From 8e2d74a7b1d9bb731a3faf9b872e38fd62ba8718 Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Mon, 12 Jan 2026 12:45:06 +0100
Subject: [PATCH 1/2] Java: Add TypeFlow base case for partially unbound types.

---
 java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll b/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll
index 21cfc54fdf8a..361b4feb54a8 100644
--- a/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll
+++ b/java/ql/lib/semmle/code/java/dataflow/TypeFlow.qll
@@ -202,6 +202,13 @@ private module Input implements TypeFlowInput<Location> {
       t1e = t2e and
       unbound(t2) and
       not unbound(t1)
+      or
+      t1e = t2e and
+      exists(int pos |
+        partiallyUnbound(t2, pos) and
+        not partiallyUnbound(t1, pos) and
+        not unbound(t1)
+      )
     )
   }
 
@@ -370,6 +377,11 @@ private module Input implements TypeFlowInput<Location> {
     )
   }
 
+  /** Holds if `t` is a parameterised type with unrestricted type argument at position `pos`. */
+  private predicate partiallyUnbound(ParameterizedType t, int pos) {
+    unconstrained(t.getTypeArgument(pos))
+  }
+
   Type getErasure(Type t) { result = t.getErasure() }
 
   Type getAnAncestor(Type sub) { result = sub.getAnAncestor() }

From 8b555ca514bf79363ed81123f46dc260b881e75b Mon Sep 17 00:00:00 2001
From: Anders Schack-Mulligen <aschackmull@github.com>
Date: Tue, 13 Jan 2026 11:20:13 +0100
Subject: [PATCH 2/2] Java: Add test.

---
 java/ql/test/library-tests/typeflow/A.java            | 8 ++++++++
 java/ql/test/library-tests/typeflow/typeflow.expected | 1 +
 2 files changed, 9 insertions(+)

diff --git a/java/ql/test/library-tests/typeflow/A.java b/java/ql/test/library-tests/typeflow/A.java
index ad19901f1514..751ad525d153 100644
--- a/java/ql/test/library-tests/typeflow/A.java
+++ b/java/ql/test/library-tests/typeflow/A.java
@@ -118,4 +118,12 @@ public void m10(Object o) {
       default -> { }
     }
   }
+
+  private static <T> T lookupFoo(Map<String, T> m) {
+    return m.get("foo");
+  }
+
+  public void m11(Map<String, String> m) {
+    lookupFoo(m);
+  }
 }
diff --git a/java/ql/test/library-tests/typeflow/typeflow.expected b/java/ql/test/library-tests/typeflow/typeflow.expected
index f0cb2356cb81..03dcb0e07666 100644
--- a/java/ql/test/library-tests/typeflow/typeflow.expected
+++ b/java/ql/test/library-tests/typeflow/typeflow.expected
@@ -18,5 +18,6 @@
 | A.java:112:23:112:24 | cs | String | false |
 | A.java:116:13:116:14 | o2 | String | false |
 | A.java:117:49:117:50 | cs | String | false |
+| A.java:123:12:123:12 | m | Map<String,String> | false |
 | UnionTypes.java:45:7:45:7 | x | Inter | false |
 | UnionTypes.java:48:23:48:23 | x | Inter | false |