Geoffrey White

I've fixed the CI issues (hopefully) and the merge, though alert provenance is not properly computed (I've created another follow-up issue to cover that).

Ready for final approval + merge.

> Hi, as I don't have enough experience with C++ package/module systems, It takes some time to implement tests. Unfortunately you can't import external code into the C++ language tests,...

> can I start writing tests based on this test file "cpp/ql/test/experimental/query-tests/Security/CWE/CWE-078/test.cpp"? I don't think there's much you'll need from that particular file besides perhaps a stub definition of `size_t`,...

Yep, push the test cases so we can see what's going on / if anything doesn't look right.

Hi @ebickle , the QL approach described above (as in `SqLite3.qll`) should work. Alternatively I believe you could add support for the `sql-injection` models-as-data sink type in C++ with a...

The file you linked is the example (used in the query help), you want to edit the test - either `test.c` or `test.cpp` in https://github.com/github/codeql/tree/main/cpp/ql/test/query-tests/Security/CWE/CWE-089/SqlTainted . Then add the `.yml`...

Yep, our query tests are pretty mature and usually nice to work with. There is an issue with your PR - more precisely, with my suggested implementation for adding models-as-data...

@hvitved do you think this is heading in the right direction?

Ready for review: there are gaps (and apparently a conflict with main), but we get some useful results and I'd like to push towards merging this ASAP.