation-unit.qls index ca1315d6ff..2f09815e0d 100644 --- a/cpp/cert/src/codeql-suites/cert-single-translation-unit.qls +++ b/cpp/cert/src/codeql-suites/cert-single-translation-unit.qls 
@@ -1,5 +1,5 @@ - description: CERT C++ 2016 (Single Translation Unit) -- qlpack: cert-cpp-coding-standards +- qlpack: codeql/cert-cpp-coding-standards - include: kind: - problem @@ -8,4 +8,4 @@ - scope/single-translation-unit - exclude: tags contain: - - external/cert/default-disabled \ No newline at end of file + - external/cert/default-disabled From d1f7ebc325296218f51957c76798d02a078eda20 Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Fri, 28 Jul 2023 17:21:41 -0700 Subject: [PATCH 24/32] Update to CodeQL CLI 2.11.6. --- supported_codeql_configs.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/supported_codeql_configs.json b/supported_codeql_configs.json index f5a3e9b573..ff7551a34f 100644 --- a/supported_codeql_configs.json +++ b/supported_codeql_configs.json @@ -1,9 +1,9 @@ { "supported_environment": [ { - "codeql_cli": "2.11.0", - "codeql_standard_library": "codeql-cli/v2.11.0", - "codeql_cli_bundle": "codeql-bundle-20220923" + "codeql_cli": "2.11.6", + "codeql_standard_library": "codeql-cli/v2.11.6", + "codeql_cli_bundle": "codeql-bundle-20221211" } ], "supported_language": [ From a9b155751f40c214c82fba0d26373e5e473cfa17 Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Sun, 30 Jul 2023 17:50:45 +0100 Subject: [PATCH 25/32] Fix CERT C pack name. --- c/cert/src/qlpack.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/c/cert/src/qlpack.yml b/c/cert/src/qlpack.yml index 6a4d2c4a0f..6f2707660e 100644 --- a/c/cert/src/qlpack.yml +++ b/c/cert/src/qlpack.yml @@ -1,4 +1,4 @@ -name: codeql/codeql/cert-c-coding-standards +name: codeql/cert-c-coding-standards version: 2.19.0-dev description: CERT C 2016 suites: codeql-suites From 77d571a7357dd2e4264e947ee7703900ee11d6a2 Mon Sep 17 00:00:00 2001 
From: Luke Cartey Date: Sun, 30 Jul 2023 18:39:40 +0100 Subject: [PATCH 26/32] Update all codeql/cpp-all dependencies to 0.4.6 This matches the v2.11.6 CodeQL CLI bundle. --- c/cert/src/codeql-pack.lock.yml | 6 +++--- c/cert/src/qlpack.yml | 2 +- c/cert/test/codeql-pack.lock.yml | 6 +++--- c/common/src/codeql-pack.lock.yml | 6 +++--- c/common/src/qlpack.yml | 2 +- c/common/test/codeql-pack.lock.yml | 6 +++--- c/misra/src/codeql-pack.lock.yml | 6 +++--- c/misra/src/qlpack.yml | 2 +- c/misra/test/codeql-pack.lock.yml | 6 +++--- cpp/autosar/src/codeql-pack.lock.yml | 6 +++--- cpp/autosar/src/qlpack.yml | 2 +- cpp/autosar/test/codeql-pack.lock.yml | 6 +++--- cpp/cert/src/codeql-pack.lock.yml | 6 +++--- cpp/cert/src/qlpack.yml | 2 +- cpp/cert/test/codeql-pack.lock.yml | 6 +++--- cpp/common/src/codeql-pack.lock.yml | 6 +++--- cpp/common/src/qlpack.yml | 2 +- cpp/common/test/codeql-pack.lock.yml | 6 +++--- cpp/misra/src/codeql-pack.lock.yml | 6 +++--- cpp/misra/src/qlpack.yml | 2 +- cpp/misra/test/codeql-pack.lock.yml | 6 +++--- cpp/report/src/codeql-pack.lock.yml | 6 +++--- cpp/report/src/qlpack.yml | 2 +- scripts/generate_modules/queries/codeql-pack.lock.yml | 6 ++++-- scripts/generate_modules/queries/qlpack.yml | 2 +- 25 files changed, 58 insertions(+), 56 deletions(-) diff --git a/c/cert/src/codeql-pack.lock.yml b/c/cert/src/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/c/cert/src/codeql-pack.lock.yml +++ b/c/cert/src/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/c/cert/src/qlpack.yml b/c/cert/src/qlpack.yml index 6f2707660e..3428462642 100644 --- a/c/cert/src/qlpack.yml +++ b/c/cert/src/qlpack.yml @@ -5,4 +5,4 @@ suites: codeql-suites license: MIT dependencies: codeql/common-c-coding-standards: '*' - codeql/cpp-all: 0.4.0 + codeql/cpp-all: 0.4.6 
diff --git a/c/cert/test/codeql-pack.lock.yml b/c/cert/test/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/c/cert/test/codeql-pack.lock.yml +++ b/c/cert/test/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/c/common/src/codeql-pack.lock.yml b/c/common/src/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/c/common/src/codeql-pack.lock.yml +++ b/c/common/src/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/c/common/src/qlpack.yml b/c/common/src/qlpack.yml index 62d72d88d1..b423bfa795 100644 --- a/c/common/src/qlpack.yml +++ b/c/common/src/qlpack.yml @@ -3,4 +3,4 @@ version: 2.19.0-dev license: MIT dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.4.0 + codeql/cpp-all: 0.4.6 diff --git a/c/common/test/codeql-pack.lock.yml b/c/common/test/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/c/common/test/codeql-pack.lock.yml +++ b/c/common/test/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/c/misra/src/codeql-pack.lock.yml b/c/misra/src/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/c/misra/src/codeql-pack.lock.yml +++ b/c/misra/src/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/c/misra/src/qlpack.yml b/c/misra/src/qlpack.yml index a4e7e50d02..78913f0b57 100644 --- a/c/misra/src/qlpack.yml 
+++ b/c/misra/src/qlpack.yml @@ -5,4 +5,4 @@ suites: codeql-suites license: MIT dependencies: codeql/common-c-coding-standards: '*' - codeql/cpp-all: 0.4.0 + codeql/cpp-all: 0.4.6 diff --git a/c/misra/test/codeql-pack.lock.yml b/c/misra/test/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/c/misra/test/codeql-pack.lock.yml +++ b/c/misra/test/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/autosar/src/codeql-pack.lock.yml b/cpp/autosar/src/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/autosar/src/codeql-pack.lock.yml +++ b/cpp/autosar/src/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/autosar/src/qlpack.yml b/cpp/autosar/src/qlpack.yml index ee2303ae2f..23cec947cc 100644 --- a/cpp/autosar/src/qlpack.yml +++ b/cpp/autosar/src/qlpack.yml @@ -5,4 +5,4 @@ suites: codeql-suites license: MIT dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.4.0 + codeql/cpp-all: 0.4.6 diff --git a/cpp/autosar/test/codeql-pack.lock.yml b/cpp/autosar/test/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/autosar/test/codeql-pack.lock.yml +++ b/cpp/autosar/test/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/cert/src/codeql-pack.lock.yml b/cpp/cert/src/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/cert/src/codeql-pack.lock.yml +++ b/cpp/cert/src/codeql-pack.lock.yml 
@@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/cert/src/qlpack.yml b/cpp/cert/src/qlpack.yml index a873f7204a..8d92d36591 100644 --- a/cpp/cert/src/qlpack.yml +++ b/cpp/cert/src/qlpack.yml @@ -4,5 +4,5 @@ description: CERT C++ 2016 suites: codeql-suites license: MIT dependencies: - codeql/cpp-all: 0.4.0 + codeql/cpp-all: 0.4.6 codeql/common-cpp-coding-standards: '*' diff --git a/cpp/cert/test/codeql-pack.lock.yml b/cpp/cert/test/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/cert/test/codeql-pack.lock.yml +++ b/cpp/cert/test/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/common/src/codeql-pack.lock.yml b/cpp/common/src/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/common/src/codeql-pack.lock.yml +++ b/cpp/common/src/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/common/src/qlpack.yml b/cpp/common/src/qlpack.yml index 39e1cfcea4..07fe320f1b 100644 --- a/cpp/common/src/qlpack.yml +++ b/cpp/common/src/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/common-cpp-coding-standards version: 2.19.0-dev license: MIT dependencies: - codeql/cpp-all: 0.4.50 \ No newline at end of file + codeql/cpp-all: 0.4.6 \ No newline at end of file diff --git a/cpp/common/test/codeql-pack.lock.yml b/cpp/common/test/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/common/test/codeql-pack.lock.yml +++ b/cpp/common/test/codeql-pack.lock.yml 
@@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/misra/src/codeql-pack.lock.yml b/cpp/misra/src/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/misra/src/codeql-pack.lock.yml +++ b/cpp/misra/src/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/misra/src/qlpack.yml b/cpp/misra/src/qlpack.yml index a1b0015fb7..8b8a78edb5 100644 --- a/cpp/misra/src/qlpack.yml +++ b/cpp/misra/src/qlpack.yml @@ -5,4 +5,4 @@ suites: codeql-suites license: MIT dependencies: codeql/common-cpp-coding-standards: '*' - codeql/cpp-all: 0.4.0 + codeql/cpp-all: 0.4.6 diff --git a/cpp/misra/test/codeql-pack.lock.yml b/cpp/misra/test/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/misra/test/codeql-pack.lock.yml +++ b/cpp/misra/test/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/report/src/codeql-pack.lock.yml b/cpp/report/src/codeql-pack.lock.yml index 95e394b2f4..a7035a9f24 100644 --- a/cpp/report/src/codeql-pack.lock.yml +++ b/cpp/report/src/codeql-pack.lock.yml @@ -1,8 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.4.0 + version: 0.4.6 codeql/ssa: - version: 0.0.1 + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/cpp/report/src/qlpack.yml b/cpp/report/src/qlpack.yml index ae3f87c1cf..878d34f50c 100644 --- a/cpp/report/src/qlpack.yml +++ b/cpp/report/src/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/report-cpp-coding-standards version: 2.19.0-dev license: MIT dependencies: - codeql/cpp-all: 0.4.0 + codeql/cpp-all: 0.4.6 
diff --git a/scripts/generate_modules/queries/codeql-pack.lock.yml b/scripts/generate_modules/queries/codeql-pack.lock.yml index 1da7b6075b..a7035a9f24 100644 --- a/scripts/generate_modules/queries/codeql-pack.lock.yml +++ b/scripts/generate_modules/queries/codeql-pack.lock.yml @@ -1,6 +1,8 @@ --- +lockVersion: 1.0.0 dependencies: codeql/cpp-all: - version: 0.3.5 + version: 0.4.6 + codeql/ssa: + version: 0.0.7 compiled: false -lockVersion: 1.0.0 diff --git a/scripts/generate_modules/queries/qlpack.yml b/scripts/generate_modules/queries/qlpack.yml index 76ee66f817..e3e1783997 100644 --- a/scripts/generate_modules/queries/qlpack.yml +++ b/scripts/generate_modules/queries/qlpack.yml @@ -2,4 +2,4 @@ name: codeql/standard-library-extraction-cpp-coding-standards version: 0.0.0 license: MIT dependencies: - codeql/cpp-all: 0.3.5 + codeql/cpp-all: 0.4.6 From c0f13fd3337b85a7c88491c54352870cf768e6f1 Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Sun, 30 Jul 2023 18:58:14 +0100 Subject: [PATCH 27/32] Enable installation of pre-release packs Since 2.11.3 pre-release packs have been ignored CodeQL when installing packs. We re-enable this since we use pre-release packs internally (e.g. in the common packs). --- scripts/install-packs.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install-packs.py b/scripts/install-packs.py index a0286e2228..5990905a40 100644 --- a/scripts/install-packs.py +++ b/scripts/install-packs.py @@ -18,6 +18,6 @@ for pack in packs: pack_path = os.path.join(root, pack) # Run `codeql pack install` to install dependencies. - command = [args.codeql, 'pack', 'install', '--mode', args.mode, pack_path] + command = [args.codeql, 'pack', 'install', '--alow-prerelease', '--mode', args.mode, pack_path] print(f'Running `{" ".join(command)}`') subprocess.check_call(command) From caa312519048fdd3e2b07e1d65d0866b7c3521ad Mon Sep 17 00:00:00 2001 
From: Luke Cartey Date: Sun, 30 Jul 2023 19:01:32 +0100 Subject: [PATCH 28/32] Fix name of allow-prerelease flag. --- scripts/install-packs.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/install-packs.py b/scripts/install-packs.py index 5990905a40..ab45c32818 100644 --- a/scripts/install-packs.py +++ b/scripts/install-packs.py @@ -18,6 +18,6 @@ for pack in packs: pack_path = os.path.join(root, pack) # Run `codeql pack install` to install dependencies. - command = [args.codeql, 'pack', 'install', '--alow-prerelease', '--mode', args.mode, pack_path] + command = [args.codeql, 'pack', 'install', '--allow-prerelease', '--mode', args.mode, pack_path] print(f'Running `{" ".join(command)}`') subprocess.check_call(command) From cd4bbc0ea5a5006fdf599163e85c4dabd9e71063 Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Sun, 30 Jul 2023 23:05:30 +0100 Subject: [PATCH 29/32] Revert "C++: Accept test changes after CodeQL `scanf` work" This reverts commit 760ccdebfeb28e8eaaa9381f913fd77fef46c1a2. This was prematurely included, but was only shipped in 2.12.*. --- .../FIO32-C/DoNotPerformFileOperationsOnDevices.expected | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected b/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected index 824149f294..b4f07d6ca8 100644 --- a/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected +++ b/c/cert/test/rules/FIO32-C/DoNotPerformFileOperationsOnDevices.expected 
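Review bot: The comment above the `command` line still says only that dependencies are installed, so nothing at the call site explains why `--allow-prerelease` is passed to every `codeql pack install`. The reason appears only in the previous commit message: the internal packs use pre-release versions, and the qlpack files on this page show `2.19.0-dev`. I would extend the comment, e.g. `# --allow-prerelease: workspace packs use pre-release versions (such as 2.19.0-dev), which pack install otherwise ignores.` The flag presumably applies to every dependency resolved for the pack, so the exact `codeql/cpp-all` pin in the qlpack files is what keeps an external pre-release from being selected, and those pins should stay exact. The `for pack in packs:` loop header is outside the hunk.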
@@ -1,12 +1,16 @@ edges +| test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name indirection | | test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name indirection | +| test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name indirection | | test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name indirection | nodes +| test.c:20:15:20:23 | file_name | semmle.label | file_name | | test.c:20:15:20:23 | scanf output argument | semmle.label | scanf output argument | | test.c:21:8:21:16 | file_name indirection | semmle.label | file_name indirection | +| test.c:45:15:45:23 | file_name | semmle.label | file_name | | test.c:45:15:45:23 | scanf output argument | semmle.label | scanf output argument | | test.c:46:29:46:37 | file_name indirection | semmle.label | file_name indirection | subpaths #select -| test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | scanf output argument | test.c:21:8:21:16 | file_name indirection | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen((unnamed parameter 0)). | test.c:20:15:20:23 | file_name | user input (scanf) | -| test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | scanf output argument | test.c:46:29:46:37 | file_name indirection | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName). | test.c:45:15:45:23 | file_name | user input (scanf) | +| test.c:21:8:21:16 | file_name | test.c:20:15:20:23 | file_name | test.c:21:8:21:16 | file_name indirection | This argument to a file access function is derived from $@ and then passed to func(file_name), which calls fopen((unnamed parameter 0)). | test.c:20:15:20:23 | file_name | user input (scanf) | +| test.c:46:29:46:37 | file_name | test.c:45:15:45:23 | file_name | test.c:46:29:46:37 | file_name indirection | This argument to a file access function is derived from $@ and then passed to CreateFile(lpFileName). 
| test.c:45:15:45:23 | file_name | user input (scanf) | From 68dc174aa914165810062d443f809212f08a0787 Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Sun, 30 Jul 2023 23:08:09 +0100 Subject: [PATCH 30/32] Remove redundant change notes. These were already released with a previous version. --- change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md | 3 --- .../2022-06-01-fix-A8-5-3-braced-initialization-detection.md | 3 --- change_notes/2022-07-15-fix-A7-3-1-location-reporting.md | 2 -- 3 files changed, 8 deletions(-) delete mode 100644 change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md delete mode 100644 change_notes/2022-06-01-fix-A8-5-3-braced-initialization-detection.md delete mode 100644 change_notes/2022-07-15-fix-A7-3-1-location-reporting.md diff --git a/change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md b/change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md deleted file mode 100644 index 8d3a2045f2..0000000000 --- a/change_notes/2022-05-04-compiler-generated-fp-M0-1-4.md +++ /dev/null @@ -1,3 +0,0 @@ - - `M0-1-4` - `SingleUsePODVariable.ql` - - This rule no longer considers compiler-generated access to a variable when determining if the - variable has a single use. diff --git a/change_notes/2022-06-01-fix-A8-5-3-braced-initialization-detection.md b/change_notes/2022-06-01-fix-A8-5-3-braced-initialization-detection.md deleted file mode 100644 index ec48fda73a..0000000000 --- a/change_notes/2022-06-01-fix-A8-5-3-braced-initialization-detection.md +++ /dev/null @@ -1,3 +0,0 @@ -- `A8-5-3` - `AvoidAutoWithBracedInitialization.ql`: - - Fix regression where `auto x{0}` was no longer detected as a braced initialization with type `auto` with the latest CodeQL versions. - - No longer falsely detect cases where braced initialization was not used, but where the inferred type would be `std::initializer_list`. 
diff --git a/change_notes/2022-07-15-fix-A7-3-1-location-reporting.md b/change_notes/2022-07-15-fix-A7-3-1-location-reporting.md deleted file mode 100644 index b310d1c010..0000000000 --- a/change_notes/2022-07-15-fix-A7-3-1-location-reporting.md +++ /dev/null @@ -1,2 +0,0 @@ -- `A7-3-1` - `DefinitionNotConsideredForUnqualifiedLookup.ql` - - The locations reported for names occurring in using-declarations has improved in the latest CodeQL versions. From 125bfde53a73ef355cc72251a1b1b387131868ed Mon Sep 17 00:00:00 2001 From: Jeroen Ketema Date: Wed, 1 Mar 2023 11:50:03 +0100 Subject: [PATCH 31/32] Fix `NULLMacro` deprecation warning --- cpp/common/src/codingstandards/cpp/Concurrency.qll | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cpp/common/src/codingstandards/cpp/Concurrency.qll b/cpp/common/src/codingstandards/cpp/Concurrency.qll index 5162255de9..7c92d93752 100644 --- a/cpp/common/src/codingstandards/cpp/Concurrency.qll +++ b/cpp/common/src/codingstandards/cpp/Concurrency.qll @@ -857,7 +857,7 @@ class TSSCreateFunctionCall extends ThreadSpecificStorageFunctionCall { TSSCreateFunctionCall() { getTarget().getName() = "tss_create" } predicate hasDeallocator() { - not exists(MacroInvocation mi, NULLMacro nm | + not exists(MacroInvocation mi, NullMacro nm | getArgument(1) = mi.getExpr() and mi = nm.getAnInvocation() ) From 8287ff20a8828d03c5f43124610aaf4d72f3b544 Mon Sep 17 00:00:00 2001 From: Luke Cartey Date: Sun, 30 Jul 2023 23:24:34 +0100 Subject: [PATCH 32/32] Add change note. --- change_notes/2023-07-30-update-to-2.11.6.md | 1 + 1 file changed, 1 insertion(+) create mode 100644 change_notes/2023-07-30-update-to-2.11.6.md diff --git a/change_notes/2023-07-30-update-to-2.11.6.md b/change_notes/2023-07-30-update-to-2.11.6.md new file mode 100644 index 0000000000..57664a7ac0 --- /dev/null +++ b/change_notes/2023-07-30-update-to-2.11.6.md @@ -0,0 +1 @@ + - Updated the supported CodeQL version to `2.11.6`. \ No newline at end of file