advanced-security
diff --git a/‎package-lock.json‎
Lines changed: 0 additions & 11 deletions b/‎package-lock.json‎
Lines changed: 0 additions & 11 deletions
diff --git a/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 12 additions & 9 deletions b/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 12 additions & 9 deletions
diff --git a/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 2 additions & 2 deletions b/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎server/src/lib/cli-tool-registry.ts‎
Lines changed: 13 additions & 5 deletions b/‎server/src/lib/cli-tool-registry.ts‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎server/src/prompts/compare-overlapping-alerts.prompt.md‎
Lines changed: 8 additions & 2 deletions b/‎server/src/prompts/compare-overlapping-alerts.prompt.md‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎server/src/resources/server-prompts.md‎
Lines changed: 3 additions & 3 deletions b/‎server/src/resources/server-prompts.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎server/test/src/lib/result-processor.test.ts‎
Lines changed: 19 additions & 28 deletions b/‎server/test/src/lib/result-processor.test.ts‎
Lines changed: 19 additions & 28 deletions
diff --git a/‎server/test/src/tools/cache-tools.test.ts‎
Lines changed: 1 addition & 2 deletions b/‎server/test/src/tools/cache-tools.test.ts‎
Lines changed: 1 addition & 2 deletions
@@ -612,11 +612,19 @@ export function registerCLITool(server: McpServer, definition: CLIToolDefinition
           // when the same database is referenced through relative paths, symlinks,
           // or different casing.
           let dbLock: { ready: Promise<void>; release: () => void } | undefined;
-          if (name === 'codeql_database_analyze' && positionalArgs.length > 0) {
-            let lockKey = resolve(positionalArgs[0]);
-            try { lockKey = realpathSync(lockKey); } catch { /* use resolved path if realpath fails */ }
-            dbLock = acquireDatabaseLock(lockKey);
-            await dbLock.ready;
+          if (name === 'codeql_database_analyze') {
+            // Use the resolved database path from params (set before positionalArgs
+            // construction) rather than positionalArgs[0], which may include
+            // _positional values prepended before the database path.
+            const resolvedDb = typeof params.database === 'string'
+              ? resolveDatabasePath(params.database)
+              : (positionalArgs.length > 0 ? positionalArgs[0] : undefined);
+            if (resolvedDb) {
+              let lockKey = resolve(resolvedDb);
+              try { lockKey = realpathSync(lockKey); } catch { /* use resolved path if realpath fails */ }
+              dbLock = acquireDatabaseLock(lockKey);
+              await dbLock.ready;
+            }
           }
 
           try {
 
@@ -19,14 +19,20 @@ This workflow supports:
 
 ### Step 1: Discover available rules
 
-Use #sarif_list_rules on each SARIF source to understand what rules and result counts are present:
+Use #sarif_list_rules on each SARIF source to understand what rules and result counts are present. When comparing within a single file, call it once:
+
+```
+sarif_list_rules(sarifPath="{{sarifPathA}}")
+```
+
+When comparing two different SARIF files, call it on both:
 
 ```
 sarif_list_rules(sarifPath="{{sarifPathA}}")
 sarif_list_rules(sarifPath="{{sarifPathB}}")
 ```
 
-If comparing within a single file, call it once. The response includes `ruleId`, `resultCount`, `kind`, `precision`, `severity`, and `tags` for each rule.
+The response includes `ruleId`, `resultCount`, `kind`, `precision`, `severity`, and `tags` for each rule.
 
 ### Step 2: Choose a comparison strategy
 
 
@@ -39,12 +39,12 @@ This resource provides a complete reference of the prompts exposed by the CodeQL
 ### Documentation and Quality
 
 - **`document_codeql_query`** — Generates standardized markdown documentation as a sibling `.md` file to a query. Requires `queryPath` and `language`.
-- **`run_query_and_summarize_false_positives`** — Runs a CodeQL query on a database and groups results into false-positive categories by root cause. Uses #query_results_cache_lookup, #sarif_list_rules, #sarif_extract_rule, #sarif_rule_to_markdown, and #read_database_source for structured analysis.
-- **`sarif_rank_false_positives`** / **`sarif_rank_true_positives`** — Analyze SARIF output to assess query precision by ranking results as likely true or false positives. Uses #sarif_list_rules, #sarif_extract_rule, #sarif_rule_to_markdown, #read_database_source, #sarif_compare_alerts, and #sarif_diff_runs for context gathering.
+- **`run_query_and_summarize_false_positives`** — Runs a CodeQL query on a database and groups results into false-positive categories by root cause. Uses `query_results_cache_lookup`, `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, and `read_database_source` for structured analysis.
+- **`sarif_rank_false_positives`** / **`sarif_rank_true_positives`** — Analyze SARIF output to assess query precision by ranking results as likely true or false positives. Uses `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `read_database_source`, `sarif_compare_alerts`, and `sarif_diff_runs` for context gathering.
 
 ### Alert Analysis and Comparison
 
-- **`compare_overlapping_alerts`** — Compares CodeQL SARIF alerts across any combination of SARIF files, analysis runs, CodeQL databases, or query packs. Classifies findings as redundant, complementary, false overlap, behavioral regression, or new coverage. Uses #sarif_list_rules, #sarif_extract_rule, #sarif_rule_to_markdown, #sarif_compare_alerts, #sarif_diff_runs, and #read_database_source tools. Requires `sarifPathA`; optionally accepts `sarifPathB` for cross-file comparison, `ruleIdA`/`ruleIdB` to narrow to specific rules, and `databasePath` for source code context.
+- **`compare_overlapping_alerts`** — Compares CodeQL SARIF alerts across any combination of SARIF files, analysis runs, CodeQL databases, or query packs. Classifies findings as redundant, complementary, false overlap, behavioral regression, or new coverage. Uses `sarif_list_rules`, `sarif_extract_rule`, `sarif_rule_to_markdown`, `sarif_compare_alerts`, `sarif_diff_runs`, and `read_database_source` tools. Requires `sarifPathA`; optionally accepts `sarifPathB` for cross-file comparison, `ruleIdA`/`ruleIdB` to narrow to specific rules, and `databasePath` for source code context.
 
 ### Workshop Creation
 
 
@@ -2,9 +2,11 @@
  * Tests for result-processor — query result caching behavior.
  */
 
-import { existsSync, rmSync } from 'fs';
+import { existsSync, rmSync, writeFileSync } from 'fs';
+import { join } from 'path';
 import { afterEach, beforeEach, describe, expect, it } from 'vitest';
 import { computeQueryCacheKey } from '../../../src/lib/result-processor';
+import { readDatabaseMetadata } from '../../../src/lib/database-resolver';
 import { createProjectTempDir } from '../../../src/utils/temp-dir';
 
 // We can't easily test processQueryRunResults end-to-end because it
@@ -66,12 +68,10 @@ describe('computeQueryCacheKey', () => {
 });
 
 /**
- * Test the resolveDatabaseLanguage function.
- * This is an internal function, so we test it indirectly by importing it
- * via a re-export or by testing through the cache integration path.
- * For direct testing, we use the module internals.
+ * Test language resolution via readDatabaseMetadata (the shared function
+ * used by result-processor for resolving language from database metadata).
  */
-describe('resolveDatabaseLanguage', () => {
+describe('database language resolution for caching', () => {
   let testDir: string;
 
   beforeEach(() => {
@@ -84,29 +84,20 @@ describe('resolveDatabaseLanguage', () => {
     }
   });
 
-  // Since resolveDatabaseLanguage is not exported, we test the behavior
-  // through importing the module and testing the function's effect on
-  // caching. For now, validate the YAML parsing logic pattern.
-  it('should extract language from codeql-database.yml content', () => {
-    const yamlContent = `---
-sourceLocationPrefix: /src
-primaryLanguage: javascript
-creationMetadata:
-  cliVersion: 2.25.1
-`;
-    // Simulate the regex the function uses
-    const match = yamlContent.match(/^primaryLanguage\s*:\s*(\S+)/m);
-    expect(match).not.toBeNull();
-    expect(match![1]).toBe('javascript');
+  it('should resolve language from codeql-database.yml', () => {
+    writeFileSync(join(testDir, 'codeql-database.yml'), 'primaryLanguage: javascript\n');
+    const metadata = readDatabaseMetadata(testDir);
+    expect(metadata.language).toBe('javascript');
   });
 
-  it('should handle YAML without primaryLanguage', () => {
-    const yamlContent = `---
-sourceLocationPrefix: /src
-creationMetadata:
-  cliVersion: 2.25.1
-`;
-    const match = yamlContent.match(/^primaryLanguage\s*:\s*(\S+)/m);
-    expect(match).toBeNull();
+  it('should return undefined language when file is missing', () => {
+    const metadata = readDatabaseMetadata(testDir);
+    expect(metadata.language).toBeUndefined();
+  });
+
+  it('should resolve language from codeql-database.yaml', () => {
+    writeFileSync(join(testDir, 'codeql-database.yaml'), 'primaryLanguage: python\n');
+    const metadata = readDatabaseMetadata(testDir);
+    expect(metadata.language).toBe('python');
   });
 });
@@ -508,9 +508,8 @@ describe('Cache Tools', () => {
 
       it('should use latest entry resultCount for comparison', async () => {
         const store = sessionDataManager.getStore();
-        // Cache entry without resultCount (simulates old cache entries)
         store.putCacheEntry({
-          cacheKey: 'compare-no-count',
+          cacheKey: 'compare-latest-count',
           queryName: 'UI5Clickjacking',
           queryPath: '/ui5.ql',
           databasePath: '/db1',