github
diff --git a/‎.github/workflows/go-tests-other-os.yml
Lines changed: 1 addition & 2 deletions b/‎.github/workflows/go-tests-other-os.yml
Lines changed: 1 addition & 2 deletions
diff --git a/‎cpp/ql/lib/change-notes/2025-05-16-array-aggregate-literals.md
Lines changed: 4 additions & 0 deletions b/‎cpp/ql/lib/change-notes/2025-05-16-array-aggregate-literals.md
Lines changed: 4 additions & 0 deletions
diff --git a/‎cpp/ql/lib/change-notes/2025-05-18-2025-May-outdated-deprecations.md
Lines changed: 9 additions & 0 deletions b/‎cpp/ql/lib/change-notes/2025-05-18-2025-May-outdated-deprecations.md
Lines changed: 9 additions & 0 deletions
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
Lines changed: 4 additions & 3 deletions b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
Lines changed: 4 additions & 3 deletions
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
Lines changed: 6 additions & 5 deletions b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
Lines changed: 6 additions & 5 deletions
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
Lines changed: 9 additions & 8 deletions b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
Lines changed: 9 additions & 8 deletions
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Lines changed: 46 additions & 0 deletions b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Lines changed: 46 additions & 0 deletions
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
Lines changed: 5 additions & 4 deletions b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
Lines changed: 5 additions & 4 deletions
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
Lines changed: 10 additions & 1 deletion b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
Lines changed: 10 additions & 1 deletion
diff --git a/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
Lines changed: 2 additions & 2 deletions b/‎cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
Lines changed: 2 additions & 2 deletions
@@ -26,9 +26,8 @@ jobs:
         uses: ./go/actions/test
 
   test-win:
-    if: github.repository_owner == 'github'
     name: Test Windows
-    runs-on: windows-latest-xl
+    runs-on: windows-latest
     steps:
       - name: Check out code
         uses: actions/checkout@v4
 
@@ -0,0 +1,4 @@
+---
+category: fix
+---
+* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.
@@ -0,0 +1,9 @@
+---
+category: breaking
+---
+* Deleted the deprecated `userInputArgument` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturned` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputReturn` predicate from the `Security.qll`.
+* Deleted the deprecated `isUserInput` predicate and its convenience accessor from the `Security.qll`.
+* Deleted the deprecated `userInputArgument` predicate from the `SecurityOptions.qll`.
+* Deleted the deprecated `userInputReturned` predicate from the `SecurityOptions.qll`.
@@ -1,7 +1,8 @@
 import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 /**
  * Traces 'known algorithms' to AVCs, specifically
 
@@ -1,9 +1,10 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import AlgToAVCFlow
 
 /**
  * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
 
@@ -1,12 +1,13 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import Crypto::KeyOpAlg as KeyOpAlg
-import OpenSSLAlgorithmInstanceBase
-import PaddingAlgorithmInstance
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
-import BlockAlgorithmInstance
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import Crypto::KeyOpAlg as KeyOpAlg
+private import OpenSSLAlgorithmInstanceBase
+private import PaddingAlgorithmInstance
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+private import BlockAlgorithmInstance
 
 /**
  * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
 
@@ -0,0 +1,46 @@
+import cpp
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+
+class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLEllipticCurveConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override string getRawEllipticCurveName() { result = this.(Literal).getValue().toString() }
+
+  override Crypto::TEllipticCurveType getEllipticCurveType() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
+          .getNormalizedName(), _, result)
+  }
+
+  override int getKeySize() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
+          .getNormalizedName(), result, _)
+  }
+}
@@ -1,8 +1,9 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToHashFamilyType(
   KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
 
@@ -1,5 +1,5 @@
 import cpp
-import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.OpenSSL.LibraryDetector
 
 predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) {
   resolveAlgorithmFromCall(e, normalizedName, algType)
@@ -67,6 +67,15 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
   }
 }
 
+class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLEllipticCurveAlgorithmConstant() {
+    exists(string algType |
+      resolveAlgorithmFromExpr(this, _, algType) and
+      algType.toLowerCase().matches("elliptic_curve")
+    )
+  }
+}
+
 /**
  * Resolves a call to a 'direct algorithm getter', e.g., EVP_MD5()
  * This approach to fetching algorithms was used in OpenSSL 1.0.2.
 
@@ -1,5 +1,5 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
   abstract OpenSSLAlgorithmValueConsumer getAVC();
-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: fix
 +---
 +* Fixed a problem where `asExpr()` on `DataFlow::Node` would never return `ArrayAggregateLiteral`s.