Merge remote-tracking branch 'origin/main' into fix/sensitive-log-hash-sanitizer

# Conflicts:
#	java/ql/test/query-tests/security/CWE-532/SensitiveLogInfo.expected
#	java/ql/test/query-tests/security/CWE-532/Test.java

MODULE.bazel

@@ -27,7 +27,7 @@ bazel_dep(name = "abseil-cpp", version = "20260107.1", repo_name = "absl")
 bazel_dep(name = "nlohmann_json", version = "3.11.3", repo_name = "json")
 bazel_dep(name = "fmt", version = "12.1.0-codeql.1")
 bazel_dep(name = "rules_kotlin", version = "2.2.2-codeql.1")
-bazel_dep(name = "gazelle", version = "0.47.0")
+bazel_dep(name = "gazelle", version = "0.50.0")
 bazel_dep(name = "rules_dotnet", version = "0.21.5-codeql.1")
 bazel_dep(name = "googletest", version = "1.17.0.bcr.2")
 bazel_dep(name = "rules_rust", version = "0.69.0")

actions/ql/lib/CHANGELOG.md

@@ -1,3 +1,13 @@
+## 0.4.34
+
+### Minor Analysis Improvements
+
+* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.
+
+## 0.4.33
+
+No user-facing changes.
+
 ## 0.4.32
 
 No user-facing changes.

actions/ql/lib/change-notes/released/0.4.33.md

@@ -0,0 +1,3 @@
+## 0.4.33
+
+No user-facing changes.

actions/ql/lib/change-notes/released/0.4.34.md

@@ -0,0 +1,5 @@
+## 0.4.34
+
+### Minor Analysis Improvements
+
+* Removed false positive injection sink models for the `context` input of `docker/build-push-action` and the `allowed-endpoints` input of `step-security/harden-runner`.

actions/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.4.32
+lastReleaseVersion: 0.4.34

actions/ql/lib/ext/manual/docker_build-push-action.model.yml

@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/actions-all
-      extensible: actionsSinkModel
-    data:
-      - ["docker/build-push-action", "*", "input.context", "code-injection", "manual"]

actions/ql/lib/ext/manual/step-security_harden-runner.model.yml

@@ -1,6 +0,0 @@
-extensions:
-  - addsTo:
-      pack: codeql/actions-all
-      extensible: actionsSinkModel
-    data:
-      - ["step-security/harden-runner", "*", "input.allowed-endpoints", "command-injection", "manual"]

actions/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-all
-version: 0.4.33-dev
+version: 0.4.35-dev
 library: true
 warnOnImplicitThis: true
 dependencies:

actions/ql/src/CHANGELOG.md

@@ -1,3 +1,17 @@
+## 0.6.26
+
+### Major Analysis Improvements
+
+* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
+
+### Minor Analysis Improvements
+
+* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.
+
+## 0.6.25
+
+No user-facing changes.
+
 ## 0.6.24
 
 No user-facing changes.
@@ -159,7 +173,7 @@ No user-facing changes.
   * `actions/if-expression-always-true/critical`
   * `actions/if-expression-always-true/high`
   * `actions/unnecessary-use-of-advanced-config`
-  
+
 * The following query has been moved from the `code-scanning` suite to the `security-extended`
   suite. Any existing alerts for this query will be closed automatically unless the analysis is
   configured to use the `security-extended` suite.

actions/ql/src/Security/CWE-275/MissingActionsPermissions.ql

@@ -26,10 +26,23 @@ string permissionsForJob(Job job) {
     "{" + concat(string permission | permission = jobNeedsPermission(job) | permission, ", ") + "}"
 }
 
+predicate jobHasPermissions(Job job) {
+  exists(job.getPermissions())
+  or
+  exists(job.getEnclosingWorkflow().getPermissions())
+  or
+  // The workflow is reusable and cannot be triggered in any other way; check callers
+  exists(ReusableWorkflow r | r = job.getEnclosingWorkflow() |
+    not exists(Event e | e = r.getOn().getAnEvent() | e.getName() != "workflow_call") and
+    forall(Job caller | caller = job.getEnclosingWorkflow().(ReusableWorkflow).getACaller() |
+      jobHasPermissions(caller)
+    )
+  )
+}
+
 from Job job, string permissions
 where
-  not exists(job.getPermissions()) and
-  not exists(job.getEnclosingWorkflow().getPermissions()) and
+  not jobHasPermissions(job) and
   // exists a trigger event that is not a workflow_call
   exists(Event e |
     e = job.getATriggerEvent() and

actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql

@@ -20,6 +20,6 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   event = getRelevantEventInPrivilegedContext(sink.getNode())
-select sink.getNode(), source, sink,
-  "Potential artifact poisoning in $@, which may be controlled by an external user ($@).", sink,
-  sink.getNode().toString(), event, event.getName()
+select source.getNode(), source, sink,
+  "Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@).",
+  event, event.getName()

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql

@@ -20,6 +20,5 @@ from ArtifactPoisoningFlow::PathNode source, ArtifactPoisoningFlow::PathNode sin
 where
   ArtifactPoisoningFlow::flowPath(source, sink) and
   inNonPrivilegedContext(sink.getNode().asExpr())
-select sink.getNode(), source, sink,
-  "Potential artifact poisoning in $@, which may be controlled by an external user.", sink,
-  sink.getNode().toString()
+select source.getNode(), source, sink,
+  "Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user."

actions/ql/src/change-notes/released/0.6.25.md

@@ -0,0 +1,3 @@
+## 0.6.25
+
+No user-facing changes.

actions/ql/src/change-notes/released/0.6.26.md

@@ -0,0 +1,9 @@
+## 0.6.26
+
+### Major Analysis Improvements
+
+* Fixed alert messages in `actions/artifact-poisoning/critical` and `actions/artifact-poisoning/medium` as they previously included a redundant placeholder in the alert message that would on occasion contain a long block of yml that makes the alert difficult to understand. Also improved the wording to make it clearer that it is not the artifact that is being poisoned, but instead a potentially untrusted artifact that is consumed. Finally, changed the alert location to be the source, to align more with other queries reporting an artifact (e.g. zipslip) which is more useful.
+
+### Minor Analysis Improvements
+
+* The query `actions/missing-workflow-permissions` no longer produces false positive results on reusable workflows where all callers set permissions.

actions/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.6.24
+lastReleaseVersion: 0.6.26

actions/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/actions-queries
-version: 0.6.25-dev
+version: 0.6.27-dev
 library: false
 warnOnImplicitThis: true
 groups: [actions, queries]

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms11.yml

@@ -0,0 +1,9 @@
+on:
+  workflow_call:
+
+jobs:
+  build:
+    name: Build and test
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/deploy-pages

actions/ql/test/query-tests/Security/CWE-275/.github/workflows/perms12.yml

@@ -0,0 +1,11 @@
+on:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write
+  pages: write
+
+jobs:
+  call-workflow:
+    uses: ./.github/workflows/perms11.yml

actions/ql/test/query-tests/Security/CWE-829/ArtifactPoisoningCritical.expected

@@ -55,21 +55,21 @@ nodes
 | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | semmle.label | ./gradlew buildScanPublishPrevious\n |
 subpaths
 #select
-| .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | python foo/x.py | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | sh foo/cmd\n | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | sh cmd | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | ./bar/cmd\n | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | npm install\nnpm run lint\n | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | ./foo/cmd | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | ./cmd | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | sed -f config foo.md > bar.md\n | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | python test.py | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
-| .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Uses Step | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | make snapshot | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | npm install | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
-| .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
-| .github/workflows/test18.yml:36:15:40:58 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Uses Step | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
-| .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning in $@, which may be controlled by an external user ($@). | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | ./gradlew buildScanPublishPrevious\n | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:28:9:29:6 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/actions/download-artifact-2/action.yaml:6:7:25:4 | Uses Step | .github/workflows/artifactpoisoning92.yml:29:14:29:26 | make snapshot | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning92.yml:3:3:3:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning11.yml:38:11:38:77 | ./sonarcloud-data/x.py build -j$(nproc) --compiler gcc --skip-build | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning11.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:13:9:32:6 | Uses Step | .github/workflows/artifactpoisoning12.yml:38:11:38:25 | python foo/x.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning12.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning21.yml:19:14:20:21 | sh foo/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning21.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:13:9:17:6 | Uses Step | .github/workflows/artifactpoisoning22.yml:18:14:18:19 | sh cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning22.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:13:9:15:6 | Run Step | .github/workflows/artifactpoisoning31.yml:19:14:19:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning31.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning32.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning32.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning33.yml:17:14:18:20 | ./bar/cmd\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning33.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:13:9:16:6 | Run Step | .github/workflows/artifactpoisoning34.yml:20:14:22:23 | npm install\nnpm run lint\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning34.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning41.yml:22:14:22:22 | ./foo/cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning41.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:13:9:21:6 | Run Step | .github/workflows/artifactpoisoning42.yml:22:14:22:18 | ./cmd | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning42.yml:4:3:4:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:9:9:16:6 | Uses Step | .github/workflows/artifactpoisoning71.yml:17:14:18:40 | sed -f config foo.md > bar.md\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning71.yml:4:5:4:16 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:28:9:31:6 | Uses Step | .github/workflows/artifactpoisoning81.yml:31:14:31:27 | python test.py | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning81.yml:3:5:3:23 | pull_request_target | pull_request_target |
+| .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:13:9:18:6 | Uses Step | .github/workflows/artifactpoisoning96.yml:18:14:18:24 | npm install | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning96.yml:2:3:2:14 | workflow_run | workflow_run |
+| .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:10:9:16:6 | Uses Step | .github/workflows/artifactpoisoning101.yml:17:14:19:59 | PR_NUMBER=$(./get_pull_request_number.sh pr_number.txt)\necho "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT \n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/artifactpoisoning101.yml:4:3:4:21 | pull_request_target | pull_request_target |
+| .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:12:15:33:12 | Uses Step | .github/workflows/test18.yml:36:15:40:58 | Uses Step | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test18.yml:3:5:3:16 | workflow_run | workflow_run |
+| .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:22:9:32:6 | Uses Step: downloadBuildScan | .github/workflows/test25.yml:39:14:40:45 | ./gradlew buildScanPublishPrevious\n | Potential artifact poisoning; the artifact being consumed has contents that may be controlled by an external user ($@). | .github/workflows/test25.yml:2:3:2:14 | workflow_run | workflow_run |

cpp/ql/integration-tests/query-suite/cpp-code-scanning.qls.expected

@@ -7,10 +7,12 @@ ql/cpp/ql/src/Diagnostics/ExtractedFiles.ql
 ql/cpp/ql/src/Diagnostics/ExtractionWarnings.ql
 ql/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+ql/cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql
 ql/cpp/ql/src/Likely Bugs/Arithmetic/SignedOverflowCheck.ql
 ql/cpp/ql/src/Likely Bugs/Conversion/CastArrayPointerArithmetic.ql
 ql/cpp/ql/src/Likely Bugs/Format/SnprintfOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Format/WrongNumberOfFormatArguments.ql
+ql/cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/AllocaInLoop.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/PointerOverflow.ql
 ql/cpp/ql/src/Likely Bugs/Memory Management/ReturnStackAllocatedMemory.ql
@@ -28,6 +30,7 @@ ql/cpp/ql/src/Security/CWE/CWE-120/VeryLikelyOverrunWrite.ql
 ql/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
 ql/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
 ql/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+ql/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
 ql/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
 ql/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
 ql/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -40,6 +43,7 @@ ql/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/IteratorToExpiredContainer.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfStringAfterLifetimeEnds.ql
 ql/cpp/ql/src/Security/CWE/CWE-416/UseOfUniquePointerAfterLifetimeEnds.ql
+ql/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
 ql/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
 ql/cpp/ql/src/Security/CWE/CWE-611/XXE.ql
 ql/cpp/ql/src/Security/CWE/CWE-676/DangerousFunctionOverflow.ql

cpp/ql/lib/CHANGELOG.md

@@ -1,3 +1,34 @@
+## 10.0.0
+
+### Breaking Changes
+
+* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
+* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
+
+### New Features
+
+* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.
+
+## 9.0.0
+
+### Breaking Changes
+
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
+
+### New Features
+
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
+
+### Minor Analysis Improvements
+
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).
+
 ## 8.0.3
 
 No user-facing changes.

cpp/ql/lib/change-notes/2026-03-20-add-indirect-uninitialized-node.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.

cpp/ql/lib/change-notes/2026-03-20-data-extensions-barriers.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* Data flow barriers and barrier guards can now be added using data extensions. For more information see [Customizing library models for C and C++](https://codeql.github.com/docs/codeql-language-guides/customizing-library-models-for-cpp/).

cpp/ql/lib/change-notes/2026-03-23-indirect-parameter-nodes-and-indirect-instructions.md

@@ -1,5 +0,0 @@
----
-category: feature
----
-* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
-* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.

cpp/ql/lib/change-notes/2026-03-24-field-init.md

@@ -1,5 +0,0 @@
----
-category: feature
----
-* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
-* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.

cpp/ql/lib/change-notes/2026-03-26-convert-csv-models-to-yml.md

@@ -1,4 +0,0 @@
----
-category: breaking
----
-* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.

cpp/ql/lib/change-notes/2026-03-28-switch-stmt.md

@@ -0,0 +1,4 @@
+---
+category: feature
+---
+* A new predicate `getSwitchCase` was added to the `SwitchStmt` class, which yields the `n`th `case` statement from a `switch` statement.

cpp/ql/lib/change-notes/2026-03-30-nsdmi-dataflow.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added dataflow through members initialized via non-static data member initialization (NSDMI).

cpp/ql/lib/change-notes/2026-03-31-http-flow-sources.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.

cpp/ql/lib/change-notes/2026-03-31-meson.md

@@ -1,4 +0,0 @@
----
-category: feature
----
-* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.

cpp/ql/lib/change-notes/2026-04-28-strsafe.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added taint flow models for the `Strsafe.h` header from the Windows SDK.

cpp/ql/lib/change-notes/released/10.0.0.md

@@ -0,0 +1,10 @@
+## 10.0.0
+
+### Breaking Changes
+
+* The deprecated `NonThrowingFunction` class has been removed, use `NonCppThrowingFunction` instead.
+* The deprecated `ThrowingFunction` class has been removed, use `AlwaysSehThrowingFunction` instead.
+
+### New Features
+
+* Added a subclass `AutoconfConfigureTestFile` of `ConfigurationTestFile` that represents files created by GNU autoconf configure scripts to test the build configuration.

cpp/ql/lib/change-notes/released/9.0.0.md

@@ -0,0 +1,19 @@
+## 9.0.0
+
+### Breaking Changes
+
+* The `SourceModelCsv`, `SinkModelCsv`, and `SummaryModelCsv` classes and the associated CSV parsing infrastructure have been removed from `ExternalFlow.qll`. New models should be added as `.model.yml` files in the `ext/` directory.
+
+### New Features
+
+* Added a subclass `MesonPrivateTestFile` of `ConfigurationTestFile` that represents files created by Meson to test the build configuration.
+* Added a class `ConstructorDirectFieldInit` to represent field initializations that occur in member initializer lists.
+* Added a class `ConstructorDefaultFieldInit` to represent default field initializations.
+* Added a class `DataFlow::IndirectParameterNode` to represent the indirection of a parameter as a dataflow node.
+* Added a predicate `Node::asIndirectInstruction` which returns the `Instruction` that defines the indirect dataflow node, if any.
+* Added a class `IndirectUninitializedNode` to represent the indirection of an uninitialized local variable as a dataflow node.
+
+### Minor Analysis Improvements
+
+* Added `HttpReceiveHttpRequest`, `HttpReceiveRequestEntityBody`, and `HttpReceiveClientCertificate` from Win32's `http.h` as remote flow sources.
+* Added dataflow through members initialized via non-static data member initialization (NSDMI).

cpp/ql/lib/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 8.0.3
+lastReleaseVersion: 10.0.0

cpp/ql/lib/ext/Strsafe.model.yml

@@ -0,0 +1,94 @@
+# Models for strsafe.h safe string functions
+extensions:
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: sourceModel
+    data: # namespace, type, subtypes, name, signature, ext, output, kind, provenance
+      # StringCchGets: (pszDest, cchDest)
+      - ["", "", False, "StringCchGetsA", "", "", "Argument[*0]", "local", "manual"]
+      - ["", "", False, "StringCchGetsW", "", "", "Argument[*0]", "local", "manual"]
+      # StringCbGets: (pszDest, cbDest)
+      - ["", "", False, "StringCbGetsA", "", "", "Argument[*0]", "local", "manual"]
+      - ["", "", False, "StringCbGetsW", "", "", "Argument[*0]", "local", "manual"]
+      # StringCchGetsEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags)
+      - ["", "", False, "StringCchGetsExA", "", "", "Argument[*0]", "local", "manual"]
+      - ["", "", False, "StringCchGetsExW", "", "", "Argument[*0]", "local", "manual"]
+      # StringCbGetsEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags)
+      - ["", "", False, "StringCbGetsExA", "", "", "Argument[*0]", "local", "manual"]
+      - ["", "", False, "StringCbGetsExW", "", "", "Argument[*0]", "local", "manual"]
+  - addsTo:
+      pack: codeql/cpp-all
+      extensible: summaryModel
+    data: # namespace, type, subtypes, name, signature, ext, input, output, kind, provenance
+      # StringCchCopy: (pszDest, cchDest, pszSrc)
+      - ["", "", False, "StringCchCopyA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchCopyW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbCopy: (pszDest, cbDest, pszSrc)
+      - ["", "", False, "StringCbCopyA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbCopyW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchCopyEx: (pszDest, cchDest, pszSrc, ppszDestEnd, pcchRemaining, dwFlags)
+      - ["", "", False, "StringCchCopyExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchCopyExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbCopyEx: (pszDest, cbDest, pszSrc, ppszDestEnd, pcbRemaining, dwFlags)
+      - ["", "", False, "StringCbCopyExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbCopyExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchCopyN: (pszDest, cchDest, pszSrc, cchToCopy)
+      - ["", "", False, "StringCchCopyNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchCopyNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbCopyN: (pszDest, cbDest, pszSrc, cbToCopy)
+      - ["", "", False, "StringCbCopyNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbCopyNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchCopyNEx: (pszDest, cchDest, pszSrc, cchToCopy, ppszDestEnd, pcchRemaining, dwFlags)
+      - ["", "", False, "StringCchCopyNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchCopyNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbCopyNEx: (pszDest, cbDest, pszSrc, cbToCopy, ppszDestEnd, pcbRemaining, dwFlags)
+      - ["", "", False, "StringCbCopyNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbCopyNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchCat: (pszDest, cchDest, pszSrc)
+      - ["", "", False, "StringCchCatA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchCatW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbCat: (pszDest, cbDest, pszSrc)
+      - ["", "", False, "StringCbCatA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbCatW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchCatEx: (pszDest, cchDest, pszSrc, ppszDestEnd, pcchRemaining, dwFlags)
+      - ["", "", False, "StringCchCatExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchCatExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbCatEx: (pszDest, cbDest, pszSrc, ppszDestEnd, pcbRemaining, dwFlags)
+      - ["", "", False, "StringCbCatExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbCatExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchCatN: (pszDest, cchDest, pszSrc, cchToAppend)
+      - ["", "", False, "StringCchCatNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchCatNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbCatN: (pszDest, cbDest, pszSrc, cbToAppend)
+      - ["", "", False, "StringCbCatNA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbCatNW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchCatNEx: (pszDest, cchDest, pszSrc, cchToAppend, ppszDestEnd, pcchRemaining, dwFlags)
+      - ["", "", False, "StringCchCatNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchCatNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbCatNEx: (pszDest, cbDest, pszSrc, cbToAppend, ppszDestEnd, pcbRemaining, dwFlags)
+      - ["", "", False, "StringCbCatNExA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbCatNExW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchPrintf: (pszDest, cchDest, pszFormat, ...)
+      - ["", "", False, "StringCchPrintfA", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchPrintfW", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
+      # StringCbPrintf: (pszDest, cbDest, pszFormat, ...)
+      - ["", "", False, "StringCbPrintfA", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbPrintfW", "", "", "Argument[*2..8]", "Argument[*0]", "taint", "manual"]
+      # StringCchPrintfEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, ...)
+      - ["", "", False, "StringCchPrintfExA", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchPrintfExW", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
+      # StringCbPrintfEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, ...)
+      - ["", "", False, "StringCbPrintfExA", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbPrintfExW", "", "", "Argument[*5..11]", "Argument[*0]", "taint", "manual"]
+      # StringCchVPrintf: (pszDest, cchDest, pszFormat, argList)
+      - ["", "", False, "StringCchVPrintfA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchVPrintfW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCbVPrintf: (pszDest, cbDest, pszFormat, argList)
+      - ["", "", False, "StringCbVPrintfA", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbVPrintfW", "", "", "Argument[*2]", "Argument[*0]", "taint", "manual"]
+      # StringCchVPrintfEx: (pszDest, cchDest, ppszDestEnd, pcchRemaining, dwFlags, pszFormat, argList)
+      - ["", "", False, "StringCchVPrintfExA", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCchVPrintfExW", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
+      # StringCbVPrintfEx: (pszDest, cbDest, ppszDestEnd, pcbRemaining, dwFlags, pszFormat, argList)
+      - ["", "", False, "StringCbVPrintfExA", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]
+      - ["", "", False, "StringCbVPrintfExW", "", "", "Argument[*5]", "Argument[*0]", "taint", "manual"]

cpp/ql/lib/ext/allocation/Std.allocation.model.yml

@@ -12,4 +12,7 @@ extensions:
       - ["", "", False, "_malloca", "0", "", "", False]
       - ["", "", False, "calloc", "1", "0", "", True]
       - ["std", "", False, "calloc", "1", "0", "", True]
-      - ["bsl", "", False, "calloc", "1", "0", "", True]
+      - ["bsl", "", False, "calloc", "1", "0", "", True]
+      - ["", "", False, "aligned_alloc", "1", "", "", True]
+      - ["std", "", False, "aligned_alloc", "1", "", "", True]
+      - ["bsl", "", False, "aligned_alloc", "1", "", "", True]

cpp/ql/lib/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-all
-version: 8.0.4-dev
+version: 10.0.1-dev
 groups: cpp
 dbscheme: semmlecode.cpp.dbscheme
 extractor: cpp

cpp/ql/lib/semmle/code/cpp/ConfigurationTestFile.qll

@@ -42,3 +42,10 @@ class MesonPrivateTestFile extends ConfigurationTestFile {
     )
   }
 }
+
+/**
+ * A file created by a GNU autoconf configure script to test the system configuration.
+ */
+class AutoconfConfigureTestFile extends ConfigurationTestFile {
+  AutoconfConfigureTestFile() { this.getBaseName().regexpMatch("conftest[0-9]*\\.c(pp)?") }
+}

cpp/ql/lib/semmle/code/cpp/commons/Printf.qll

@@ -459,6 +459,13 @@ class FormatLiteral extends Literal instanceof StringLiteral {
    */
   int getConvSpecOffset(int n) { result = this.getFormat().indexOf("%", n, 0) }
 
+  /**
+   * Gets the nth conversion specifier string.
+   */
+  private string getConvSpecString(int n) {
+    n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
+  }
+
   /*
    * Each of these predicates gets a regular expressions to match each individual
    * parts of a conversion specifier.
@@ -524,22 +531,20 @@ class FormatLiteral extends Literal instanceof StringLiteral {
     int n, string spec, string params, string flags, string width, string prec, string len,
     string conv
   ) {
-    exists(int offset, string fmt, string rst, string regexp |
-      offset = this.getConvSpecOffset(n) and
-      fmt = this.getFormat() and
-      rst = fmt.substring(offset, fmt.length()) and
+    exists(string convSpec, string regexp |
+      convSpec = this.getConvSpecString(n) and
       regexp = this.getConvSpecRegexp() and
       (
-        spec = rst.regexpCapture(regexp, 1) and
-        params = rst.regexpCapture(regexp, 2) and
-        flags = rst.regexpCapture(regexp, 3) and
-        width = rst.regexpCapture(regexp, 4) and
-        prec = rst.regexpCapture(regexp, 5) and
-        len = rst.regexpCapture(regexp, 6) and
-        conv = rst.regexpCapture(regexp, 7)
+        spec = convSpec.regexpCapture(regexp, 1) and
+        params = convSpec.regexpCapture(regexp, 2) and
+        flags = convSpec.regexpCapture(regexp, 3) and
+        width = convSpec.regexpCapture(regexp, 4) and
+        prec = convSpec.regexpCapture(regexp, 5) and
+        len = convSpec.regexpCapture(regexp, 6) and
+        conv = convSpec.regexpCapture(regexp, 7)
         or
-        spec = rst.regexpCapture(regexp, 1) and
-        not exists(rst.regexpCapture(regexp, 2)) and
+        spec = convSpec.regexpCapture(regexp, 1) and
+        not exists(convSpec.regexpCapture(regexp, 2)) and
         params = "" and
         flags = "" and
         width = "" and
@@ -554,12 +559,10 @@ class FormatLiteral extends Literal instanceof StringLiteral {
    * Gets the nth conversion specifier (including the initial `%`).
    */
   string getConvSpec(int n) {
-    exists(int offset, string fmt, string rst, string regexp |
-      offset = this.getConvSpecOffset(n) and
-      fmt = this.getFormat() and
-      rst = fmt.substring(offset, fmt.length()) and
+    exists(string convSpec, string regexp |
+      convSpec = this.getConvSpecString(n) and
       regexp = this.getConvSpecRegexp() and
-      result = rst.regexpCapture(regexp, 1)
+      result = convSpec.regexpCapture(regexp, 1)
     )
   }
 

cpp/ql/lib/semmle/code/cpp/commons/Scanf.qll

@@ -194,6 +194,13 @@ class ScanfFormatLiteral extends Expr {
     )
   }
 
+  /**
+   * Gets the nth conversion specifier string.
+   */
+  private string getConvSpecString(int n) {
+    n >= 0 and result = "%" + this.getFormat().splitAt("%", n + 1)
+  }
+
   /**
    * Gets the regular expression to match each individual part of a conversion specifier.
    */
@@ -227,16 +234,14 @@ class ScanfFormatLiteral extends Expr {
    * specifier.
    */
   predicate parseConvSpec(int n, string spec, string width, string len, string conv) {
-    exists(int offset, string fmt, string rst, string regexp |
-      offset = this.getConvSpecOffset(n) and
-      fmt = this.getFormat() and
-      rst = fmt.substring(offset, fmt.length()) and
+    exists(string convSpec, string regexp |
+      convSpec = this.getConvSpecString(n) and
       regexp = this.getConvSpecRegexp() and
       (
-        spec = rst.regexpCapture(regexp, 1) and
-        width = rst.regexpCapture(regexp, 2) and
-        len = rst.regexpCapture(regexp, 3) and
-        conv = rst.regexpCapture(regexp, 4)
+        spec = convSpec.regexpCapture(regexp, 1) and
+        width = convSpec.regexpCapture(regexp, 2) and
+        len = convSpec.regexpCapture(regexp, 3) and
+        conv = convSpec.regexpCapture(regexp, 4)
       )
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/ExternalFlow.qll

@@ -6,11 +6,15 @@
  *
  * The extensible relations have the following columns:
  * - Sources:
- *   `namespace; type; subtypes; name; signature; ext; output; kind`
+ *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
  * - Sinks:
- *   `namespace; type; subtypes; name; signature; ext; input; kind`
+ *   `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
  * - Summaries:
- *   `namespace; type; subtypes; name; signature; ext; input; output; kind`
+ *   `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
+ * - Barriers:
+ *   `namespace; type; subtypes; name; signature; ext; output; kind; provenance`
+ * - BarrierGuards:
+ *   `namespace; type; subtypes; name; signature; ext; input; acceptingValue; kind; provenance`
  *
  * The interpretation of a row is similar to API-graphs with a left-to-right
  * reading.
@@ -87,11 +91,23 @@
  *    value, and
  *    - flow from the _second_ indirection of the 0th argument to the first
  *    indirection of the return value, etc.
- * 8. The `kind` column is a tag that can be referenced from QL to determine to
+ * 8. The `acceptingValue` column of barrier guard models specifies the condition
+ *    under which the guard blocks flow. It can be one of "true" or "false". In
+ *    the future "no-exception", "not-zero", "null", "not-null" may be supported.
+ * 9. The `kind` column is a tag that can be referenced from QL to determine to
  *    which classes the interpreted elements should be added. For example, for
  *    sources "remote" indicates a default remote flow source, and for summaries
  *    "taint" indicates a default additional taint step and "value" indicates a
  *    globally applicable value-preserving step.
+ * 10. The `provenance` column is a tag to indicate the origin and verification of a model.
+ *    The format is {origin}-{verification} or just "manual" where the origin describes
+ *    the origin of the model and verification describes how the model has been verified.
+ *    Some examples are:
+ *    - "df-generated": The model has been generated by the model generator tool.
+ *    - "df-manual": The model has been generated by the model generator and verified by a human.
+ *    - "manual": The model has been written by hand.
+ *    This information is used in a heuristic for dataflow analysis to determine, if a
+ *    model or source code should be used for determining flow.
  */
 
 import cpp
@@ -931,13 +947,13 @@ private module Cached {
 
   private predicate barrierGuardChecks(IRGuardCondition g, Expr e, boolean gv, TKindModelPair kmp) {
     exists(
-      SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingvalue,
+      SourceSinkInterpretationInput::InterpretNode n, Public::AcceptingValue acceptingValue,
       string kind, string model
     |
-      isBarrierGuardNode(n, acceptingvalue, kind, model) and
+      isBarrierGuardNode(n, acceptingValue, kind, model) and
       n.asNode().asExpr() = e and
       kmp = TMkPair(kind, model) and
-      gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
+      gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
       n.asNode().(Private::ArgumentNode).getCall().asCallInstruction() = g
     )
   }
@@ -954,14 +970,14 @@ private module Cached {
   ) {
     exists(
       SourceSinkInterpretationInput::InterpretNode interpretNode,
-      Public::AcceptingValue acceptingvalue, string kind, string model, int indirectionIndex,
+      Public::AcceptingValue acceptingValue, string kind, string model, int indirectionIndex,
       Private::ArgumentNode arg
     |
-      isBarrierGuardNode(interpretNode, acceptingvalue, kind, model) and
+      isBarrierGuardNode(interpretNode, acceptingValue, kind, model) and
       arg = interpretNode.asNode() and
       arg.asIndirectExpr(indirectionIndex) = e and
       kmp = MkKindModelPairIntPair(TMkPair(kind, model), indirectionIndex) and
-      gv = convertAcceptingValue(acceptingvalue).asBooleanValue() and
+      gv = convertAcceptingValue(acceptingValue).asBooleanValue() and
       arg.getCall().asCallInstruction() = g
     )
   }

cpp/ql/lib/semmle/code/cpp/dataflow/internal/ExternalFlowExtensions.qll

@@ -33,7 +33,7 @@ extensible predicate barrierModel(
  */
 extensible predicate barrierGuardModel(
   string namespace, string type, boolean subtypes, string name, string signature, string ext,
-  string input, string acceptingvalue, string kind, string provenance, QlBuiltins::ExtensionId madId
+  string input, string acceptingValue, string kind, string provenance, QlBuiltins::ExtensionId madId
 );
 
 /**

cpp/ql/lib/semmle/code/cpp/dataflow/internal/FlowSummaryImpl.qll

@@ -162,13 +162,13 @@ module SourceSinkInterpretationInput implements
   }
 
   predicate barrierGuardElement(
-    Element e, string input, Public::AcceptingValue acceptingvalue, string kind,
+    Element e, string input, Public::AcceptingValue acceptingValue, string kind,
     Public::Provenance provenance, string model
   ) {
     exists(
       string package, string type, boolean subtypes, string name, string signature, string ext
     |
-      barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingvalue, kind,
+      barrierGuardModel(package, type, subtypes, name, signature, ext, input, acceptingValue, kind,
         provenance, model) and
       e = interpretElement(package, type, subtypes, name, signature, ext)
     )

cpp/ql/lib/semmle/code/cpp/internal/QualifiedName.qll

@@ -18,7 +18,7 @@ class Namespace extends @namespace {
     if namespacembrs(_, this)
     then
       exists(Namespace ns |
-        namespacembrs(ns, this) and
+        namespacembrs(ns, pragma[only_bind_out](this)) and
         result = ns.getQualifiedName() + "::" + this.getName()
       )
     else result = this.getName()
@@ -37,7 +37,7 @@ class Namespace extends @namespace {
   string getAQualifierForMembers() {
     if namespacembrs(_, this)
     then
-      exists(Namespace ns | namespacembrs(ns, this) |
+      exists(Namespace ns | namespacembrs(ns, pragma[only_bind_out](this)) |
         result = ns.getAQualifierForMembers() + "::" + this.getName()
         or
         // If this is an inline namespace, its members are also visible in any

cpp/ql/lib/semmle/code/cpp/ir/implementation/raw/internal/TranslatedAssertion.qll

@@ -114,6 +114,7 @@ private predicate parseArgument(string arg, string s, int i, Opcode opcode) {
 
 private Element getAChildScope(Element scope) { result.getParentScope() = scope }
 
+pragma[nomagic]
 private predicate hasAVariable(MacroInvocation mi, Stmt s, Element scope) {
   assertion0(mi, s, _) and
   s.getParent() = scope
@@ -121,15 +122,32 @@ private predicate hasAVariable(MacroInvocation mi, Stmt s, Element scope) {
   hasAVariable(mi, s, getAChildScope(scope))
 }
 
-private LocalScopeVariable getVariable(MacroInvocation mi, int i) {
-  exists(string operand, string arg, Stmt s |
+private predicate hasParentScope(Variable v, Element scope) { v.getParentScope() = scope }
+
+pragma[nomagic]
+private predicate hasAssertionOperand(MacroInvocation mi, int i, Stmt s, string operand) {
+  exists(string arg |
     assertion0(mi, s, arg) and
-    parseArgument(arg, operand, i, _) and
+    parseArgument(arg, operand, i, _)
+  )
+}
+
+pragma[nomagic]
+private predicate hasNameAndParentScope(string name, Element scope, Variable v) {
+  v.hasName(name) and
+  hasParentScope(v, scope)
+}
+
+pragma[nomagic]
+private LocalScopeVariable getVariable(MacroInvocation mi, int i) {
+  exists(string name, Stmt s |
+    hasAssertionOperand(mi, i, s, name) and
     result =
-      unique(Variable v |
+      unique(Variable v, Element parentScope |
+        hasAssertionOperand(mi, _, s, name) and
         v.getLocation().getStartLine() < s.getLocation().getStartLine() and
-        hasAVariable(mi, s, v.getParentScope()) and
-        v.hasName(operand)
+        hasAVariable(mi, s, parentScope) and
+        hasNameAndParentScope(name, parentScope, v)
       |
         v
       )

cpp/ql/lib/semmle/code/cpp/models/interfaces/NonThrowing.qll

@@ -11,10 +11,3 @@ import semmle.code.cpp.models.Models
  * The function may still raise a structured exception handling (SEH) exception.
  */
 abstract class NonCppThrowingFunction extends Function { }
-
-/**
- * A function that is guaranteed to never throw.
- *
- * DEPRECATED: use `NonCppThrowingFunction` instead.
- */
-deprecated class NonThrowingFunction = NonCppThrowingFunction;

cpp/ql/lib/semmle/code/cpp/models/interfaces/Throwing.qll

@@ -10,19 +10,6 @@ import semmle.code.cpp.Function
 import semmle.code.cpp.models.Models
 import semmle.code.cpp.models.interfaces.FunctionInputsAndOutputs
 
-/**
- * A function that is known to raise an exception.
- *
- * DEPRECATED: use `AlwaysSehThrowingFunction` instead.
- */
-abstract deprecated class ThrowingFunction extends Function {
-  /**
-   * Holds if this function may throw an exception during evaluation.
-   * If `unconditional` is `true` the function always throws an exception.
-   */
-  abstract predicate mayThrowException(boolean unconditional);
-}
-
 /**
  * A function that unconditionally raises a structured exception handling (SEH) exception.
  */

cpp/ql/lib/semmle/code/cpp/stmts/Stmt.qll

@@ -1412,9 +1412,9 @@ private int indexOfSwitchCaseRank(BlockStmt b, int rnk) {
  * switch (i)
  * {
  * case 5:
- *   ...
+ *     ...
  * default:
- *   ...
+ *     ...
  * }
  * ```
  */
@@ -1516,8 +1516,10 @@ class SwitchCase extends Stmt, @stmt_switch_case {
    * which has result `default:`, which has no result.
    */
   SwitchCase getNextSwitchCase() {
-    result.getSwitchStmt() = this.getSwitchStmt() and
-    result.getChildNum() = this.getChildNum() + 1
+    exists(SwitchStmt s, int n |
+      this = s.getSwitchCase(n) and
+      result = s.getSwitchCase(n + 1)
+    )
   }
 
   /**
@@ -1707,9 +1709,9 @@ class SwitchCase extends Stmt, @stmt_switch_case {
  * switch (i)
  * {
  * case 5:
- *   ...
+ *     ...
  * default:
- *   ...
+ *     ...
  * }
  * ```
  */
@@ -1731,9 +1733,9 @@ class DefaultCase extends SwitchCase {
  * switch (i)
  * {
  * case 5:
- *   ...
+ *     ...
  * default:
- *   ...
+ *     ...
  * }
  * ```
  */
@@ -1768,10 +1770,10 @@ class SwitchStmt extends ConditionalStmt, @stmt_switch {
    * For example, for
    * ```
    * switch(i) {
-   *     case 1:
-   *     case 2:
+   * case 1:
+   * case 2:
    *     break;
-   *     default:
+   * default:
    *     break;
    * }
    * ```
@@ -1790,20 +1792,20 @@ class SwitchStmt extends ConditionalStmt, @stmt_switch {
    * For example, for
    * ```
    * switch(i) {
-   *     case 1:
-   *     case 2:
+   * case 1:
+   * case 2:
    *     break;
-   *     default:
+   * default:
    *     break;
    * }
    * ```
    * the result is
    * ```
    * {
-   *     case 1:
-   *     case 2:
+   * case 1:
+   * case 2:
    *     break;
-   *     default:
+   * default:
    *     break;
    * }
    * ```
@@ -1816,10 +1818,10 @@ class SwitchStmt extends ConditionalStmt, @stmt_switch {
    * For example, for
    * ```
    * switch(i) {
-   *     case 1:
-   *     case 2:
+   * case 1:
+   * case 2:
    *     break;
-   *     default:
+   * default:
    *     break;
    * }
    * ```
@@ -1827,6 +1829,23 @@ class SwitchStmt extends ConditionalStmt, @stmt_switch {
    */
   SwitchCase getASwitchCase() { switch_case(underlyingElement(this), _, unresolveElement(result)) }
 
+  /**
+   * Gets the `n`th 'switch case' statement of this 'switch' statement, where
+   * `n` is 0-based.
+   *
+   * For example, for
+   * ```
+   * switch(i) {
+   * case 5:
+   * case 6:
+   * default:
+   * }   * ```
+   * 0 yields `case 5:`, 1 yields `case 6:`, and 2 yields `default:`.
+   */
+  SwitchCase getSwitchCase(int n) {
+    switch_case(underlyingElement(this), n, unresolveElement(result))
+  }
+
   /**
    * Gets the 'default case' statement of this 'switch' statement,
    * if any.
@@ -1834,18 +1853,18 @@ class SwitchStmt extends ConditionalStmt, @stmt_switch {
    * For example, for
    * ```
    * switch(i) {
-   *     case 1:
-   *     case 2:
+   * case 1:
+   * case 2:
    *     break;
-   *     default:
+   * default:
    *     break;
    * }
    * ```
    * the result is `default:`, but there is no result for
    * ```
    * switch(i) {
-   *     case 1:
-   *     case 2:
+   * case 1:
+   * case 2:
    *     break;
    * }
    * ```
@@ -1858,18 +1877,18 @@ class SwitchStmt extends ConditionalStmt, @stmt_switch {
    * For example, this holds for
    * ```
    * switch(i) {
-   *     case 1:
-   *     case 2:
+   * case 1:
+   * case 2:
    *     break;
-   *     default:
+   * default:
    *     break;
    * }
    * ```
    * but not for
    * ```
    * switch(i) {
-   *     case 1:
-   *     case 2:
+   * case 1:
+   * case 2:
    *     break;
    * }
    * ```

cpp/ql/src/CHANGELOG.md

@@ -1,3 +1,28 @@
+## 1.6.1
+
+### Minor Analysis Improvements
+
+* Added `AllocationFunction` models for `aligned_alloc`, `std::aligned_alloc`, and `bsl::aligned_alloc`.
+* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.
+
+## 1.6.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Minor Analysis Improvements
+
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.
+
 ## 1.5.15
 
 No user-facing changes.
@@ -341,7 +366,7 @@ No user-facing changes.
 ### Minor Analysis Improvements
 
 * The "non-constant format string" query (`cpp/non-constant-format`) has been updated to produce fewer false positives.
-* Added dataflow models for the `gettext` function variants. 
+* Added dataflow models for the `gettext` function variants.
 
 ## 0.9.4
 

cpp/ql/src/Likely Bugs/Arithmetic/IntMultToLong.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 8.1
- * @precision medium
+ * @precision high
  * @id cpp/integer-multiplication-cast-to-long
  * @tags reliability
  *       security

cpp/ql/src/Likely Bugs/Format/WrongTypeFormatArguments.ql

@@ -5,7 +5,7 @@
  * @kind problem
  * @problem.severity error
  * @security-severity 7.5
- * @precision medium
+ * @precision high
  * @id cpp/wrong-type-format-argument
  * @tags reliability
  *       correctness

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.qhelp

@@ -14,6 +14,9 @@ function may behave unpredictably.</p>
 <p>This may indicate a misspelled function name, or that the required header containing
 the function declaration has not been included.</p>
 
+<p>Note: This query is not compatible with <code>build mode: none</code> databases, and produces
+no results on those databases.</p>
+
 </overview>
 <recommendation>
 <p>Provide an explicit declaration of the function before invoking it.</p>
@@ -26,4 +29,4 @@ the function declaration has not been included.</p>
 <references>
 <li>SEI CERT C Coding Standard: <a href="https://wiki.sei.cmu.edu/confluence/display/c/DCL31-C.+Declare+identifiers+before+using+them">DCL31-C. Declare identifiers before using them</a></li>
 </references>
-</qhelp>
+</qhelp>

cpp/ql/src/Likely Bugs/Underspecified Functions/ImplicitFunctionDeclaration.ql

@@ -5,7 +5,7 @@
  * may lead to unpredictable behavior.
  * @kind problem
  * @problem.severity warning
- * @precision medium
+ * @precision high
  * @id cpp/implicit-function-declaration
  * @tags correctness
  *       maintainability
@@ -17,6 +17,11 @@ import TooFewArguments
 import TooManyArguments
 import semmle.code.cpp.commons.Exclusions
 
+/*
+ * This query is not compatible with build mode: none databases, and produces
+ * no results on those databases.
+ */
+
 predicate locInfo(Locatable e, File file, int line, int col) {
   e.getFile() = file and
   e.getLocation().getStartLine() = line and
@@ -39,6 +44,7 @@ predicate isCompiledAsC(File f) {
 from FunctionDeclarationEntry fdeIm, FunctionCall fc
 where
   isCompiledAsC(fdeIm.getFile()) and
+  not any(Compilation c).buildModeNone() and
   not isFromMacroDefinition(fc) and
   fdeIm.isImplicit() and
   sameLocation(fdeIm, fc) and

cpp/ql/src/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.qll

@@ -79,9 +79,7 @@ private predicate hasZeroParamDecl(Function f) {
 
 // True if this file (or header) was compiled as a C file
 private predicate isCompiledAsC(File f) {
-  f.compiledAsC()
-  or
-  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
 }
 
 predicate mistypedFunctionArguments(FunctionCall fc, Function f, Parameter p) {

cpp/ql/src/Likely Bugs/Underspecified Functions/TooFewArguments.qll

@@ -28,9 +28,7 @@ private predicate hasZeroParamDecl(Function f) {
 
 /* Holds if this file (or header) was compiled as a C file. */
 private predicate isCompiledAsC(File f) {
-  f.compiledAsC()
-  or
-  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
 }
 
 /** Holds if `fc` is a call to `f` with too few arguments. */

cpp/ql/src/Likely Bugs/Underspecified Functions/TooManyArguments.qll

@@ -19,9 +19,7 @@ private predicate hasZeroParamDecl(Function f) {
 
 // True if this file (or header) was compiled as a C file
 private predicate isCompiledAsC(File f) {
-  f.compiledAsC()
-  or
-  exists(File src | isCompiledAsC(src) | src.getAnIncludedFile() = f)
+  exists(File src | src.compiledAsC() | src.getAnIncludedFile*() = f)
 }
 
 predicate tooManyArguments(FunctionCall fc, Function f) {

cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 7.8
- * @precision medium
+ * @precision high
  * @tags reliability
  *       security
  *       external/cwe/cwe-190

cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql

@@ -6,7 +6,7 @@
  * @kind problem
  * @problem.severity warning
  * @security-severity 8.8
- * @precision medium
+ * @precision high
  * @id cpp/suspicious-add-sizeof
  * @tags security
  *       external/cwe/cwe-468

cpp/ql/src/change-notes/2026-03-11-integer-multiplication-cast-to-long.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-13-adjust-xss-and-log-injection-severity.md

@@ -1,4 +0,0 @@
----
-category: queryMetadata
----
-* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).

cpp/ql/src/change-notes/2026-03-16-wrong-type-format-argument.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-19-suspicious-add-sizeof.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/2026-03-19-tainted-format-string.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.

cpp/ql/src/change-notes/2026-03-30-warning-diagnostics.md

@@ -1,4 +0,0 @@
----
-category: minorAnalysis
----
-* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.

cpp/ql/src/change-notes/released/1.6.0.md

@@ -0,0 +1,13 @@
+## 1.6.0
+
+### Query Metadata Changes
+
+* The `@security-severity` metadata of `cpp/cgi-xss` has been increased from 6.1 (medium) to 7.8 (high).
+
+### Minor Analysis Improvements
+
+* The "Extraction warnings" (`cpp/diagnostics/extraction-warnings`) diagnostics query no longer yields `ExtractionRecoverableWarning`s for `build-mode: none` databases. The results were found to significantly increase the sizes of the produced SARIF files, making them unprocessable in some cases.
+* Fixed an issue with the "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Uncontrolled format string" (`cpp/tainted-format-string`) query involving certain kinds of formatting function implementations.
+* Fixed an issue with the "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query causing false positive results in `build-mode: none` databases.
+* Fixed an issue with the "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query causing false positive results in `build-mode: none` databases.

cpp/ql/src/change-notes/released/1.6.1.md

@@ -0,0 +1,10 @@
+## 1.6.1
+
+### Minor Analysis Improvements
+
+* Added `AllocationFunction` models for `aligned_alloc`, `std::aligned_alloc`, and `bsl::aligned_alloc`.
+* The "Comparison of narrow type with wide type in loop condition" (`cpp/comparison-with-wider-type`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Multiplication result converted to larger type" (`cpp/integer-multiplication-cast-to-long`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Suspicious add with sizeof" (`cpp/suspicious-add-sizeof`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Wrong type of arguments to formatting function" (`cpp/wrong-type-format-argument`) query has been upgraded to `high` precision. This query will now run in the default code scanning suite.
+* The "Implicit function declaration" (`cpp/implicit-function-declaration`) query has been upgraded to `high` precision. However, for `build mode: none` databases, it no longer produces any results. The results in this mode were found to be very noisy and fundamentally imprecise.

cpp/ql/src/codeql-pack.release.yml

@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 1.5.15
+lastReleaseVersion: 1.6.1

cpp/ql/src/qlpack.yml

@@ -1,5 +1,5 @@
 name: codeql/cpp-queries
-version: 1.5.16-dev
+version: 1.6.2-dev
 groups:
   - cpp
   - queries

cpp/ql/test/library-tests/builtins/complex/builtin.expected

@@ -1,4 +1,4 @@
 | complex.c:3:23:3:51 | __builtin_complex | file://:0:0:0:0 | _Complex double | complex.c:3:41:3:44 | real | file://:0:0:0:0 | double | complex.c:3:47:3:50 | imag | file://:0:0:0:0 | double |
-| complex.c:4:23:4:57 | __builtin_complex | file://:0:0:0:0 | _Complex double | complex.c:4:41:4:47 | 2.71828000000000003 | file://:0:0:0:0 | double | complex.c:4:50:4:56 | 3.141589999999999883 | file://:0:0:0:0 | double |
+| complex.c:4:23:4:57 | __builtin_complex | file://:0:0:0:0 | _Complex double | complex.c:4:41:4:47 | 2.71828 | file://:0:0:0:0 | double | complex.c:4:50:4:56 | 3.14159 | file://:0:0:0:0 | double |
 | complex.c:8:22:8:52 | __builtin_complex | file://:0:0:0:0 | _Complex float | complex.c:8:40:8:44 | realf | file://:0:0:0:0 | float | complex.c:8:47:8:51 | imagf | file://:0:0:0:0 | float |
-| complex.c:9:22:9:52 | __builtin_complex | file://:0:0:0:0 | _Complex float | complex.c:9:40:9:44 | 1.230000019 | file://:0:0:0:0 | float | complex.c:9:47:9:51 | 4.559999943 | file://:0:0:0:0 | float |
+| complex.c:9:22:9:52 | __builtin_complex | file://:0:0:0:0 | _Complex float | complex.c:9:40:9:44 | 1.23 | file://:0:0:0:0 | float | complex.c:9:47:9:51 | 4.56 | file://:0:0:0:0 | float |

cpp/ql/test/library-tests/controlflow/guards/GuardsCompare.expected

@@ -298,16 +298,16 @@
 | test.c:182:8:182:34 | ! ... | ! ... == 1 when ! ... is true |
 | test.c:182:8:182:34 | ! ... | ... && ... != 0 when ! ... is false |
 | test.c:182:8:182:34 | ! ... | ... && ... == 0 when ! ... is true |
-| test.c:182:10:182:20 | ... >= ... | 9.999999999999999547e-07 < foo+1 when ... >= ... is true |
-| test.c:182:10:182:20 | ... >= ... | 9.999999999999999547e-07 >= foo+1 when ... >= ... is false |
+| test.c:182:10:182:20 | ... >= ... | 1.0E-6 < foo+1 when ... >= ... is true |
+| test.c:182:10:182:20 | ... >= ... | 1.0E-6 >= foo+1 when ... >= ... is false |
 | test.c:182:10:182:20 | ... >= ... | ... >= ... != 0 when ... >= ... is true |
 | test.c:182:10:182:20 | ... >= ... | ... >= ... != 1 when ... >= ... is false |
 | test.c:182:10:182:20 | ... >= ... | ... >= ... == 0 when ... >= ... is false |
 | test.c:182:10:182:20 | ... >= ... | ... >= ... == 1 when ... >= ... is true |
-| test.c:182:10:182:20 | ... >= ... | foo < 9.999999999999999547e-07+0 when ... >= ... is false |
-| test.c:182:10:182:20 | ... >= ... | foo >= 9.999999999999999547e-07+0 when ... >= ... is true |
+| test.c:182:10:182:20 | ... >= ... | foo < 1.0E-6+0 when ... >= ... is false |
+| test.c:182:10:182:20 | ... >= ... | foo >= 1.0E-6+0 when ... >= ... is true |
 | test.c:182:10:182:33 | ... && ... | 1.0 >= foo+1 when ... && ... is true |
-| test.c:182:10:182:33 | ... && ... | 9.999999999999999547e-07 < foo+1 when ... && ... is true |
+| test.c:182:10:182:33 | ... && ... | 1.0E-6 < foo+1 when ... && ... is true |
 | test.c:182:10:182:33 | ... && ... | ! ... != 0 when ... && ... is false |
 | test.c:182:10:182:33 | ... && ... | ! ... != 1 when ... && ... is true |
 | test.c:182:10:182:33 | ... && ... | ! ... == 0 when ... && ... is true |
@@ -319,7 +319,7 @@
 | test.c:182:10:182:33 | ... && ... | ... >= ... != 0 when ... && ... is true |
 | test.c:182:10:182:33 | ... && ... | ... >= ... == 1 when ... && ... is true |
 | test.c:182:10:182:33 | ... && ... | foo < 1.0+0 when ... && ... is true |
-| test.c:182:10:182:33 | ... && ... | foo >= 9.999999999999999547e-07+0 when ... && ... is true |
+| test.c:182:10:182:33 | ... && ... | foo >= 1.0E-6+0 when ... && ... is true |
 | test.c:182:25:182:33 | ... < ... | 1.0 < foo+1 when ... < ... is false |
 | test.c:182:25:182:33 | ... < ... | 1.0 >= foo+1 when ... < ... is true |
 | test.c:182:25:182:33 | ... < ... | ... < ... != 0 when ... < ... is true |

cpp/ql/test/library-tests/controlflow/guards/GuardsEnsure.expected

@@ -169,12 +169,12 @@ binary
 | test.c:176:8:176:15 | ! ... | test.c:176:14:176:14 | b | < | test.c:176:10:176:10 | a | 1 | test.c:176:18:178:5 | { ... } |
 | test.c:176:10:176:14 | ... < ... | test.c:176:10:176:10 | a | >= | test.c:176:14:176:14 | b | 0 | test.c:176:18:178:5 | { ... } |
 | test.c:176:10:176:14 | ... < ... | test.c:176:14:176:14 | b | < | test.c:176:10:176:10 | a | 1 | test.c:176:18:178:5 | { ... } |
-| test.c:182:10:182:20 | ... >= ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 9.999999999999999547e-07 | 0 | test.c:181:25:182:20 | { ... } |
-| test.c:182:10:182:20 | ... >= ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 9.999999999999999547e-07 | 0 | test.c:182:25:182:33 | foo |
-| test.c:182:10:182:20 | ... >= ... | test.c:182:17:182:20 | 9.999999999999999547e-07 | < | test.c:182:10:182:12 | foo | 1 | test.c:181:25:182:20 | { ... } |
-| test.c:182:10:182:20 | ... >= ... | test.c:182:17:182:20 | 9.999999999999999547e-07 | < | test.c:182:10:182:12 | foo | 1 | test.c:182:25:182:33 | foo |
-| test.c:182:10:182:33 | ... && ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 9.999999999999999547e-07 | 0 | test.c:181:25:182:20 | { ... } |
-| test.c:182:10:182:33 | ... && ... | test.c:182:17:182:20 | 9.999999999999999547e-07 | < | test.c:182:10:182:12 | foo | 1 | test.c:181:25:182:20 | { ... } |
+| test.c:182:10:182:20 | ... >= ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 1.0E-6 | 0 | test.c:181:25:182:20 | { ... } |
+| test.c:182:10:182:20 | ... >= ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 1.0E-6 | 0 | test.c:182:25:182:33 | foo |
+| test.c:182:10:182:20 | ... >= ... | test.c:182:17:182:20 | 1.0E-6 | < | test.c:182:10:182:12 | foo | 1 | test.c:181:25:182:20 | { ... } |
+| test.c:182:10:182:20 | ... >= ... | test.c:182:17:182:20 | 1.0E-6 | < | test.c:182:10:182:12 | foo | 1 | test.c:182:25:182:33 | foo |
+| test.c:182:10:182:33 | ... && ... | test.c:182:10:182:12 | foo | >= | test.c:182:17:182:20 | 1.0E-6 | 0 | test.c:181:25:182:20 | { ... } |
+| test.c:182:10:182:33 | ... && ... | test.c:182:17:182:20 | 1.0E-6 | < | test.c:182:10:182:12 | foo | 1 | test.c:181:25:182:20 | { ... } |
 | test.c:182:10:182:33 | ... && ... | test.c:182:25:182:27 | foo | < | test.c:182:31:182:33 | 1.0 | 0 | test.c:181:25:182:20 | { ... } |
 | test.c:182:10:182:33 | ... && ... | test.c:182:31:182:33 | 1.0 | >= | test.c:182:25:182:27 | foo | 1 | test.c:181:25:182:20 | { ... } |
 | test.c:182:25:182:33 | ... < ... | test.c:182:25:182:27 | foo | < | test.c:182:31:182:33 | 1.0 | 0 | test.c:181:25:182:20 | { ... } |

cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp

@@ -115,3 +115,19 @@ void test_zmc(void *socket) {
     // ...
   }
 }
+
+long StringCchGetsA(char *, size_t);
+long StringCchGetsExA(char *, size_t, char **, size_t *, unsigned long);
+
+void test_strsafe_gets() {
+	{
+		char dest[256] = {0};
+		StringCchGetsA(dest, sizeof(dest)); // $ local_source
+	}
+	{
+		char dest[256] = {0};
+		char *end;
+		size_t remaining;
+		StringCchGetsExA(dest, sizeof(dest), &end, &remaining, 0); // $ local_source
+	}
+}

cpp/ql/test/library-tests/dataflow/taint-tests/localTaint.expected

@@ -8008,6 +8008,174 @@ WARNING: module 'TaintTracking' has been deprecated and may be removed in future
 | taint.cpp:866:26:866:34 | ref arg & ... | taint.cpp:866:27:866:34 | size_out [inner post update] |  |
 | taint.cpp:866:27:866:34 | size_out | taint.cpp:866:26:866:34 | & ... |  |
 | taint.cpp:867:8:867:8 | p | taint.cpp:867:7:867:8 | * ... | TAINT |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:897:38:897:43 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:907:37:907:42 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:914:40:914:45 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:919:39:919:44 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:926:41:926:46 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:931:37:931:42 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:941:36:941:41 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:948:39:948:44 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:953:38:953:43 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:960:40:960:45 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:965:46:965:51 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:975:45:975:50 | source |  |
+| taint.cpp:892:17:892:31 | call to indirect_source | taint.cpp:982:69:982:74 | source |  |
+| taint.cpp:893:32:893:46 | call to indirect_source | taint.cpp:902:38:902:44 | wsource |  |
+| taint.cpp:893:32:893:46 | call to indirect_source | taint.cpp:936:37:936:43 | wsource |  |
+| taint.cpp:893:32:893:46 | call to indirect_source | taint.cpp:970:47:970:53 | wsource |  |
+| taint.cpp:896:19:896:22 | {...} | taint.cpp:897:18:897:21 | dest |  |
+| taint.cpp:896:19:896:22 | {...} | taint.cpp:897:31:897:34 | dest |  |
+| taint.cpp:896:19:896:22 | {...} | taint.cpp:898:9:898:12 | dest |  |
+| taint.cpp:896:21:896:21 | 0 | taint.cpp:896:19:896:22 | {...} | TAINT |
+| taint.cpp:897:18:897:21 | ref arg dest | taint.cpp:898:9:898:12 | dest |  |
+| taint.cpp:898:9:898:12 | dest | taint.cpp:898:8:898:12 | * ... |  |
+| taint.cpp:901:22:901:25 | {...} | taint.cpp:902:18:902:21 | dest |  |
+| taint.cpp:901:22:901:25 | {...} | taint.cpp:902:31:902:34 | dest |  |
+| taint.cpp:901:22:901:25 | {...} | taint.cpp:903:9:903:12 | dest |  |
+| taint.cpp:901:24:901:24 | 0 | taint.cpp:901:22:901:25 | {...} | TAINT |
+| taint.cpp:902:18:902:21 | ref arg dest | taint.cpp:903:9:903:12 | dest |  |
+| taint.cpp:903:9:903:12 | dest | taint.cpp:903:8:903:12 | * ... |  |
+| taint.cpp:906:19:906:22 | {...} | taint.cpp:907:17:907:20 | dest |  |
+| taint.cpp:906:19:906:22 | {...} | taint.cpp:907:30:907:33 | dest |  |
+| taint.cpp:906:19:906:22 | {...} | taint.cpp:908:9:908:12 | dest |  |
+| taint.cpp:906:21:906:21 | 0 | taint.cpp:906:19:906:22 | {...} | TAINT |
+| taint.cpp:907:17:907:20 | ref arg dest | taint.cpp:908:9:908:12 | dest |  |
+| taint.cpp:908:9:908:12 | dest | taint.cpp:908:8:908:12 | * ... |  |
+| taint.cpp:911:19:911:22 | {...} | taint.cpp:914:20:914:23 | dest |  |
+| taint.cpp:911:19:911:22 | {...} | taint.cpp:914:33:914:36 | dest |  |
+| taint.cpp:911:19:911:22 | {...} | taint.cpp:915:9:915:12 | dest |  |
+| taint.cpp:911:21:911:21 | 0 | taint.cpp:911:19:911:22 | {...} | TAINT |
+| taint.cpp:912:9:912:11 | end | taint.cpp:914:49:914:51 | end |  |
+| taint.cpp:913:10:913:18 | remaining | taint.cpp:914:55:914:63 | remaining |  |
+| taint.cpp:914:20:914:23 | ref arg dest | taint.cpp:915:9:915:12 | dest |  |
+| taint.cpp:914:48:914:51 | ref arg & ... | taint.cpp:914:49:914:51 | end [inner post update] |  |
+| taint.cpp:914:49:914:51 | end | taint.cpp:914:48:914:51 | & ... |  |
+| taint.cpp:914:54:914:63 | ref arg & ... | taint.cpp:914:55:914:63 | remaining [inner post update] |  |
+| taint.cpp:914:55:914:63 | remaining | taint.cpp:914:54:914:63 | & ... |  |
+| taint.cpp:915:9:915:12 | dest | taint.cpp:915:8:915:12 | * ... |  |
+| taint.cpp:918:19:918:22 | {...} | taint.cpp:919:19:919:22 | dest |  |
+| taint.cpp:918:19:918:22 | {...} | taint.cpp:919:32:919:35 | dest |  |
+| taint.cpp:918:19:918:22 | {...} | taint.cpp:920:9:920:12 | dest |  |
+| taint.cpp:918:21:918:21 | 0 | taint.cpp:918:19:918:22 | {...} | TAINT |
+| taint.cpp:919:19:919:22 | ref arg dest | taint.cpp:920:9:920:12 | dest |  |
+| taint.cpp:920:9:920:12 | dest | taint.cpp:920:8:920:12 | * ... |  |
+| taint.cpp:923:19:923:22 | {...} | taint.cpp:926:21:926:24 | dest |  |
+| taint.cpp:923:19:923:22 | {...} | taint.cpp:926:34:926:37 | dest |  |
+| taint.cpp:923:19:923:22 | {...} | taint.cpp:927:8:927:11 | dest |  |
+| taint.cpp:923:21:923:21 | 0 | taint.cpp:923:19:923:22 | {...} | TAINT |
+| taint.cpp:924:9:924:11 | end | taint.cpp:926:55:926:57 | end |  |
+| taint.cpp:925:10:925:18 | remaining | taint.cpp:926:61:926:69 | remaining |  |
+| taint.cpp:926:21:926:24 | ref arg dest | taint.cpp:927:8:927:11 | dest |  |
+| taint.cpp:926:54:926:57 | ref arg & ... | taint.cpp:926:55:926:57 | end [inner post update] |  |
+| taint.cpp:926:55:926:57 | end | taint.cpp:926:54:926:57 | & ... |  |
+| taint.cpp:926:60:926:69 | ref arg & ... | taint.cpp:926:61:926:69 | remaining [inner post update] |  |
+| taint.cpp:926:61:926:69 | remaining | taint.cpp:926:60:926:69 | & ... |  |
+| taint.cpp:930:20:930:27 | prefix | taint.cpp:931:17:931:20 | dest |  |
+| taint.cpp:930:20:930:27 | prefix | taint.cpp:931:30:931:33 | dest |  |
+| taint.cpp:930:20:930:27 | prefix | taint.cpp:932:9:932:12 | dest |  |
+| taint.cpp:931:17:931:20 | ref arg dest | taint.cpp:932:9:932:12 | dest |  |
+| taint.cpp:932:9:932:12 | dest | taint.cpp:932:8:932:12 | * ... |  |
+| taint.cpp:935:23:935:31 | prefix | taint.cpp:936:17:936:20 | dest |  |
+| taint.cpp:935:23:935:31 | prefix | taint.cpp:936:30:936:33 | dest |  |
+| taint.cpp:935:23:935:31 | prefix | taint.cpp:937:9:937:12 | dest |  |
+| taint.cpp:936:17:936:20 | ref arg dest | taint.cpp:937:9:937:12 | dest |  |
+| taint.cpp:937:9:937:12 | dest | taint.cpp:937:8:937:12 | * ... |  |
+| taint.cpp:940:20:940:27 | prefix | taint.cpp:941:16:941:19 | dest |  |
+| taint.cpp:940:20:940:27 | prefix | taint.cpp:941:29:941:32 | dest |  |
+| taint.cpp:940:20:940:27 | prefix | taint.cpp:942:9:942:12 | dest |  |
+| taint.cpp:941:16:941:19 | ref arg dest | taint.cpp:942:9:942:12 | dest |  |
+| taint.cpp:942:9:942:12 | dest | taint.cpp:942:8:942:12 | * ... |  |
+| taint.cpp:945:20:945:27 | prefix | taint.cpp:948:19:948:22 | dest |  |
+| taint.cpp:945:20:945:27 | prefix | taint.cpp:948:32:948:35 | dest |  |
+| taint.cpp:945:20:945:27 | prefix | taint.cpp:949:9:949:12 | dest |  |
+| taint.cpp:946:9:946:11 | end | taint.cpp:948:48:948:50 | end |  |
+| taint.cpp:947:10:947:18 | remaining | taint.cpp:948:54:948:62 | remaining |  |
+| taint.cpp:948:19:948:22 | ref arg dest | taint.cpp:949:9:949:12 | dest |  |
+| taint.cpp:948:47:948:50 | ref arg & ... | taint.cpp:948:48:948:50 | end [inner post update] |  |
+| taint.cpp:948:48:948:50 | end | taint.cpp:948:47:948:50 | & ... |  |
+| taint.cpp:948:53:948:62 | ref arg & ... | taint.cpp:948:54:948:62 | remaining [inner post update] |  |
+| taint.cpp:948:54:948:62 | remaining | taint.cpp:948:53:948:62 | & ... |  |
+| taint.cpp:949:9:949:12 | dest | taint.cpp:949:8:949:12 | * ... |  |
+| taint.cpp:952:20:952:27 | prefix | taint.cpp:953:18:953:21 | dest |  |
+| taint.cpp:952:20:952:27 | prefix | taint.cpp:953:31:953:34 | dest |  |
+| taint.cpp:952:20:952:27 | prefix | taint.cpp:954:9:954:12 | dest |  |
+| taint.cpp:953:18:953:21 | ref arg dest | taint.cpp:954:9:954:12 | dest |  |
+| taint.cpp:954:9:954:12 | dest | taint.cpp:954:8:954:12 | * ... |  |
+| taint.cpp:957:20:957:27 | prefix | taint.cpp:960:20:960:23 | dest |  |
+| taint.cpp:957:20:957:27 | prefix | taint.cpp:960:33:960:36 | dest |  |
+| taint.cpp:957:20:957:27 | prefix | taint.cpp:961:9:961:12 | dest |  |
+| taint.cpp:958:9:958:11 | end | taint.cpp:960:54:960:56 | end |  |
+| taint.cpp:959:10:959:18 | remaining | taint.cpp:960:60:960:68 | remaining |  |
+| taint.cpp:960:20:960:23 | ref arg dest | taint.cpp:961:9:961:12 | dest |  |
+| taint.cpp:960:53:960:56 | ref arg & ... | taint.cpp:960:54:960:56 | end [inner post update] |  |
+| taint.cpp:960:54:960:56 | end | taint.cpp:960:53:960:56 | & ... |  |
+| taint.cpp:960:59:960:68 | ref arg & ... | taint.cpp:960:60:960:68 | remaining [inner post update] |  |
+| taint.cpp:960:60:960:68 | remaining | taint.cpp:960:59:960:68 | & ... |  |
+| taint.cpp:961:9:961:12 | dest | taint.cpp:961:8:961:12 | * ... |  |
+| taint.cpp:964:19:964:22 | {...} | taint.cpp:965:20:965:23 | dest |  |
+| taint.cpp:964:19:964:22 | {...} | taint.cpp:965:33:965:36 | dest |  |
+| taint.cpp:964:19:964:22 | {...} | taint.cpp:966:9:966:12 | dest |  |
+| taint.cpp:964:21:964:21 | 0 | taint.cpp:964:19:964:22 | {...} | TAINT |
+| taint.cpp:965:20:965:23 | ref arg dest | taint.cpp:966:9:966:12 | dest |  |
+| taint.cpp:965:40:965:43 | %s | taint.cpp:965:20:965:23 | ref arg dest | TAINT |
+| taint.cpp:965:46:965:51 | ref arg source | taint.cpp:975:45:975:50 | source |  |
+| taint.cpp:965:46:965:51 | ref arg source | taint.cpp:982:69:982:74 | source |  |
+| taint.cpp:965:46:965:51 | source | taint.cpp:965:20:965:23 | ref arg dest | TAINT |
+| taint.cpp:966:9:966:12 | dest | taint.cpp:966:8:966:12 | * ... |  |
+| taint.cpp:969:22:969:25 | {...} | taint.cpp:970:20:970:23 | dest |  |
+| taint.cpp:969:22:969:25 | {...} | taint.cpp:970:33:970:36 | dest |  |
+| taint.cpp:969:22:969:25 | {...} | taint.cpp:971:9:971:12 | dest |  |
+| taint.cpp:969:24:969:24 | 0 | taint.cpp:969:22:969:25 | {...} | TAINT |
+| taint.cpp:970:20:970:23 | ref arg dest | taint.cpp:971:9:971:12 | dest |  |
+| taint.cpp:970:40:970:44 | %s | taint.cpp:970:20:970:23 | ref arg dest | TAINT |
+| taint.cpp:970:47:970:53 | wsource | taint.cpp:970:20:970:23 | ref arg dest | TAINT |
+| taint.cpp:971:9:971:12 | dest | taint.cpp:971:8:971:12 | * ... |  |
+| taint.cpp:974:19:974:22 | {...} | taint.cpp:975:19:975:22 | dest |  |
+| taint.cpp:974:19:974:22 | {...} | taint.cpp:975:32:975:35 | dest |  |
+| taint.cpp:974:19:974:22 | {...} | taint.cpp:976:9:976:12 | dest |  |
+| taint.cpp:974:21:974:21 | 0 | taint.cpp:974:19:974:22 | {...} | TAINT |
+| taint.cpp:975:19:975:22 | ref arg dest | taint.cpp:976:9:976:12 | dest |  |
+| taint.cpp:975:39:975:42 | %s | taint.cpp:975:19:975:22 | ref arg dest | TAINT |
+| taint.cpp:975:45:975:50 | ref arg source | taint.cpp:982:69:982:74 | source |  |
+| taint.cpp:975:45:975:50 | source | taint.cpp:975:19:975:22 | ref arg dest | TAINT |
+| taint.cpp:976:9:976:12 | dest | taint.cpp:976:8:976:12 | * ... |  |
+| taint.cpp:979:19:979:22 | {...} | taint.cpp:982:22:982:25 | dest |  |
+| taint.cpp:979:19:979:22 | {...} | taint.cpp:982:35:982:38 | dest |  |
+| taint.cpp:979:19:979:22 | {...} | taint.cpp:983:9:983:12 | dest |  |
+| taint.cpp:979:21:979:21 | 0 | taint.cpp:979:19:979:22 | {...} | TAINT |
+| taint.cpp:980:9:980:11 | end | taint.cpp:982:43:982:45 | end |  |
+| taint.cpp:981:10:981:18 | remaining | taint.cpp:982:49:982:57 | remaining |  |
+| taint.cpp:982:22:982:25 | ref arg dest | taint.cpp:983:9:983:12 | dest |  |
+| taint.cpp:982:42:982:45 | ref arg & ... | taint.cpp:982:43:982:45 | end [inner post update] |  |
+| taint.cpp:982:43:982:45 | end | taint.cpp:982:42:982:45 | & ... |  |
+| taint.cpp:982:48:982:57 | ref arg & ... | taint.cpp:982:49:982:57 | remaining [inner post update] |  |
+| taint.cpp:982:49:982:57 | remaining | taint.cpp:982:48:982:57 | & ... |  |
+| taint.cpp:982:63:982:66 | %s | taint.cpp:982:22:982:25 | ref arg dest | TAINT |
+| taint.cpp:982:69:982:74 | source | taint.cpp:982:22:982:25 | ref arg dest | TAINT |
+| taint.cpp:983:9:983:12 | dest | taint.cpp:983:8:983:12 | * ... |  |
+| taint.cpp:986:19:986:22 | {...} | taint.cpp:988:20:988:23 | dest |  |
+| taint.cpp:986:19:986:22 | {...} | taint.cpp:988:33:988:36 | dest |  |
+| taint.cpp:986:19:986:22 | {...} | taint.cpp:989:9:989:12 | dest |  |
+| taint.cpp:986:21:986:21 | 0 | taint.cpp:986:19:986:22 | {...} | TAINT |
+| taint.cpp:987:15:987:29 | call to indirect_source | taint.cpp:988:40:988:42 | fmt |  |
+| taint.cpp:988:20:988:23 | ref arg dest | taint.cpp:989:9:989:12 | dest |  |
+| taint.cpp:988:40:988:42 | fmt | taint.cpp:988:20:988:23 | ref arg dest | TAINT |
+| taint.cpp:989:9:989:12 | dest | taint.cpp:989:8:989:12 | * ... |  |
+| taint.cpp:992:19:992:22 | {...} | taint.cpp:993:20:993:23 | dest |  |
+| taint.cpp:992:19:992:22 | {...} | taint.cpp:993:33:993:36 | dest |  |
+| taint.cpp:992:19:992:22 | {...} | taint.cpp:994:9:994:12 | dest |  |
+| taint.cpp:992:21:992:21 | 0 | taint.cpp:992:19:992:22 | {...} | TAINT |
+| taint.cpp:993:20:993:23 | ref arg dest | taint.cpp:994:9:994:12 | dest |  |
+| taint.cpp:993:40:993:43 | %d | taint.cpp:993:20:993:23 | ref arg dest | TAINT |
+| taint.cpp:993:46:993:47 | 42 | taint.cpp:993:20:993:23 | ref arg dest | TAINT |
+| taint.cpp:994:9:994:12 | dest | taint.cpp:994:8:994:12 | * ... |  |
+| taint.cpp:997:19:997:22 | {...} | taint.cpp:998:18:998:21 | dest |  |
+| taint.cpp:997:19:997:22 | {...} | taint.cpp:998:31:998:34 | dest |  |
+| taint.cpp:997:19:997:22 | {...} | taint.cpp:999:9:999:12 | dest |  |
+| taint.cpp:997:21:997:21 | 0 | taint.cpp:997:19:997:22 | {...} | TAINT |
+| taint.cpp:998:18:998:21 | ref arg dest | taint.cpp:999:9:999:12 | dest |  |
+| taint.cpp:999:9:999:12 | dest | taint.cpp:999:8:999:12 | * ... |  |
 | thread.cpp:10:27:10:27 | s | thread.cpp:10:27:10:27 | s |  |
 | thread.cpp:10:27:10:27 | s | thread.cpp:11:8:11:8 | s |  |
 | thread.cpp:14:26:14:26 | s | thread.cpp:15:8:15:8 | s |  |

cpp/ql/test/library-tests/dataflow/taint-tests/taint.cpp

@@ -866,3 +866,136 @@ void test_iconv(size_t size) {
 	iconv(0, &s, &size, &p, &size_out);
 	sink(*p); // $ ast,ir
 }
+
+using va_list = void*;
+
+long StringCchCopyA(char *, size_t, const char *);
+long StringCchCopyW(wchar_t *, size_t, const wchar_t *);
+long StringCbCopyA(char *, size_t, const char *);
+long StringCchCopyExA(char *, size_t, const char *, char **, size_t *, unsigned long);
+long StringCchCopyNA(char *, size_t, const char *, size_t);
+long StringCchCopyNExA(char *, size_t, const char *, size_t, char **, size_t *, unsigned long);
+long StringCchCatA(char *, size_t, const char *);
+long StringCchCatW(wchar_t *, size_t, const wchar_t *);
+long StringCbCatA(char *, size_t, const char *);
+long StringCchCatExA(char *, size_t, const char *, char **, size_t *, unsigned long);
+long StringCchCatNA(char *, size_t, const char *, size_t);
+long StringCchCatNExA(char *, size_t, const char *, size_t, char **, size_t *, unsigned long);
+long StringCchPrintfA(char *, size_t, const char *, ...);
+long StringCchPrintfW(wchar_t *, size_t, const wchar_t *, ...);
+long StringCbPrintfA(char *, size_t, const char *, ...);
+long StringCchPrintfExA(char *, size_t, char **, size_t *, unsigned long, const char *, ...);
+long StringCchVPrintfA(char *, size_t, const char *, va_list);
+long StringCchVPrintfExA(char *, size_t, char **, size_t *, unsigned long, const char *, va_list);
+
+void test_strsafe() {
+	char *source = indirect_source();
+	wchar_t *wsource = (wchar_t *)indirect_source();
+
+	{
+		char dest[256] = {0};
+		StringCchCopyA(dest, sizeof(dest), source);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		wchar_t dest[256] = {0};
+		StringCchCopyW(dest, sizeof(dest), wsource);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		StringCbCopyA(dest, sizeof(dest), source);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		char *end;
+		size_t remaining;
+		StringCchCopyExA(dest, sizeof(dest), source, &end, &remaining, 0);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		StringCchCopyNA(dest, sizeof(dest), source, 128);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		char *end;
+		size_t remaining;
+		StringCchCopyNExA(dest, sizeof(dest), source, 128, &end, &remaining, 0);
+		sink(dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = "prefix";
+		StringCchCatA(dest, sizeof(dest), source);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		wchar_t dest[256] = L"prefix";
+		StringCchCatW(dest, sizeof(dest), wsource);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = "prefix";
+		StringCbCatA(dest, sizeof(dest), source);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = "prefix";
+		char *end;
+		size_t remaining;
+		StringCchCatExA(dest, sizeof(dest), source, &end, &remaining, 0);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = "prefix";
+		StringCchCatNA(dest, sizeof(dest), source, 128);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = "prefix";
+		char *end;
+		size_t remaining;
+		StringCchCatNExA(dest, sizeof(dest), source, 128, &end, &remaining, 0);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		StringCchPrintfA(dest, sizeof(dest), "%s", source);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		wchar_t dest[256] = {0};
+		StringCchPrintfW(dest, sizeof(dest), L"%s", wsource);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		StringCbPrintfA(dest, sizeof(dest), "%s", source);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		char *end;
+		size_t remaining;
+		StringCchPrintfExA(dest, sizeof(dest), &end, &remaining, 0, "%s", source);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		char *fmt = indirect_source();
+		StringCchPrintfA(dest, sizeof(dest), fmt);
+		sink(*dest); // $ ir MISSING: ast
+	}
+	{
+		char dest[256] = {0};
+		StringCchPrintfA(dest, sizeof(dest), "%d", 42);
+		sink(*dest); // clean
+	}
+	{
+		char dest[256] = {0};
+		StringCchCopyA(dest, sizeof(dest), "hello");
+		sink(*dest); // clean
+	}
+}

cpp/ql/test/library-tests/dataflow/taint-tests/test_mad-signatures.expected

@@ -28044,6 +28044,118 @@ getParameterTypeName
 | taint.cpp:859:8:859:12 | iconv | 4 | unsigned long * |
 | taint.cpp:861:6:861:15 | test_iconv | 0 | size_t |
 | taint.cpp:861:6:861:15 | test_iconv | 0 | unsigned long |
+| taint.cpp:872:6:872:19 | StringCchCopyA | 0 | char * |
+| taint.cpp:872:6:872:19 | StringCchCopyA | 1 | size_t |
+| taint.cpp:872:6:872:19 | StringCchCopyA | 1 | unsigned long |
+| taint.cpp:872:6:872:19 | StringCchCopyA | 2 | const char * |
+| taint.cpp:873:6:873:19 | StringCchCopyW | 0 | wchar_t * |
+| taint.cpp:873:6:873:19 | StringCchCopyW | 1 | size_t |
+| taint.cpp:873:6:873:19 | StringCchCopyW | 1 | unsigned long |
+| taint.cpp:873:6:873:19 | StringCchCopyW | 2 | const wchar_t * |
+| taint.cpp:874:6:874:18 | StringCbCopyA | 0 | char * |
+| taint.cpp:874:6:874:18 | StringCbCopyA | 1 | size_t |
+| taint.cpp:874:6:874:18 | StringCbCopyA | 1 | unsigned long |
+| taint.cpp:874:6:874:18 | StringCbCopyA | 2 | const char * |
+| taint.cpp:875:6:875:21 | StringCchCopyExA | 0 | char * |
+| taint.cpp:875:6:875:21 | StringCchCopyExA | 1 | size_t |
+| taint.cpp:875:6:875:21 | StringCchCopyExA | 1 | unsigned long |
+| taint.cpp:875:6:875:21 | StringCchCopyExA | 2 | const char * |
+| taint.cpp:875:6:875:21 | StringCchCopyExA | 3 | char ** |
+| taint.cpp:875:6:875:21 | StringCchCopyExA | 4 | size_t * |
+| taint.cpp:875:6:875:21 | StringCchCopyExA | 4 | unsigned long * |
+| taint.cpp:875:6:875:21 | StringCchCopyExA | 5 | unsigned long |
+| taint.cpp:876:6:876:20 | StringCchCopyNA | 0 | char * |
+| taint.cpp:876:6:876:20 | StringCchCopyNA | 1 | size_t |
+| taint.cpp:876:6:876:20 | StringCchCopyNA | 1 | unsigned long |
+| taint.cpp:876:6:876:20 | StringCchCopyNA | 2 | const char * |
+| taint.cpp:876:6:876:20 | StringCchCopyNA | 3 | size_t |
+| taint.cpp:876:6:876:20 | StringCchCopyNA | 3 | unsigned long |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 0 | char * |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 1 | size_t |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 1 | unsigned long |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 2 | const char * |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 3 | size_t |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 3 | unsigned long |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 4 | char ** |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 5 | size_t * |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 5 | unsigned long * |
+| taint.cpp:877:6:877:22 | StringCchCopyNExA | 6 | unsigned long |
+| taint.cpp:878:6:878:18 | StringCchCatA | 0 | char * |
+| taint.cpp:878:6:878:18 | StringCchCatA | 1 | size_t |
+| taint.cpp:878:6:878:18 | StringCchCatA | 1 | unsigned long |
+| taint.cpp:878:6:878:18 | StringCchCatA | 2 | const char * |
+| taint.cpp:879:6:879:18 | StringCchCatW | 0 | wchar_t * |
+| taint.cpp:879:6:879:18 | StringCchCatW | 1 | size_t |
+| taint.cpp:879:6:879:18 | StringCchCatW | 1 | unsigned long |
+| taint.cpp:879:6:879:18 | StringCchCatW | 2 | const wchar_t * |
+| taint.cpp:880:6:880:17 | StringCbCatA | 0 | char * |
+| taint.cpp:880:6:880:17 | StringCbCatA | 1 | size_t |
+| taint.cpp:880:6:880:17 | StringCbCatA | 1 | unsigned long |
+| taint.cpp:880:6:880:17 | StringCbCatA | 2 | const char * |
+| taint.cpp:881:6:881:20 | StringCchCatExA | 0 | char * |
+| taint.cpp:881:6:881:20 | StringCchCatExA | 1 | size_t |
+| taint.cpp:881:6:881:20 | StringCchCatExA | 1 | unsigned long |
+| taint.cpp:881:6:881:20 | StringCchCatExA | 2 | const char * |
+| taint.cpp:881:6:881:20 | StringCchCatExA | 3 | char ** |
+| taint.cpp:881:6:881:20 | StringCchCatExA | 4 | size_t * |
+| taint.cpp:881:6:881:20 | StringCchCatExA | 4 | unsigned long * |
+| taint.cpp:881:6:881:20 | StringCchCatExA | 5 | unsigned long |
+| taint.cpp:882:6:882:19 | StringCchCatNA | 0 | char * |
+| taint.cpp:882:6:882:19 | StringCchCatNA | 1 | size_t |
+| taint.cpp:882:6:882:19 | StringCchCatNA | 1 | unsigned long |
+| taint.cpp:882:6:882:19 | StringCchCatNA | 2 | const char * |
+| taint.cpp:882:6:882:19 | StringCchCatNA | 3 | size_t |
+| taint.cpp:882:6:882:19 | StringCchCatNA | 3 | unsigned long |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 0 | char * |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 1 | size_t |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 1 | unsigned long |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 2 | const char * |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 3 | size_t |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 3 | unsigned long |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 4 | char ** |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 5 | size_t * |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 5 | unsigned long * |
+| taint.cpp:883:6:883:21 | StringCchCatNExA | 6 | unsigned long |
+| taint.cpp:884:6:884:21 | StringCchPrintfA | 0 | char * |
+| taint.cpp:884:6:884:21 | StringCchPrintfA | 1 | size_t |
+| taint.cpp:884:6:884:21 | StringCchPrintfA | 1 | unsigned long |
+| taint.cpp:884:6:884:21 | StringCchPrintfA | 2 | const char * |
+| taint.cpp:884:6:884:21 | StringCchPrintfA | 3 | ... |
+| taint.cpp:885:6:885:21 | StringCchPrintfW | 0 | wchar_t * |
+| taint.cpp:885:6:885:21 | StringCchPrintfW | 1 | size_t |
+| taint.cpp:885:6:885:21 | StringCchPrintfW | 1 | unsigned long |
+| taint.cpp:885:6:885:21 | StringCchPrintfW | 2 | const wchar_t * |
+| taint.cpp:885:6:885:21 | StringCchPrintfW | 3 | ... |
+| taint.cpp:886:6:886:20 | StringCbPrintfA | 0 | char * |
+| taint.cpp:886:6:886:20 | StringCbPrintfA | 1 | size_t |
+| taint.cpp:886:6:886:20 | StringCbPrintfA | 1 | unsigned long |
+| taint.cpp:886:6:886:20 | StringCbPrintfA | 2 | const char * |
+| taint.cpp:886:6:886:20 | StringCbPrintfA | 3 | ... |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 0 | char * |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 1 | size_t |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 1 | unsigned long |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 2 | char ** |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 3 | size_t * |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 3 | unsigned long * |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 4 | unsigned long |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 5 | const char * |
+| taint.cpp:887:6:887:23 | StringCchPrintfExA | 6 | ... |
+| taint.cpp:888:6:888:22 | StringCchVPrintfA | 0 | char * |
+| taint.cpp:888:6:888:22 | StringCchVPrintfA | 1 | size_t |
+| taint.cpp:888:6:888:22 | StringCchVPrintfA | 1 | unsigned long |
+| taint.cpp:888:6:888:22 | StringCchVPrintfA | 2 | const char * |
+| taint.cpp:888:6:888:22 | StringCchVPrintfA | 3 | va_list |
+| taint.cpp:888:6:888:22 | StringCchVPrintfA | 3 | void * |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 0 | char * |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 1 | size_t |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 1 | unsigned long |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 2 | char ** |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 3 | size_t * |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 3 | unsigned long * |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 4 | unsigned long |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 5 | const char * |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 6 | va_list |
+| taint.cpp:889:6:889:24 | StringCchVPrintfExA | 6 | void * |
 | thread.cpp:4:6:4:9 | sink | 0 | int |
 | thread.cpp:6:8:6:8 | operator= | 0 | S && |
 | thread.cpp:6:8:6:8 | operator= | 0 | const S & |

cpp/ql/test/library-tests/ir/ir/PrintAST.expected

@@ -25796,9 +25796,9 @@ ir.cpp:
 # 2919|     getExpr(): [FunctionCall] call to VariableTemplateFunc
 # 2919|         Type = [DoubleType] double
 # 2919|         ValueCategory = prvalue
-# 2919|       getArgument(0): [Literal] 2.299999999999999822
+# 2919|       getArgument(0): [Literal] 2.3
 # 2919|           Type = [DoubleType] double
-# 2919|           Value = [Literal] 2.299999999999999822
+# 2919|           Value = [Literal] 2.3
 # 2919|           ValueCategory = prvalue
 # 2919|     getExpr().getFullyConverted(): [CStyleCast] (int)...
 # 2919|         Conversion = [FloatingPointToIntegralConversion] floating point to integral conversion

cpp/ql/test/library-tests/ir/ir/aliased_ir.expected

@@ -12954,21 +12954,21 @@ ir.cpp:
 
 # 1592| double StructuredBindingTupleRefGet::d
 # 1592|   Block 0
-# 1592|     v1592_1(void)                                = EnterFunction                  : 
-# 1592|     m1592_2(unknown)                             = AliasedDefinition              : 
-# 1592|     m1592_3(unknown)                             = InitializeNonLocal             : 
-# 1592|     m1592_4(unknown)                             = Chi                            : total:m1592_2, partial:m1592_3
-# 1592|     r1592_5(glval<unknown>)                      = VariableAddress[#this]         : 
-# 1592|     m1592_6(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]     : &:r1592_5
-# 1592|     r1592_7(glval<StructuredBindingTupleRefGet>) = Load[#this]                    : &:r1592_5, m1592_6
-# 1592|     m1592_8(StructuredBindingTupleRefGet)        = InitializeIndirection[#this]   : &:r1592_7
-# 1592|     r1592_9(glval<double>)                       = FieldAddress[d]                : r1592_7
-# 1592|     r1592_10(double)                             = Constant[2.200000000000000178] : 
-# 1592|     m1592_11(double)                             = Store[?]                       : &:r1592_9, r1592_10
-# 1592|     m1592_12(unknown)                            = Chi                            : total:m1592_8, partial:m1592_11
-# 1592|     v1592_13(void)                               = ReturnVoid                     : 
-# 1592|     v1592_14(void)                               = AliasedUse                     : m1592_3
-# 1592|     v1592_15(void)                               = ExitFunction                   : 
+# 1592|     v1592_1(void)                                = EnterFunction                : 
+# 1592|     m1592_2(unknown)                             = AliasedDefinition            : 
+# 1592|     m1592_3(unknown)                             = InitializeNonLocal           : 
+# 1592|     m1592_4(unknown)                             = Chi                          : total:m1592_2, partial:m1592_3
+# 1592|     r1592_5(glval<unknown>)                      = VariableAddress[#this]       : 
+# 1592|     m1592_6(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]   : &:r1592_5
+# 1592|     r1592_7(glval<StructuredBindingTupleRefGet>) = Load[#this]                  : &:r1592_5, m1592_6
+# 1592|     m1592_8(StructuredBindingTupleRefGet)        = InitializeIndirection[#this] : &:r1592_7
+# 1592|     r1592_9(glval<double>)                       = FieldAddress[d]              : r1592_7
+# 1592|     r1592_10(double)                             = Constant[2.2]                : 
+# 1592|     m1592_11(double)                             = Store[?]                     : &:r1592_9, r1592_10
+# 1592|     m1592_12(unknown)                            = Chi                          : total:m1592_8, partial:m1592_11
+# 1592|     v1592_13(void)                               = ReturnVoid                   : 
+# 1592|     v1592_14(void)                               = AliasedUse                   : m1592_3
+# 1592|     v1592_15(void)                               = ExitFunction                 : 
 
 # 1593| int& StructuredBindingTupleRefGet::r
 # 1593|   Block 0
@@ -21761,7 +21761,7 @@ ir.cpp:
 # 2919|     m2919_2(unknown)        = AliasedDefinition                        : 
 # 2919|     r2919_3(glval<int>)     = VariableAddress[VariableTemplateFuncUse] : 
 # 2919|     r2919_4(glval<unknown>) = FunctionAddress[VariableTemplateFunc]    : 
-# 2919|     r2919_5(double)         = Constant[2.299999999999999822]           : 
+# 2919|     r2919_5(double)         = Constant[2.3]                            : 
 # 2919|     r2919_6(double)         = Call[VariableTemplateFunc]               : func:r2919_4, 0:r2919_5
 # 2919|     m2919_7(unknown)        = ^CallSideEffect                          : ~m2919_2
 # 2919|     m2919_8(unknown)        = Chi                                      : total:m2919_2, partial:m2919_7

cpp/ql/test/library-tests/ir/ir/raw_ir.expected

@@ -11861,19 +11861,19 @@ ir.cpp:
 
 # 1592| double StructuredBindingTupleRefGet::d
 # 1592|   Block 0
-# 1592|     v1592_1(void)                                 = EnterFunction                  : 
-# 1592|     mu1592_2(unknown)                             = AliasedDefinition              : 
-# 1592|     mu1592_3(unknown)                             = InitializeNonLocal             : 
-# 1592|     r1592_4(glval<unknown>)                       = VariableAddress[#this]         : 
-# 1592|     mu1592_5(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]     : &:r1592_4
-# 1592|     r1592_6(glval<StructuredBindingTupleRefGet>)  = Load[#this]                    : &:r1592_4, ~m?
-# 1592|     mu1592_7(StructuredBindingTupleRefGet)        = InitializeIndirection[#this]   : &:r1592_6
-# 1592|     r1592_8(glval<double>)                        = FieldAddress[d]                : r1592_6
-# 1592|     r1592_9(double)                               = Constant[2.200000000000000178] : 
-# 1592|     mu1592_10(double)                             = Store[?]                       : &:r1592_8, r1592_9
-# 1592|     v1592_11(void)                                = ReturnVoid                     : 
-# 1592|     v1592_12(void)                                = AliasedUse                     : ~m?
-# 1592|     v1592_13(void)                                = ExitFunction                   : 
+# 1592|     v1592_1(void)                                 = EnterFunction                : 
+# 1592|     mu1592_2(unknown)                             = AliasedDefinition            : 
+# 1592|     mu1592_3(unknown)                             = InitializeNonLocal           : 
+# 1592|     r1592_4(glval<unknown>)                       = VariableAddress[#this]       : 
+# 1592|     mu1592_5(glval<StructuredBindingTupleRefGet>) = InitializeParameter[#this]   : &:r1592_4
+# 1592|     r1592_6(glval<StructuredBindingTupleRefGet>)  = Load[#this]                  : &:r1592_4, ~m?
+# 1592|     mu1592_7(StructuredBindingTupleRefGet)        = InitializeIndirection[#this] : &:r1592_6
+# 1592|     r1592_8(glval<double>)                        = FieldAddress[d]              : r1592_6
+# 1592|     r1592_9(double)                               = Constant[2.2]                : 
+# 1592|     mu1592_10(double)                             = Store[?]                     : &:r1592_8, r1592_9
+# 1592|     v1592_11(void)                                = ReturnVoid                   : 
+# 1592|     v1592_12(void)                                = AliasedUse                   : ~m?
+# 1592|     v1592_13(void)                                = ExitFunction                 : 
 
 # 1593| int& StructuredBindingTupleRefGet::r
 # 1593|   Block 0
@@ -19768,7 +19768,7 @@ ir.cpp:
 # 2919|     mu2919_2(unknown)       = AliasedDefinition                        : 
 # 2919|     r2919_3(glval<int>)     = VariableAddress[VariableTemplateFuncUse] : 
 # 2919|     r2919_4(glval<unknown>) = FunctionAddress[VariableTemplateFunc]    : 
-# 2919|     r2919_5(double)         = Constant[2.299999999999999822]           : 
+# 2919|     r2919_5(double)         = Constant[2.3]                            : 
 # 2919|     r2919_6(double)         = Call[VariableTemplateFunc]               : func:r2919_4, 0:r2919_5
 # 2919|     mu2919_7(unknown)       = ^CallSideEffect                          : ~m?
 # 2919|     r2919_8(int)            = Convert                                  : r2919_6

cpp/ql/test/library-tests/rangeanalysis/SimpleRangeAnalysis/nrOfBounds.expected

@@ -1293,12 +1293,12 @@ estimateNrOfBounds
 | test.c:415:26:415:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:415:30:415:30 | q | 1.0 | 1.0 | 1.0 |
 | test.c:415:30:415:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:415:34:415:43 | 0.4743882700000000008 | 1.0 | -1.0 | -1.0 |
-| test.c:415:47:415:56 | 0.1433388700000000071 | 1.0 | -1.0 | -1.0 |
-| test.c:415:60:415:69 | 0.3527920299999999787 | 1.0 | -1.0 | -1.0 |
-| test.c:415:73:415:82 | 0.3920645799999999959 | 1.0 | -1.0 | -1.0 |
-| test.c:415:86:415:95 | 0.2154022499999999896 | 1.0 | -1.0 | -1.0 |
-| test.c:415:99:415:108 | 0.4049680500000000238 | 1.0 | -1.0 | -1.0 |
+| test.c:415:34:415:43 | 0.47438827 | 1.0 | -1.0 | -1.0 |
+| test.c:415:47:415:56 | 0.14333887 | 1.0 | -1.0 | -1.0 |
+| test.c:415:60:415:69 | 0.35279203 | 1.0 | -1.0 | -1.0 |
+| test.c:415:73:415:82 | 0.39206458 | 1.0 | -1.0 | -1.0 |
+| test.c:415:86:415:95 | 0.21540225 | 1.0 | -1.0 | -1.0 |
+| test.c:415:99:415:108 | 0.40496805 | 1.0 | -1.0 | -1.0 |
 | test.c:416:14:416:14 | m | 2.0 | 1.0 | 1.0 |
 | test.c:416:14:416:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:416:18:416:18 | n | 3.0 | 1.0 | 1.0 |
@@ -1309,12 +1309,12 @@ estimateNrOfBounds
 | test.c:416:26:416:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:416:30:416:30 | q | 3.0 | 1.0 | 1.0 |
 | test.c:416:30:416:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:416:34:416:43 | 0.3418334800000000229 | 1.0 | -1.0 | -1.0 |
-| test.c:416:47:416:56 | 0.3533464000000000049 | 1.0 | -1.0 | -1.0 |
-| test.c:416:60:416:69 | 0.2224785300000000077 | 1.0 | -1.0 | -1.0 |
-| test.c:416:73:416:82 | 0.326618929999999974 | 1.0 | -1.0 | -1.0 |
-| test.c:416:86:416:95 | 0.5927046500000000551 | 1.0 | -1.0 | -1.0 |
-| test.c:416:99:416:108 | 0.5297741000000000255 | 1.0 | -1.0 | -1.0 |
+| test.c:416:34:416:43 | 0.34183348 | 1.0 | -1.0 | -1.0 |
+| test.c:416:47:416:56 | 0.3533464 | 1.0 | -1.0 | -1.0 |
+| test.c:416:60:416:69 | 0.22247853 | 1.0 | -1.0 | -1.0 |
+| test.c:416:73:416:82 | 0.32661893 | 1.0 | -1.0 | -1.0 |
+| test.c:416:86:416:95 | 0.59270465 | 1.0 | -1.0 | -1.0 |
+| test.c:416:99:416:108 | 0.5297741 | 1.0 | -1.0 | -1.0 |
 | test.c:417:14:417:14 | m | 3.5 | 1.0 | 1.0 |
 | test.c:417:14:417:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:417:18:417:18 | n | 8.0 | 1.0 | 1.0 |
@@ -1325,12 +1325,12 @@ estimateNrOfBounds
 | test.c:417:26:417:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:417:30:417:30 | q | 8.0 | 1.0 | 1.0 |
 | test.c:417:30:417:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:417:34:417:43 | 0.774296030000000024 | 1.0 | -1.0 | -1.0 |
-| test.c:417:47:417:56 | 0.3147808400000000062 | 1.0 | -1.0 | -1.0 |
-| test.c:417:60:417:69 | 0.3123551399999999756 | 1.0 | -1.0 | -1.0 |
-| test.c:417:73:417:82 | 0.05121255999999999725 | 1.0 | -1.0 | -1.0 |
-| test.c:417:86:417:95 | 0.7931074500000000471 | 1.0 | -1.0 | -1.0 |
-| test.c:417:99:417:108 | 0.6798145100000000385 | 1.0 | -1.0 | -1.0 |
+| test.c:417:34:417:43 | 0.77429603 | 1.0 | -1.0 | -1.0 |
+| test.c:417:47:417:56 | 0.31478084 | 1.0 | -1.0 | -1.0 |
+| test.c:417:60:417:69 | 0.31235514 | 1.0 | -1.0 | -1.0 |
+| test.c:417:73:417:82 | 0.05121256 | 1.0 | -1.0 | -1.0 |
+| test.c:417:86:417:95 | 0.79310745 | 1.0 | -1.0 | -1.0 |
+| test.c:417:99:417:108 | 0.67981451 | 1.0 | -1.0 | -1.0 |
 | test.c:418:14:418:14 | m | 5.75 | 1.0 | 1.0 |
 | test.c:418:14:418:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:418:18:418:18 | n | 20.5 | 1.0 | 1.0 |
@@ -1341,12 +1341,12 @@ estimateNrOfBounds
 | test.c:418:26:418:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:418:30:418:30 | q | 20.5 | 1.0 | 1.0 |
 | test.c:418:30:418:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:418:34:418:43 | 0.4472955599999999809 | 1.0 | -1.0 | -1.0 |
-| test.c:418:47:418:56 | 0.8059920200000000312 | 1.0 | -1.0 | -1.0 |
-| test.c:418:60:418:69 | 0.9899726199999999698 | 1.0 | -1.0 | -1.0 |
-| test.c:418:73:418:82 | 0.5995273199999999747 | 1.0 | -1.0 | -1.0 |
-| test.c:418:86:418:95 | 0.3697694799999999837 | 1.0 | -1.0 | -1.0 |
-| test.c:418:99:418:108 | 0.8386683499999999514 | 1.0 | -1.0 | -1.0 |
+| test.c:418:34:418:43 | 0.44729556 | 1.0 | -1.0 | -1.0 |
+| test.c:418:47:418:56 | 0.80599202 | 1.0 | -1.0 | -1.0 |
+| test.c:418:60:418:69 | 0.98997262 | 1.0 | -1.0 | -1.0 |
+| test.c:418:73:418:82 | 0.59952732 | 1.0 | -1.0 | -1.0 |
+| test.c:418:86:418:95 | 0.36976948 | 1.0 | -1.0 | -1.0 |
+| test.c:418:99:418:108 | 0.83866835 | 1.0 | -1.0 | -1.0 |
 | test.c:419:14:419:14 | m | 9.125 | 1.0 | 1.0 |
 | test.c:419:14:419:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:419:18:419:18 | n | 51.75 | 1.0 | 1.0 |
@@ -1357,12 +1357,12 @@ estimateNrOfBounds
 | test.c:419:26:419:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:419:30:419:30 | q | 51.75 | 1.0 | 1.0 |
 | test.c:419:30:419:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:419:34:419:43 | 0.4931182800000000199 | 1.0 | -1.0 | -1.0 |
-| test.c:419:47:419:56 | 0.9038991100000000056 | 1.0 | -1.0 | -1.0 |
-| test.c:419:60:419:69 | 0.1059771199999999941 | 1.0 | -1.0 | -1.0 |
-| test.c:419:73:419:82 | 0.2177842600000000073 | 1.0 | -1.0 | -1.0 |
-| test.c:419:86:419:95 | 0.7248596600000000167 | 1.0 | -1.0 | -1.0 |
-| test.c:419:99:419:108 | 0.6873487400000000136 | 1.0 | -1.0 | -1.0 |
+| test.c:419:34:419:43 | 0.49311828 | 1.0 | -1.0 | -1.0 |
+| test.c:419:47:419:56 | 0.90389911 | 1.0 | -1.0 | -1.0 |
+| test.c:419:60:419:69 | 0.10597712 | 1.0 | -1.0 | -1.0 |
+| test.c:419:73:419:82 | 0.21778426 | 1.0 | -1.0 | -1.0 |
+| test.c:419:86:419:95 | 0.72485966 | 1.0 | -1.0 | -1.0 |
+| test.c:419:99:419:108 | 0.68734874 | 1.0 | -1.0 | -1.0 |
 | test.c:420:14:420:14 | m | 14.1875 | 1.0 | 1.0 |
 | test.c:420:14:420:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:420:18:420:18 | n | 129.875 | 1.0 | 1.0 |
@@ -1373,12 +1373,12 @@ estimateNrOfBounds
 | test.c:420:26:420:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:420:30:420:30 | q | 129.875 | 1.0 | 1.0 |
 | test.c:420:30:420:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:420:34:420:43 | 0.4745284799999999747 | 1.0 | -1.0 | -1.0 |
-| test.c:420:47:420:56 | 0.107866500000000004 | 1.0 | -1.0 | -1.0 |
-| test.c:420:60:420:69 | 0.1188457599999999947 | 1.0 | -1.0 | -1.0 |
-| test.c:420:73:420:82 | 0.7616405200000000431 | 1.0 | -1.0 | -1.0 |
-| test.c:420:86:420:95 | 0.3480889200000000239 | 1.0 | -1.0 | -1.0 |
-| test.c:420:99:420:108 | 0.584408649999999974 | 1.0 | -1.0 | -1.0 |
+| test.c:420:34:420:43 | 0.47452848 | 1.0 | -1.0 | -1.0 |
+| test.c:420:47:420:56 | 0.1078665 | 1.0 | -1.0 | -1.0 |
+| test.c:420:60:420:69 | 0.11884576 | 1.0 | -1.0 | -1.0 |
+| test.c:420:73:420:82 | 0.76164052 | 1.0 | -1.0 | -1.0 |
+| test.c:420:86:420:95 | 0.34808892 | 1.0 | -1.0 | -1.0 |
+| test.c:420:99:420:108 | 0.58440865 | 1.0 | -1.0 | -1.0 |
 | test.c:421:14:421:14 | m | 21.78125 | 1.0 | 1.0 |
 | test.c:421:14:421:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:421:18:421:18 | n | 325.1875 | 1.0 | 1.0 |
@@ -1390,11 +1390,11 @@ estimateNrOfBounds
 | test.c:421:30:421:30 | q | 325.1875 | 1.0 | 1.0 |
 | test.c:421:30:421:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:421:34:421:43 | 0.02524326 | 1.0 | -1.0 | -1.0 |
-| test.c:421:47:421:56 | 0.8290504600000000446 | 1.0 | -1.0 | -1.0 |
-| test.c:421:60:421:69 | 0.95823075000000002 | 1.0 | -1.0 | -1.0 |
-| test.c:421:73:421:82 | 0.1251655799999999985 | 1.0 | -1.0 | -1.0 |
-| test.c:421:86:421:95 | 0.8523517900000000536 | 1.0 | -1.0 | -1.0 |
-| test.c:421:99:421:108 | 0.3623238400000000081 | 1.0 | -1.0 | -1.0 |
+| test.c:421:47:421:56 | 0.82905046 | 1.0 | -1.0 | -1.0 |
+| test.c:421:60:421:69 | 0.95823075 | 1.0 | -1.0 | -1.0 |
+| test.c:421:73:421:82 | 0.12516558 | 1.0 | -1.0 | -1.0 |
+| test.c:421:86:421:95 | 0.85235179 | 1.0 | -1.0 | -1.0 |
+| test.c:421:99:421:108 | 0.36232384 | 1.0 | -1.0 | -1.0 |
 | test.c:422:14:422:14 | m | 33.171875 | 1.0 | 1.0 |
 | test.c:422:14:422:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:422:18:422:18 | n | 813.46875 | 1.0 | 1.0 |
@@ -1405,12 +1405,12 @@ estimateNrOfBounds
 | test.c:422:26:422:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:422:30:422:30 | q | 813.46875 | 1.0 | 1.0 |
 | test.c:422:30:422:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:422:34:422:43 | 0.3870862600000000153 | 1.0 | -1.0 | -1.0 |
-| test.c:422:47:422:56 | 0.3287604399999999871 | 1.0 | -1.0 | -1.0 |
-| test.c:422:60:422:69 | 0.1496348500000000137 | 1.0 | -1.0 | -1.0 |
-| test.c:422:73:422:82 | 0.4504110800000000192 | 1.0 | -1.0 | -1.0 |
-| test.c:422:86:422:95 | 0.4864090899999999884 | 1.0 | -1.0 | -1.0 |
-| test.c:422:99:422:108 | 0.8433127200000000157 | 1.0 | -1.0 | -1.0 |
+| test.c:422:34:422:43 | 0.38708626 | 1.0 | -1.0 | -1.0 |
+| test.c:422:47:422:56 | 0.32876044 | 1.0 | -1.0 | -1.0 |
+| test.c:422:60:422:69 | 0.14963485 | 1.0 | -1.0 | -1.0 |
+| test.c:422:73:422:82 | 0.45041108 | 1.0 | -1.0 | -1.0 |
+| test.c:422:86:422:95 | 0.48640909 | 1.0 | -1.0 | -1.0 |
+| test.c:422:99:422:108 | 0.84331272 | 1.0 | -1.0 | -1.0 |
 | test.c:423:14:423:14 | m | 50.2578125 | 1.0 | 1.0 |
 | test.c:423:14:423:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:423:18:423:18 | n | 2034.171875 | 1.0 | 1.0 |
@@ -1421,12 +1421,12 @@ estimateNrOfBounds
 | test.c:423:26:423:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:423:30:423:30 | q | 2034.171875 | 1.0 | 1.0 |
 | test.c:423:30:423:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:423:34:423:43 | 0.1575506299999999971 | 1.0 | -1.0 | -1.0 |
-| test.c:423:47:423:56 | 0.7708683299999999905 | 1.0 | -1.0 | -1.0 |
-| test.c:423:60:423:69 | 0.2642848099999999811 | 1.0 | -1.0 | -1.0 |
-| test.c:423:73:423:82 | 0.1480050800000000111 | 1.0 | -1.0 | -1.0 |
-| test.c:423:86:423:95 | 0.374281430000000026 | 1.0 | -1.0 | -1.0 |
-| test.c:423:99:423:108 | 0.05328182000000000057 | 1.0 | -1.0 | -1.0 |
+| test.c:423:34:423:43 | 0.15755063 | 1.0 | -1.0 | -1.0 |
+| test.c:423:47:423:56 | 0.77086833 | 1.0 | -1.0 | -1.0 |
+| test.c:423:60:423:69 | 0.26428481 | 1.0 | -1.0 | -1.0 |
+| test.c:423:73:423:82 | 0.14800508 | 1.0 | -1.0 | -1.0 |
+| test.c:423:86:423:95 | 0.37428143 | 1.0 | -1.0 | -1.0 |
+| test.c:423:99:423:108 | 0.05328182 | 1.0 | -1.0 | -1.0 |
 | test.c:424:14:424:14 | m | 75.88671875 | 1.0 | 1.0 |
 | test.c:424:14:424:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:424:18:424:18 | n | 5085.9296875 | 1.0 | 1.0 |
@@ -1437,12 +1437,12 @@ estimateNrOfBounds
 | test.c:424:26:424:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:424:30:424:30 | q | 5085.9296875 | 1.0 | 1.0 |
 | test.c:424:30:424:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:424:34:424:43 | 0.4173653600000000186 | 1.0 | -1.0 | -1.0 |
-| test.c:424:47:424:56 | 0.7682662799999999681 | 1.0 | -1.0 | -1.0 |
-| test.c:424:60:424:69 | 0.2764323799999999776 | 1.0 | -1.0 | -1.0 |
-| test.c:424:73:424:82 | 0.5567927400000000082 | 1.0 | -1.0 | -1.0 |
-| test.c:424:86:424:95 | 0.3946885700000000163 | 1.0 | -1.0 | -1.0 |
-| test.c:424:99:424:108 | 0.6907214400000000198 | 1.0 | -1.0 | -1.0 |
+| test.c:424:34:424:43 | 0.41736536 | 1.0 | -1.0 | -1.0 |
+| test.c:424:47:424:56 | 0.76826628 | 1.0 | -1.0 | -1.0 |
+| test.c:424:60:424:69 | 0.27643238 | 1.0 | -1.0 | -1.0 |
+| test.c:424:73:424:82 | 0.55679274 | 1.0 | -1.0 | -1.0 |
+| test.c:424:86:424:95 | 0.39468857 | 1.0 | -1.0 | -1.0 |
+| test.c:424:99:424:108 | 0.69072144 | 1.0 | -1.0 | -1.0 |
 | test.c:425:14:425:14 | m | 114.330078125 | 1.0 | 1.0 |
 | test.c:425:14:425:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:425:18:425:18 | n | 12715.32421875 | 1.0 | 1.0 |
@@ -1453,12 +1453,12 @@ estimateNrOfBounds
 | test.c:425:26:425:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:425:30:425:30 | q | 12715.32421875 | 1.0 | 1.0 |
 | test.c:425:30:425:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:425:34:425:43 | 0.8895534499999999678 | 1.0 | -1.0 | -1.0 |
-| test.c:425:47:425:56 | 0.2990482400000000207 | 1.0 | -1.0 | -1.0 |
-| test.c:425:60:425:69 | 0.7624258299999999711 | 1.0 | -1.0 | -1.0 |
-| test.c:425:73:425:82 | 0.2051910999999999874 | 1.0 | -1.0 | -1.0 |
-| test.c:425:86:425:95 | 0.8874555899999999609 | 1.0 | -1.0 | -1.0 |
-| test.c:425:99:425:108 | 0.8137279800000000174 | 1.0 | -1.0 | -1.0 |
+| test.c:425:34:425:43 | 0.88955345 | 1.0 | -1.0 | -1.0 |
+| test.c:425:47:425:56 | 0.29904824 | 1.0 | -1.0 | -1.0 |
+| test.c:425:60:425:69 | 0.76242583 | 1.0 | -1.0 | -1.0 |
+| test.c:425:73:425:82 | 0.2051911 | 1.0 | -1.0 | -1.0 |
+| test.c:425:86:425:95 | 0.88745559 | 1.0 | -1.0 | -1.0 |
+| test.c:425:99:425:108 | 0.81372798 | 1.0 | -1.0 | -1.0 |
 | test.c:426:14:426:14 | m | 171.9951171875 | 1.0 | 1.0 |
 | test.c:426:14:426:108 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:426:18:426:18 | n | 31788.810546875 | 1.0 | 1.0 |
@@ -1469,12 +1469,12 @@ estimateNrOfBounds
 | test.c:426:26:426:69 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
 | test.c:426:30:426:30 | q | 31788.810546875 | 1.0 | 1.0 |
 | test.c:426:30:426:56 | ... ? ... : ... | 1.0 | 1.0 | 1.0 |
-| test.c:426:34:426:43 | 0.4218627600000000033 | 1.0 | -1.0 | -1.0 |
-| test.c:426:47:426:56 | 0.5384335799999999672 | 1.0 | -1.0 | -1.0 |
-| test.c:426:60:426:69 | 0.4499667900000000054 | 1.0 | -1.0 | -1.0 |
-| test.c:426:73:426:82 | 0.1320411400000000013 | 1.0 | -1.0 | -1.0 |
-| test.c:426:86:426:95 | 0.5203124099999999475 | 1.0 | -1.0 | -1.0 |
-| test.c:426:99:426:108 | 0.4276264699999999808 | 1.0 | -1.0 | -1.0 |
+| test.c:426:34:426:43 | 0.42186276 | 1.0 | -1.0 | -1.0 |
+| test.c:426:47:426:56 | 0.53843358 | 1.0 | -1.0 | -1.0 |
+| test.c:426:60:426:69 | 0.44996679 | 1.0 | -1.0 | -1.0 |
+| test.c:426:73:426:82 | 0.13204114 | 1.0 | -1.0 | -1.0 |
+| test.c:426:86:426:95 | 0.52031241 | 1.0 | -1.0 | -1.0 |
+| test.c:426:99:426:108 | 0.42762647 | 1.0 | -1.0 | -1.0 |
 | test.c:432:19:432:19 | a | 1.0 | 1.0 | 1.0 |
 | test.c:432:19:432:23 | ... + ... | 1.0 | 1.0 | 1.0 |
 | test.c:432:19:432:27 | ... + ... | 1.0 | 1.0 | 1.0 |

cpp/ql/test/query-tests/Likely Bugs/Format/NonConstantFormat/NonConstantFormat.expected

@@ -11,8 +11,13 @@ edges
 | nested.cpp:86:19:86:46 | *call to __builtin_alloca | nested.cpp:87:18:87:20 | *fmt | provenance |  |
 | test.cpp:46:27:46:30 | **argv | test.cpp:130:20:130:26 | *access to array | provenance |  |
 | test.cpp:167:31:167:34 | *data | test.cpp:170:12:170:14 | *res | provenance | DataFlowFunction |
+| test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | provenance | MaD:403 |
+| test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | provenance |  |
 | test.cpp:193:32:193:34 | *str | test.cpp:195:31:195:33 | *str | provenance |  |
 | test.cpp:193:32:193:34 | *str | test.cpp:197:11:197:14 | *wstr | provenance | TaintFunction |
+| test.cpp:195:20:195:23 | StringCchPrintfW output argument | test.cpp:197:11:197:14 | *wstr | provenance |  |
+| test.cpp:195:31:195:33 | *str | test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | provenance |  |
+| test.cpp:195:31:195:33 | *str | test.cpp:195:20:195:23 | StringCchPrintfW output argument | provenance | MaD:403 |
 | test.cpp:204:25:204:36 | *call to get_string | test.cpp:204:25:204:36 | *call to get_string | provenance |  |
 | test.cpp:204:25:204:36 | *call to get_string | test.cpp:205:12:205:20 | *... + ... | provenance |  |
 | test.cpp:204:25:204:36 | *call to get_string | test.cpp:206:12:206:16 | *hello | provenance |  |
@@ -55,7 +60,11 @@ nodes
 | test.cpp:130:20:130:26 | *access to array | semmle.label | *access to array |
 | test.cpp:167:31:167:34 | *data | semmle.label | *data |
 | test.cpp:170:12:170:14 | *res | semmle.label | *res |
+| test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | semmle.label | [summary param] *0 in StringCchPrintfW [Return] |
+| test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | semmle.label | [summary param] *2 in StringCchPrintfW |
 | test.cpp:193:32:193:34 | *str | semmle.label | *str |
+| test.cpp:195:20:195:23 | StringCchPrintfW output argument | semmle.label | StringCchPrintfW output argument |
+| test.cpp:195:31:195:33 | *str | semmle.label | *str |
 | test.cpp:195:31:195:33 | *str | semmle.label | *str |
 | test.cpp:197:11:197:14 | *wstr | semmle.label | *wstr |
 | test.cpp:204:25:204:36 | *call to get_string | semmle.label | *call to get_string |
@@ -88,6 +97,7 @@ nodes
 | test.cpp:245:25:245:36 | *call to get_string | semmle.label | *call to get_string |
 | test.cpp:247:12:247:16 | *hello | semmle.label | *hello |
 subpaths
+| test.cpp:195:31:195:33 | *str | test.cpp:179:6:179:21 | [summary param] *2 in StringCchPrintfW | test.cpp:179:6:179:21 | [summary param] *0 in StringCchPrintfW [Return] | test.cpp:195:20:195:23 | StringCchPrintfW output argument |
 #select
 | NonConstantFormat.c:30:10:30:16 | *access to array | NonConstantFormat.c:28:27:28:30 | **argv | NonConstantFormat.c:30:10:30:16 | *access to array | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:30:3:30:8 | call to printf | printf |
 | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | NonConstantFormat.c:41:9:41:45 | *call to any_random_function | The format string argument to $@ has a source which cannot be verified to originate from a string literal. | NonConstantFormat.c:41:2:41:7 | call to printf | printf |

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.expected

@@ -0,0 +1,2 @@
+| conftest.c.c:4:3:4:8 | call to strlen | This expression has no effect (because $@ has no external side effects). | conftest.h:3:8:3:13 | strlen | strlen |
+| conftest_abc.c:4:3:4:8 | call to strlen | This expression has no effect (because $@ has no external side effects). | conftest.h:3:8:3:13 | strlen | strlen |

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/ExprHasNoEffect.qlref

@@ -0,0 +1 @@
+Likely Bugs/Likely Typos/ExprHasNoEffect.ql

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c

@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main2() {
+  strlen(""); // GOOD: conftest files are ignored
+  return 0;
+}

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.c.c

@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main3() {
+  strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers.
+  return 0;
+}

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.cpp

@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main4() {
+  strlen(""); // GOOD: conftest files are ignored
+  return 0;
+}

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest.h

@@ -0,0 +1,3 @@
+typedef long long size_t;
+
+size_t strlen(const char *s);

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest123.c

@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main5() {
+  strlen(""); // GOOD: conftest files are ignored
+  return 0;
+}

cpp/ql/test/query-tests/Likely Bugs/Likely Typos/ExprHasNoEffect/autoconf/conftest_abc.c

@@ -0,0 +1,6 @@
+#include "conftest.h"
+
+int main1() {
+  strlen(""); // BAD: not a `conftest` file, as `conftest` is not directly followed by the extension or a sequence of numbers.
+  return 0;
+}

cpp/ql/test/query-tests/Likely Bugs/Underspecified Functions/MistypedFunctionArguments.expected

@@ -2,10 +2,10 @@
 | test.c:33:3:33:19 | call to not_yet_declared2 | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:77:6:77:22 | not_yet_declared2 | not_yet_declared2 | test.c:33:21:33:22 | ca | ca | file://:0:0:0:0 | int[4] | int[4] | test.c:77:24:77:26 | (unnamed parameter 0) | int (unnamed parameter 0) |
 | test.c:41:3:41:29 | call to declared_empty_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:78:6:78:32 | declared_empty_defined_with | declared_empty_defined_with | test.c:41:31:41:32 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:78:38:78:38 | x | int x |
 | test.c:45:3:45:27 | call to not_declared_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:81:6:81:30 | not_declared_defined_with | not_declared_defined_with | test.c:45:29:45:31 | 4 | 4 | file://:0:0:0:0 | long long | long long | test.c:81:36:81:36 | x | int x |
-| test.c:45:3:45:27 | call to not_declared_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:81:6:81:30 | not_declared_defined_with | not_declared_defined_with | test.c:45:37:45:42 | 2500000000.0 | 2500000000.0 | file://:0:0:0:0 | float | float | test.c:81:50:81:50 | z | int z |
-| test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:5:6:5:27 | declared_with_pointers | declared_with_pointers | test.c:48:26:48:31 | 3500000000000000.0 | 3500000000000000.0 | file://:0:0:0:0 | double | double | test.c:93:34:93:34 | x | int * x |
+| test.c:45:3:45:27 | call to not_declared_defined_with | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:81:6:81:30 | not_declared_defined_with | not_declared_defined_with | test.c:45:37:45:42 | 2.5E9 | 2.5E9 | file://:0:0:0:0 | float | float | test.c:81:50:81:50 | z | int z |
+| test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:5:6:5:27 | declared_with_pointers | declared_with_pointers | test.c:48:26:48:31 | 3.5E15 | 3.5E15 | file://:0:0:0:0 | double | double | test.c:93:34:93:34 | x | int * x |
 | test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:5:6:5:27 | declared_with_pointers | declared_with_pointers | test.c:48:34:48:34 | 0 | 0 | file://:0:0:0:0 | int | int | test.c:93:43:93:43 | y | void * y |
-| test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:93:6:93:27 | declared_with_pointers | declared_with_pointers | test.c:48:26:48:31 | 3500000000000000.0 | 3500000000000000.0 | file://:0:0:0:0 | double | double | test.c:93:34:93:34 | x | int * x |
+| test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:93:6:93:27 | declared_with_pointers | declared_with_pointers | test.c:48:26:48:31 | 3.5E15 | 3.5E15 | file://:0:0:0:0 | double | double | test.c:93:34:93:34 | x | int * x |
 | test.c:48:3:48:24 | call to declared_with_pointers | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:93:6:93:27 | declared_with_pointers | declared_with_pointers | test.c:48:34:48:34 | 0 | 0 | file://:0:0:0:0 | int | int | test.c:93:43:93:43 | y | void * y |
 | test.c:50:3:50:21 | call to declared_with_array | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:6:6:6:24 | declared_with_array | declared_with_array | test.c:50:23:50:24 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:94:31:94:31 | a | char[6] a |
 | test.c:50:3:50:21 | call to declared_with_array | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:94:6:94:24 | declared_with_array | declared_with_array | test.c:50:23:50:24 | & ... | & ... | file://:0:0:0:0 | int * | int * | test.c:94:31:94:31 | a | char[6] a |
@@ -15,4 +15,4 @@
 | test.c:58:3:58:24 | call to defined_with_long_long | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:104:11:104:32 | defined_with_long_long | defined_with_long_long | test.c:58:26:58:28 | 99 | 99 | file://:0:0:0:0 | int | int | test.c:104:44:104:45 | ll | long long ll |
 | test.c:59:3:59:24 | call to defined_with_long_long | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:104:11:104:32 | defined_with_long_long | defined_with_long_long | test.c:59:26:59:26 | 3 | 3 | file://:0:0:0:0 | int | int | test.c:104:44:104:45 | ll | long long ll |
 | test.c:61:3:61:21 | call to defined_with_double | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:100:8:100:26 | defined_with_double | defined_with_double | test.c:61:23:61:25 | 2 | 2 | file://:0:0:0:0 | long long | long long | test.c:100:35:100:35 | d | double d |
-| test.c:62:3:62:24 | call to defined_with_long_long | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:104:11:104:32 | defined_with_long_long | defined_with_long_long | test.c:62:26:62:31 | 3500000000000000.0 | 3500000000000000.0 | file://:0:0:0:0 | double | double | test.c:104:44:104:45 | ll | long long ll |
+| test.c:62:3:62:24 | call to defined_with_long_long | Calling $@: argument $@ of type $@ is incompatible with parameter $@. | test.c:104:11:104:32 | defined_with_long_long | defined_with_long_long | test.c:62:26:62:31 | 3.5E15 | 3.5E15 | file://:0:0:0:0 | double | double | test.c:104:44:104:45 | ll | long long ll |