Merge pull request #1 from RasmusWL/python-use-sqlalchemy

Minor updates to SQL alchemy PR
2025-12-22 11:46:32 +01:00 · 2021-06-29 18:15:44 -04:00
parent 3ace49549a a5a7f3e38a
commit 2a65917bb5
2573 changed files with 241511 additions and 30054 deletions
--- a/.codeqlmanifest.json
+++ b/.codeqlmanifest.json
@@ -1,5 +1,6 @@
 { "provide": [ "*/ql/src/qlpack.yml",
               "*/ql/test/qlpack.yml",
               "cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/qlpack.yml",
               "*/ql/examples/qlpack.yml",
               "*/upgrades/qlpack.yml",
               "misc/legacy-support/*/qlpack.yml",
--- a/.github/workflows/check-change-note.yml
+++ b/.github/workflows/check-change-note.yml
@@ -19,5 +19,5 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
-          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate |
+          gh api 'repos/${{github.repository}}/pulls/${{github.event.number}}/files' --paginate --jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' |
-          jq 'any(.[].filename ; test("/change-notes/.*[.]md$"))' --exit-status
+          grep true -c
--- a/.github/workflows/close-stale.yml
+++ b/.github/workflows/close-stale.yml
@@ -15,11 +15,11 @@ jobs:
    - uses: actions/stale@v3
      with:
        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `stale` label in order to avoid having this issue closed in 7 days.'
+        stale-issue-message: 'This issue is stale because it has been open 14 days with no activity. Comment or remove the `Stale` label in order to avoid having this issue closed in 7 days.'
        close-issue-message: 'This issue was closed because it has been inactive for 7 days.'
        days-before-stale: 14
        days-before-close: 7
-        only-labels: question
+        only-labels: awaiting-response
        # do not mark PRs as stale
        days-before-pr-stale: -1
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -19,13 +19,18 @@ jobs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
      pull-requests: read
    steps:
    - name: Checkout repository
      uses: actions/checkout@v2
    # Initializes the CodeQL tools for scanning.
    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@main
      # Override language selection by uncommenting this and choosing your languages
      with:
        languages: csharp
@@ -34,7 +39,7 @@ jobs:
    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
    # If this step fails, then you should remove it and run the build manually (see below)
    - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@main
    # ℹ️ Command-line programs to run using the OS shell.
    # 📚 https://git.io/JvXDl
@@ -48,4 +53,4 @@ jobs:
    #   make release
    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@main
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -0,0 +1,97 @@
 name: Check framework coverage changes
 on:
  pull_request:
    paths:
      - '.github/workflows/csv-coverage-pr-comment.yml'
      - '*/ql/src/**/*.ql'
      - '*/ql/src/**/*.qll'
      - 'misc/scripts/library-coverage/*.py'
      # input data files
      - '*/documentation/library-coverage/cwe-sink.csv'
      - '*/documentation/library-coverage/frameworks.csv'
    branches:
      - main
      - 'rc/*'
 jobs:
  generate:
    name: Generate framework coverage artifacts
    runs-on: ubuntu-latest
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql) - MERGE
      uses: actions/checkout@v2
      with:
        path: merge
    - name: Clone self (github/codeql) - BASE
      uses: actions/checkout@v2
      with:
        fetch-depth: 2
        path: base
    - run: |
        git checkout HEAD^1
        git log -1 --format='%H'
      working-directory: base
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Generate CSV files on merge commit of the PR
      run: |
        echo "Running generator on merge"
        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
        mkdir out_merge
        cp framework-coverage-*.csv out_merge/
        cp framework-coverage-*.rst out_merge/
    - name: Generate CSV files on base commit of the PR
      run: |
        echo "Running generator on base"
        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
        mkdir out_base
        cp framework-coverage-*.csv out_base/
        cp framework-coverage-*.rst out_base/
    - name: Generate diff of coverage reports
      run: |
        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
    - name: Upload CSV package list
      uses: actions/upload-artifact@v2
      with:
        name: csv-framework-coverage-merge
        path: |
          out_merge/framework-coverage-*.csv
          out_merge/framework-coverage-*.rst
    - name: Upload CSV package list
      uses: actions/upload-artifact@v2
      with:
        name: csv-framework-coverage-base
        path: |
          out_base/framework-coverage-*.csv
          out_base/framework-coverage-*.rst
    - name: Upload comparison results
      uses: actions/upload-artifact@v2
      with:
        name: comparison
        path: |
          comparison.md
    - name: Save PR number
      run: |
        mkdir -p pr
        echo ${{ github.event.pull_request.number }} > pr/NR
    - name: Upload PR number
      uses: actions/upload-artifact@v2
      with:
        name: pr
        path: pr/
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -0,0 +1,34 @@
 name: Comment on PR with framework coverage changes
 on:
  workflow_run:
    workflows: ["Check framework coverage changes"]
    types:
      - completed
 jobs:
  check:
    name: Check framework coverage differences and comment
    runs-on: ubuntu-latest
    if: >
      ${{ github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success' }}
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
      uses: actions/checkout@v2
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Check coverage difference file and comment
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        RUN_ID: ${{ github.event.workflow_run.id }}
      run: |
        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"
--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -0,0 +1,42 @@
 name: Build framework coverage timeseries reports
 on:
  workflow_dispatch:
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Clone self (github/codeql)
      uses: actions/checkout@v2
      with:
        path: script
    - name: Clone self (github/codeql) for analysis
      uses: actions/checkout@v2
      with:
        path: codeqlModels
        fetch-depth: 0
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Build modeled package list
      run: |
        CLI=$(realpath "codeql-cli/codeql")
        echo $CLI
        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
    - name: Upload timeseries CSV
      uses: actions/upload-artifact@v2
      with:
        name: framework-coverage-timeseries
        path: framework-coverage-timeseries-*.csv
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -0,0 +1,44 @@
 name: Update framework coverage reports
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"
 jobs:
  update:
    name: Update framework coverage report
    if: github.event.repository.fork == false
    runs-on: ubuntu-latest
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
      uses: actions/checkout@v2
      with:
        path: ql
        fetch-depth: 0
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Generate coverage files
      run: |
        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
    - name: Create pull request with changes
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -0,0 +1,49 @@
 name: Build framework coverage reports
 on:
  workflow_dispatch:
    inputs:
      qlModelShaOverride:
        description: 'github/codeql repo SHA used for looking up the CSV models'
        required: false
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Clone self (github/codeql)
      uses: actions/checkout@v2
      with:
        path: script
    - name: Clone self (github/codeql) for analysis
      uses: actions/checkout@v2
      with:
        path: codeqlModels
        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Build modeled package list
      run: |
        PATH="$PATH:codeql-cli/codeql" python script/misc/scripts/library-coverage/generate-report.py ci codeqlModels script
    - name: Upload CSV package list
      uses: actions/upload-artifact@v2
      with:
        name: framework-coverage-csv
        path: framework-coverage-*.csv
    - name: Upload RST package list
      uses: actions/upload-artifact@v2
      with:
        name: framework-coverage-rst
        path: framework-coverage-*.rst
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -5,6 +5,7 @@
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll",
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll",
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll",
    "java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl6.qll",
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll",
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll",
    "cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll",
@@ -249,6 +250,10 @@
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysis.qll",
    "csharp/ql/src/experimental/ir/implementation/unaliased_ssa/internal/AliasAnalysis.qll"
  ],
  "SSA PrintAliasAnalysis": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/PrintAliasAnalysis.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/PrintAliasAnalysis.qll"
  ],
  "C++ SSA AliasAnalysisImports": [
    "cpp/ql/src/semmle/code/cpp/ir/implementation/unaliased_ssa/internal/AliasAnalysisImports.qll",
    "cpp/ql/src/semmle/code/cpp/ir/implementation/aliased_ssa/internal/AliasAnalysisImports.qll"
@@ -438,6 +443,10 @@
  ],
  "CryptoAlgorithms Python/JS": [
    "javascript/ql/src/semmle/javascript/security/CryptoAlgorithms.qll",
-    "python/ql/src/semmle/crypto/Crypto.qll"
+    "python/ql/src/semmle/python/concepts/CryptoAlgorithms.qll"
  ],
  "SensitiveDataHeuristics Python/JS": [
    "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
    "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
  ]
 }
--- a/cpp/change-notes/2021-03-11-overflow-abs.md
+++ b/cpp/change-notes/2021-03-11-overflow-abs.md
@@ -0,0 +1,2 @@
 lgtm
 * The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.
--- a/cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md
+++ b/cpp/change-notes/2021-04-09-unsigned-difference-expression-compared-zero.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.
--- a/cpp/change-notes/2021-04-13-arithmetic-queries.md
+++ b/cpp/change-notes/2021-04-13-arithmetic-queries.md
@@ -0,0 +1,2 @@
 lgtm
 * The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.
--- a/cpp/change-notes/2021-04-21-return-stack-allocated-object.md
+++ b/cpp/change-notes/2021-04-21-return-stack-allocated-object.md
@@ -0,0 +1,2 @@
 codescanning
 * The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).
--- a/cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md
+++ b/cpp/change-notes/2021-04-26-more-sound-expr-might-overflow.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.
--- a/cpp/change-notes/2021-05-10-comparison-with-wider-type.md
+++ b/cpp/change-notes/2021-05-10-comparison-with-wider-type.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.
--- a/cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md
+++ b/cpp/change-notes/2021-05-12-uncontrolled-arithmetic.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.
--- a/cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md
+++ b/cpp/change-notes/2021-05-14-uncontrolled-allocation-size.md
@@ -0,0 +1,2 @@
 lgtm
 * The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.
--- a/cpp/change-notes/2021-05-18-static-buffer-overflow.md
+++ b/cpp/change-notes/2021-05-18-static-buffer-overflow.md
@@ -0,0 +1,2 @@
 lgtm
 * The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.
--- a/cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md
+++ b/cpp/change-notes/2021-05-19-weak-cryptographic-algorithm.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.
--- a/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md
+++ b/cpp/change-notes/2021-05-20-incorrect-allocation-error-handling.md
@@ -0,0 +1,2 @@
 lgtm
 * A new query (`cpp/incorrect-allocation-error-handling`) has been added. The query finds incorrect error-handling of calls to `operator new`. This query was originally [submitted as an experimental query by @ihsinme](https://github.com/github/codeql/pull/5010).
--- a/cpp/change-notes/2021-05-20-ref-qualifiers.md
+++ b/cpp/change-notes/2021-05-20-ref-qualifiers.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * lvalue/rvalue ref qualifiers are now accessible via the new predicates on `MemberFunction`(`.isLValueRefQualified`, `.isRValueRefQualified`, and `isRefQualified`).
--- a/cpp/change-notes/2021-05-21-unsafe-strncat.md
+++ b/cpp/change-notes/2021-05-21-unsafe-strncat.md
@@ -0,0 +1,2 @@
 lgtm
 * The "Potentially unsafe call to strncat" query (cpp/unsafe-strncat) query has been improved to detect more cases of unsafe calls to `strncat`.
--- a/cpp/change-notes/2021-06-10-std-types.md
+++ b/cpp/change-notes/2021-06-10-std-types.md
@@ -0,0 +1,4 @@
 lgtm,codescanning
 * Added definitions for types found in `cstdint`. Added types `FixedWidthIntegralType`, `MinimumWidthIntegralType`, `FastestMinimumWidthIntegralType`, and `MaximumWidthIntegralType` to describe types such as `int8_t`, `int_least8_t`, `int_fast8_t`, and `intmax_t` respectively. 
 * Changed definition of `Intmax_t` and `Uintmax_t` to be part of the new type structure. 
 * Added a type `FixedWidthEnumType` which describes enums based on a fixed-width integer type. For instance, `enum e: uint8_t = { a, b };`.
--- a/cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md
+++ b/cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.
--- a/cpp/change-notes/2021-06-24-dataflow-implicit-reads.md
+++ b/cpp/change-notes/2021-06-24-dataflow-implicit-reads.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.
--- a/Errors/OffsetUseBeforeRangeCheck.ql
+++ b/Errors/OffsetUseBeforeRangeCheck.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/offset-use-before-range-check
 * @problem.severity warning
 * @security-severity 8.2
 * @precision medium
 * @tags reliability
 *       security
--- a/Constants/MagicConstantsNumbers.qhelp
+++ b/Constants/MagicConstantsNumbers.qhelp
@@ -39,7 +39,7 @@ then replace all the relevant occurrences in the code.</p>
 </li>
 <li>
  Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
  <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>
--- a/Constants/MagicConstantsString.qhelp
+++ b/Constants/MagicConstantsString.qhelp
@@ -38,7 +38,7 @@ constant.</p>
 </li>
 <li>
  Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 5: Object Life Cycle, Rec 5.4 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
  <a href="https://www.securecoding.cert.org/confluence/display/c/DCL06-C.+Use+meaningful+symbolic+constants+to+represent+literal+values">DCL06-C. Use meaningful symbolic constants to represent literal values</a>
--- a/Practices/SloppyGlobal.qhelp
+++ b/Practices/SloppyGlobal.qhelp
@@ -21,7 +21,7 @@ Review the purpose of the each global variable flagged by this rule and update e
 <li>
  Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, published by Prentice Hall PTR (1997). 
-  Chapter 1: Naming, Rec 1.1 (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  Chapter 1: Naming, Rec 1.1 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
  <a href="http://www.learncpp.com/cpp-tutorial/42-global-variables/">Global variables</a>.
--- a/Practices/UseOfGoto.qhelp
+++ b/Practices/UseOfGoto.qhelp
@@ -45,7 +45,7 @@ this rule.
 </li>
 <li>
  Mats Henricson and Erik Nyquist, <i>Industrial Strength C++</i>, Rule 4.6. Prentice Hall PTR, 1997.
-  (<a href="http://mongers.org/industrial-c++/">PDF</a>).
+  (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">PDF</a>).
 </li>
 <li>
  cplusplus.com: <a href="http://www.cplusplus.com/doc/tutorial/control/">Control Structures</a>.
--- a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/descriptor-may-not-be-closed
 * @problem.severity warning
 * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/descriptor-never-closed
 * @problem.severity warning
 * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/FileMayNotBeClosed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/file-may-not-be-closed
 * @problem.severity warning
 * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/FileNeverClosed.ql
+++ b/cpp/ql/src/Critical/FileNeverClosed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/file-never-closed
 * @problem.severity warning
 * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+++ b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/global-use-before-init
 * @problem.severity warning
 * @security-severity 7.8
 * @tags reliability
 *       security
 *       external/cwe/cwe-457
--- a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+++ b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/inconsistent-nullness-testing
 * @problem.severity warning
 * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/InitialisationNotRun.ql
+++ b/cpp/ql/src/Critical/InitialisationNotRun.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/initialization-not-run
 * @problem.severity warning
 * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-456
--- a/cpp/ql/src/Critical/LateNegativeTest.ql
+++ b/cpp/ql/src/Critical/LateNegativeTest.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/late-negative-test
 * @problem.severity warning
 * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-823
--- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/memory-may-not-be-freed
 * @problem.severity warning
 * @security-severity 7.5
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MemoryNeverFreed.ql
+++ b/cpp/ql/src/Critical/MemoryNeverFreed.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/memory-never-freed
 * @problem.severity warning
 * @security-severity 7.5
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MissingNegativityTest.ql
+++ b/cpp/ql/src/Critical/MissingNegativityTest.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/missing-negativity-test
 * @problem.severity warning
 * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-823
--- a/cpp/ql/src/Critical/MissingNullTest.ql
+++ b/cpp/ql/src/Critical/MissingNullTest.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/missing-null-test
 * @problem.severity recommendation
 * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/NewFreeMismatch.ql
+++ b/cpp/ql/src/Critical/NewFreeMismatch.ql
@@ -3,6 +3,7 @@
 * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
 * @kind problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision high
 * @id cpp/new-free-mismatch
 * @tags reliability
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/overflow-calculated
 * @problem.severity warning
 * @security-severity 9.8
 * @tags reliability
 *       security
 *       external/cwe/cwe-131
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/overflow-destination
 * @problem.severity warning
 * @security-severity 9.3
 * @precision low
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -4,6 +4,7 @@
 *              may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
 * @security-severity 9.3
 * @precision medium
 * @id cpp/static-buffer-overflow
 * @tags reliability
@@ -14,6 +15,7 @@
 import cpp
 import semmle.code.cpp.commons.Buffer
 import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 import LoopBounds
 private predicate staticBufferBase(VariableAccess access, Variable v) {
@@ -51,6 +53,8 @@ predicate overflowOffsetInLoop(BufferAccess bufaccess, string msg) {
    loop.getStmt().getAChild*() = bufaccess.getEnclosingStmt() and
    loop.limit() >= bufaccess.bufferSize() and
    loop.counter().getAnAccess() = bufaccess.getArrayOffset() and
    // Ensure that we don't have an upper bound on the array index that's less than the buffer size.
    not upperBound(bufaccess.getArrayOffset().getFullyConverted()) < bufaccess.bufferSize() and
    msg =
      "Potential buffer-overflow: counter '" + loop.counter().toString() + "' <= " +
        loop.limit().toString() + " but '" + bufaccess.buffer().getName() + "' has " +
@@ -94,17 +98,22 @@ class CallWithBufferSize extends FunctionCall {
  }
  int statedSizeValue() {
-    exists(Expr statedSizeSrc |
+    // `upperBound(e)` defaults to `exprMaxVal(e)` when `e` isn't analyzable. So to get a meaningful
-      DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr()) and
+    // result in this case we pick the minimum value obtainable from dataflow and range analysis.
-      result = statedSizeSrc.getValue().toInt()
+    result =
-    )
+      upperBound(statedSizeExpr())
          .minimum(min(Expr statedSizeSrc |
              DataFlow::localExprFlow(statedSizeSrc, statedSizeExpr())
            |
              statedSizeSrc.getValue().toInt()
            ))
  }
 }
 predicate wrongBufferSize(Expr error, string msg) {
  exists(CallWithBufferSize call, int bufsize, Variable buf, int statedSize |
    staticBuffer(call.buffer(), buf, bufsize) and
-    statedSize = min(call.statedSizeValue()) and
+    statedSize = call.statedSizeValue() and
    statedSize > bufsize and
    error = call.statedSizeExpr() and
    msg =
--- a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+++ b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
@@ -4,9 +4,12 @@
 * @kind problem
 * @id cpp/return-stack-allocated-object
 * @problem.severity warning
 * @security-severity 2.1
 * @tags reliability
 *       security
 *       external/cwe/cwe-562
 * @deprecated This query is not suitable for production use and has been deprecated. Use
 *             cpp/return-stack-allocated-memory instead.
 */
 import semmle.code.cpp.pointsto.PointsTo
--- a/cpp/ql/src/Critical/ReturnValueIgnored.qhelp
+++ b/cpp/ql/src/Critical/ReturnValueIgnored.qhelp
@@ -7,7 +7,7 @@
 <overview>
 <p>
 This rule finds calls to a function that ignore the return value. A function call is only marked 
-as a violation if at least 80% of the total calls to that function check the return value. Not 
+as a violation if at least 90% of the total calls to that function check the return value. Not
 checking a return value is a common source of defects from standard library functions like <code>malloc</code> or <code>fread</code>.
 These functions return the status information and the return values should always be checked 
 to see if the operation succeeded before operating on any data modified or resources allocated by these functions.
@@ -32,7 +32,7 @@ Check the return value of functions that return status information.
 <references>
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 12: Error handling. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
 </li>
 <li>
  The CERT C Secure Coding Standard: <a href="https://www.securecoding.cert.org/confluence/display/perl/EXP32-PL.+Do+not+ignore+function+return+values">EXP32-PL. Do not ignore function return values</a>.
--- a/cpp/ql/src/Critical/ReturnValueIgnored.ql
+++ b/cpp/ql/src/Critical/ReturnValueIgnored.ql
@@ -1,6 +1,6 @@
 /**
 * @name Return value of a function is ignored
- * @description A call to a function ignores its return value, but more than 80% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
+ * @description A call to a function ignores its return value, but at least 90% of the total number of calls to the function check the return value. Check the return value of functions consistently, especially for functions like 'fread' or the 'scanf' functions that return the status of the operation.
 * @kind problem
 * @id cpp/return-value-ignored
 * @problem.severity recommendation
--- a/cpp/ql/src/Critical/SizeCheck.ql
+++ b/cpp/ql/src/Critical/SizeCheck.ql
@@ -4,6 +4,7 @@
 *              an instance of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.1
 * @precision medium
 * @id cpp/allocation-too-small
 * @tags reliability
--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -4,6 +4,7 @@
 *              multiple instances of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.1
 * @precision medium
 * @id cpp/suspicious-allocation-size
 * @tags reliability
--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -4,6 +4,7 @@
 * @kind problem
 * @id cpp/use-after-free
 * @problem.severity warning
 * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-416
--- a/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+++ b/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
@@ -6,6 +6,7 @@
 *              to a larger type.
 * @kind problem
 * @problem.severity error
 * @security-severity 8.1
 * @precision very-high
 * @id cpp/bad-addition-overflow-check
 * @tags reliability
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -4,6 +4,7 @@
 *              be a sign that the result can overflow the type converted from.
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.1
 * @precision high
 * @id cpp/integer-multiplication-cast-to-long
 * @tags reliability
--- a/Bugs/Arithmetic/SignedOverflowCheck.ql
+++ b/Bugs/Arithmetic/SignedOverflowCheck.ql
@@ -5,10 +5,13 @@
 *              unsigned integer values.
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.1
 * @precision high
 * @id cpp/signed-overflow-check
 * @tags correctness
 *       security
 *       external/cwe/cwe-128
 *       external/cwe/cwe-190
 */
 import cpp
--- a/Bugs/Conversion/CastArrayPointerArithmetic.ql
+++ b/Bugs/Conversion/CastArrayPointerArithmetic.ql
@@ -6,13 +6,14 @@
 *              use the width of the base type, leading to misaligned reads.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 9.3
 * @precision high
 * @id cpp/upcast-array-pointer-arithmetic
 * @tags correctness
 *       reliability
 *       security
 *       external/cwe/cwe-119
 *       external/cwe/cwe-843
 * @id cpp/upcast-array-pointer-arithmetic
 */
 import cpp
--- a/Bugs/Format/NonConstantFormat.ql
+++ b/Bugs/Format/NonConstantFormat.ql
@@ -6,6 +6,7 @@
 *              from an untrusted source, this can be used for exploits.
 * @kind problem
 * @problem.severity recommendation
 * @security-severity 9.3
 * @precision high
 * @id cpp/non-constant-format
 * @tags maintainability
--- a/Bugs/Format/SnprintfOverflow.ql
+++ b/Bugs/Format/SnprintfOverflow.ql
@@ -3,11 +3,14 @@
 * @description Using the return value from snprintf without proper checks can cause overflow.
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.1
 * @precision high
 * @id cpp/overflowing-snprintf
 * @tags reliability
 *       correctness
 *       security
 *       external/cwe/cwe-190
 *       external/cwe/cwe-253
 */
 import cpp
--- a/Bugs/Format/WrongNumberOfFormatArguments.ql
+++ b/Bugs/Format/WrongNumberOfFormatArguments.ql
@@ -4,11 +4,13 @@
 *              a source of security issues.
 * @kind problem
 * @problem.severity error
 * @security-severity 5.0
 * @precision high
 * @id cpp/wrong-number-format-arguments
 * @tags reliability
 *       correctness
 *       security
 *       external/cwe/cwe-234
 *       external/cwe/cwe-685
 */
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -4,6 +4,7 @@
 *              behavior.
 * @kind problem
 * @problem.severity error
 * @security-severity 7.5
 * @precision high
 * @id cpp/wrong-type-format-argument
 * @tags reliability
--- a/Typos/IncorrectNotOperatorUsage.ql
+++ b/Typos/IncorrectNotOperatorUsage.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/incorrect-not-operator-usage
 * @problem.severity warning
 * @security-severity 7.5
 * @precision medium
 * @tags security
 *       external/cwe/cwe-480
--- a/Typos/MissingEnumCaseInSwitch.qhelp
+++ b/Typos/MissingEnumCaseInSwitch.qhelp
@@ -26,7 +26,7 @@ indication that there may be cases unhandled by the <code>switch</code> statemen
  MSDN Library: <a href="https://docs.microsoft.com/en-us/cpp/cpp/switch-statement-cpp">switch statement (C++)</a>
 </li>
 <li>
-  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="http://mongers.org/industrial-c++/">available online</a>).
+  M. Henricson and E. Nyquist, <i>Industrial Strength C++</i>, Chapter 4: Control Flow, Rec 4.5. Prentice Hall PTR, 1997 (<a href="https://web.archive.org/web/20190919025638/https://mongers.org/industrial-c++/">available online</a>).
 </li>
--- a/Management/AllocaInLoop.ql
+++ b/Management/AllocaInLoop.ql
@@ -3,6 +3,7 @@
 * @description Using alloca in a loop can lead to a stack overflow
 * @kind problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision high
 * @id cpp/alloca-in-loop
 * @tags reliability
--- a/Management/ImproperNullTermination.ql
+++ b/Management/ImproperNullTermination.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/improper-null-termination
 * @problem.severity warning
 * @security-severity 7.8
 * @tags security
 *       external/cwe/cwe-170
 *       external/cwe/cwe-665
--- a/Management/PointerOverflow.ql
+++ b/Management/PointerOverflow.ql
@@ -4,10 +4,12 @@
 *              on undefined behavior and may lead to memory corruption.
 * @kind problem
 * @problem.severity error
 * @security-severity 2.1
 * @precision high
 * @id cpp/pointer-overflow-check
 * @tags reliability
 *       security
 *       external/cwe/cwe-758
 */
 import cpp
--- a/Management/PotentialBufferOverflow.ql
+++ b/Management/PotentialBufferOverflow.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/potential-buffer-overflow
 * @problem.severity warning
 * @security-severity 10.0
 * @tags reliability
 *       security
 *       external/cwe/cwe-676
--- a/Management/ReturnStackAllocatedMemory.ql
+++ b/Management/ReturnStackAllocatedMemory.ql
@@ -13,6 +13,7 @@
 import cpp
 import semmle.code.cpp.dataflow.EscapesTree
 import semmle.code.cpp.models.interfaces.PointerWrapper
 import semmle.code.cpp.dataflow.DataFlow
 /**
@@ -39,6 +40,10 @@ predicate hasNontrivialConversion(Expr e) {
    e instanceof ParenthesisExpr
  )
  or
  // A smart pointer can be stack-allocated while the data it points to is heap-allocated.
  // So we exclude such "conversions" from this predicate.
  e = any(PointerWrapper wrapper).getAnUnwrapperFunction().getACallToThisFunction()
  or
  hasNontrivialConversion(e.getConversion())
 }
--- a/Management/StrncpyFlippedArgs.ql
+++ b/Management/StrncpyFlippedArgs.ql
@@ -4,6 +4,7 @@
 *              as the third argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
 * @security-severity 9.3
 * @precision medium
 * @id cpp/bad-strncpy-size
 * @tags reliability
--- a/Management/SuspiciousCallToMemset.ql
+++ b/Management/SuspiciousCallToMemset.ql
@@ -7,6 +7,7 @@
 * @kind problem
 * @id cpp/suspicious-call-to-memset
 * @problem.severity recommendation
 * @security-severity 10.0
 * @precision medium
 * @tags reliability
 *       correctness
--- a/Management/SuspiciousCallToStrncat.cpp
+++ b/Management/SuspiciousCallToStrncat.cpp
@@ -2,3 +2,7 @@ strncat(dest, src, strlen(dest)); //wrong: should use remaining size of dest
 strncat(dest, src, sizeof(dest)); //wrong: should use remaining size of dest. 
                                  //Also fails if dest is a pointer and not an array.
 strncat(dest, source, sizeof(dest) - strlen(dest)); // wrong: writes a zero byte past the `dest` buffer.
 strncat(dest, source, sizeof(dest) - strlen(dest) - 1); // correct: reserves space for the zero byte.
--- a/Management/SuspiciousCallToStrncat.qhelp
+++ b/Management/SuspiciousCallToStrncat.qhelp
@@ -4,7 +4,17 @@
 <qhelp>
 <overview>
 <p>The standard library function <code>strncat</code> appends a source string to a target string. 
-The third argument defines the maximum number of characters to append and should be less than or equal to the remaining space in the destination buffer. Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set the third argument to the entire size of the destination buffer. Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty. Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
+The third argument defines the maximum number of characters to append and should be less than or equal
 to the remaining space in the destination buffer.</p>
 <p>Calls of the form <code>strncat(dest, src, strlen(dest))</code> or <code>strncat(dest, src, sizeof(dest))</code> set
 the third argument to the entire size of the destination buffer.
 Executing a call of this type may cause a buffer overflow unless the buffer is known to be empty.</p>
 <p>Similarly, calls of the form <code>strncat(dest, src, sizeof (dest) - strlen (dest))</code> allow one
 byte to be written ouside the <code>dest</code> buffer.</p>
 <p>Buffer overflows can lead to anything from a segmentation fault to a security vulnerability.</p>
 </overview>
 <recommendation>
@@ -25,6 +35,10 @@ The third argument defines the maximum number of characters to append and should
 <li>
  M. Donaldson, <em>Inside the Buffer Overflow Attack: Mechanism, Method &amp; Prevention</em>. SANS Institute InfoSec Reading Room, 2002.
 </li>
 <li>
  CERT C Coding Standard:
 <a href="https://wiki.sei.cmu.edu/confluence/display/c/STR31-C.+Guarantee+that+storage+for+strings+has+sufficient+space+for+character+data+and+the+null+terminator">STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator</a>.
 </li>
 </references>
--- a/Management/SuspiciousCallToStrncat.ql
+++ b/Management/SuspiciousCallToStrncat.ql
@@ -1,14 +1,15 @@
 /**
 * @name Potentially unsafe call to strncat
- * @description Calling 'strncat' with the size of the destination buffer
+ * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
 *              as the third argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
 * @security-severity 9.3
 * @precision medium
 * @id cpp/unsafe-strncat
 * @tags reliability
 *       correctness
 *       security
 *       external/cwe/cwe-788
 *       external/cwe/cwe-676
 *       external/cwe/cwe-119
 *       external/cwe/cwe-251
@@ -16,11 +17,53 @@
 import cpp
 import Buffer
 import semmle.code.cpp.models.implementations.Strcat
 import semmle.code.cpp.valuenumbering.GlobalValueNumbering
-from FunctionCall fc, VariableAccess va1, VariableAccess va2
+/**
-where
+ * Holds if `call` is a call to `strncat` such that `sizeArg` and `destArg` are the size and
-  fc.getTarget().(Function).hasName("strncat") and
+ * destination arguments, respectively.
-  va1 = fc.getArgument(0) and
+ */
-  va2 = fc.getArgument(2).(BufferSizeExpr).getArg() and
+predicate interestringCallWithArgs(Call call, Expr sizeArg, Expr destArg) {
-  va1.getTarget() = va2.getTarget()
+  exists(StrcatFunction strcat |
    strcat = call.getTarget() and
    sizeArg = call.getArgument(strcat.getParamSize()) and
    destArg = call.getArgument(strcat.getParamDest())
  )
 }
 /**
 * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
 * argument `destArg`, and `destArg` is the size of the buffer pointed to by `destArg`.
 */
 predicate case1(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
  interestringCallWithArgs(fc, sizeArg, destArg) and
  exists(VariableAccess va |
    va = sizeArg.(BufferSizeExpr).getArg() and
    destArg.getTarget() = va.getTarget()
  )
 }
 /**
 * Holds if `fc` is a call to `strncat` with size argument `sizeArg` and destination
 * argument `destArg`, and `sizeArg` computes the value `sizeof (dest) - strlen (dest)`.
 */
 predicate case2(FunctionCall fc, Expr sizeArg, VariableAccess destArg) {
  interestringCallWithArgs(fc, sizeArg, destArg) and
  exists(SubExpr sub, int n |
    // The destination buffer is an array of size n
    destArg.getUnspecifiedType().(ArrayType).getSize() = n and
    // The size argument is equivalent to a subtraction
    globalValueNumber(sizeArg).getAnExpr() = sub and
    // ... where the left side of the subtraction is the constant n
    globalValueNumber(sub.getLeftOperand()).getAnExpr().getValue().toInt() = n and
    // ... and the right side of the subtraction is a call to `strlen` where the argument is the
    // destination buffer.
    globalValueNumber(sub.getRightOperand()).getAnExpr().(StrlenCall).getStringExpr() =
      globalValueNumber(destArg).getAnExpr()
  )
 }
 from FunctionCall fc, Expr sizeArg, Expr destArg
 where case1(fc, sizeArg, destArg) or case2(fc, sizeArg, destArg)
 select fc, "Potentially unsafe call to strncat."
--- a/Management/SuspiciousSizeof.ql
+++ b/Management/SuspiciousSizeof.ql
@@ -5,6 +5,7 @@
 *              the machine pointer size.
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.8
 * @precision medium
 * @id cpp/suspicious-sizeof
 * @tags reliability
--- a/Management/UninitializedLocal.ql
+++ b/Management/UninitializedLocal.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/uninitialized-local
 * @problem.severity warning
 * @security-severity 7.8
 * @precision medium
 * @tags security
 *       external/cwe/cwe-665
--- a/Management/UnsafeUseOfStrcat.ql
+++ b/Management/UnsafeUseOfStrcat.ql
@@ -4,6 +4,7 @@
 *              may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
 * @security-severity 9.8
 * @precision medium
 * @id cpp/unsafe-strcat
 * @tags reliability
--- a/Bugs/OO/SelfAssignmentCheck.ql
+++ b/Bugs/OO/SelfAssignmentCheck.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/self-assignment-check
 * @problem.severity warning
 * @security-severity 7.0
 * @tags reliability
 *       security
 *       external/cwe/cwe-826
--- a/Bugs/OO/UnsafeUseOfThis.ql
+++ b/Bugs/OO/UnsafeUseOfThis.ql
@@ -6,10 +6,12 @@
 * @kind path-problem
 * @id cpp/unsafe-use-of-this
 * @problem.severity error
 * @security-severity 7.5
 * @precision very-high
 * @tags correctness
 *       language-features
 *       security
 *       external/cwe/cwe-670
 */
 import cpp
--- a/Functions/TooFewArguments.ql
+++ b/Functions/TooFewArguments.ql
@@ -7,11 +7,14 @@
 *              undefined data.
 * @kind problem
 * @problem.severity error
 * @security-severity 5.0
 * @precision very-high
 * @id cpp/too-few-arguments
 * @tags correctness
 *       maintainability
 *       security
 *       external/cwe/cwe-234
 *       external/cwe/cwe-685
 */
 import cpp
--- a/cpp/ql/src/Metrics/Files/FTransitiveIncludes.qhelp
+++ b/cpp/ql/src/Metrics/Files/FTransitiveIncludes.qhelp
@@ -29,7 +29,7 @@ build time: the more included files, the longer the compilation time.</p>
  <a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
 </li>
 <li>
-  <a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
+  <a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice -
 Designing Header Files</a>
 </li>
--- a/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.qhelp
+++ b/cpp/ql/src/Metrics/Files/FTransitiveSourceIncludes.qhelp
@@ -35,7 +35,7 @@ they are contributing to unnecessarily long build times and creating artificial
  <a href="http://www.drdobbs.com/cpp/decoupling-c-header-files/212701130">Decoupling C Header Files</a>
 </li>
 <li>
-  <a href="https://wiki.hsr.ch/Prog3/files/overload72-FINAL_DesigningHeaderFiles.pdf">C++ Best Practice -
+  <a href="https://accu.org/journals/overload/14/72/griffiths_1995/">C++ Best Practice -
 Designing Header Files</a>
 </li>
 </references>
--- a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/memset-may-be-deleted
 * @problem.severity warning
 * @security-severity 7.8
 * @precision high
 * @tags security
 *       external/cwe/cwe-14
--- a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
 * @security-severity 7.8
 * @tags security external/cwe/cwe-20
 */
--- a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,6 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
 * @security-severity 7.8
 * @tags security external/cwe/cwe-20
 */
--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -4,6 +4,7 @@
 *              attacker to access unexpected resources.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 7.5
 * @precision medium
 * @id cpp/path-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -5,6 +5,7 @@
 *              to command injection.
 * @kind problem
 * @problem.severity error
 * @security-severity 9.8
 * @precision low
 * @id cpp/command-line-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,6 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 6.1
 * @precision high
 * @id cpp/cgi-xss
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -5,6 +5,7 @@
 *              to SQL Injection.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 8.8
 * @precision high
 * @id cpp/sql-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -5,6 +5,7 @@
 *              commands.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 8.2
 * @precision medium
 * @id cpp/uncontrolled-process-operation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/overflow-buffer
 * @problem.severity recommendation
 * @security-severity 9.3
 * @tags security
 *       external/cwe/cwe-119
 *       external/cwe/cwe-121
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -5,6 +5,7 @@
 *              overflow.
 * @kind problem
 * @problem.severity error
 * @security-severity 9.3
 * @precision high
 * @id cpp/badly-bounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -4,6 +4,7 @@
 *              of data written may overflow.
 * @kind problem
 * @problem.severity error
 * @security-severity 9.3
 * @precision medium
 * @id cpp/overrunning-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
@@ -5,6 +5,7 @@
 *              take extreme values.
 * @kind problem
 * @problem.severity error
 * @security-severity 9.3
 * @precision medium
 * @id cpp/overrunning-write-with-float
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -4,6 +4,7 @@
 *              of data written may overflow.
 * @kind path-problem
 * @problem.severity error
 * @security-severity 9.3
 * @precision medium
 * @id cpp/unbounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -5,6 +5,7 @@
 *              a specific value to terminate the argument list.
 * @kind problem
 * @problem.severity warning
 * @security-severity 8.8
 * @precision medium
 * @id cpp/unterminated-variadic-call
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -6,6 +6,7 @@
 * @kind problem
 * @id cpp/unclear-array-index-validation
 * @problem.severity warning
 * @security-severity 8.8
 * @tags security
 *       external/cwe/cwe-129
 */
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -5,6 +5,7 @@
 *              terminator can cause a buffer overrun.
 * @kind problem
 * @problem.severity error
 * @security-severity 9.8
 * @precision high
 * @id cpp/no-space-for-terminator
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -5,6 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 9.3
 * @precision high
 * @id cpp/tainted-format-string
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
@@ -5,6 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
 * @security-severity 9.3
 * @precision high
 * @id cpp/tainted-format-string-through-global
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-170/ImproperNullTerminationTainted.ql
@@ -5,6 +5,7 @@
 * @kind problem
 * @id cpp/user-controlled-null-termination-tainted
 * @problem.severity warning
 * @security-severity 10.0
 * @tags security
 *       external/cwe/cwe-170
 */
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`lgtm`
							* The `cpp/tainted-arithmetic`, `cpp/arithmetic-with-extreme-values`, and `cpp/uncontrolled-arithmetic` queries now recognize more functions as returning the absolute value of their input. As a result, they produce fewer false positives.
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							`* The 'Unsigned difference expression compared to zero' (cpp/unsigned-difference-expression-compared-zero) query has been improved to produce fewer false positive results.`
		`@@ -0,0 +1,2 @@`
							`lgtm`
							`* The queries cpp/tainted-arithmetic, cpp/uncontrolled-arithmetic, and cpp/arithmetic-with-extreme-values have been improved to produce fewer false positives.`
		`@@ -0,0 +1,2 @@`
							`codescanning`
							* The 'Pointer to stack object used as return value' (cpp/return-stack-allocated-object) query has been deprecated, and any uses should be replaced with `Returning stack-allocated memory` (cpp/return-stack-allocated-memory).
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							* The `exprMightOverflowPositively` and `exprMightOverflowNegatively` predicates from the `SimpleRangeAnalysis` library now recognize more expressions that might overflow.
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							`* The 'Comparison with wider type' (cpp/comparison-with-wider-type) query has been improved to produce fewer false positives.`
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							* The query "Uncontrolled arithmetic" (`cpp/uncontrolled-arithmetic`) has been improved to produce fewer false positives.
		`@@ -0,0 +1,2 @@`
							`lgtm`
							`* The "Tainted allocation size" query (cpp/uncontrolled-allocation-size) has been improved to produce fewer false positives.`
		`@@ -0,0 +1,2 @@`
							`lgtm`
							`* The "Static buffer overflow" query (cpp/static-buffer-overflow) has been improved to produce fewer false positives.`
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been enhanced to reduce false positive results, and (rarely) find more true positive results.