C++: Fix queries. Since there's no longer indirect -> direct flow in

taint-tracking we need to make sure the affected sink definitions also handle indirect flow.
2025-12-23 20:26:32 +01:00 · 2023-02-26 17:58:45 +00:00
parent 1db24dd28d
commit 354a12c906
17 changed files with 443 additions and 377 deletions
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -71,7 +71,7 @@ class OverflowDestinationConfig extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node source) { source instanceof FlowSource }
-  override predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asConvertedExpr()) }
+  override predicate isSink(DataFlow::Node sink) { sourceSized(_, sink.asIndirectConvertedExpr()) }
  override predicate isSanitizer(DataFlow::Node node) {
    exists(Variable checkedVar |
@@ -91,6 +91,6 @@ from
  DataFlow::PathNode sink
 where
  conf.hasFlowPath(source, sink) and
-  sourceSized(fc, sink.getNode().asConvertedExpr())
+  sourceSized(fc, sink.getNode().asIndirectConvertedExpr())
 select fc, source, sink,
  "To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size."
--- a/Bugs/Format/NonConstantFormat.ql
+++ b/Bugs/Format/NonConstantFormat.ql
@@ -57,9 +57,12 @@ predicate underscoreMacro(Expr e) {
 */
 predicate cannotContainString(Type t, boolean isIndirect) {
  isIndirect = false and
-  (
+  exists(Type unspecified |
-    t.getUnspecifiedType() instanceof BuiltInType or
+    unspecified = t.getUnspecifiedType() and
-    t.getUnspecifiedType() instanceof IntegralOrEnumType
+    not unspecified instanceof UnknownType
  |
    unspecified instanceof BuiltInType or
    unspecified instanceof IntegralOrEnumType
  )
 }
@@ -124,6 +127,11 @@ predicate isSanitizerNode(DataFlow::Node node) {
  cannotContainString(node.getType(), false)
 }
 predicate isSinkImpl(DataFlow::Node sink, Expr formatString) {
  [sink.asExpr(), sink.asIndirectExpr()] = formatString and
  exists(FormattingFunctionCall fc | formatString = fc.getArgument(fc.getFormatParameterIndex()))
 }
 class NonConstFlow extends TaintTracking::Configuration {
  NonConstFlow() { this = "NonConstFlow" }
@@ -135,9 +143,7 @@ class NonConstFlow extends TaintTracking::Configuration {
    )
  }
-  override predicate isSink(DataFlow::Node sink) {
+  override predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
    exists(FormattingFunctionCall fc | sink.asExpr() = fc.getArgument(fc.getFormatParameterIndex()))
  }
  override predicate isSanitizer(DataFlow::Node node) { isSanitizerNode(node) }
 }
@@ -147,7 +153,7 @@ where
  call.getArgument(call.getFormatParameterIndex()) = formatString and
  exists(NonConstFlow cf, DataFlow::Node sink |
    cf.hasFlowTo(sink) and
-    sink.asExpr() = formatString
+    isSinkImpl(sink, formatString)
  )
 select formatString,
  "The format string argument to " + call.getTarget().getName() +
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -48,9 +48,11 @@ class ToBufferConfiguration extends TaintTracking::Configuration {
    node.asExpr().getUnspecifiedType() instanceof IntegralType
  }
-  override predicate isSink(DataFlow::Node sink) {
+  override predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _) }
-    exists(SensitiveBufferWrite w | w.getASource() = sink.asExpr())
+}
-  }
+
 predicate isSinkImpl(DataFlow::Node sink, SensitiveBufferWrite w) {
  w.getASource() = sink.asIndirectExpr()
 }
 from
@@ -59,7 +61,7 @@ from
 where
  config.hasFlowPath(sourceNode, sinkNode) and
  sourceNode.getNode() = source and
-  w.getASource() = sinkNode.getNode().asExpr()
+  isSinkImpl(sinkNode.getNode(), w)
 select w, sourceNode, sinkNode,
  "This write into buffer '" + w.getDest().toString() + "' may contain unencrypted data from $@.",
  source, "user input (" + source.getSourceType() + ")"
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -26,15 +26,32 @@ import DataFlow::PathGraph
 class FromSensitiveConfiguration extends TaintTracking::Configuration {
  FromSensitiveConfiguration() { this = "FromSensitiveConfiguration" }
-  override predicate isSource(DataFlow::Node source) { source.asExpr() instanceof SensitiveExpr }
+  override predicate isSource(DataFlow::Node source) { isSourceImpl(source, _) }
-  override predicate isSink(DataFlow::Node sink) { any(FileWrite w).getASource() = sink.asExpr() }
+  override predicate isSink(DataFlow::Node sink) { isSinkImpl(sink, _, _) }
  override predicate isSanitizer(DataFlow::Node node) {
    node.asExpr().getUnspecifiedType() instanceof IntegralType
  }
 }
 predicate isSinkImpl(DataFlow::Node sink, FileWrite w, Expr dest) {
  exists(Expr e |
    e = [sink.asExpr(), sink.asIndirectExpr()] and
    w.getASource() = e and
    dest = w.getDest() and
    // ignore things written with other conversion characters
    not exists(string convChar | convChar = w.getSourceConvChar(e) | not convChar = ["s", "S"]) and
    // exclude calls with standard streams
    not dest.(VariableAccess).getTarget().getName() = ["stdin", "stdout", "stderr"]
  )
 }
 predicate isSourceImpl(DataFlow::Node source, SensitiveExpr sensitive) {
  not isFileName(globalValueNumber(sensitive)) and // file names are not passwords
  source.asExpr() = sensitive
 }
 /**
 * An operation on a filename.
 */
@@ -61,17 +78,12 @@ predicate isFileName(GVN gvn) {
 }
 from
-  FromSensitiveConfiguration config, SensitiveExpr source, DataFlow::PathNode sourceNode, Expr mid,
+  FromSensitiveConfiguration config, SensitiveExpr source, DataFlow::PathNode sourceNode,
  DataFlow::PathNode midNode, FileWrite w, Expr dest
 where
  config.hasFlowPath(sourceNode, midNode) and
-  sourceNode.getNode().asExpr() = source and
+  isSourceImpl(sourceNode.getNode(), source) and
-  midNode.getNode().asExpr() = mid and
+  isSinkImpl(midNode.getNode(), w, dest)
  mid = w.getASource() and
  dest = w.getDest() and
  not dest.(VariableAccess).getTarget().getName() = ["stdin", "stdout", "stderr"] and // exclude calls with standard streams
  not isFileName(globalValueNumber(source)) and // file names are not passwords
  not exists(string convChar | convChar = w.getSourceConvChar(mid) | not convChar = ["s", "S"]) // ignore things written with other conversion characters
 select w, sourceNode, midNode,
  "This write into file '" + dest.toString() + "' may contain unencrypted data from $@.", source,
  "this source."
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextTransmission.ql
@@ -208,7 +208,7 @@ class Encrypted extends Expr {
 * operation `nsr`.
 */
 predicate isSinkSendRecv(DataFlow::Node sink, NetworkSendRecv nsr) {
-  sink.asConvertedExpr() = nsr.getDataExpr().getFullyConverted()
+  [sink.asIndirectConvertedExpr(), sink.asConvertedExpr()] = nsr.getDataExpr().getFullyConverted()
 }
 /**
--- a/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
+++ b/cpp/ql/src/Security/CWE/CWE-319/UseOfHttp.ql
@@ -59,11 +59,11 @@ class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
  override predicate isSource(DataFlow::Node src) {
    // Sources are strings containing an HTTP URL not in a private domain.
-    src.asExpr() instanceof HttpStringLiteral and
+    src.asIndirectExpr() instanceof HttpStringLiteral and
    // block taint starting at `strstr`, which is likely testing an existing URL, rather than constructing an HTTP URL.
    not exists(FunctionCall fc |
      fc.getTarget().getName() = ["strstr", "strcasestr"] and
-      fc.getArgument(1) = globalValueNumber(src.asExpr()).getAnExpr()
+      fc.getArgument(1) = globalValueNumber(src.asIndirectExpr()).getAnExpr()
    )
  }
@@ -77,16 +77,16 @@ class HttpStringToUrlOpenConfig extends TaintTracking::Configuration {
              "system", "gethostbyname", "gethostbyname2", "gethostbyname_r", "getaddrinfo",
              "X509_load_http", "X509_CRL_load_http"
            ]) and
-      sink.asExpr() = fc.getArgument(0)
+      sink.asIndirectExpr() = fc.getArgument(0)
      or
      fc.getTarget().hasGlobalOrStdName(["send", "URLDownloadToFile", "URLDownloadToCacheFile"]) and
-      sink.asExpr() = fc.getArgument(1)
+      sink.asIndirectExpr() = fc.getArgument(1)
      or
      fc.getTarget().hasGlobalOrStdName(["curl_easy_setopt", "getnameinfo"]) and
-      sink.asExpr() = fc.getArgument(2)
+      sink.asIndirectExpr() = fc.getArgument(2)
      or
      fc.getTarget().hasGlobalOrStdName(["ShellExecute", "ShellExecuteA", "ShellExecuteW"]) and
-      sink.asExpr() = fc.getArgument(3)
+      sink.asIndirectExpr() = fc.getArgument(3)
    )
  }
 }
@@ -96,5 +96,5 @@ from
  HttpStringLiteral str
 where
  config.hasFlowPath(source, sink) and
-  str = source.getNode().asExpr()
+  str = source.getNode().asIndirectExpr()
 select str, source, sink, "This URL may be constructed with the HTTP protocol."
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -27,7 +27,7 @@ class ExposedSystemDataConfiguration extends TaintTracking::Configuration {
    exists(FunctionCall fc, FunctionInput input, int arg |
      fc.getTarget().(RemoteFlowSinkFunction).hasRemoteFlowSink(input, _) and
      input.isParameterDeref(arg) and
-      fc.getArgument(arg).getAChild*() = sink.asExpr()
+      fc.getArgument(arg).getAChild*() = sink.asIndirectExpr()
    )
  }
 }
@@ -39,7 +39,7 @@ where
    DataFlow::Node alt // remove duplicate results on conversions
  |
    config.hasFlow(source.getNode(), alt) and
-    alt.asConvertedExpr() = sink.getNode().asExpr() and
+    alt.asConvertedExpr() = sink.getNode().asIndirectExpr() and
    alt != sink.getNode()
  )
 select sink, source, sink, "This operation exposes system data from $@.", source,
--- a/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/PotentiallyExposedSystemData.ql
@@ -39,7 +39,7 @@ class PotentiallyExposedSystemDataConfiguration extends TaintTracking::Configura
  }
  override predicate isSink(DataFlow::Node sink) {
-    exists(OutputWrite ow | ow.getASource().getAChild*() = sink.asExpr())
+    exists(OutputWrite ow | ow.getASource().getAChild*() = sink.asIndirectExpr())
  }
 }
--- a/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll
+++ b/cpp/ql/src/Security/CWE/CWE-497/SystemData.qll
@@ -34,7 +34,7 @@ class EnvData extends SystemData {
        .regexpMatch(".*(user|host|admin|root|home|path|http|ssl|snmp|sock|port|proxy|pass|token|crypt|key).*")
  }
-  override DataFlow::Node getAnExpr() { result.asConvertedExpr() = this }
+  override DataFlow::Node getAnExpr() { result.asIndirectConvertedExpr() = this }
  override predicate isSensitive() {
    this.(EnvironmentRead)
@@ -50,7 +50,7 @@ class EnvData extends SystemData {
 class SqlClientInfo extends SystemData {
  SqlClientInfo() { this.(FunctionCall).getTarget().hasName("mysql_get_client_info") }
-  override DataFlow::Node getAnExpr() { result.asConvertedExpr() = this }
+  override DataFlow::Node getAnExpr() { result.asIndirectConvertedExpr() = this }
  override predicate isSensitive() { any() }
 }
@@ -72,7 +72,7 @@ private predicate sqlConnectInfo(FunctionCall source, Expr use) {
 class SqlConnectInfo extends SystemData {
  SqlConnectInfo() { sqlConnectInfo(this, _) }
-  override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asConvertedExpr()) }
+  override DataFlow::Node getAnExpr() { sqlConnectInfo(this, result.asExpr()) }
  override predicate isSensitive() { any() }
 }
@@ -114,7 +114,7 @@ private predicate posixPWInfo(FunctionCall source, DataFlow::Node use) {
  source
      .getTarget()
      .hasName(["getpwnam", "getpwuid", "getpwent", "getgrnam", "getgrgid", "getgrent"]) and
-  use.asConvertedExpr() = source
+  use.asIndirectExpr() = source
  or
  // int getpwnam_r(const char *name, struct passwd *pwd,
  //                char *buf, size_t buflen, struct passwd **result);
@@ -126,7 +126,7 @@ private predicate posixPWInfo(FunctionCall source, DataFlow::Node use) {
  //                char *buf, size_t buflen, struct group **result);
  source.getTarget().hasName(["getpwnam_r", "getpwuid_r", "getgrgid_r", "getgrnam_r"]) and
  (
-    use.asConvertedExpr() = source.getArgument([1, 2]) or
+    use.asExpr() = source.getArgument([1, 2]) or
    use.asDefiningArgument() = source.getArgument(4)
  )
  or
@@ -136,7 +136,7 @@ private predicate posixPWInfo(FunctionCall source, DataFlow::Node use) {
  //                size_t buflen, struct group **gbufp);
  source.getTarget().hasName(["getpwent_r", "getgrent_r"]) and
  (
-    use.asConvertedExpr() = source.getArgument([0, 1]) or
+    use.asExpr() = source.getArgument([0, 1]) or
    use.asDefiningArgument() = source.getArgument(3)
  )
 }
@@ -155,7 +155,7 @@ class PosixPWInfo extends SystemData {
 private predicate windowsSystemInfo(FunctionCall source, DataFlow::Node use) {
  // DWORD WINAPI GetVersion(void);
  source.getTarget().hasGlobalName("GetVersion") and
-  use.asConvertedExpr() = source
+  use.asExpr() = source
  or
  // BOOL WINAPI GetVersionEx(_Inout_ LPOSVERSIONINFO lpVersionInfo);
  // void WINAPI GetSystemInfo(_Out_ LPSYSTEM_INFO lpSystemInfo);
@@ -236,7 +236,7 @@ class WindowsFolderPath extends SystemData {
  override DataFlow::Node getAnExpr() { windowsFolderPath(this, result.asDefiningArgument()) }
 }
-private predicate logonUser(FunctionCall source, VariableAccess use) {
+private predicate logonUser(FunctionCall source, Expr use) {
  source.getTarget().hasGlobalName(["LogonUser", "LogonUserW", "LogonUserA"]) and
  use = source.getAnArgument()
 }
@@ -247,7 +247,7 @@ private predicate logonUser(FunctionCall source, VariableAccess use) {
 class LogonUser extends SystemData {
  LogonUser() { logonUser(this, _) }
-  override DataFlow::Node getAnExpr() { logonUser(this, result.asConvertedExpr()) }
+  override DataFlow::Node getAnExpr() { logonUser(this, result.asIndirectExpr()) }
  override predicate isSensitive() { any() }
 }
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-119/semmle/tests/OverflowDestination.expected
@@ -1,70 +1,49 @@
 edges
 | main.cpp:6:27:6:30 | argv | main.cpp:7:33:7:36 | argv |
 | main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv |
 | main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv |
 | main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv indirection |
 | main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv indirection |
 | main.cpp:6:27:6:30 | argv indirection | main.cpp:7:33:7:36 | argv indirection |
 | main.cpp:7:33:7:36 | argv | overflowdestination.cpp:23:45:23:48 | argv |
 | main.cpp:7:33:7:36 | argv indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
 | main.cpp:7:33:7:36 | argv indirection | overflowdestination.cpp:23:45:23:48 | argv indirection |
-| overflowdestination.cpp:23:45:23:48 | argv | overflowdestination.cpp:30:17:30:20 | arg1 |
+| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
-| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 |
+| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
-| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 |
+| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
-| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src |
+| overflowdestination.cpp:23:45:23:48 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection |
-| overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:53:9:53:12 | memcpy output argument |
+| overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection |
-| overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:53:15:53:17 | src |
+| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
-| overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
+| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src indirection |
-| overflowdestination.cpp:50:52:50:54 | src indirection | overflowdestination.cpp:53:15:53:17 | src |
+| overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
-| overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
+| overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 indirection |
 | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:54:9:54:12 | memcpy output argument |
 | overflowdestination.cpp:57:52:57:54 | src | overflowdestination.cpp:64:16:64:19 | src2 |
 | overflowdestination.cpp:57:52:57:54 | src indirection | overflowdestination.cpp:64:16:64:19 | src2 |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:75:30:75:32 | src indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
 | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src |
 | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | overflowdestination.cpp:76:30:76:32 | src indirection |
 | overflowdestination.cpp:75:30:75:32 | src | overflowdestination.cpp:50:52:50:54 | src |
 | overflowdestination.cpp:75:30:75:32 | src | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
 | overflowdestination.cpp:75:30:75:32 | src indirection | overflowdestination.cpp:50:52:50:54 | src indirection |
 | overflowdestination.cpp:76:30:76:32 | src | overflowdestination.cpp:57:52:57:54 | src |
 | overflowdestination.cpp:76:30:76:32 | src indirection | overflowdestination.cpp:57:52:57:54 | src indirection |
 nodes
 | main.cpp:6:27:6:30 | argv | semmle.label | argv |
 | main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
 | main.cpp:6:27:6:30 | argv indirection | semmle.label | argv indirection |
 | main.cpp:7:33:7:36 | argv | semmle.label | argv |
 | main.cpp:7:33:7:36 | argv indirection | semmle.label | argv indirection |
 | main.cpp:7:33:7:36 | argv indirection | semmle.label | argv indirection |
 | overflowdestination.cpp:23:45:23:48 | argv | semmle.label | argv |
 | overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
 | overflowdestination.cpp:23:45:23:48 | argv indirection | semmle.label | argv indirection |
-| overflowdestination.cpp:30:17:30:20 | arg1 | semmle.label | arg1 |
+| overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
 | overflowdestination.cpp:30:17:30:20 | arg1 indirection | semmle.label | arg1 indirection |
 | overflowdestination.cpp:43:8:43:10 | fgets output argument | semmle.label | fgets output argument |
-| overflowdestination.cpp:46:15:46:17 | src | semmle.label | src |
+| overflowdestination.cpp:46:15:46:17 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:50:52:50:54 | src | semmle.label | src |
 | overflowdestination.cpp:50:52:50:54 | src indirection | semmle.label | src indirection |
-| overflowdestination.cpp:53:9:53:12 | memcpy output argument | semmle.label | memcpy output argument |
+| overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
-| overflowdestination.cpp:53:15:53:17 | src | semmle.label | src |
+| overflowdestination.cpp:53:15:53:17 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:54:9:54:12 | memcpy output argument | semmle.label | memcpy output argument |
 | overflowdestination.cpp:57:52:57:54 | src | semmle.label | src |
 | overflowdestination.cpp:57:52:57:54 | src indirection | semmle.label | src indirection |
-| overflowdestination.cpp:64:16:64:19 | src2 | semmle.label | src2 |
+| overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
 | overflowdestination.cpp:64:16:64:19 | src2 indirection | semmle.label | src2 indirection |
 | overflowdestination.cpp:73:8:73:10 | fgets output argument | semmle.label | fgets output argument |
 | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument | semmle.label | overflowdest_test2 output argument |
 | overflowdestination.cpp:75:30:75:32 | src | semmle.label | src |
 | overflowdestination.cpp:75:30:75:32 | src indirection | semmle.label | src indirection |
 | overflowdestination.cpp:76:30:76:32 | src | semmle.label | src |
 | overflowdestination.cpp:76:30:76:32 | src indirection | semmle.label | src indirection |
 subpaths
 | overflowdestination.cpp:75:30:75:32 | src | overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:53:9:53:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
 | overflowdestination.cpp:75:30:75:32 | src | overflowdestination.cpp:50:52:50:54 | src | overflowdestination.cpp:54:9:54:12 | memcpy output argument | overflowdestination.cpp:75:30:75:32 | overflowdest_test2 output argument |
 #select
-| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:30:2:30:8 | call to strncpy | main.cpp:6:27:6:30 | argv indirection | overflowdestination.cpp:30:17:30:20 | arg1 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:46:2:46:7 | call to memcpy | overflowdestination.cpp:43:8:43:10 | fgets output argument | overflowdestination.cpp:46:15:46:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
-| overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
+| overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:53:2:53:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:53:15:53:17 | src indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
 | overflowdestination.cpp:64:2:64:7 | call to memcpy | overflowdestination.cpp:73:8:73:10 | fgets output argument | overflowdestination.cpp:64:16:64:19 | src2 indirection | To avoid overflow, this operation should be bounded by destination-buffer size, not source-buffer size. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected
@@ -1,16 +1,22 @@
 edges
-| test.cpp:53:27:53:30 | argv | test.cpp:58:25:58:29 | input |
+| test.cpp:53:27:53:30 | argv | test.cpp:58:25:58:29 | input indirection |
-| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input |
+| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
-| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input |
+| test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection |
 nodes
 | test2.cpp:110:3:110:6 | call to gets | semmle.label | call to gets |
 | test.cpp:53:27:53:30 | argv | semmle.label | argv |
 | test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
 | test.cpp:53:27:53:30 | argv indirection | semmle.label | argv indirection |
-| test.cpp:58:25:58:29 | input | semmle.label | input |
+| test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
 | test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
 | test.cpp:58:25:58:29 | input indirection | semmle.label | input indirection |
 subpaths
 #select
-| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets | user input (string read by gets) |
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv | user input (a command-line argument) |
-| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv | user input (a command-line argument) |
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
-| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
-| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
+| test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:53:27:53:30 | argv indirection | test.cpp:58:25:58:29 | input indirection | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:53:27:53:30 | argv indirection | user input (a command-line argument) |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextFileWrite.expected
@@ -1,17 +1,14 @@
 edges
 | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 |
-| test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | buf |
+| test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 indirection |
-| test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | buf |
+| test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | buf indirection |
-| test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf |
+| test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | buf indirection |
-| test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf |
+| test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf indirection |
-| test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer |
+| test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf indirection |
-| test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword |
+| test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer indirection |
 | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword |
 | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
@@ -19,8 +16,6 @@ edges
 | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:70:38:70:48 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword |
 | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword |
 nodes
@@ -33,14 +28,13 @@ nodes
 | test2.cpp:57:39:57:49 | call to getPassword | semmle.label | call to getPassword |
 | test2.cpp:62:18:62:25 | password | semmle.label | password |
 | test2.cpp:65:31:65:34 | cpy1 | semmle.label | cpy1 |
 | test2.cpp:65:31:65:34 | cpy1 indirection | semmle.label | cpy1 indirection |
 | test2.cpp:72:15:72:24 | password | semmle.label | password |
 | test2.cpp:72:17:72:24 | password | semmle.label | password |
-| test2.cpp:73:30:73:32 | buf | semmle.label | buf |
+| test2.cpp:73:30:73:32 | buf indirection | semmle.label | buf indirection |
-| test2.cpp:76:30:76:32 | buf | semmle.label | buf |
+| test2.cpp:76:30:76:32 | buf indirection | semmle.label | buf indirection |
 | test2.cpp:86:36:86:43 | password | semmle.label | password |
 | test2.cpp:91:50:91:63 | passwd_config2 | semmle.label | passwd_config2 |
 | test2.cpp:98:45:98:52 | password | semmle.label | password |
-| test2.cpp:99:27:99:32 | buffer | semmle.label | buffer |
+| test2.cpp:99:27:99:32 | buffer indirection | semmle.label | buffer indirection |
 | test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
 | test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
 | test.cpp:45:9:45:19 | thePassword | semmle.label | thePassword |
@@ -63,16 +57,15 @@ subpaths
 | test2.cpp:55:2:55:8 | call to fprintf | test2.cpp:55:40:55:51 | widepassword | test2.cpp:55:40:55:51 | widepassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:55:40:55:51 | widepassword | this source. |
 | test2.cpp:57:2:57:8 | call to fprintf | test2.cpp:57:39:57:49 | call to getPassword | test2.cpp:57:39:57:49 | call to getPassword | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:57:39:57:49 | call to getPassword | this source. |
 | test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. |
-| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
+| test2.cpp:65:3:65:9 | call to fprintf | test2.cpp:62:18:62:25 | password | test2.cpp:65:31:65:34 | cpy1 indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:62:18:62:25 | password | this source. |
-| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
+| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:73:30:73:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
-| test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
+| test2.cpp:73:3:73:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:73:30:73:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
-| test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
+| test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:15:72:24 | password | test2.cpp:76:30:76:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
-| test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. |
+| test2.cpp:76:3:76:9 | call to fprintf | test2.cpp:72:17:72:24 | password | test2.cpp:76:30:76:32 | buf indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:72:17:72:24 | password | this source. |
 | test2.cpp:99:3:99:9 | call to fprintf | test2.cpp:98:45:98:52 | password | test2.cpp:99:27:99:32 | buffer indirection | This write into file 'log' may contain unencrypted data from $@. | test2.cpp:98:45:98:52 | password | this source. |
 | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:45:3:45:7 | call to fputs | test.cpp:45:9:45:19 | thePassword | test.cpp:45:9:45:19 | thePassword | This write into file 'file' may contain unencrypted data from $@. | test.cpp:45:9:45:19 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
 | test.cpp:70:35:70:35 | call to operator<< | test.cpp:70:38:70:48 | thePassword | test.cpp:70:38:70:48 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:70:38:70:48 | thePassword | this source. |
@@ -83,6 +76,5 @@ subpaths
 | test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | test.cpp:73:43:73:53 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:43:73:53 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. |
 | test.cpp:73:37:73:41 | call to write | test.cpp:73:63:73:73 | thePassword | test.cpp:73:43:73:53 | thePassword | This write into file 'mystream' may contain unencrypted data from $@. | test.cpp:73:63:73:73 | thePassword | this source. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextTransmission.expected
@@ -10,8 +10,8 @@ edges
 | test3.cpp:138:24:138:32 | password1 | test3.cpp:117:28:117:33 | buffer |
 | test3.cpp:138:24:138:32 | password1 | test3.cpp:138:21:138:22 | call to id |
 | test3.cpp:144:16:144:29 | call to get_global_str | test3.cpp:146:15:146:18 | data |
-| test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | buffer |
+| test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | buffer indirection |
-| test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | data |
+| test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | data indirection |
 | test3.cpp:278:20:278:23 | data | test3.cpp:280:14:280:17 | data |
 | test3.cpp:283:20:283:23 | data | test3.cpp:285:14:285:17 | data |
 | test3.cpp:288:20:288:23 | data | test3.cpp:290:14:290:17 | data |
@@ -26,10 +26,10 @@ edges
 | test3.cpp:324:11:324:14 | data | test3.cpp:293:20:293:23 | data |
 | test3.cpp:325:11:325:14 | data | test3.cpp:298:20:298:23 | data |
 | test3.cpp:400:16:400:23 | password | test3.cpp:400:15:400:23 | & ... |
-| test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | buffer |
+| test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | buffer indirection |
-| test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer |
+| test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer indirection |
-| test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | buffer |
+| test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | buffer indirection |
-| test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | buffer |
+| test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | buffer indirection |
 | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str |
 | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str |
 nodes
@@ -55,7 +55,7 @@ nodes
 | test3.cpp:144:16:144:29 | call to get_global_str | semmle.label | call to get_global_str |
 | test3.cpp:146:15:146:18 | data | semmle.label | data |
 | test3.cpp:157:19:157:26 | password | semmle.label | password |
-| test3.cpp:159:15:159:20 | buffer | semmle.label | buffer |
+| test3.cpp:159:15:159:20 | buffer indirection | semmle.label | buffer indirection |
 | test3.cpp:173:15:173:22 | password | semmle.label | password |
 | test3.cpp:181:15:181:22 | password | semmle.label | password |
 | test3.cpp:191:15:191:22 | password | semmle.label | password |
@@ -67,7 +67,7 @@ nodes
 | test3.cpp:254:15:254:23 | password1 | semmle.label | password1 |
 | test3.cpp:264:15:264:23 | password2 | semmle.label | password2 |
 | test3.cpp:270:16:270:23 | password | semmle.label | password |
-| test3.cpp:272:15:272:18 | data | semmle.label | data |
+| test3.cpp:272:15:272:18 | data indirection | semmle.label | data indirection |
 | test3.cpp:278:20:278:23 | data | semmle.label | data |
 | test3.cpp:280:14:280:17 | data | semmle.label | data |
 | test3.cpp:283:20:283:23 | data | semmle.label | data |
@@ -107,13 +107,13 @@ nodes
 | test3.cpp:517:14:517:29 | medical_info | semmle.label | medical_info |
 | test3.cpp:518:14:518:28 | license_key | semmle.label | license_key |
 | test3.cpp:526:44:526:54 | my_latitude | semmle.label | my_latitude |
-| test3.cpp:527:15:527:20 | buffer | semmle.label | buffer |
+| test3.cpp:527:15:527:20 | buffer indirection | semmle.label | buffer indirection |
 | test3.cpp:532:45:532:58 | home_longitude | semmle.label | home_longitude |
-| test3.cpp:533:15:533:20 | buffer | semmle.label | buffer |
+| test3.cpp:533:15:533:20 | buffer indirection | semmle.label | buffer indirection |
 | test3.cpp:551:47:551:58 | salaryString | semmle.label | salaryString |
-| test3.cpp:552:15:552:20 | buffer | semmle.label | buffer |
+| test3.cpp:552:15:552:20 | buffer indirection | semmle.label | buffer indirection |
 | test3.cpp:556:19:556:30 | salaryString | semmle.label | salaryString |
-| test3.cpp:559:15:559:20 | buffer | semmle.label | buffer |
+| test3.cpp:559:15:559:20 | buffer indirection | semmle.label | buffer indirection |
 | test3.cpp:571:8:571:21 | call to get_home_phone | semmle.label | call to get_home_phone |
 | test3.cpp:572:14:572:16 | str | semmle.label | str |
 | test3.cpp:577:8:577:23 | call to get_home_address | semmle.label | call to get_home_address |
@@ -131,10 +131,10 @@ subpaths
 | test3.cpp:114:2:114:5 | call to recv | test3.cpp:134:11:134:18 | password | test3.cpp:114:14:114:19 | buffer | This operation receives into 'buffer', which may put unencrypted sensitive data into $@. | test3.cpp:134:11:134:18 | password | password |
 | test3.cpp:140:3:140:6 | call to send | test3.cpp:138:24:138:32 | password1 | test3.cpp:140:15:140:17 | ptr | This operation transmits 'ptr', which may contain unencrypted sensitive data from $@. | test3.cpp:138:24:138:32 | password1 | password1 |
 | test3.cpp:146:3:146:6 | call to send | test3.cpp:126:9:126:23 | global_password | test3.cpp:146:15:146:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:126:9:126:23 | global_password | global_password |
-| test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:157:19:157:26 | password | password |
+| test3.cpp:159:3:159:6 | call to send | test3.cpp:157:19:157:26 | password | test3.cpp:159:15:159:20 | buffer indirection | This operation transmits 'buffer indirection', which may contain unencrypted sensitive data from $@. | test3.cpp:157:19:157:26 | password | password |
 | test3.cpp:228:2:228:5 | call to send | test3.cpp:228:26:228:33 | password | test3.cpp:228:26:228:33 | password | This operation transmits 'password', which may contain unencrypted sensitive data from $@. | test3.cpp:228:26:228:33 | password | password |
 | test3.cpp:241:2:241:6 | call to fgets | test3.cpp:241:8:241:15 | password | test3.cpp:241:8:241:15 | password | This operation receives into 'password', which may put unencrypted sensitive data into $@. | test3.cpp:241:8:241:15 | password | password |
-| test3.cpp:272:3:272:6 | call to send | test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:270:16:270:23 | password | password |
+| test3.cpp:272:3:272:6 | call to send | test3.cpp:270:16:270:23 | password | test3.cpp:272:15:272:18 | data indirection | This operation transmits 'data indirection', which may contain unencrypted sensitive data from $@. | test3.cpp:270:16:270:23 | password | password |
 | test3.cpp:290:2:290:5 | call to send | test3.cpp:317:11:317:19 | password1 | test3.cpp:290:14:290:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:317:11:317:19 | password1 | password1 |
 | test3.cpp:295:2:295:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:295:14:295:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 |
 | test3.cpp:300:2:300:5 | call to send | test3.cpp:322:16:322:24 | password2 | test3.cpp:300:14:300:17 | data | This operation transmits 'data', which may contain unencrypted sensitive data from $@. | test3.cpp:322:16:322:24 | password2 | password2 |
@@ -155,9 +155,9 @@ subpaths
 | test3.cpp:516:2:516:5 | call to send | test3.cpp:516:14:516:29 | employerName | test3.cpp:516:14:516:29 | employerName | This operation transmits 'employerName', which may contain unencrypted sensitive data from $@. | test3.cpp:516:14:516:29 | employerName | employerName |
 | test3.cpp:517:2:517:5 | call to send | test3.cpp:517:14:517:29 | medical_info | test3.cpp:517:14:517:29 | medical_info | This operation transmits 'medical_info', which may contain unencrypted sensitive data from $@. | test3.cpp:517:14:517:29 | medical_info | medical_info |
 | test3.cpp:518:2:518:5 | call to send | test3.cpp:518:14:518:28 | license_key | test3.cpp:518:14:518:28 | license_key | This operation transmits 'license_key', which may contain unencrypted sensitive data from $@. | test3.cpp:518:14:518:28 | license_key | license_key |
-| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:526:44:526:54 | my_latitude | my_latitude |
+| test3.cpp:527:3:527:6 | call to send | test3.cpp:526:44:526:54 | my_latitude | test3.cpp:527:15:527:20 | buffer indirection | This operation transmits 'buffer indirection', which may contain unencrypted sensitive data from $@. | test3.cpp:526:44:526:54 | my_latitude | my_latitude |
-| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:532:45:532:58 | home_longitude | home_longitude |
+| test3.cpp:533:3:533:6 | call to send | test3.cpp:532:45:532:58 | home_longitude | test3.cpp:533:15:533:20 | buffer indirection | This operation transmits 'buffer indirection', which may contain unencrypted sensitive data from $@. | test3.cpp:532:45:532:58 | home_longitude | home_longitude |
-| test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:551:47:551:58 | salaryString | salaryString |
+| test3.cpp:552:3:552:6 | call to send | test3.cpp:551:47:551:58 | salaryString | test3.cpp:552:15:552:20 | buffer indirection | This operation transmits 'buffer indirection', which may contain unencrypted sensitive data from $@. | test3.cpp:551:47:551:58 | salaryString | salaryString |
-| test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | buffer | This operation transmits 'buffer', which may contain unencrypted sensitive data from $@. | test3.cpp:556:19:556:30 | salaryString | salaryString |
+| test3.cpp:559:3:559:6 | call to send | test3.cpp:556:19:556:30 | salaryString | test3.cpp:559:15:559:20 | buffer indirection | This operation transmits 'buffer indirection', which may contain unencrypted sensitive data from $@. | test3.cpp:556:19:556:30 | salaryString | salaryString |
 | test3.cpp:572:2:572:5 | call to send | test3.cpp:571:8:571:21 | call to get_home_phone | test3.cpp:572:14:572:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:571:8:571:21 | call to get_home_phone | call to get_home_phone |
 | test3.cpp:578:2:578:5 | call to send | test3.cpp:577:8:577:23 | call to get_home_address | test3.cpp:578:14:578:16 | str | This operation transmits 'str', which may contain unencrypted sensitive data from $@. | test3.cpp:577:8:577:23 | call to get_home_address | call to get_home_address |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-319/UseOfHttp/UseOfHttp.expected
@@ -1,73 +1,84 @@
 edges
-| test.cpp:11:26:11:28 | url | test.cpp:15:30:15:32 | url |
+| test.cpp:11:26:11:28 | url | test.cpp:15:30:15:32 | url indirection |
-| test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url |
+| test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
-| test.cpp:24:13:24:17 | url_g | test.cpp:38:11:38:15 | url_g |
+| test.cpp:11:26:11:28 | url indirection | test.cpp:15:30:15:32 | url indirection |
-| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:13:24:17 | url_g |
+| test.cpp:24:13:24:17 | url_g indirection | test.cpp:38:11:38:15 | url_g indirection |
-| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:13:24:17 | url_g |
+| test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:24:13:24:17 | url_g indirection |
-| test.cpp:28:10:28:29 | http://example.com | test.cpp:11:26:11:28 | url |
+| test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:24:13:24:17 | url_g indirection |
-| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com |
+| test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:11:26:11:28 | url indirection |
-| test.cpp:35:23:35:42 | http://example.com | test.cpp:39:11:39:15 | url_l |
+| test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:28:10:28:29 | http://example.com indirection |
-| test.cpp:35:23:35:42 | http://example.com | test.cpp:39:11:39:15 | url_l |
+| test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:39:11:39:15 | url_l indirection |
-| test.cpp:36:26:36:45 | http://example.com | test.cpp:40:11:40:17 | access to array |
+| test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:39:11:39:15 | url_l indirection |
-| test.cpp:36:26:36:45 | http://example.com | test.cpp:40:11:40:17 | access to array |
+| test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:40:11:40:17 | access to array indirection |
-| test.cpp:36:26:36:45 | http://example.com | test.cpp:40:11:40:17 | access to array indirection |
+| test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:40:11:40:17 | access to array indirection |
-| test.cpp:36:26:36:45 | http://example.com | test.cpp:40:11:40:17 | access to array indirection |
+| test.cpp:38:11:38:15 | url_g indirection | test.cpp:11:26:11:28 | url indirection |
-| test.cpp:38:11:38:15 | url_g | test.cpp:11:26:11:28 | url |
+| test.cpp:39:11:39:15 | url_l indirection | test.cpp:11:26:11:28 | url indirection |
 | test.cpp:39:11:39:15 | url_l | test.cpp:11:26:11:28 | url |
 | test.cpp:40:11:40:17 | access to array | test.cpp:11:26:11:28 | url |
 | test.cpp:40:11:40:17 | access to array indirection | test.cpp:11:26:11:28 | url indirection |
-| test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer |
+| test.cpp:46:18:46:26 | http:// indirection | test.cpp:49:11:49:16 | buffer indirection |
-| test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer |
+| test.cpp:46:18:46:26 | http:// indirection | test.cpp:49:11:49:16 | buffer indirection |
 | test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer indirection |
 | test.cpp:46:18:46:26 | http:// | test.cpp:49:11:49:16 | buffer indirection |
 | test.cpp:49:11:49:16 | buffer | test.cpp:11:26:11:28 | url |
 | test.cpp:49:11:49:16 | buffer indirection | test.cpp:11:26:11:28 | url indirection |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:121:11:121:13 | ptr |
+| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:121:11:121:13 | ptr |
+| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:121:11:121:13 | ptr |
+| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:121:11:121:13 | ptr indirection |
+| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:121:11:121:13 | ptr indirection |
+| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:121:11:121:13 | ptr indirection |
+| test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:121:11:121:13 | ptr indirection |
 | test.cpp:121:11:121:13 | ptr | test.cpp:11:26:11:28 | url |
 | test.cpp:121:11:121:13 | ptr indirection | test.cpp:11:26:11:28 | url indirection |
 nodes
 | test.cpp:11:26:11:28 | url | semmle.label | url |
 | test.cpp:11:26:11:28 | url indirection | semmle.label | url indirection |
-| test.cpp:15:30:15:32 | url | semmle.label | url |
+| test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
-| test.cpp:24:13:24:17 | url_g | semmle.label | url_g |
+| test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
-| test.cpp:24:21:24:40 | http://example.com | semmle.label | http://example.com |
+| test.cpp:15:30:15:32 | url indirection | semmle.label | url indirection |
-| test.cpp:24:21:24:40 | http://example.com | semmle.label | http://example.com |
+| test.cpp:24:13:24:17 | url_g indirection | semmle.label | url_g indirection |
-| test.cpp:28:10:28:29 | http://example.com | semmle.label | http://example.com |
+| test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:28:10:28:29 | http://example.com | semmle.label | http://example.com |
+| test.cpp:24:21:24:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:35:23:35:42 | http://example.com | semmle.label | http://example.com |
+| test.cpp:28:10:28:29 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:35:23:35:42 | http://example.com | semmle.label | http://example.com |
+| test.cpp:28:10:28:29 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:36:26:36:45 | http://example.com | semmle.label | http://example.com |
+| test.cpp:35:23:35:42 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:36:26:36:45 | http://example.com | semmle.label | http://example.com |
+| test.cpp:35:23:35:42 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:38:11:38:15 | url_g | semmle.label | url_g |
+| test.cpp:36:26:36:45 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:39:11:39:15 | url_l | semmle.label | url_l |
+| test.cpp:36:26:36:45 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:40:11:40:17 | access to array | semmle.label | access to array |
+| test.cpp:38:11:38:15 | url_g indirection | semmle.label | url_g indirection |
 | test.cpp:39:11:39:15 | url_l indirection | semmle.label | url_l indirection |
 | test.cpp:40:11:40:17 | access to array indirection | semmle.label | access to array indirection |
-| test.cpp:46:18:46:26 | http:// | semmle.label | http:// |
+| test.cpp:46:18:46:26 | http:// indirection | semmle.label | http:// indirection |
-| test.cpp:46:18:46:26 | http:// | semmle.label | http:// |
+| test.cpp:46:18:46:26 | http:// indirection | semmle.label | http:// indirection |
 | test.cpp:49:11:49:16 | buffer | semmle.label | buffer |
 | test.cpp:49:11:49:16 | buffer indirection | semmle.label | buffer indirection |
-| test.cpp:110:21:110:40 | http://example.com | semmle.label | http://example.com |
+| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:110:21:110:40 | http://example.com | semmle.label | http://example.com |
+| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
-| test.cpp:110:21:110:40 | http://example.com | semmle.label | http://example.com |
+| test.cpp:110:21:110:40 | http://example.com indirection | semmle.label | http://example.com indirection |
 | test.cpp:121:11:121:13 | ptr | semmle.label | ptr |
 | test.cpp:121:11:121:13 | ptr indirection | semmle.label | ptr indirection |
 subpaths
 #select
-| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:24:21:24:40 | http://example.com | test.cpp:24:21:24:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:28:10:28:29 | http://example.com | test.cpp:28:10:28:29 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:35:23:35:42 | http://example.com | test.cpp:35:23:35:42 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
-| test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com | test.cpp:15:30:15:32 | url | This URL may be constructed with the HTTP protocol. |
+| test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:36:26:36:45 | http://example.com | test.cpp:36:26:36:45 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:46:18:46:26 | http:// | test.cpp:46:18:46:26 | http:// indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
 | test.cpp:110:21:110:40 | http://example.com | test.cpp:110:21:110:40 | http://example.com indirection | test.cpp:15:30:15:32 | url indirection | This URL may be constructed with the HTTP protocol. |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/SAMATE/PotentiallyExposedSystemData.expected
@@ -1,8 +1,14 @@
 edges
-| tests.c:57:21:57:28 | password | tests.c:70:70:70:77 | password |
+| tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection |
 | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection |
 | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection |
 nodes
-| tests.c:57:21:57:28 | password | semmle.label | password |
+| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
-| tests.c:70:70:70:77 | password | semmle.label | password |
+| tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
 | tests.c:57:21:57:28 | password indirection | semmle.label | password indirection |
 | tests.c:70:70:70:77 | password indirection | semmle.label | password indirection |
 subpaths
 #select
-| tests.c:70:70:70:77 | password | tests.c:57:21:57:28 | password | tests.c:70:70:70:77 | password | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password | password |
+| tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |
 | tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |
 | tests.c:70:70:70:77 | password indirection | tests.c:57:21:57:28 | password indirection | tests.c:70:70:70:77 | password indirection | This operation potentially exposes sensitive system data from $@. | tests.c:57:21:57:28 | password indirection | password indirection |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/ExposedSystemData.expected
@@ -1,87 +1,118 @@
 edges
-| tests2.cpp:50:13:50:19 | global1 | tests2.cpp:82:14:82:20 | global1 |
+| tests2.cpp:50:13:50:19 | global1 indirection | tests2.cpp:82:14:82:20 | global1 indirection |
-| tests2.cpp:50:23:50:43 | call to mysql_get_client_info | tests2.cpp:50:13:50:19 | global1 |
+| tests2.cpp:50:13:50:19 | global1 indirection | tests2.cpp:82:14:82:20 | global1 indirection |
-| tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:26 | call to getenv |
+| tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:50:13:50:19 | global1 indirection |
-| tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:26 | call to getenv |
+| tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:26 | call to getenv indirection |
-| tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:30 | call to getenv |
+| tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:26 | call to getenv indirection |
-| tests2.cpp:66:13:66:18 | call to getenv | tests2.cpp:66:13:66:34 | call to getenv |
+| tests2.cpp:65:13:65:18 | call to getenv indirection | tests2.cpp:65:13:65:30 | call to getenv indirection |
-| tests2.cpp:78:18:78:38 | call to mysql_get_client_info | tests2.cpp:81:14:81:19 | buffer |
+| tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:34 | call to getenv indirection |
-| tests2.cpp:91:42:91:45 | str1 | tests2.cpp:93:14:93:17 | str1 |
+| tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection |
-| tests2.cpp:101:8:101:15 | call to getpwuid | tests2.cpp:102:14:102:15 | pw |
+| tests2.cpp:91:42:91:45 | str1 | tests2.cpp:93:14:93:17 | str1 indirection |
-| tests2.cpp:109:3:109:36 | ... = ... | tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr] |
+| tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
-| tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr] | tests2.cpp:111:14:111:15 | c1 indirection [ptr] |
+| tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection |
-| tests2.cpp:109:12:109:17 | call to getenv | tests2.cpp:109:3:109:36 | ... = ... |
+| tests2.cpp:109:3:109:36 | ... = ... indirection | tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] |
-| tests2.cpp:111:14:111:15 | c1 indirection [ptr] | tests2.cpp:111:14:111:19 | ptr |
+| tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] | tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] |
-| tests2.cpp:111:14:111:15 | c1 indirection [ptr] | tests2.cpp:111:17:111:19 | ptr indirection |
+| tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:109:3:109:36 | ... = ... indirection |
-| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:14:111:19 | ptr |
+| tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:14:111:19 | ptr indirection |
-| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:17:111:19 | ptr |
+| tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | tests2.cpp:111:17:111:19 | ptr indirection |
-| tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:39:19:39:22 | path |
+| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:14:111:19 | ptr indirection |
-| tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:39:19:39:22 | path |
+| tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:111:17:111:19 | ptr indirection |
-| tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:43:20:43:23 | path |
+| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
-| tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:43:20:43:23 | path |
+| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
-| tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:76:19:76:22 | path |
+| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection |
-| tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:76:19:76:22 | path |
+| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
-| tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | path |
+| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
-| tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | path |
+| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection |
-| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf |
+| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
-| tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf |
+| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
 | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection |
 nodes
-| tests2.cpp:50:13:50:19 | global1 | semmle.label | global1 |
+| tests2.cpp:50:13:50:19 | global1 indirection | semmle.label | global1 indirection |
-| tests2.cpp:50:23:50:43 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
+| tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | semmle.label | call to mysql_get_client_info indirection |
-| tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:63:13:63:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:63:13:63:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:63:13:63:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:63:13:63:26 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:63:13:63:26 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:64:13:64:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:64:13:64:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:64:13:64:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:64:13:64:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:64:13:64:26 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:64:13:64:26 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:65:13:65:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:65:13:65:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:65:13:65:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:65:13:65:30 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:65:13:65:30 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:66:13:66:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:66:13:66:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:66:13:66:18 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:66:13:66:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:66:13:66:34 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:66:13:66:34 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:78:18:78:38 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
+| tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | semmle.label | call to mysql_get_client_info indirection |
-| tests2.cpp:80:14:80:34 | call to mysql_get_client_info | semmle.label | call to mysql_get_client_info |
+| tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | semmle.label | call to mysql_get_client_info indirection |
-| tests2.cpp:81:14:81:19 | buffer | semmle.label | buffer |
+| tests2.cpp:81:14:81:19 | buffer indirection | semmle.label | buffer indirection |
-| tests2.cpp:82:14:82:20 | global1 | semmle.label | global1 |
+| tests2.cpp:82:14:82:20 | global1 indirection | semmle.label | global1 indirection |
 | tests2.cpp:82:14:82:20 | global1 indirection | semmle.label | global1 indirection |
 | tests2.cpp:91:42:91:45 | str1 | semmle.label | str1 |
-| tests2.cpp:93:14:93:17 | str1 | semmle.label | str1 |
+| tests2.cpp:93:14:93:17 | str1 indirection | semmle.label | str1 indirection |
-| tests2.cpp:101:8:101:15 | call to getpwuid | semmle.label | call to getpwuid |
+| tests2.cpp:101:8:101:15 | call to getpwuid indirection | semmle.label | call to getpwuid indirection |
-| tests2.cpp:102:14:102:15 | pw | semmle.label | pw |
+| tests2.cpp:102:14:102:15 | pw indirection | semmle.label | pw indirection |
-| tests2.cpp:109:3:109:36 | ... = ... | semmle.label | ... = ... |
+| tests2.cpp:102:14:102:15 | pw indirection | semmle.label | pw indirection |
-| tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr] | semmle.label | c1 indirection [post update] [ptr] |
+| tests2.cpp:109:3:109:36 | ... = ... indirection | semmle.label | ... = ... indirection |
-| tests2.cpp:109:12:109:17 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:109:6:109:8 | c1 indirection [post update] [ptr indirection] | semmle.label | c1 indirection [post update] [ptr indirection] |
-| tests2.cpp:111:14:111:15 | c1 indirection [ptr] | semmle.label | c1 indirection [ptr] |
+| tests2.cpp:109:12:109:17 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests2.cpp:111:14:111:19 | ptr | semmle.label | ptr |
+| tests2.cpp:111:14:111:15 | c1 indirection [ptr indirection] | semmle.label | c1 indirection [ptr indirection] |
-| tests2.cpp:111:17:111:19 | ptr | semmle.label | ptr |
+| tests2.cpp:111:14:111:19 | ptr indirection | semmle.label | ptr indirection |
 | tests2.cpp:111:17:111:19 | ptr indirection | semmle.label | ptr indirection |
-| tests_sockets.cpp:26:15:26:20 | call to getenv | semmle.label | call to getenv |
+| tests2.cpp:111:17:111:19 | ptr indirection | semmle.label | ptr indirection |
-| tests_sockets.cpp:39:19:39:22 | path | semmle.label | path |
+| tests_sockets.cpp:26:15:26:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests_sockets.cpp:39:19:39:22 | path | semmle.label | path |
+| tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:43:20:43:23 | path | semmle.label | path |
+| tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:43:20:43:23 | path | semmle.label | path |
+| tests_sockets.cpp:39:19:39:22 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:63:15:63:20 | call to getenv | semmle.label | call to getenv |
+| tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:76:19:76:22 | path | semmle.label | path |
+| tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:76:19:76:22 | path | semmle.label | path |
+| tests_sockets.cpp:43:20:43:23 | path indirection | semmle.label | path indirection |
-| tests_sockets.cpp:80:20:80:23 | path | semmle.label | path |
+| tests_sockets.cpp:63:15:63:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests_sockets.cpp:80:20:80:23 | path | semmle.label | path |
+| tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | semmle.label | path indirection |
 | tests_sysconf.cpp:36:21:36:27 | confstr output argument | semmle.label | confstr output argument |
-| tests_sysconf.cpp:39:19:39:25 | pathbuf | semmle.label | pathbuf |
+| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
-| tests_sysconf.cpp:39:19:39:25 | pathbuf | semmle.label | pathbuf |
+| tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | semmle.label | pathbuf indirection |
 subpaths
 #select
-| tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | tests2.cpp:63:13:63:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv | call to getenv |
+| tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | tests2.cpp:64:13:64:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv | call to getenv |
+| tests2.cpp:63:13:63:26 | call to getenv indirection | tests2.cpp:63:13:63:18 | call to getenv indirection | tests2.cpp:63:13:63:26 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:63:13:63:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | tests2.cpp:65:13:65:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv | call to getenv |
+| tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:66:13:66:18 | call to getenv | tests2.cpp:66:13:66:18 | call to getenv | tests2.cpp:66:13:66:18 | call to getenv | This operation exposes system data from $@. | tests2.cpp:66:13:66:18 | call to getenv | call to getenv |
+| tests2.cpp:64:13:64:26 | call to getenv indirection | tests2.cpp:64:13:64:18 | call to getenv indirection | tests2.cpp:64:13:64:26 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:64:13:64:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:80:14:80:34 | call to mysql_get_client_info | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:65:13:65:18 | call to getenv indirection | tests2.cpp:65:13:65:18 | call to getenv indirection | tests2.cpp:65:13:65:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:81:14:81:19 | buffer | tests2.cpp:78:18:78:38 | call to mysql_get_client_info | tests2.cpp:81:14:81:19 | buffer | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:65:13:65:30 | call to getenv indirection | tests2.cpp:65:13:65:18 | call to getenv indirection | tests2.cpp:65:13:65:30 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:65:13:65:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:82:14:82:20 | global1 | tests2.cpp:50:23:50:43 | call to mysql_get_client_info | tests2.cpp:82:14:82:20 | global1 | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info | call to mysql_get_client_info |
+| tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:18 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:66:13:66:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:93:14:93:17 | str1 | tests2.cpp:91:42:91:45 | str1 | tests2.cpp:93:14:93:17 | str1 | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 | str1 |
+| tests2.cpp:66:13:66:34 | call to getenv indirection | tests2.cpp:66:13:66:18 | call to getenv indirection | tests2.cpp:66:13:66:34 | call to getenv indirection | This operation exposes system data from $@. | tests2.cpp:66:13:66:18 | call to getenv indirection | call to getenv indirection |
-| tests2.cpp:102:14:102:15 | pw | tests2.cpp:101:8:101:15 | call to getpwuid | tests2.cpp:102:14:102:15 | pw | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid | call to getpwuid |
+| tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | This operation exposes system data from $@. | tests2.cpp:80:14:80:34 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
-| tests2.cpp:111:17:111:19 | ptr | tests2.cpp:109:12:109:17 | call to getenv | tests2.cpp:111:17:111:19 | ptr | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv | call to getenv |
+| tests2.cpp:81:14:81:19 | buffer indirection | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | tests2.cpp:81:14:81:19 | buffer indirection | This operation exposes system data from $@. | tests2.cpp:78:18:78:38 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
-| tests_sockets.cpp:39:19:39:22 | path | tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:39:19:39:22 | path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv | call to getenv |
+| tests2.cpp:82:14:82:20 | global1 indirection | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:82:14:82:20 | global1 indirection | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
-| tests_sockets.cpp:43:20:43:23 | path | tests_sockets.cpp:26:15:26:20 | call to getenv | tests_sockets.cpp:43:20:43:23 | path | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv | call to getenv |
+| tests2.cpp:82:14:82:20 | global1 indirection | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | tests2.cpp:82:14:82:20 | global1 indirection | This operation exposes system data from $@. | tests2.cpp:50:23:50:43 | call to mysql_get_client_info indirection | call to mysql_get_client_info indirection |
-| tests_sockets.cpp:76:19:76:22 | path | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:76:19:76:22 | path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv | call to getenv |
+| tests2.cpp:93:14:93:17 | str1 indirection | tests2.cpp:91:42:91:45 | str1 | tests2.cpp:93:14:93:17 | str1 indirection | This operation exposes system data from $@. | tests2.cpp:91:42:91:45 | str1 | str1 |
-| tests_sockets.cpp:80:20:80:23 | path | tests_sockets.cpp:63:15:63:20 | call to getenv | tests_sockets.cpp:80:20:80:23 | path | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv | call to getenv |
+| tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
-| tests_sysconf.cpp:39:19:39:25 | pathbuf | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
+| tests2.cpp:102:14:102:15 | pw indirection | tests2.cpp:101:8:101:15 | call to getpwuid indirection | tests2.cpp:102:14:102:15 | pw indirection | This operation exposes system data from $@. | tests2.cpp:101:8:101:15 | call to getpwuid indirection | call to getpwuid indirection |
 | tests2.cpp:111:14:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:14:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |
 | tests2.cpp:111:17:111:19 | ptr indirection | tests2.cpp:109:12:109:17 | call to getenv indirection | tests2.cpp:111:17:111:19 | ptr indirection | This operation exposes system data from $@. | tests2.cpp:109:12:109:17 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:39:19:39:22 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:39:19:39:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:43:20:43:23 | path indirection | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | tests_sockets.cpp:43:20:43:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:26:15:26:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:76:19:76:22 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:76:19:76:22 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sockets.cpp:80:20:80:23 | path indirection | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | tests_sockets.cpp:80:20:80:23 | path indirection | This operation exposes system data from $@. | tests_sockets.cpp:63:15:63:20 | call to getenv indirection | call to getenv indirection |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
 | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | tests_sysconf.cpp:36:21:36:27 | confstr output argument | tests_sysconf.cpp:39:19:39:25 | pathbuf indirection | This operation exposes system data from $@. | tests_sysconf.cpp:36:21:36:27 | confstr output argument | confstr output argument |
--- a/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
+++ b/cpp/ql/test/query-tests/Security/CWE/CWE-497/semmle/tests/PotentiallyExposedSystemData.expected
@@ -1,98 +1,119 @@
 edges
-| tests.cpp:48:15:48:20 | call to getenv | tests.cpp:48:15:48:36 | call to getenv |
+| tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:36 | call to getenv indirection |
-| tests.cpp:49:15:49:20 | call to getenv | tests.cpp:49:15:49:36 | call to getenv |
+| tests.cpp:49:15:49:20 | call to getenv indirection | tests.cpp:49:15:49:36 | call to getenv indirection |
-| tests.cpp:50:15:50:20 | call to getenv | tests.cpp:50:15:50:36 | call to getenv |
+| tests.cpp:50:15:50:20 | call to getenv indirection | tests.cpp:50:15:50:36 | call to getenv indirection |
-| tests.cpp:57:18:57:23 | call to getenv | tests.cpp:57:18:57:39 | call to getenv |
+| tests.cpp:57:18:57:23 | call to getenv indirection | tests.cpp:57:18:57:39 | call to getenv indirection |
-| tests.cpp:58:41:58:46 | call to getenv | tests.cpp:58:41:58:62 | call to getenv |
+| tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:62 | call to getenv indirection |
-| tests.cpp:59:43:59:48 | call to getenv | tests.cpp:59:43:59:64 | call to getenv |
+| tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection |
-| tests.cpp:62:7:62:18 | global_token | tests.cpp:71:27:71:38 | global_token |
+| tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:71:27:71:38 | global_token indirection |
-| tests.cpp:62:7:62:18 | global_token | tests.cpp:73:27:73:31 | maybe |
+| tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:71:27:71:38 | global_token indirection |
-| tests.cpp:62:22:62:27 | call to getenv | tests.cpp:62:7:62:18 | global_token |
+| tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:73:27:73:31 | maybe indirection |
-| tests.cpp:86:29:86:31 | msg | tests.cpp:88:15:88:17 | msg |
+| tests.cpp:62:7:62:18 | global_token indirection | tests.cpp:73:27:73:31 | maybe indirection |
-| tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:34 | call to getenv |
+| tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:62:7:62:18 | global_token indirection |
-| tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:34 | call to getenv |
+| tests.cpp:86:29:86:31 | msg indirection | tests.cpp:88:15:88:17 | msg indirection |
-| tests.cpp:97:13:97:34 | call to getenv | tests.cpp:86:29:86:31 | msg |
+| tests.cpp:86:29:86:31 | msg indirection | tests.cpp:88:15:88:17 | msg indirection |
-| tests.cpp:107:30:107:32 | msg | tests.cpp:111:15:111:17 | tmp |
+| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection |
-| tests.cpp:114:30:114:32 | msg | tests.cpp:119:7:119:12 | buffer |
+| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection |
-| tests.cpp:122:30:122:32 | msg | tests.cpp:124:15:124:17 | msg |
+| tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:86:29:86:31 | msg indirection |
-| tests.cpp:131:14:131:19 | call to getenv | tests.cpp:131:14:131:35 | call to getenv |
+| tests.cpp:107:30:107:32 | msg indirection | tests.cpp:111:15:111:17 | tmp indirection |
-| tests.cpp:131:14:131:35 | call to getenv | tests.cpp:107:30:107:32 | msg |
+| tests.cpp:107:30:107:32 | msg indirection | tests.cpp:111:15:111:17 | tmp indirection |
-| tests.cpp:132:14:132:19 | call to getenv | tests.cpp:132:14:132:35 | call to getenv |
+| tests.cpp:114:30:114:32 | msg indirection | tests.cpp:119:7:119:12 | buffer indirection |
-| tests.cpp:132:14:132:35 | call to getenv | tests.cpp:114:30:114:32 | msg |
+| tests.cpp:122:30:122:32 | msg indirection | tests.cpp:124:15:124:17 | msg indirection |
-| tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:35 | call to getenv |
+| tests.cpp:122:30:122:32 | msg indirection | tests.cpp:124:15:124:17 | msg indirection |
-| tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:35 | call to getenv |
+| tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:131:14:131:35 | call to getenv indirection |
-| tests.cpp:133:14:133:35 | call to getenv | tests.cpp:122:30:122:32 | msg |
+| tests.cpp:131:14:131:35 | call to getenv indirection | tests.cpp:107:30:107:32 | msg indirection |
-| tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:18:29:18:31 | pwd |
+| tests.cpp:132:14:132:19 | call to getenv indirection | tests.cpp:132:14:132:35 | call to getenv indirection |
-| tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:19:26:19:28 | pwd |
+| tests.cpp:132:14:132:35 | call to getenv indirection | tests.cpp:114:30:114:32 | msg indirection |
 | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection |
 | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:122:30:122:32 | msg indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection |
 nodes
-| tests.cpp:48:15:48:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:48:15:48:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:48:15:48:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:48:15:48:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:48:15:48:36 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:48:15:48:36 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:49:15:49:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:49:15:49:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:49:15:49:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:49:15:49:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:49:15:49:36 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:49:15:49:36 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:50:15:50:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:50:15:50:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:50:15:50:20 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:50:15:50:20 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:50:15:50:36 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:50:15:50:36 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:57:18:57:23 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:57:18:57:23 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:57:18:57:23 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:57:18:57:23 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:57:18:57:39 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:57:18:57:39 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:58:41:58:46 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:58:41:58:46 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:58:41:58:46 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:58:41:58:46 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:58:41:58:62 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:58:41:58:62 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:59:43:59:48 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:59:43:59:48 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:59:43:59:48 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:59:43:59:48 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:59:43:59:64 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:59:43:59:64 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:62:7:62:18 | global_token | semmle.label | global_token |
+| tests.cpp:62:7:62:18 | global_token indirection | semmle.label | global_token indirection |
-| tests.cpp:62:22:62:27 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:62:22:62:27 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:71:27:71:38 | global_token | semmle.label | global_token |
+| tests.cpp:71:27:71:38 | global_token indirection | semmle.label | global_token indirection |
-| tests.cpp:73:27:73:31 | maybe | semmle.label | maybe |
+| tests.cpp:71:27:71:38 | global_token indirection | semmle.label | global_token indirection |
-| tests.cpp:86:29:86:31 | msg | semmle.label | msg |
+| tests.cpp:73:27:73:31 | maybe indirection | semmle.label | maybe indirection |
-| tests.cpp:88:15:88:17 | msg | semmle.label | msg |
+| tests.cpp:73:27:73:31 | maybe indirection | semmle.label | maybe indirection |
-| tests.cpp:97:13:97:18 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:86:29:86:31 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:97:13:97:18 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:88:15:88:17 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:97:13:97:34 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:88:15:88:17 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:97:13:97:34 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:97:13:97:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:107:30:107:32 | msg | semmle.label | msg |
+| tests.cpp:97:13:97:18 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:111:15:111:17 | tmp | semmle.label | tmp |
+| tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:114:30:114:32 | msg | semmle.label | msg |
+| tests.cpp:97:13:97:34 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:119:7:119:12 | buffer | semmle.label | buffer |
+| tests.cpp:107:30:107:32 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:122:30:122:32 | msg | semmle.label | msg |
+| tests.cpp:111:15:111:17 | tmp indirection | semmle.label | tmp indirection |
-| tests.cpp:124:15:124:17 | msg | semmle.label | msg |
+| tests.cpp:111:15:111:17 | tmp indirection | semmle.label | tmp indirection |
-| tests.cpp:131:14:131:19 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:114:30:114:32 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:131:14:131:35 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:119:7:119:12 | buffer indirection | semmle.label | buffer indirection |
-| tests.cpp:132:14:132:19 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:122:30:122:32 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:132:14:132:35 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:124:15:124:17 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:133:14:133:19 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:124:15:124:17 | msg indirection | semmle.label | msg indirection |
-| tests.cpp:133:14:133:19 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:131:14:131:19 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:133:14:133:35 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:131:14:131:35 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests.cpp:133:14:133:35 | call to getenv | semmle.label | call to getenv |
+| tests.cpp:132:14:132:19 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests_passwd.cpp:16:8:16:15 | call to getpwnam | semmle.label | call to getpwnam |
+| tests.cpp:132:14:132:35 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests_passwd.cpp:18:29:18:31 | pwd | semmle.label | pwd |
+| tests.cpp:133:14:133:19 | call to getenv indirection | semmle.label | call to getenv indirection |
-| tests_passwd.cpp:19:26:19:28 | pwd | semmle.label | pwd |
+| tests.cpp:133:14:133:19 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | semmle.label | call to getenv indirection |
 | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | semmle.label | call to getpwnam indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | semmle.label | pwd indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | semmle.label | pwd indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | semmle.label | pwd indirection |
 subpaths
 #select
-| tests.cpp:48:15:48:20 | call to getenv | tests.cpp:48:15:48:20 | call to getenv | tests.cpp:48:15:48:20 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv | call to getenv |
+| tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:20 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:48:15:48:36 | call to getenv | tests.cpp:48:15:48:20 | call to getenv | tests.cpp:48:15:48:36 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv | call to getenv |
+| tests.cpp:48:15:48:36 | call to getenv indirection | tests.cpp:48:15:48:20 | call to getenv indirection | tests.cpp:48:15:48:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:48:15:48:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:49:15:49:20 | call to getenv | tests.cpp:49:15:49:20 | call to getenv | tests.cpp:49:15:49:20 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:20 | call to getenv | call to getenv |
+| tests.cpp:49:15:49:20 | call to getenv indirection | tests.cpp:49:15:49:20 | call to getenv indirection | tests.cpp:49:15:49:20 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:49:15:49:36 | call to getenv | tests.cpp:49:15:49:20 | call to getenv | tests.cpp:49:15:49:36 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:20 | call to getenv | call to getenv |
+| tests.cpp:49:15:49:36 | call to getenv indirection | tests.cpp:49:15:49:20 | call to getenv indirection | tests.cpp:49:15:49:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:49:15:49:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:50:15:50:20 | call to getenv | tests.cpp:50:15:50:20 | call to getenv | tests.cpp:50:15:50:20 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:20 | call to getenv | call to getenv |
+| tests.cpp:50:15:50:20 | call to getenv indirection | tests.cpp:50:15:50:20 | call to getenv indirection | tests.cpp:50:15:50:20 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:50:15:50:36 | call to getenv | tests.cpp:50:15:50:20 | call to getenv | tests.cpp:50:15:50:36 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:20 | call to getenv | call to getenv |
+| tests.cpp:50:15:50:36 | call to getenv indirection | tests.cpp:50:15:50:20 | call to getenv indirection | tests.cpp:50:15:50:36 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:50:15:50:20 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:57:18:57:23 | call to getenv | tests.cpp:57:18:57:23 | call to getenv | tests.cpp:57:18:57:23 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:23 | call to getenv | call to getenv |
+| tests.cpp:57:18:57:23 | call to getenv indirection | tests.cpp:57:18:57:23 | call to getenv indirection | tests.cpp:57:18:57:23 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:23 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:57:18:57:39 | call to getenv | tests.cpp:57:18:57:23 | call to getenv | tests.cpp:57:18:57:39 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:23 | call to getenv | call to getenv |
+| tests.cpp:57:18:57:39 | call to getenv indirection | tests.cpp:57:18:57:23 | call to getenv indirection | tests.cpp:57:18:57:39 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:57:18:57:23 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:58:41:58:46 | call to getenv | tests.cpp:58:41:58:46 | call to getenv | tests.cpp:58:41:58:46 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:46 | call to getenv | call to getenv |
+| tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:46 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:46 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:58:41:58:62 | call to getenv | tests.cpp:58:41:58:46 | call to getenv | tests.cpp:58:41:58:62 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:46 | call to getenv | call to getenv |
+| tests.cpp:58:41:58:62 | call to getenv indirection | tests.cpp:58:41:58:46 | call to getenv indirection | tests.cpp:58:41:58:62 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:58:41:58:46 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:59:43:59:48 | call to getenv | tests.cpp:59:43:59:48 | call to getenv | tests.cpp:59:43:59:48 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv | call to getenv |
+| tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:59:43:59:64 | call to getenv | tests.cpp:59:43:59:48 | call to getenv | tests.cpp:59:43:59:64 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv | call to getenv |
+| tests.cpp:59:43:59:64 | call to getenv indirection | tests.cpp:59:43:59:48 | call to getenv indirection | tests.cpp:59:43:59:64 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:59:43:59:48 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:71:27:71:38 | global_token | tests.cpp:62:22:62:27 | call to getenv | tests.cpp:71:27:71:38 | global_token | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv | call to getenv |
+| tests.cpp:71:27:71:38 | global_token indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:71:27:71:38 | global_token indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:73:27:73:31 | maybe | tests.cpp:62:22:62:27 | call to getenv | tests.cpp:73:27:73:31 | maybe | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv | call to getenv |
+| tests.cpp:71:27:71:38 | global_token indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:71:27:71:38 | global_token indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:88:15:88:17 | msg | tests.cpp:97:13:97:18 | call to getenv | tests.cpp:88:15:88:17 | msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv | call to getenv |
+| tests.cpp:73:27:73:31 | maybe indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:73:27:73:31 | maybe indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:18 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv | call to getenv |
+| tests.cpp:73:27:73:31 | maybe indirection | tests.cpp:62:22:62:27 | call to getenv indirection | tests.cpp:73:27:73:31 | maybe indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:62:22:62:27 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:97:13:97:34 | call to getenv | tests.cpp:97:13:97:18 | call to getenv | tests.cpp:97:13:97:34 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv | call to getenv |
+| tests.cpp:88:15:88:17 | msg indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:88:15:88:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:111:15:111:17 | tmp | tests.cpp:131:14:131:19 | call to getenv | tests.cpp:111:15:111:17 | tmp | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv | call to getenv |
+| tests.cpp:88:15:88:17 | msg indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:88:15:88:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:119:7:119:12 | buffer | tests.cpp:132:14:132:19 | call to getenv | tests.cpp:119:7:119:12 | buffer | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:19 | call to getenv | call to getenv |
+| tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:124:15:124:17 | msg | tests.cpp:133:14:133:19 | call to getenv | tests.cpp:124:15:124:17 | msg | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv | call to getenv |
+| tests.cpp:97:13:97:34 | call to getenv indirection | tests.cpp:97:13:97:18 | call to getenv indirection | tests.cpp:97:13:97:34 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:97:13:97:18 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:19 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv | call to getenv |
+| tests.cpp:111:15:111:17 | tmp indirection | tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:111:15:111:17 | tmp indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv indirection | call to getenv indirection |
-| tests.cpp:133:14:133:35 | call to getenv | tests.cpp:133:14:133:19 | call to getenv | tests.cpp:133:14:133:35 | call to getenv | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv | call to getenv |
+| tests.cpp:111:15:111:17 | tmp indirection | tests.cpp:131:14:131:19 | call to getenv indirection | tests.cpp:111:15:111:17 | tmp indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:131:14:131:19 | call to getenv indirection | call to getenv indirection |
-| tests_passwd.cpp:18:29:18:31 | pwd | tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:18:29:18:31 | pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam | call to getpwnam |
+| tests.cpp:119:7:119:12 | buffer indirection | tests.cpp:132:14:132:19 | call to getenv indirection | tests.cpp:119:7:119:12 | buffer indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:132:14:132:19 | call to getenv indirection | call to getenv indirection |
-| tests_passwd.cpp:19:26:19:28 | pwd | tests_passwd.cpp:16:8:16:15 | call to getpwnam | tests_passwd.cpp:19:26:19:28 | pwd | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam | call to getpwnam |
+| tests.cpp:124:15:124:17 | msg indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:124:15:124:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:124:15:124:17 | msg indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:124:15:124:17 | msg indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
 | tests.cpp:133:14:133:35 | call to getenv indirection | tests.cpp:133:14:133:19 | call to getenv indirection | tests.cpp:133:14:133:35 | call to getenv indirection | This operation potentially exposes sensitive system data from $@. | tests.cpp:133:14:133:19 | call to getenv indirection | call to getenv indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
 | tests_passwd.cpp:18:29:18:31 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:18:29:18:31 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |
 | tests_passwd.cpp:19:26:19:28 | pwd indirection | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | tests_passwd.cpp:19:26:19:28 | pwd indirection | This operation potentially exposes sensitive system data from $@. | tests_passwd.cpp:16:8:16:15 | call to getpwnam indirection | call to getpwnam indirection |