advanced-security
diff --git a/‎client/integration-tests/primitives/prompts/compare_overlapping_alerts/basic_comparison/after/monitoring-state.json‎
Lines changed: 10 additions & 0 deletions b/‎client/integration-tests/primitives/prompts/compare_overlapping_alerts/basic_comparison/after/monitoring-state.json‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎client/integration-tests/primitives/prompts/compare_overlapping_alerts/basic_comparison/before/monitoring-state.json‎
Lines changed: 6 additions & 0 deletions b/‎client/integration-tests/primitives/prompts/compare_overlapping_alerts/basic_comparison/before/monitoring-state.json‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎extensions/vscode/vitest.config.ts‎
Lines changed: 1 addition & 1 deletion b/‎extensions/vscode/vitest.config.ts‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 79 additions & 82 deletions b/‎server/dist/codeql-development-mcp-server.js‎
Lines changed: 79 additions & 82 deletions
diff --git a/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 3 additions & 3 deletions b/‎server/dist/codeql-development-mcp-server.js.map‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎server/src/lib/cli-tool-registry.ts‎
Lines changed: 5 additions & 11 deletions b/‎server/src/lib/cli-tool-registry.ts‎
Lines changed: 5 additions & 11 deletions
diff --git a/‎server/src/lib/database-resolver.ts‎
Lines changed: 71 additions & 1 deletion b/‎server/src/lib/database-resolver.ts‎
Lines changed: 71 additions & 1 deletion
diff --git a/‎server/src/lib/result-processor.ts‎
Lines changed: 14 additions & 8 deletions b/‎server/src/lib/result-processor.ts‎
Lines changed: 14 additions & 8 deletions
diff --git a/‎server/src/lib/sarif-utils.ts‎
Lines changed: 17 additions & 2 deletions b/‎server/src/lib/sarif-utils.ts‎
Lines changed: 17 additions & 2 deletions
diff --git a/‎server/src/tools/cache-tools.ts‎
Lines changed: 7 additions & 19 deletions b/‎server/src/tools/cache-tools.ts‎
Lines changed: 7 additions & 19 deletions
@@ -0,0 +1,10 @@
+{
+  "sessions": [
+    {
+      "expectedContentPatterns": [
+        "sarif_list_rules",
+        "sarif_compare_alerts"
+      ]
+    }
+  ]
+}
@@ -0,0 +1,6 @@
+{
+  "sessions": [],
+  "parameters": {
+    "sarifPathA": "nonexistent/path/to/results.sarif"
+  }
+}
@@ -6,7 +6,7 @@ export default defineConfig({
     globals: true,
     environment: 'node',
     include: ['test/**/*.{test,spec}.{js,ts}'],
-    exclude: ['test/suite/**'],
+    exclude: ['test/suite/**', 'dist/**', 'node_modules/**'],
     watch: false,
     testTimeout: 10000,
     alias: {
 
@@ -5,13 +5,13 @@
 import { McpServer } from '@modelcontextprotocol/sdk/server/mcp.js';
 import { z } from 'zod';
 import { CLIExecutionResult, executeCodeQLCommand, executeQLTCommand } from './cli-executor';
-import { resolveDatabasePath } from './database-resolver';
+import { readDatabaseMetadata, resolveDatabasePath } from './database-resolver';
 import { logger } from '../utils/logger';
 import { getOrCreateLogDirectory } from './log-directory-manager';
 import { resolveQueryPath } from './query-resolver';
 import { cacheDatabaseAnalyzeResults, processQueryRunResults } from './result-processor';
 import { getUserWorkspaceDir, packageRootDir } from '../utils/package-paths';
-import { existsSync, mkdirSync, readFileSync, realpathSync, rmSync, writeFileSync } from 'fs';
+import { existsSync, mkdirSync, realpathSync, rmSync, writeFileSync } from 'fs';
 import { delimiter, dirname, isAbsolute, join, resolve } from 'path';
 import * as yaml from 'js-yaml';
 import { createProjectTempDir } from '../utils/temp-dir';
@@ -430,15 +430,9 @@ export function registerCLITool(server: McpServer, definition: CLIToolDefinition
               // Auto-resolve --source-location-prefix from codeql-database.yml
               // (only when not explicitly provided)
               if (!options['source-location-prefix']) {
-                const dbYmlPath = join(dbPath, 'codeql-database.yml');
-                try {
-                  const dbYml = readFileSync(dbYmlPath, 'utf8');
-                  const dbMeta = yaml.load(dbYml) as Record<string, unknown> | undefined;
-                  if (dbMeta?.sourceLocationPrefix && typeof dbMeta.sourceLocationPrefix === 'string') {
-                    options['source-location-prefix'] = dbMeta.sourceLocationPrefix;
-                  }
-                } catch {
-                  // codeql-database.yml missing or unparseable — skip prefix resolution
+                const dbMeta = readDatabaseMetadata(dbPath);
+                if (dbMeta.sourceLocationPrefix) {
+                  options['source-location-prefix'] = dbMeta.sourceLocationPrefix;
                 }
               }
             }
 
@@ -6,7 +6,7 @@
  */
 
 import { basename, join } from 'path';
-import { existsSync, readdirSync, statSync } from 'fs';
+import { existsSync, readdirSync, readFileSync, statSync } from 'fs';
 import { logger } from '../utils/logger';
 
 /**
@@ -70,3 +70,73 @@ export function resolveDatabasePath(dbPath: string): string {
   databasePathCache.set(dbPath, dbPath);
   return dbPath;
 }
+
+// ---------------------------------------------------------------------------
+// Database metadata
+// ---------------------------------------------------------------------------
+
+/**
+ * Metadata parsed from `codeql-database.yml`.
+ */
+export interface DatabaseMetadata {
+  cliVersion?: string;
+  creationTime?: string;
+  language?: string;
+  sourceLocationPrefix?: string;
+}
+
+/**
+ * Read and parse `codeql-database.yml` from a CodeQL database directory.
+ *
+ * Uses simple line-based parsing (no YAML dependency) to extract common
+ * metadata fields. Returns an empty object if the file is missing or
+ * unparseable. Handles both `.yml` and `.yaml` extensions.
+ *
+ * This is the single authoritative function for reading database metadata.
+ * All code that needs `primaryLanguage`, `sourceLocationPrefix`, etc.
+ * should use this function instead of ad-hoc YAML parsing.
+ */
+export function readDatabaseMetadata(databasePath: string): DatabaseMetadata {
+  for (const filename of ['codeql-database.yml', 'codeql-database.yaml']) {
+    try {
+      const content = readFileSync(join(databasePath, filename), 'utf8');
+      return parseDatabaseYmlContent(content);
+    } catch { /* file not found, try next */ }
+  }
+  return {};
+}
+
+/**
+ * Parse the text content of a `codeql-database.yml` file.
+ *
+ * Exported for testing — callers should prefer `readDatabaseMetadata()`.
+ */
+export function parseDatabaseYmlContent(content: string): DatabaseMetadata {
+  const metadata: DatabaseMetadata = {};
+
+  for (const line of content.split('\n')) {
+    const trimmed = line.trim();
+    const colonIdx = trimmed.indexOf(':');
+    if (colonIdx === -1) continue;
+
+    const key = trimmed.substring(0, colonIdx).trim();
+    const value = trimmed.substring(colonIdx + 1).trim().replace(/^["']|["']$/g, '');
+
+    switch (key) {
+      case 'primaryLanguage':
+        metadata.language = value;
+        break;
+      case 'sourceLocationPrefix':
+        metadata.sourceLocationPrefix = value;
+        break;
+      case 'cliVersion':
+        metadata.cliVersion = value;
+        break;
+      case 'creationTime':
+        metadata.creationTime = value;
+        break;
+    }
+  }
+
+  return metadata;
+}
@@ -10,9 +10,10 @@ import { basename, dirname } from 'path';
 import { mkdirSync, readFileSync } from 'fs';
 import { createHash } from 'crypto';
 import { CLIExecutionResult, executeCodeQLCommand, getActualCodeqlVersion } from './cli-executor';
+import { readDatabaseMetadata } from './database-resolver';
 import { evaluateQueryResults, extractQueryMetadata, QueryEvaluationResult } from './query-results-evaluator';
 import { resolveQueryPath } from './query-resolver';
-import { decomposeSarifByRule } from './sarif-utils';
+import { decomposeSarifByRule, getRuleDisplayName } from './sarif-utils';
 import { sessionDataManager } from './session-data-manager';
 
 /**
@@ -218,7 +219,7 @@ export async function processQueryRunResults(
             const resultContent = readFileSync(outputFilePath, 'utf8');
             const codeqlVersion = getActualCodeqlVersion();
             const dbPath = (params.database as string) || '';
-            const lang = (queryLanguage as string) || 'unknown';
+            const lang = (queryLanguage as string) || (dbPath ? (readDatabaseMetadata(dbPath).language ?? 'unknown') : 'unknown');
             const extPreds: Record<string, string> = {};
             if (params.sourceFiles) extPreds.sourceFiles = params.sourceFiles as string;
             if (params.sourceFunction) extPreds.sourceFunction = params.sourceFunction as string;
@@ -237,14 +238,17 @@ export async function processQueryRunResults(
             // Compute result count from content for SARIF formats
             let resultCount: number | null = null;
             let ruleId: string | null = null;
+            let sarifQueryName: string | null = null;
             if (outputFormat.includes('sarif')) {
               try {
                 const sarif = JSON.parse(resultContent);
                 resultCount = (sarif?.runs?.[0]?.results as unknown[] | undefined)?.length ?? 0;
-                // Extract ruleId from SARIF — single-query runs have exactly one rule
+                // Extract ruleId and query name from SARIF — single-query runs have exactly one rule
                 const rules = sarif?.runs?.[0]?.tool?.driver?.rules;
                 if (Array.isArray(rules) && rules.length > 0) {
-                  ruleId = (rules[0] as { id?: string }).id ?? null;
+                  const rule = rules[0] as import('../types/sarif').SarifRule;
+                  ruleId = rule.id ?? null;
+                  sarifQueryName = getRuleDisplayName(rule);
                 }
               } catch { /* non-SARIF content — leave count/ruleId null */ }
             }
@@ -258,7 +262,7 @@ export async function processQueryRunResults(
               interpretedPath: outputFilePath,
               language: lang,
               outputFormat,
-              queryName: (queryName as string) || basename(queryPath, '.ql'),
+              queryName: sarifQueryName || (queryName as string) || basename(queryPath, '.ql'),
               queryPath,
               resultContent,
               resultCount,
@@ -371,8 +375,8 @@ export function cacheDatabaseAnalyzeResults(
       resultCount = runs?.[0]?.results?.length ?? 0;
     } catch { /* non-SARIF content */ }
 
-    // Resolve language from database metadata if possible
-    const language = (params.language as string) || 'unknown';
+    // Resolve language from database metadata
+    const language = (params.language as string) || (readDatabaseMetadata(dbPath).language ?? 'unknown');
 
     const cacheKey = computeQueryCacheKey({
       codeqlVersion,
@@ -406,6 +410,8 @@ export function cacheDatabaseAnalyzeResults(
         for (const [ruleId, ruleSarif] of decomposed) {
           const ruleResults = ruleSarif.runs[0]?.results ?? [];
           const ruleContent = JSON.stringify(ruleSarif, null, 2);
+          const ruleDef = ruleSarif.runs[0]?.tool.driver.rules?.[0];
+          const ruleDisplayName = ruleDef ? getRuleDisplayName(ruleDef) : ruleId;
           const ruleCacheKey = computeQueryCacheKey({
             codeqlVersion,
             databasePath: dbPath,
@@ -420,7 +426,7 @@ export function cacheDatabaseAnalyzeResults(
             interpretedPath: outputPath,
             language,
             outputFormat: format,
-            queryName: ruleId,
+            queryName: ruleDisplayName,
             queryPath: queries || 'database-analyze',
             resultContent: ruleContent,
             resultCount: ruleResults.length,
 
@@ -85,6 +85,21 @@ export interface SarifDiffResult {
   unchangedRules: SarifRuleSummary[];
 }
 
+// ---------------------------------------------------------------------------
+// SARIF rule helpers
+// ---------------------------------------------------------------------------
+
+/**
+ * Get the human-readable display name for a SARIF rule.
+ *
+ * Priority: `shortDescription.text` → `name` → `id` (fallback).
+ * This is the single authoritative function for deriving a rule's
+ * display name from its SARIF definition.
+ */
+export function getRuleDisplayName(rule: SarifRule): string {
+  return rule.shortDescription?.text ?? rule.name ?? rule.id;
+}
+
 // ---------------------------------------------------------------------------
 // Location extraction helpers
 // ---------------------------------------------------------------------------
@@ -445,7 +460,7 @@ export function sarifRuleToMarkdown(sarif: SarifDocument, ruleId: string): strin
   lines.push(`## ${ruleId}`);
   lines.push('');
   if (rule) {
-    const name = rule.shortDescription?.text ?? rule.name ?? ruleId;
+    const name = getRuleDisplayName(rule);
     lines.push(`**Name**: ${name}`);
 
     const props = rule.properties as Record<string, unknown> | undefined;
@@ -549,7 +564,7 @@ export function listSarifRules(sarif: SarifDocument): SarifRuleSummary[] {
     const props = rule.properties as Record<string, unknown> | undefined;
     summaries.push({
       kind: props?.kind as string | undefined,
-      name: rule.shortDescription?.text ?? rule.name,
+      name: getRuleDisplayName(rule),
       precision: props?.precision as string | undefined,
       resultCount: countByRule.get(rule.id) ?? 0,
       ruleId: rule.id,
 
@@ -227,29 +227,17 @@ function registerQueryResultsCacheCompareTool(server: McpServer): void {
       }
 
       const comparison = Array.from(byDatabase.entries()).map(([db, dbEntries]) => {
-        // For each entry, prefer the stored resultCount; fall back to
-        // parsing the cached SARIF content to extract the result count.
-        let totalResultCount = 0;
-        for (const e of dbEntries) {
-          if (e.resultCount != null) {
-            totalResultCount += e.resultCount;
-          } else if (e.outputFormat.includes('sarif')) {
-            // Attempt to derive result count from cached SARIF content
-            try {
-              const content = store.getCacheContent(e.cacheKey);
-              if (content) {
-                const sarif = JSON.parse(content);
-                const count = (sarif?.runs?.[0]?.results as unknown[] | undefined)?.length ?? 0;
-                totalResultCount += count;
-              }
-            } catch { /* malformed SARIF or missing content */ }
-          }
-        }
+        // Use the latest entry's result count (entries are sorted by createdAt DESC).
+        // When multiple cache entries exist for the same ruleId on the same database
+        // (e.g. one from query_run and another from database_analyze decomposition),
+        // the latest entry is the most representative.
+        const latestEntry = dbEntries[0];
+        const resultCount = latestEntry.resultCount ?? 0;
         return {
           database: db,
           languages: [...new Set(dbEntries.map(e => e.language))],
           formats: [...new Set(dbEntries.map(e => e.outputFormat))],
-          totalResultCount,
+          resultCount,
           cachedRuns: dbEntries.length,
           latestCachedAt: dbEntries[0].createdAt,
         };