Add 'CallGraphFromTo` queries for supported langs

Adds a 'CallGraphFromTo.ql' query, associated 'CallGraphFromTo.md'
documentation, and query unit tests for all currently supported
code languages. Incorporates and extends the "CallGraphFromTo"
query concept from GitHubSecurityLab's seclab-taskflow-agent.

Author: data-douser

server/ql/cpp/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,47 @@
+# CallGraphFromTo for C++
+
+Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all function calls that lie on any transitive call path from a specified source function to a specified target function. Given both a source and target function name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and function reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts function names via external predicates (`sourceFunction` and `targetFunction`) and supports both simple and qualified name matching.
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two functions
+- Mapping indirect call chains from a source to a target function
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between functions
+
+## Example
+
+The following C++ code demonstrates a transitive call chain from `source` through `intermediate` to `target`:
+
+```cpp
+void target() {}
+
+void intermediate() {
+    target();
+}
+
+void source() {
+    intermediate();
+}
+```
+
+Running with `sourceFunction = "source"` and `targetFunction = "target"` produces results showing each call site on the path with the message pattern ``Reachable call from `source`to`intermediate```.
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [C++ Functions](https://en.cppreference.com/w/cpp/language/functions)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)

server/ql/cpp/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,92 @@
+/**
+ * @name Call Graph From To for cpp
+ * @description Displays calls on reachable paths from a source function to a target function, showing transitive call graph connectivity.
+ * @id cpp/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import cpp
+
+/**
+ * Gets the source function name for call graph reachability analysis.
+ * Can be a single function name or comma-separated list of function names.
+ */
+external string sourceFunction();
+
+/**
+ * Gets the target function name for call graph reachability analysis.
+ * Can be a single function name or comma-separated list of function names.
+ */
+external string targetFunction();
+
+/**
+ * Gets a single source function name from the comma-separated list.
+ */
+string getSourceFunctionName() { result = sourceFunction().splitAt(",").trim() }
+
+/**
+ * Gets a single target function name from the comma-separated list.
+ */
+string getTargetFunctionName() { result = targetFunction().splitAt(",").trim() }
+
+/**
+ * Gets a function by matching against the selected source function names.
+ */
+Function getSourceFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getSourceFunctionName() and
+    (
+      // Match by exact function name
+      result.getName() = selectedFunc or
+      // Match by qualified name
+      result.getQualifiedName() = selectedFunc
+    )
+  )
+}
+
+/**
+ * Gets a function by matching against the selected target function names.
+ */
+Function getTargetFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getTargetFunctionName() and
+    (
+      // Match by exact function name
+      result.getName() = selectedFunc or
+      // Match by qualified name
+      result.getQualifiedName() = selectedFunc
+    )
+  )
+}
+
+/**
+ * Holds if function `caller` directly calls function `callee`.
+ */
+predicate calls(Function caller_, Function callee_) {
+  exists(FunctionCall c | c.getEnclosingFunction() = caller_ and c.getTarget() = callee_)
+}
+
+from FunctionCall call, Function caller, Function callee
+where
+  call.getTarget() = callee and
+  call.getEnclosingFunction() = caller and
+  (
+    // Use external predicates if available: show calls on paths from source to target
+    exists(Function source, Function target |
+      source = getSourceFunction() and
+      target = getTargetFunction() and
+      calls*(source, caller) and
+      calls*(callee, target)
+    )
+    or
+    // Fallback for unit tests: include test files
+    (
+      not exists(getSourceFunctionName()) and
+      not exists(getTargetFunctionName()) and
+      caller.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
+    )
+  )
+select call,
+  "Reachable call from `" + caller.getQualifiedName() + "` to `" + callee.getQualifiedName() + "`"

server/ql/cpp/tools/test/CallGraphFromTo/CallGraphFromTo.expected

@@ -0,0 +1,3 @@
+| Example1.cpp:6:5:6:13 | call to unrelated | Reachable call from `target` to `unrelated` |
+| Example1.cpp:10:5:10:10 | call to target | Reachable call from `intermediate` to `target` |
+| Example1.cpp:14:5:14:16 | call to intermediate | Reachable call from `source` to `intermediate` |

server/ql/cpp/tools/test/CallGraphFromTo/CallGraphFromTo.qlref

@@ -0,0 +1 @@
+CallGraphFromTo/CallGraphFromTo.ql

server/ql/cpp/tools/test/CallGraphFromTo/Example1.cpp

@@ -0,0 +1,15 @@
+void unrelated() {
+    // No calls
+}
+
+void target() {
+    unrelated();
+}
+
+void intermediate() {
+    target();
+}
+
+void source() {
+    intermediate();
+}

server/ql/csharp/tools/src/CallGraphFromTo/CallGraphFromTo.md

@@ -0,0 +1,49 @@
+# CallGraphFromTo for `csharp` Source Files
+
+Displays calls on reachable paths from a source method to a target method, showing transitive call graph connectivity.
+
+## Overview
+
+This query identifies all method calls that lie on any transitive call path from a specified source method to a specified target method. Given both a source and target method name, it reports each call site along the connecting paths, which is useful for understanding indirect call chains, security-relevant data flow paths, and method reachability.
+
+The query uses transitive closure (`calls*`) to determine reachability, then reports only the direct call sites that contribute to paths between the source and target. It accepts method names via external predicates (`sourceFunction` and `targetFunction`).
+
+## Use Cases
+
+This query is primarily used for:
+
+- Determining if a call path exists between two methods
+- Mapping indirect call chains from a source to a target method
+- Analyzing security-relevant paths (e.g., from user input handlers to sensitive operations)
+- Understanding transitive dependencies between methods
+
+## Example
+
+The following C# code demonstrates a transitive call chain from `Source` through `Intermediate` to `Target`:
+
+```csharp
+class Example {
+    void Target() {}
+
+    void Intermediate() {
+        Target();
+    }
+
+    void Source() {
+        Intermediate();
+    }
+}
+```
+
+Running with `sourceFunction = "Source"` and `targetFunction = "Target"` produces results showing each call site on the path with the message pattern ``Reachable call from `Source`to`Intermediate```.
+
+## Output Format
+
+The query is a `@kind problem` query producing rows of:
+
+- ``select call, "Reachable call from `caller` to `callee`"``
+
+## References
+
+- [C# Methods](https://learn.microsoft.com/en-us/dotnet/csharp/programming-guide/classes-and-structs/methods)
+- [CodeQL Call Graph Analysis](https://codeql.github.com/docs/writing-codeql-queries/about-data-flow-analysis/)

server/ql/csharp/tools/src/CallGraphFromTo/CallGraphFromTo.ql

@@ -0,0 +1,82 @@
+/**
+ * @name Call Graph From To for csharp
+ * @description Displays calls on reachable paths from a source method to a target method, showing transitive call graph connectivity.
+ * @id csharp/tools/call-graph-from-to
+ * @kind problem
+ * @problem.severity recommendation
+ * @tags call-graph
+ */
+
+import csharp
+
+/**
+ * Gets the source method name for call graph reachability analysis.
+ * Can be a single method name or comma-separated list of method names.
+ */
+external string sourceFunction();
+
+/**
+ * Gets the target method name for call graph reachability analysis.
+ * Can be a single method name or comma-separated list of method names.
+ */
+external string targetFunction();
+
+/**
+ * Gets a single source method name from the comma-separated list.
+ */
+string getSourceFunctionName() { result = sourceFunction().splitAt(",").trim() }
+
+/**
+ * Gets a single target method name from the comma-separated list.
+ */
+string getTargetFunctionName() { result = targetFunction().splitAt(",").trim() }
+
+/**
+ * Gets a method by matching against the selected source method names.
+ */
+Callable getSourceFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getSourceFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Gets a method by matching against the selected target method names.
+ */
+Callable getTargetFunction() {
+  exists(string selectedFunc |
+    selectedFunc = getTargetFunctionName() and
+    result.getName() = selectedFunc
+  )
+}
+
+/**
+ * Holds if callable `caller` directly calls callable `callee`.
+ */
+predicate calls(Callable caller_, Callable callee_) {
+  exists(Call c | c.getEnclosingCallable() = caller_ and c.getTarget() = callee_)
+}
+
+from Call call, Callable caller, Callable callee
+where
+  call.getEnclosingCallable() = caller and
+  call.getTarget() = callee and
+  (
+    // Use external predicates if available: show calls on paths from source to target
+    exists(Callable source, Callable target |
+      source = getSourceFunction() and
+      target = getTargetFunction() and
+      calls*(source, caller) and
+      calls*(callee, target)
+    )
+    or
+    // Fallback for unit tests: include test files
+    (
+      not exists(getSourceFunctionName()) and
+      not exists(getTargetFunctionName()) and
+      caller.getFile().getParentContainer().getParentContainer().getBaseName() = "test"
+    )
+  )
+select call,
+  "Reachable call from `" + caller.getName() + "` to `" + callee.getName() + "`"

server/ql/csharp/tools/test/CallGraphFromTo/CallGraphFromTo.expected

@@ -0,0 +1,5 @@
+| Example1.cs:1:7:1:14 | call to constructor Object | Reachable call from `Example1` to `Object` |
+| Example1.cs:1:7:1:14 | call to method <object initializer> | Reachable call from `Example1` to `<object initializer>` |
+| Example1.cs:7:9:7:19 | call to method Unrelated | Reachable call from `Target` to `Unrelated` |
+| Example1.cs:11:9:11:16 | call to method Target | Reachable call from `Intermediate` to `Target` |
+| Example1.cs:15:9:15:22 | call to method Intermediate | Reachable call from `Source` to `Intermediate` |

server/ql/csharp/tools/test/CallGraphFromTo/CallGraphFromTo.qlref

@@ -0,0 +1 @@
+CallGraphFromTo/CallGraphFromTo.ql

server/ql/csharp/tools/test/CallGraphFromTo/Example1.cs

@@ -0,0 +1,17 @@
+class Example1 {
+    void Unrelated() {
+        // No calls
+    }
+
+    void Target() {
+        Unrelated();
+    }
+
+    void Intermediate() {
+        Target();
+    }
+
+    void Source() {
+        Intermediate();
+    }
+}