github · michaelnebel · Sep 10, 2025 · Sep 3, 2025 · Sep 3, 2025 · Sep 4, 2025
@@ -34,7 +34,7 @@ jobs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 9.0.100
+        dotnet-version: 9.0.300
 
     - name: Checkout repository
       uses: actions/checkout@v5

@@ -43,14 +43,14 @@ jobs:
       - name: Setup dotnet
         uses: actions/setup-dotnet@v4
         with:
-          dotnet-version: 9.0.100
+          dotnet-version: 9.0.300
       - name: Extractor unit tests
         run: |
           dotnet tool restore
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Util.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 extractor/Semmle.Extraction.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.CSharp.Tests
-          dotnet test -p:RuntimeFrameworkVersion=9.0.0 autobuilder/Semmle.Autobuild.Cpp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Util.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 extractor/Semmle.Extraction.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.CSharp.Tests
+          dotnet test -p:RuntimeFrameworkVersion=9.0.5 autobuilder/Semmle.Autobuild.Cpp.Tests
         shell: bash
   stubgentest:
     runs-on: ubuntu-latest

@@ -26,7 +26,7 @@ bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "10.0.0")
 bazel_dep(name = "rules_kotlin", version = "2.1.3-codeql.1")
 bazel_dep(name = "gazelle", version = "0.40.0")
-bazel_dep(name = "rules_dotnet", version = "0.17.4")
+bazel_dep(name = "rules_dotnet", version = "0.19.2-codeql.1")
 bazel_dep(name = "googletest", version = "1.14.0.bcr.1")
 bazel_dep(name = "rules_rust", version = "0.63.0")
 bazel_dep(name = "zstd", version = "1.5.5.bcr.1")
@@ -172,7 +172,7 @@ http_archive(
 )
 
 dotnet = use_extension("@rules_dotnet//dotnet:extensions.bzl", "dotnet")
-dotnet.toolchain(dotnet_version = "9.0.100")
+dotnet.toolchain(dotnet_version = "9.0.300")
 use_repo(dotnet, "dotnet_toolchains")
 
 register_toolchains("@dotnet_toolchains//:all")

@@ -7,7 +7,7 @@ runs:
     - name: Setup dotnet
       uses: actions/setup-dotnet@v4
       with:
-        dotnet-version: 9.0.100
+        dotnet-version: 9.0.300
     - name: Build Extractor
       shell: bash
       run: scripts/create-extractor-pack.sh

@@ -138,7 +138,7 @@ public IList<string> GetNugetFeedsFromFolder(string folderPath)
         }
 
         // The version number should be kept in sync with the version .NET version used for building the application.
-        public const string LatestDotNetSdkVersion = "9.0.100";
+        public const string LatestDotNetSdkVersion = "9.0.300";
 
         /// <summary>
         /// Returns a script for downloading relevant versions of the

@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
-}
+}
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
-}
+}
@@ -3,8 +3,8 @@
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | User-provided value |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | $@ flows to here and is written to HTML or JavaScript. | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | User-provided value |
 edges
-| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net9.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:569:16:577:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
-| BlazorTest/obj/Debug/net9.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:569:16:577:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
+| BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | BlazorTest/obj/Debug/net9.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | provenance | Src:MaD:2 MaD:3 |
+| BlazorTest/obj/Debug/net9.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | BlazorTest/Components/MyOutput.razor:5:53:5:57 | access to property Value | provenance | Sink:MaD:1 |
 models
 | 1 | Sink: Microsoft.AspNetCore.Components; MarkupString; false; MarkupString; (System.String); ; Argument[0]; html-injection; manual |
 | 2 | Source: Microsoft.AspNetCore.Components; SupplyParameterFromQueryAttribute; false; ; ; Attribute.Getter; ReturnValue; remote; manual |
@@ -14,5 +14,5 @@ nodes
 | BlazorTest/Components/Pages/TestPage.razor:11:48:11:55 | access to property UrlParam | semmle.label | access to property UrlParam |
 | BlazorTest/Components/Pages/TestPage.razor:20:60:20:69 | access to property QueryParam | semmle.label | access to property QueryParam |
 | BlazorTest/Components/Pages/TestPage.razor:85:23:85:32 | access to property QueryParam : String | semmle.label | access to property QueryParam : String |
-| BlazorTest/obj/Debug/net9.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:569:16:577:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
+| BlazorTest/obj/Debug/net9.0/generated/Microsoft.CodeAnalysis.Razor.Compiler/Microsoft.NET.Sdk.Razor.SourceGenerators.RazorSourceGenerator/Components_Pages_TestPage_razor.g.cs:553:16:561:13 | call to method TypeCheck<String> : String | semmle.label | call to method TypeCheck<String> : String |
 subpaths
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.300"
+        "version": "9.0.304"
     }
-}
+}
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }
@@ -1,5 +1,5 @@
 {
   "sdk": {
-    "version": "9.0.100"
+    "version": "9.0.304"
   }
 }
@@ -1,5 +1,5 @@
 {
     "sdk": {
-        "version": "9.0.100"
+        "version": "9.0.304"
     }
 }