Merge branch 'main' of https://github.com/github/codeql into oscarsj/merge-back-rc-3.21

2026-03-30 20:28:15 +02:00 · 2026-03-06 16:20:36 +01:00
parent 13ce515aab 84bef5d4bc
commit 3b9eba2afc
846 changed files with 87321 additions and 58588 deletions
--- a/csharp/documentation/library-coverage/coverage.csv
+++ b/csharp/documentation/library-coverage/coverage.csv
@@ -44,5 +44,5 @@ NHibernate,3,,,,,,,,,,,,3,,,,,,,,,,
 Newtonsoft.Json,,,91,,,,,,,,,,,,,,,,,,,73,18
 ServiceStack,194,,7,27,,,,,75,,,,92,,,,,,,,,7,
 SourceGenerators,,,5,,,,,,,,,,,,,,,,,,,,5
-System,59,47,12495,,6,5,12,,,4,1,,31,2,,6,15,17,4,3,,6382,6113
+System,59,48,12495,,6,5,12,,,4,1,,31,2,,6,15,17,5,3,,6382,6113
 Windows.Security.Cryptography.Core,1,,,,,,,1,,,,,,,,,,,,,,,
--- a/csharp/documentation/library-coverage/coverage.rst
+++ b/csharp/documentation/library-coverage/coverage.rst
@@ -8,7 +8,7 @@ C# framework & library support

   Framework / library,Package,Flow sources,Taint & value steps,Sinks (total),`CWE-079` :sub:`Cross-site scripting`
   `ServiceStack <https://servicestack.net/>`_,"``ServiceStack.*``, ``ServiceStack``",,7,194,
-   System,"``System.*``, ``System``",47,12495,59,5
+   System,"``System.*``, ``System``",48,12495,59,5
   Others,"``Amazon.Lambda.APIGatewayEvents``, ``Amazon.Lambda.Core``, ``Dapper``, ``ILCompiler``, ``ILLink.RoslynAnalyzer``, ``ILLink.Shared``, ``ILLink.Tasks``, ``Internal.IL``, ``Internal.Pgo``, ``Internal.TypeSystem``, ``Microsoft.ApplicationBlocks.Data``, ``Microsoft.AspNetCore.Components``, ``Microsoft.AspNetCore.Http``, ``Microsoft.AspNetCore.Mvc``, ``Microsoft.AspNetCore.WebUtilities``, ``Microsoft.CSharp``, ``Microsoft.Data.SqlClient``, ``Microsoft.Diagnostics.Tools.Pgo``, ``Microsoft.DotNet.Build.Tasks``, ``Microsoft.DotNet.PlatformAbstractions``, ``Microsoft.EntityFrameworkCore``, ``Microsoft.Extensions.Caching.Distributed``, ``Microsoft.Extensions.Caching.Memory``, ``Microsoft.Extensions.Configuration``, ``Microsoft.Extensions.DependencyInjection``, ``Microsoft.Extensions.DependencyModel``, ``Microsoft.Extensions.Diagnostics.Metrics``, ``Microsoft.Extensions.FileProviders``, ``Microsoft.Extensions.FileSystemGlobbing``, ``Microsoft.Extensions.Hosting``, ``Microsoft.Extensions.Http``, ``Microsoft.Extensions.Logging``, ``Microsoft.Extensions.Options``, ``Microsoft.Extensions.Primitives``, ``Microsoft.Interop``, ``Microsoft.JSInterop``, ``Microsoft.NET.Build.Tasks``, ``Microsoft.VisualBasic``, ``Microsoft.Win32``, ``Mono.Linker``, ``MySql.Data.MySqlClient``, ``NHibernate``, ``Newtonsoft.Json``, ``SourceGenerators``, ``Windows.Security.Cryptography.Core``",60,2406,162,4
-   Totals,,107,14908,415,9
+   Totals,,108,14908,415,9

--- a/csharp/downgrades/e73ca2c93df8aae162f1704edc4817a5cb330529/old.dbscheme
+++ b/csharp/downgrades/e73ca2c93df8aae162f1704edc4817a5cb330529/old.dbscheme
--- a/csharp/downgrades/e73ca2c93df8aae162f1704edc4817a5cb330529/semmlecode.csharp.dbscheme
+++ b/csharp/downgrades/e73ca2c93df8aae162f1704edc4817a5cb330529/semmlecode.csharp.dbscheme
--- a/csharp/downgrades/e73ca2c93df8aae162f1704edc4817a5cb330529/upgrade.properties
+++ b/csharp/downgrades/e73ca2c93df8aae162f1704edc4817a5cb330529/upgrade.properties
@@ -0,0 +1,2 @@
+description: Remove inclusion of @assign_expr in @bin_op
+compatibility: full
--- a/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
+++ b/csharp/extractor/Semmle.Extraction.CSharp/Entities/Constructor.cs
@@ -1,3 +1,4 @@
+using System;
 using System.Collections.Generic;
 using System.Diagnostics.CodeAnalysis;
 using System.IO;
@@ -12,7 +13,9 @@ namespace Semmle.Extraction.CSharp.Entities
    internal class Constructor : Method
    {
        private readonly List<SyntaxNode> declaringReferenceSyntax;
-
+        private readonly Lazy<ConstructorDeclarationSyntax?> ordinaryConstructorSyntaxLazy;
+        private readonly Lazy<TypeDeclarationSyntax?> primaryConstructorSyntaxLazy;
+        private readonly Lazy<PrimaryConstructorBaseTypeSyntax?> primaryBaseLazy;
        private Constructor(Context cx, IMethodSymbol init)
            : base(cx, init)
        {
@@ -20,8 +23,28 @@ namespace Semmle.Extraction.CSharp.Entities
                Symbol.DeclaringSyntaxReferences
                    .Select(r => r.GetSyntax())
                    .ToList();
+            ordinaryConstructorSyntaxLazy = new Lazy<ConstructorDeclarationSyntax?>(() =>
+                declaringReferenceSyntax
+                .OfType<ConstructorDeclarationSyntax>()
+                .FirstOrDefault());
+            primaryConstructorSyntaxLazy = new Lazy<TypeDeclarationSyntax?>(() =>
+                declaringReferenceSyntax
+                    .OfType<TypeDeclarationSyntax>()
+                    .FirstOrDefault(t => t is ClassDeclarationSyntax or StructDeclarationSyntax or RecordDeclarationSyntax));
+            primaryBaseLazy = new Lazy<PrimaryConstructorBaseTypeSyntax?>(() =>
+                PrimaryConstructorSyntax?
+                    .BaseList?
+                    .Types
+                    .OfType<PrimaryConstructorBaseTypeSyntax>()
+                    .FirstOrDefault());
        }

+        private ConstructorDeclarationSyntax? OrdinaryConstructorSyntax => ordinaryConstructorSyntaxLazy.Value;
+
+        private TypeDeclarationSyntax? PrimaryConstructorSyntax => primaryConstructorSyntaxLazy.Value;
+
+        private PrimaryConstructorBaseTypeSyntax? PrimaryBase => primaryBaseLazy.Value;
+
        public override void Populate(TextWriter trapFile)
        {
            PopulateMethod(trapFile);
@@ -176,23 +199,6 @@ namespace Semmle.Extraction.CSharp.Entities
            init.PopulateArguments(trapFile, arguments, 0);
        }

-        private ConstructorDeclarationSyntax? OrdinaryConstructorSyntax =>
-            declaringReferenceSyntax
-                .OfType<ConstructorDeclarationSyntax>()
-                .FirstOrDefault();
-
-        private TypeDeclarationSyntax? PrimaryConstructorSyntax =>
-            declaringReferenceSyntax
-                    .OfType<TypeDeclarationSyntax>()
-                    .FirstOrDefault(t => t is ClassDeclarationSyntax or StructDeclarationSyntax or RecordDeclarationSyntax);
-
-        private PrimaryConstructorBaseTypeSyntax? PrimaryBase =>
-            PrimaryConstructorSyntax?
-                .BaseList?
-                .Types
-                .OfType<PrimaryConstructorBaseTypeSyntax>()
-                .FirstOrDefault();
-
        private bool IsPrimary => PrimaryConstructorSyntax is not null;

        // This is a default constructor in a class or struct declared in source.
@@ -223,7 +229,7 @@ namespace Semmle.Extraction.CSharp.Entities
            {
                case MethodKind.StaticConstructor:
                case MethodKind.Constructor:
-                    return ConstructorFactory.Instance.CreateEntityFromSymbol(cx, constructor);
+                    return ConstructorFactory.Instance.CreateEntityFromSymbol(cx, constructor.GetBodyDeclaringSymbol());
                default:
                    throw new InternalError(constructor, "Attempt to create a Constructor from a symbol that isn't a constructor");
            }
--- a/csharp/ql/lib/change-notes/2026-02-24-partial-constructors.md
+++ b/csharp/ql/lib/change-notes/2026-02-24-partial-constructors.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* C# 14: Added support for partial constructors.
--- a/csharp/ql/lib/change-notes/2026-03-02-post-update-nodes.md
+++ b/csharp/ql/lib/change-notes/2026-03-02-post-update-nodes.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added post-update nodes for struct-type arguments, allowing data flow out of method calls via those arguments.
--- a/csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md
+++ b/csharp/ql/lib/change-notes/2026-03-03-implicit-conversion-reverse-flow.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added reverse taint flow from implicit conversion operator calls to their arguments.
--- a/csharp/ql/lib/change-notes/2026-03-04-websocket-receiveasync.md
+++ b/csharp/ql/lib/change-notes/2026-03-04-websocket-receiveasync.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Added `System.Net.WebSockets::ReceiveAsync` as a remote flow source.
--- a/csharp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
+++ b/csharp/ql/lib/change-notes/2026-03-05-inline-expectation-space-after-$.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Inline expectations test comments, which are of the form `// $ tag` or `// $ tag=value`, are now parsed more strictly and will not be recognized if there isn't a space after the `$` symbol.
--- a/csharp/ql/lib/ext/System.Net.WebSockets.model.yml
+++ b/csharp/ql/lib/ext/System.Net.WebSockets.model.yml
@@ -0,0 +1,6 @@
+extensions:
+  - addsTo:
+      pack: codeql/csharp-all
+      extensible: sourceModel
+    data:
+      - ["System.Net.WebSockets", "WebSocket", True, "ReceiveAsync", "", "", "Argument[0]", "remote", "manual"]
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/Guards.qll
@@ -142,6 +142,7 @@ private module GuardsInput implements
    }
  }

+  pragma[nomagic]
  predicate equalityTest(Expr eqtest, Expr left, Expr right, boolean polarity) {
    exists(ComparisonTest ct |
      ct.getExpr() = eqtest and
@@ -410,6 +411,22 @@ private predicate typePattern(PatternMatch pm, TypePatternExpr tpe, Type t) {
  t = pm.getExpr().getType()
 }

+pragma[nomagic]
+private predicate dereferenceableExpr(Expr e, boolean isNullableType) {
+  exists(Type t | t = e.getType() |
+    t instanceof NullableType and
+    isNullableType = true
+    or
+    t instanceof RefType and
+    isNullableType = false
+  )
+  or
+  exists(Expr parent |
+    dereferenceableExpr(parent, isNullableType) and
+    e = getNullEquivParent(parent)
+  )
+}
+
 /**
 * An expression that evaluates to a value that can be dereferenced. That is,
 * an expression that may evaluate to `null`.
@@ -418,21 +435,12 @@ class DereferenceableExpr extends Expr {
  private boolean isNullableType;

  DereferenceableExpr() {
-    exists(Expr e, Type t |
-      // There is currently a bug in the extractor: the type of `x?.Length` is
-      // incorrectly `int`, while it should have been `int?`. We apply
-      // `getNullEquivParent()` as a workaround
-      this = getNullEquivParent*(e) and
-      t = e.getType() and
-      not this instanceof SwitchCaseExpr and
-      not this instanceof PatternExpr
-    |
-      t instanceof NullableType and
-      isNullableType = true
-      or
-      t instanceof RefType and
-      isNullableType = false
-    )
+    // There is currently a bug in the extractor: the type of `x?.Length` is
+    // incorrectly `int`, while it should have been `int?`. We apply
+    // `getNullEquivParent()` as a workaround
+    dereferenceableExpr(this, isNullableType) and
+    not this instanceof SwitchCaseExpr and
+    not this instanceof PatternExpr
  }

  /** Holds if this expression has a nullable type `T?`. */
--- a/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
+++ b/csharp/ql/lib/semmle/code/csharp/controlflow/internal/ControlFlowGraphImpl.qll
@@ -94,9 +94,19 @@ private Element getAChild(Element p) {
  result = p.(AssignOperation).getExpandedAssignment()
 }

+pragma[nomagic]
+private predicate astNode(Element e) {
+  e = any(@top_level_exprorstmt_parent p | not p instanceof Attribute)
+  or
+  exists(Element parent |
+    astNode(parent) and
+    e = getAChild(parent)
+  )
+}
+
 /** An AST node. */
 class AstNode extends Element, TAstNode {
-  AstNode() { this = getAChild*(any(@top_level_exprorstmt_parent p | not p instanceof Attribute)) }
+  AstNode() { astNode(this) }

  int getId() { idOf(this, result) }
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ControlFlowReachability.qll
@@ -15,16 +15,47 @@ private class ControlFlowScope extends ControlFlowElement {
  predicate isNonExact() { exactScope = false }
 }

-private ControlFlowElement getANonExactScopeChild(ControlFlowScope scope) {
-  scope.isNonExact() and
-  result = scope
-  or
-  result = getANonExactScopeChild(scope).getAChild()
+private newtype TControlFlowElementOrBasicBlock =
+  TControlFlowElement(ControlFlowElement cfe) or
+  TBasicBlock(ControlFlow::BasicBlock bb)
+
+class ControlFlowElementOrBasicBlock extends TControlFlowElementOrBasicBlock {
+  ControlFlowElement asControlFlowElement() { this = TControlFlowElement(result) }
+
+  ControlFlow::BasicBlock asBasicBlock() { this = TBasicBlock(result) }
+
+  string toString() {
+    result = this.asControlFlowElement().toString()
+    or
+    result = this.asBasicBlock().toString()
+  }
+
+  Location getLocation() {
+    result = this.asControlFlowElement().getLocation()
+    or
+    result = this.asBasicBlock().getLocation()
+  }
 }

+private predicate isBasicBlock(ControlFlowElementOrBasicBlock c) { c instanceof TBasicBlock }
+
+private predicate isNonExactScope(ControlFlowElementOrBasicBlock c) {
+  c.asControlFlowElement().(ControlFlowScope).isNonExact()
+}
+
+private predicate step(ControlFlowElementOrBasicBlock pred, ControlFlowElementOrBasicBlock succ) {
+  pred.asBasicBlock().getANode().getAstNode() = succ.asControlFlowElement()
+  or
+  pred.asControlFlowElement() = succ.asControlFlowElement().getAChild()
+}
+
+private predicate basicBlockInNonExactScope(
+  ControlFlowElementOrBasicBlock bb, ControlFlowElementOrBasicBlock scope
+) = doublyBoundedFastTC(step/2, isBasicBlock/1, isNonExactScope/1)(bb, scope)
+
 pragma[noinline]
 private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowScope scope, boolean exactScope) {
-  result.getANode().getAstNode() = getANonExactScopeChild(scope) and
+  basicBlockInNonExactScope(TBasicBlock(result), TControlFlowElement(scope)) and
  exactScope = false
  or
  scope.isExact() and
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll
@@ -6,7 +6,9 @@ private import ControlFlowReachability
 private import FlowSummaryImpl as FlowSummaryImpl
 private import semmle.code.csharp.dataflow.FlowSummary as FlowSummary
 private import semmle.code.csharp.dataflow.internal.ExternalFlow
+private import semmle.code.csharp.commons.Collections
 private import semmle.code.csharp.Conversion
+private import semmle.code.csharp.exprs.internal.Expr
 private import semmle.code.csharp.dataflow.internal.SsaImpl as SsaImpl
 private import semmle.code.csharp.ExprOrStmtParent
 private import semmle.code.csharp.Unification
@@ -16,7 +18,6 @@ private import semmle.code.csharp.frameworks.EntityFramework
 private import semmle.code.csharp.frameworks.system.linq.Expressions
 private import semmle.code.csharp.frameworks.NHibernate
 private import semmle.code.csharp.frameworks.Razor
-private import semmle.code.csharp.frameworks.system.Collections
 private import semmle.code.csharp.frameworks.system.threading.Tasks
 private import semmle.code.csharp.internal.Location
 private import codeql.util.Unit
@@ -1087,7 +1088,7 @@ predicate exprMayHavePostUpdateNode(Expr e) {
    or
    t = any(TypeParameter tp | not tp.isValueType())
    or
-    t.isRefLikeType()
+    t instanceof Struct
  )
 }

@@ -2377,6 +2378,16 @@ predicate storeStep(Node node1, ContentSet c, Node node2) {
  storeStepDelegateCall(node1, c, node2)
 }

+pragma[nomagic]
+private predicate isAssignExprLValueDescendant(Expr e) {
+  e = any(AssignExpr ae).getLValue()
+  or
+  exists(Expr parent |
+    isAssignExprLValueDescendant(parent) and
+    e = parent.getAChildExpr()
+  )
+}
+
 private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration {
  ReadStepConfiguration() { this = "ReadStepConfiguration" }

@@ -2432,7 +2443,7 @@ private class ReadStepConfiguration extends ControlFlowReachabilityConfiguration
    scope =
      any(AssignExpr ae |
        ae = defTo.(AssignableDefinitions::TupleAssignmentDefinition).getAssignment() and
-        e = ae.getLValue().getAChildExpr*().(TupleExpr) and
+        isAssignExprLValueDescendant(e.(TupleExpr)) and
        exactScope = false and
        isSuccessor = true
      )
@@ -2488,7 +2499,7 @@ private predicate readContentStep(Node node1, Content c, Node node2) {
      )
      or
      // item = variable in node1 = (..., variable, ...) in a case/is var (..., ...)
-      te = any(PatternExpr pe).getAChildExpr*() and
+      isPatternExprDescendant(te) and
      exists(AssignableDefinitions::LocalVariableDefinition lvd |
        node2.(AssignableDefinitionNode).getDefinition() = lvd and
        lvd.getDeclaration() = item and
@@ -2545,6 +2556,7 @@ private predicate clearsCont(Node n, Content c) {
    a.getType() = s and
    f = s.getAField() and
    c.(FieldContent).getField() = f.getUnboundDeclaration() and
+    not f.getType() instanceof CollectionType and
    not f.isRef()
  )
  or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/ExternalFlow.qll
@@ -239,12 +239,25 @@ module ModelValidation {
    )
  }

+  string getIncorrectConstructorSummaryOutput() {
+    exists(string namespace, string type, string name, string output |
+      type = name or
+      type = name + "<" + any(string s)
+    |
+      summaryModel(namespace, type, _, name, _, _, _, output, _, _, _) and
+      output.matches("ReturnValue%") and
+      result =
+        "Constructor model for " + namespace + "." + type +
+          " should use `Argument[this]` in the output, not `ReturnValue`."
+    )
+  }
+
  /** Holds if some row in a MaD flow model appears to contain typos. */
  query predicate invalidModelRow(string msg) {
    msg =
      [
        getInvalidModelSignature(), getInvalidModelInput(), getInvalidModelOutput(),
-        KindVal::getInvalidModelKind()
+        getIncorrectConstructorSummaryOutput(), KindVal::getInvalidModelKind()
      ]
  }
 }
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/TaintTrackingPrivate.qll
@@ -109,6 +109,16 @@ private class LocalTaintExprStepConfiguration extends ControlFlowReachabilityCon
  }
 }

+private ControlFlow::Nodes::ExprNode getALastEvalNode(ControlFlow::Nodes::ExprNode cfn) {
+  exists(OperatorCall oc | any(LocalTaintExprStepConfiguration x).hasExprPath(_, result, oc, cfn) |
+    oc.getTarget() instanceof ImplicitConversionOperator
+  )
+}
+
+private ControlFlow::Nodes::ExprNode getPostUpdateReverseStep(ControlFlow::Nodes::ExprNode e) {
+  result = getALastEvalNode(e)
+}
+
 private predicate localTaintStepCommon(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
  hasNodePath(any(LocalTaintExprStepConfiguration x), nodeFrom, nodeTo)
 }
@@ -177,6 +187,16 @@ private module Cached {
      readStep(nodeFrom, any(DataFlow::ContentSet c | c.isElement()), nodeTo)
      or
      nodeTo = nodeFrom.(DataFlow::NonLocalJumpNode).getAJumpSuccessor(false)
+      or
+      // Allow reverse update flow for implicit conversion operator calls.
+      // This is needed to support flow out of method call arguments, where an implicit conversion is applied
+      // to a call argument.
+      nodeTo.(PostUpdateNode).getPreUpdateNode().(DataFlow::ExprNode).getControlFlowNode() =
+        getPostUpdateReverseStep(nodeFrom
+              .(PostUpdateNode)
+              .getPreUpdateNode()
+              .(DataFlow::ExprNode)
+              .getControlFlowNode())
    ) and
    model = ""
    or
--- a/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll
+++ b/csharp/ql/lib/semmle/code/csharp/dataflow/internal/rangeanalysis/ControlFlowReachability.qll
@@ -15,16 +15,47 @@ private class ControlFlowScope extends ControlFlowElement {
  predicate isNonExact() { exactScope = false }
 }

-private ControlFlowElement getANonExactScopeChild(ControlFlowScope scope) {
-  scope.isNonExact() and
-  result = scope
-  or
-  result = getANonExactScopeChild(scope).getAChild()
+private newtype TControlFlowElementOrBasicBlock =
+  TControlFlowElement(ControlFlowElement cfe) or
+  TBasicBlock(ControlFlow::BasicBlock bb)
+
+class ControlFlowElementOrBasicBlock extends TControlFlowElementOrBasicBlock {
+  ControlFlowElement asControlFlowElement() { this = TControlFlowElement(result) }
+
+  ControlFlow::BasicBlock asBasicBlock() { this = TBasicBlock(result) }
+
+  string toString() {
+    result = this.asControlFlowElement().toString()
+    or
+    result = this.asBasicBlock().toString()
+  }
+
+  Location getLocation() {
+    result = this.asControlFlowElement().getLocation()
+    or
+    result = this.asBasicBlock().getLocation()
+  }
 }

+private predicate isBasicBlock(ControlFlowElementOrBasicBlock c) { c instanceof TBasicBlock }
+
+private predicate isNonExactScope(ControlFlowElementOrBasicBlock c) {
+  c.asControlFlowElement().(ControlFlowScope).isNonExact()
+}
+
+private predicate step(ControlFlowElementOrBasicBlock pred, ControlFlowElementOrBasicBlock succ) {
+  pred.asBasicBlock().getANode().getAstNode() = succ.asControlFlowElement()
+  or
+  pred.asControlFlowElement() = succ.asControlFlowElement().getAChild()
+}
+
+private predicate basicBlockInNonExactScope(
+  ControlFlowElementOrBasicBlock bb, ControlFlowElementOrBasicBlock scope
+) = doublyBoundedFastTC(step/2, isBasicBlock/1, isNonExactScope/1)(bb, scope)
+
 pragma[noinline]
 private ControlFlow::BasicBlock getABasicBlockInScope(ControlFlowScope scope, boolean exactScope) {
-  result.getANode().getAstNode() = getANonExactScopeChild(scope) and
+  basicBlockInNonExactScope(TBasicBlock(result), TControlFlowElement(scope)) and
  exactScope = false
  or
  scope.isExact() and
--- a/csharp/ql/lib/semmle/code/csharp/exprs/Assignment.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Assignment.qll
@@ -11,7 +11,7 @@ import Expr
 * (`LocalVariableDeclAndInitExpr`), a simple assignment (`AssignExpr`), or
 * an assignment operation (`AssignOperation`).
 */
-class Assignment extends Operation, @assign_expr {
+class Assignment extends BinaryOperation, @assign_expr {
  Assignment() {
    this instanceof LocalVariableDeclExpr
    implies
@@ -20,6 +20,10 @@ class Assignment extends Operation, @assign_expr {
    expr_parent(_, 0, this)
  }

+  override Expr getLeftOperand() { result = this.getChild(1) }
+
+  override Expr getRightOperand() { result = this.getChild(0) }
+
  /** Gets the left operand of this assignment. */
  Expr getLValue() { result = this.getChild(1) }

--- a/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/Expr.qll
@@ -21,6 +21,7 @@ import semmle.code.csharp.Type
 private import semmle.code.csharp.ExprOrStmtParent
 private import semmle.code.csharp.frameworks.System
 private import semmle.code.csharp.TypeRef
+private import internal.Expr

 /**
 * An expression. Either an access (`Access`), a call (`Call`), an object or
@@ -64,14 +65,24 @@ class Expr extends ControlFlowElement, @expr {
  /** Gets the enclosing callable of this expression, if any. */
  override Callable getEnclosingCallable() { enclosingCallable(this, result) }

+  pragma[nomagic]
+  private predicate isExpandedAssignmentRValueDescendant() {
+    this =
+      any(AssignOperation op).getExpandedAssignment().getRValue().getChildExpr(0).getAChildExpr()
+    or
+    exists(Expr parent |
+      parent.isExpandedAssignmentRValueDescendant() and
+      this = parent.getAChildExpr()
+    )
+  }
+
  /**
   * Holds if this expression is generated by the compiler and does not appear
   * explicitly in the source code.
   */
  final predicate isImplicit() {
    compiler_generated(this) or
-    this =
-      any(AssignOperation op).getExpandedAssignment().getRValue().getChildExpr(0).getAChildExpr+()
+    this.isExpandedAssignmentRValueDescendant()
  }

  /**
@@ -233,7 +244,8 @@ class UnaryOperation extends Operation, @un_op {
 * A binary operation. Either a binary arithmetic operation
 * (`BinaryArithmeticOperation`), a binary bitwise operation
 * (`BinaryBitwiseOperation`), a comparison operation (`ComparisonOperation`),
- * or a binary logical operation (`BinaryLogicalOperation`).
+ * a binary logical operation (`BinaryLogicalOperation`), or an
+ * assignment (`Assignment`).
 */
 class BinaryOperation extends Operation, @bin_op {
  /** Gets the left operand of this binary operation. */
@@ -1133,7 +1145,7 @@ class TupleExpr extends Expr, @tuple_expr {
  /** Holds if this expression is a tuple construction. */
  predicate isConstruction() {
    not this = getAnAssignOrForeachChild() and
-    not this = any(PatternExpr pe).getAChildExpr*()
+    not isPatternExprDescendant(this)
  }

  override string getAPrimaryQlClass() { result = "TupleExpr" }
--- a/csharp/ql/lib/semmle/code/csharp/exprs/internal/Expr.qll
+++ b/csharp/ql/lib/semmle/code/csharp/exprs/internal/Expr.qll
@@ -0,0 +1,11 @@
+private import csharp
+
+pragma[nomagic]
+predicate isPatternExprDescendant(Expr e) {
+  e instanceof PatternExpr
+  or
+  exists(Expr parent |
+    isPatternExprDescendant(parent) and
+    e = parent.getAChildExpr()
+  )
+}
--- a/csharp/ql/lib/semmlecode.csharp.dbscheme
+++ b/csharp/ql/lib/semmlecode.csharp.dbscheme
@@ -1261,10 +1261,10 @@ case @expr.kind of
@rel_op_expr = @gt_expr | @lt_expr| @ge_expr | @le_expr;
@comp_expr = @equality_op_expr | @rel_op_expr;

-@op_expr = @assign_expr | @un_op | @bin_op | @ternary_op;
+@op_expr = @un_op | @bin_op | @ternary_op;

@ternary_op = @ternary_log_op_expr;
-@bin_op = @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
+@bin_op = @assign_expr | @bin_arith_op_expr | @bin_log_op_expr | @bin_bit_op_expr | @comp_expr;
@un_op = @un_arith_op_expr | @un_log_op_expr | @un_bit_op_expr | @sizeof_expr
       | @pointer_indirection_expr | @address_of_expr;

--- a/csharp/ql/lib/upgrades/178a7e6cf335486d33d4e49543148e3f57f04a9a/old.dbscheme
+++ b/csharp/ql/lib/upgrades/178a7e6cf335486d33d4e49543148e3f57f04a9a/old.dbscheme
--- a/csharp/ql/lib/upgrades/178a7e6cf335486d33d4e49543148e3f57f04a9a/semmlecode.csharp.dbscheme
+++ b/csharp/ql/lib/upgrades/178a7e6cf335486d33d4e49543148e3f57f04a9a/semmlecode.csharp.dbscheme
--- a/csharp/ql/lib/upgrades/178a7e6cf335486d33d4e49543148e3f57f04a9a/upgrade.properties
+++ b/csharp/ql/lib/upgrades/178a7e6cf335486d33d4e49543148e3f57f04a9a/upgrade.properties
@@ -0,0 +1,2 @@
+description: Expand @bin_op union to include @assign_expr
+compatibility: full
--- a/Bugs/DangerousNonShortCircuitLogic.ql
+++ b/Bugs/DangerousNonShortCircuitLogic.ql
@@ -15,23 +15,6 @@

 import csharp

-/** An expression containing a qualified member access, a method call, or an array access. */
-class DangerousExpression extends Expr {
-  DangerousExpression() {
-    exists(Expr e | this = e.getParent*() |
-      exists(Expr q | q = e.(MemberAccess).getQualifier() |
-        not q instanceof ThisAccess and
-        not q instanceof BaseAccess
-      )
-      or
-      e instanceof MethodCall
-      or
-      e instanceof ArrayAccess
-    ) and
-    not exists(Expr e | this = e.getParent*() | e.(Call).getTarget().getAParameter().isOutOrRef())
-  }
-}
-
 /** A use of `&` or `|` on operands of type boolean. */
 class NonShortCircuit extends BinaryBitwiseOperation {
  NonShortCircuit() {
@@ -42,10 +25,40 @@ class NonShortCircuit extends BinaryBitwiseOperation {
    ) and
    not exists(AssignBitwiseOperation abo | abo.getExpandedAssignment().getRValue() = this) and
    this.getLeftOperand().getType() instanceof BoolType and
-    this.getRightOperand().getType() instanceof BoolType and
-    this.getRightOperand() instanceof DangerousExpression
+    this.getRightOperand().getType() instanceof BoolType
+  }
+
+  pragma[nomagic]
+  private predicate hasRightOperandDescendant(Expr e) {
+    e = this.getRightOperand()
+    or
+    exists(Expr parent |
+      this.hasRightOperandDescendant(parent) and
+      e.getParent() = parent
+    )
+  }
+
+  /**
+   * Holds if this non-short-circuit expression contains a qualified member access,
+   * a method call, or an array access inside the right operand.
+   */
+  predicate isDangerous() {
+    exists(Expr e | this.hasRightOperandDescendant(e) |
+      exists(Expr q | q = e.(MemberAccess).getQualifier() |
+        not q instanceof ThisAccess and
+        not q instanceof BaseAccess
+      )
+      or
+      e instanceof MethodCall
+      or
+      e instanceof ArrayAccess
+    ) and
+    not exists(Expr e | this.hasRightOperandDescendant(e) |
+      e.(Call).getTarget().getAParameter().isOutOrRef()
+    )
  }
 }

 from NonShortCircuit e
+where e.isDangerous()
 select e, "Potentially dangerous use of non-short circuit logic."
--- a/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
+++ b/csharp/ql/test/library-tests/csharp7/LocalTaintFlow.expected
@@ -321,6 +321,7 @@
 | CSharp7.cs:283:20:283:62 | call to method Select<KeyValuePair<Int32,String>,(Int32,String)> | CSharp7.cs:283:13:283:16 | access to local variable list |
 | CSharp7.cs:283:32:283:35 | SSA param(item) | CSharp7.cs:283:41:283:44 | access to parameter item |
 | CSharp7.cs:283:32:283:35 | item | CSharp7.cs:283:32:283:35 | SSA param(item) |
+| CSharp7.cs:283:41:283:44 | [post] access to parameter item | CSharp7.cs:283:51:283:54 | access to parameter item |
 | CSharp7.cs:283:41:283:44 | access to parameter item | CSharp7.cs:283:41:283:48 | access to property Key |
 | CSharp7.cs:283:41:283:44 | access to parameter item | CSharp7.cs:283:51:283:54 | access to parameter item |
 | CSharp7.cs:283:51:283:54 | access to parameter item | CSharp7.cs:283:51:283:60 | access to property Value |
--- a/csharp/ql/test/library-tests/dataflow/constructors/ConstructorFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/constructors/ConstructorFlow.expected
@@ -122,6 +122,16 @@ edges
 | Constructors.cs:143:29:143:30 | access to local variable o2 : Object | Constructors.cs:143:18:143:31 | object creation of type R1 : R1 [property Obj2] : Object | provenance |  |
 | Constructors.cs:144:14:144:15 | access to local variable r1 : R1 [property Obj1] : Object | Constructors.cs:144:14:144:20 | access to property Obj1 | provenance |  |
 | Constructors.cs:145:14:145:15 | access to local variable r1 : R1 [property Obj2] : Object | Constructors.cs:145:14:145:20 | access to property Obj2 | provenance |  |
+| Constructors.cs:157:40:157:40 | o : Object | Constructors.cs:157:52:157:52 | access to parameter o : Object | provenance |  |
+| Constructors.cs:157:46:157:48 | [post] this access : CPartial [property Obj] : Object | Constructors.cs:157:24:157:31 | this [Return] : CPartial [property Obj] : Object | provenance |  |
+| Constructors.cs:157:52:157:52 | access to parameter o : Object | Constructors.cs:157:46:157:48 | [post] this access : CPartial [property Obj] : Object | provenance |  |
+| Constructors.cs:162:13:162:13 | access to local variable o : Object | Constructors.cs:163:37:163:37 | access to local variable o : Object | provenance |  |
+| Constructors.cs:162:17:162:34 | call to method Source<Object> : Object | Constructors.cs:162:13:162:13 | access to local variable o : Object | provenance |  |
+| Constructors.cs:163:13:163:20 | access to local variable cPartial : CPartial [property Obj] : Object | Constructors.cs:164:14:164:21 | access to local variable cPartial : CPartial [property Obj] : Object | provenance |  |
+| Constructors.cs:163:24:163:38 | object creation of type CPartial : CPartial [property Obj] : Object | Constructors.cs:163:13:163:20 | access to local variable cPartial : CPartial [property Obj] : Object | provenance |  |
+| Constructors.cs:163:37:163:37 | access to local variable o : Object | Constructors.cs:157:40:157:40 | o : Object | provenance |  |
+| Constructors.cs:163:37:163:37 | access to local variable o : Object | Constructors.cs:163:24:163:38 | object creation of type CPartial : CPartial [property Obj] : Object | provenance |  |
+| Constructors.cs:164:14:164:21 | access to local variable cPartial : CPartial [property Obj] : Object | Constructors.cs:164:14:164:25 | access to property Obj | provenance |  |
 nodes
 | Constructors.cs:3:18:3:26 | [post] this access : C_no_ctor [field s1] : Object | semmle.label | [post] this access : C_no_ctor [field s1] : Object |
 | Constructors.cs:5:24:5:25 | [post] this access : C_no_ctor [field s1] : Object | semmle.label | [post] this access : C_no_ctor [field s1] : Object |
@@ -255,6 +265,17 @@ nodes
 | Constructors.cs:144:14:144:20 | access to property Obj1 | semmle.label | access to property Obj1 |
 | Constructors.cs:145:14:145:15 | access to local variable r1 : R1 [property Obj2] : Object | semmle.label | access to local variable r1 : R1 [property Obj2] : Object |
 | Constructors.cs:145:14:145:20 | access to property Obj2 | semmle.label | access to property Obj2 |
+| Constructors.cs:157:24:157:31 | this [Return] : CPartial [property Obj] : Object | semmle.label | this [Return] : CPartial [property Obj] : Object |
+| Constructors.cs:157:40:157:40 | o : Object | semmle.label | o : Object |
+| Constructors.cs:157:46:157:48 | [post] this access : CPartial [property Obj] : Object | semmle.label | [post] this access : CPartial [property Obj] : Object |
+| Constructors.cs:157:52:157:52 | access to parameter o : Object | semmle.label | access to parameter o : Object |
+| Constructors.cs:162:13:162:13 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| Constructors.cs:162:17:162:34 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| Constructors.cs:163:13:163:20 | access to local variable cPartial : CPartial [property Obj] : Object | semmle.label | access to local variable cPartial : CPartial [property Obj] : Object |
+| Constructors.cs:163:24:163:38 | object creation of type CPartial : CPartial [property Obj] : Object | semmle.label | object creation of type CPartial : CPartial [property Obj] : Object |
+| Constructors.cs:163:37:163:37 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| Constructors.cs:164:14:164:21 | access to local variable cPartial : CPartial [property Obj] : Object | semmle.label | access to local variable cPartial : CPartial [property Obj] : Object |
+| Constructors.cs:164:14:164:25 | access to property Obj | semmle.label | access to property Obj |
 subpaths
 | Constructors.cs:44:18:44:19 | this access : C2 [parameter o21param] : Object | Constructors.cs:46:23:46:27 | this access : C2 [parameter o21param] : Object | Constructors.cs:46:23:46:27 | [post] this access : C2 [field Obj21] : Object | Constructors.cs:44:18:44:19 | [post] this access : C2 [field Obj21] : Object |
 | Constructors.cs:64:37:64:37 | access to parameter o : Object | Constructors.cs:57:54:57:55 | o2 : Object | Constructors.cs:59:13:59:14 | access to parameter o1 : Object | Constructors.cs:64:27:64:34 | access to parameter o22param : Object |
@@ -273,6 +294,7 @@ subpaths
 | Constructors.cs:132:29:132:30 | access to local variable o2 : Object | Constructors.cs:121:38:121:40 | oc2 : Object | Constructors.cs:121:16:121:17 | this [Return] : C4 [property Obj2] : Object | Constructors.cs:132:18:132:31 | object creation of type C4 : C4 [property Obj2] : Object |
 | Constructors.cs:143:25:143:26 | access to local variable o1 : Object | Constructors.cs:137:29:137:32 | Obj1 : Object | Constructors.cs:137:19:137:20 | this [Return] : R1 [property Obj1] : Object | Constructors.cs:143:18:143:31 | object creation of type R1 : R1 [property Obj1] : Object |
 | Constructors.cs:143:29:143:30 | access to local variable o2 : Object | Constructors.cs:137:42:137:45 | Obj2 : Object | Constructors.cs:137:19:137:20 | this [Return] : R1 [property Obj2] : Object | Constructors.cs:143:18:143:31 | object creation of type R1 : R1 [property Obj2] : Object |
+| Constructors.cs:163:37:163:37 | access to local variable o : Object | Constructors.cs:157:40:157:40 | o : Object | Constructors.cs:157:24:157:31 | this [Return] : CPartial [property Obj] : Object | Constructors.cs:163:24:163:38 | object creation of type CPartial : CPartial [property Obj] : Object |
 testFailures
 #select
 | Constructors.cs:15:18:15:19 | access to field s1 | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | Constructors.cs:15:18:15:19 | access to field s1 | $@ | Constructors.cs:5:29:5:45 | call to method Source<Object> : Object | call to method Source<Object> : Object |
@@ -288,3 +310,4 @@ testFailures
 | Constructors.cs:134:14:134:20 | access to property Obj2 | Constructors.cs:131:18:131:34 | call to method Source<Object> : Object | Constructors.cs:134:14:134:20 | access to property Obj2 | $@ | Constructors.cs:131:18:131:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Constructors.cs:144:14:144:20 | access to property Obj1 | Constructors.cs:141:18:141:34 | call to method Source<Object> : Object | Constructors.cs:144:14:144:20 | access to property Obj1 | $@ | Constructors.cs:141:18:141:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
 | Constructors.cs:145:14:145:20 | access to property Obj2 | Constructors.cs:142:18:142:35 | call to method Source<Object> : Object | Constructors.cs:145:14:145:20 | access to property Obj2 | $@ | Constructors.cs:142:18:142:35 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| Constructors.cs:164:14:164:25 | access to property Obj | Constructors.cs:162:17:162:34 | call to method Source<Object> : Object | Constructors.cs:164:14:164:25 | access to property Obj | $@ | Constructors.cs:162:17:162:34 | call to method Source<Object> : Object | call to method Source<Object> : Object |
--- a/csharp/ql/test/library-tests/dataflow/constructors/Constructors.cs
+++ b/csharp/ql/test/library-tests/dataflow/constructors/Constructors.cs
@@ -145,6 +145,25 @@ public class Constructors
        Sink(r1.Obj2); // $ hasValueFlow=10
    }

+    public partial class CPartial
+    {
+        public object Obj { get; }
+
+        public partial CPartial(object o);
+    }
+
+    public partial class CPartial
+    {
+        public partial CPartial(object o) => Obj = o;
+    }
+
+    public void M8()
+    {
+        var o = Source<object>(11);
+        var cPartial = new CPartial(o);
+        Sink(cPartial.Obj); // $ hasValueFlow=11
+    }
+
    public static void Sink(object o) { }

    public static T Source<T>(object source) => throw null;
--- a/csharp/ql/test/library-tests/dataflow/external-models/Sources.cs
+++ b/csharp/ql/test/library-tests/dataflow/external-models/Sources.cs
@@ -21,6 +21,9 @@ namespace My.Qltest

            x = TaggedSrcPropertyGetter;
            x = this[0];
+
+            S s;
+            StructSrc(s);
        }

        [SourceAttribute]
@@ -65,7 +68,10 @@ namespace My.Qltest

        [SourceAttribute]
        object this[int i] => null;
+
+        void StructSrc(S s) { }
    }

+    struct S { }
    class SourceAttribute : System.Attribute { }
 }
--- a/csharp/ql/test/library-tests/dataflow/external-models/srcs.expected
+++ b/csharp/ql/test/library-tests/dataflow/external-models/srcs.expected
@@ -11,9 +11,10 @@ invalidModelRow
 | Sources.cs:20:17:20:33 | call to method SrcTwoArg | local |
 | Sources.cs:22:17:22:39 | access to property TaggedSrcPropertyGetter | local |
 | Sources.cs:23:17:23:23 | access to indexer | local |
-| Sources.cs:27:14:27:20 | this | local |
-| Sources.cs:27:29:27:45 | taggedMethodParam | local |
-| Sources.cs:31:47:31:60 | taggedSrcParam | local |
-| Sources.cs:43:45:43:45 | p | local |
-| Sources.cs:50:50:50:50 | p | local |
-| Sources.cs:56:16:56:30 | this | local |
+| Sources.cs:26:23:26:23 | [post] access to local variable s | local |
+| Sources.cs:30:14:30:20 | this | local |
+| Sources.cs:30:29:30:45 | taggedMethodParam | local |
+| Sources.cs:34:47:34:60 | taggedSrcParam | local |
+| Sources.cs:46:45:46:45 | p | local |
+| Sources.cs:53:50:53:50 | p | local |
+| Sources.cs:59:16:59:30 | this | local |
--- a/csharp/ql/test/library-tests/dataflow/external-models/srcs.ext.yml
+++ b/csharp/ql/test/library-tests/dataflow/external-models/srcs.ext.yml
@@ -19,3 +19,4 @@ extensions:
      - ["My.Qltest", "SourceAttribute", false, "", "", "Attribute", "", "local", "manual"]
      - ["My.Qltest", "SourceAttribute", false, "", "", "Attribute.Getter", "ReturnValue", "local", "manual"]
      - ["My.Qltest", "A", false, "SrcTwoArg", "(System.String,System.String)", "", "ReturnValue", "local", "manual"]
+      - ["My.Qltest", "A", false, "StructSrc", "", "", "Argument[0]", "local", "manual"]
--- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs
+++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/RemoteFlowSource.cs
@@ -44,5 +44,13 @@ namespace RemoteFlowSource
        {
            Use(request.Unvalidated.RawUrl);
        }
+
+        public static async void M3(System.Net.WebSockets.WebSocket webSocket)
+        {
+            var buffer = new byte[1024];
+            var segment = new ArraySegment<byte>(buffer);
+            var result = await webSocket.ReceiveAsync(segment, System.Threading.CancellationToken.None);
+            Use(segment);
+        }
    }
 }
--- a/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected
+++ b/csharp/ql/test/library-tests/dataflow/flowsources/remote/remoteFlowSource.expected
@@ -9,3 +9,4 @@
 | RemoteFlowSource.cs:40:17:40:23 | access to parameter request | ASP.NET query string |
 | RemoteFlowSource.cs:45:17:45:23 | access to parameter request | ASP.NET query string |
 | RemoteFlowSource.cs:45:17:45:42 | access to property RawUrl | ASP.NET unvalidated request data |
+| RemoteFlowSource.cs:52:55:52:61 | [post] access to local variable segment | external |
--- a/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
+++ b/csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected
@@ -185,6 +185,10 @@ source
 | System.IO;StreamWriter;StreamWriter;(System.String,System.IO.FileStreamOptions);Argument[this];file-write;manual |
 | System.IO;StreamWriter;StreamWriter;(System.String,System.Text.Encoding,System.IO.FileStreamOptions);Argument[this];file-write;manual |
 | System.Net.Sockets;TcpClient;GetStream;();ReturnValue;remote;manual |
+| System.Net.WebSockets;ClientWebSocket;ReceiveAsync;(System.ArraySegment<System.Byte>,System.Threading.CancellationToken);Argument[0];remote;manual |
+| System.Net.WebSockets;ClientWebSocket;ReceiveAsync;(System.Memory<System.Byte>,System.Threading.CancellationToken);Argument[0];remote;manual |
+| System.Net.WebSockets;WebSocket;ReceiveAsync;(System.ArraySegment<System.Byte>,System.Threading.CancellationToken);Argument[0];remote;manual |
+| System.Net.WebSockets;WebSocket;ReceiveAsync;(System.Memory<System.Byte>,System.Threading.CancellationToken);Argument[0];remote;manual |
 | System;Console;Read;();ReturnValue;stdin;manual |
 | System;Console;ReadKey;();ReturnValue;stdin;manual |
 | System;Console;ReadKey;(System.Boolean);ReturnValue;stdin;manual |
--- a/csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs
+++ b/csharp/ql/test/library-tests/dataflow/operators/ImplicitConversionOperator.cs
@@ -0,0 +1,14 @@
+using System;
+
+public class TestImplicitConversionOperator
+{
+    static void Sink(object o) { }
+    static void TaintArgument(ArraySegment<byte> segment) { }
+
+    public void M1()
+    {
+        byte[] bytes = new byte[1];
+        TaintArgument(bytes);
+        Sink(bytes);
+    }
+}
--- a/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.expected
@@ -0,0 +1,8 @@
+edges
+| ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | provenance |  |
+nodes
+| ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | semmle.label | [post] call to operator implicit conversion : ArraySegment<Byte> |
+| ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | semmle.label | access to local variable bytes |
+subpaths
+#select
+| ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | ImplicitConversionOperator.cs:12:14:12:18 | access to local variable bytes | $@ | ImplicitConversionOperator.cs:11:23:11:27 | [post] call to operator implicit conversion : ArraySegment<Byte> | [post] call to operator implicit conversion : ArraySegment<Byte> |
--- a/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql
+++ b/csharp/ql/test/library-tests/dataflow/operators/implicitConversionOperatorFlow.ql
@@ -0,0 +1,29 @@
+/**
+ * @kind path-problem
+ */
+
+import csharp
+import semmle.code.csharp.dataflow.internal.DataFlowPrivate as DataFlowPrivate
+import Taint::PathGraph
+
+module TaintConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node src) {
+    exists(MethodCall mc |
+      mc.getTarget().hasName("TaintArgument") and
+      mc.getAnArgument() = src.(DataFlowPrivate::PostUpdateNode).getPreUpdateNode().asExpr()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(MethodCall mc |
+      mc.getTarget().hasName("Sink") and
+      mc.getAnArgument() = sink.asExpr()
+    )
+  }
+}
+
+module Taint = TaintTracking::Global<TaintConfig>;
+
+from Taint::PathNode source, Taint::PathNode sink
+where Taint::flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
--- a/csharp/ql/test/library-tests/dataflow/structs/StructFlow.expected
+++ b/csharp/ql/test/library-tests/dataflow/structs/StructFlow.expected
@@ -0,0 +1,92 @@
+models
+edges
+| structs.cs:10:27:10:30 | args : Object[] [element] : Object | structs.cs:12:25:12:28 | access to parameter args : Object[] [element] : Object | provenance |  |
+| structs.cs:10:27:10:30 | args : Object[] [element] : Object | structs.cs:12:25:12:28 | access to parameter args : Object[] [element] : Object | provenance |  |
+| structs.cs:12:13:12:16 | [post] this access : S [field args, element] : Object | structs.cs:10:16:10:16 | this [Return] : S [field args, element] : Object | provenance |  |
+| structs.cs:12:13:12:16 | [post] this access : S [field args, element] : Object | structs.cs:10:16:10:16 | this [Return] : S [field args, element] : Object | provenance |  |
+| structs.cs:12:25:12:28 | access to parameter args : Object[] [element] : Object | structs.cs:12:13:12:16 | [post] this access : S [field args, element] : Object | provenance |  |
+| structs.cs:12:25:12:28 | access to parameter args : Object[] [element] : Object | structs.cs:12:13:12:16 | [post] this access : S [field args, element] : Object | provenance |  |
+| structs.cs:16:30:16:30 | s [Return] : S [field args, element] : Object | structs.cs:32:20:32:20 | [post] access to local variable s : S [field args, element] : Object | provenance |  |
+| structs.cs:16:30:16:30 | s [Return] : S [field args, element] : Object | structs.cs:32:20:32:20 | [post] access to local variable s : S [field args, element] : Object | provenance |  |
+| structs.cs:18:9:18:9 | [post] access to parameter s : S [field args, element] : Object | structs.cs:16:30:16:30 | s [Return] : S [field args, element] : Object | provenance |  |
+| structs.cs:18:9:18:9 | [post] access to parameter s : S [field args, element] : Object | structs.cs:16:30:16:30 | s [Return] : S [field args, element] : Object | provenance |  |
+| structs.cs:18:9:18:14 | [post] access to field args : Object[] [element] : Object | structs.cs:18:9:18:9 | [post] access to parameter s : S [field args, element] : Object | provenance |  |
+| structs.cs:18:9:18:14 | [post] access to field args : Object[] [element] : Object | structs.cs:18:9:18:9 | [post] access to parameter s : S [field args, element] : Object | provenance |  |
+| structs.cs:18:21:18:37 | call to method Source<Object> : Object | structs.cs:18:9:18:14 | [post] access to field args : Object[] [element] : Object | provenance |  |
+| structs.cs:18:21:18:37 | call to method Source<Object> : Object | structs.cs:18:9:18:14 | [post] access to field args : Object[] [element] : Object | provenance |  |
+| structs.cs:24:13:24:13 | access to local variable o : Object | structs.cs:25:24:25:24 | access to local variable o : Object | provenance |  |
+| structs.cs:24:13:24:13 | access to local variable o : Object | structs.cs:25:24:25:24 | access to local variable o : Object | provenance |  |
+| structs.cs:24:17:24:33 | call to method Source<Object> : Object | structs.cs:24:13:24:13 | access to local variable o : Object | provenance |  |
+| structs.cs:24:17:24:33 | call to method Source<Object> : Object | structs.cs:24:13:24:13 | access to local variable o : Object | provenance |  |
+| structs.cs:25:13:25:13 | access to local variable s : S [field args, element] : Object | structs.cs:26:14:26:14 | access to local variable s : S [field args, element] : Object | provenance |  |
+| structs.cs:25:13:25:13 | access to local variable s : S [field args, element] : Object | structs.cs:26:14:26:14 | access to local variable s : S [field args, element] : Object | provenance |  |
+| structs.cs:25:17:25:26 | object creation of type S : S [field args, element] : Object | structs.cs:25:13:25:13 | access to local variable s : S [field args, element] : Object | provenance |  |
+| structs.cs:25:17:25:26 | object creation of type S : S [field args, element] : Object | structs.cs:25:13:25:13 | access to local variable s : S [field args, element] : Object | provenance |  |
+| structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | structs.cs:10:27:10:30 | args : Object[] [element] : Object | provenance |  |
+| structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | structs.cs:10:27:10:30 | args : Object[] [element] : Object | provenance |  |
+| structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | structs.cs:25:17:25:26 | object creation of type S : S [field args, element] : Object | provenance |  |
+| structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | structs.cs:25:17:25:26 | object creation of type S : S [field args, element] : Object | provenance |  |
+| structs.cs:25:24:25:24 | access to local variable o : Object | structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | provenance |  |
+| structs.cs:25:24:25:24 | access to local variable o : Object | structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | provenance |  |
+| structs.cs:26:14:26:14 | access to local variable s : S [field args, element] : Object | structs.cs:26:14:26:19 | access to field args : Object[] [element] : Object | provenance |  |
+| structs.cs:26:14:26:14 | access to local variable s : S [field args, element] : Object | structs.cs:26:14:26:19 | access to field args : Object[] [element] : Object | provenance |  |
+| structs.cs:26:14:26:19 | access to field args : Object[] [element] : Object | structs.cs:26:14:26:22 | access to array element | provenance |  |
+| structs.cs:26:14:26:19 | access to field args : Object[] [element] : Object | structs.cs:26:14:26:22 | access to array element | provenance |  |
+| structs.cs:32:20:32:20 | [post] access to local variable s : S [field args, element] : Object | structs.cs:33:14:33:14 | access to local variable s : S [field args, element] : Object | provenance |  |
+| structs.cs:32:20:32:20 | [post] access to local variable s : S [field args, element] : Object | structs.cs:33:14:33:14 | access to local variable s : S [field args, element] : Object | provenance |  |
+| structs.cs:33:14:33:14 | access to local variable s : S [field args, element] : Object | structs.cs:33:14:33:19 | access to field args : Object[] [element] : Object | provenance |  |
+| structs.cs:33:14:33:14 | access to local variable s : S [field args, element] : Object | structs.cs:33:14:33:19 | access to field args : Object[] [element] : Object | provenance |  |
+| structs.cs:33:14:33:19 | access to field args : Object[] [element] : Object | structs.cs:33:14:33:22 | access to array element | provenance |  |
+| structs.cs:33:14:33:19 | access to field args : Object[] [element] : Object | structs.cs:33:14:33:22 | access to array element | provenance |  |
+nodes
+| structs.cs:10:16:10:16 | this [Return] : S [field args, element] : Object | semmle.label | this [Return] : S [field args, element] : Object |
+| structs.cs:10:16:10:16 | this [Return] : S [field args, element] : Object | semmle.label | this [Return] : S [field args, element] : Object |
+| structs.cs:10:27:10:30 | args : Object[] [element] : Object | semmle.label | args : Object[] [element] : Object |
+| structs.cs:10:27:10:30 | args : Object[] [element] : Object | semmle.label | args : Object[] [element] : Object |
+| structs.cs:12:13:12:16 | [post] this access : S [field args, element] : Object | semmle.label | [post] this access : S [field args, element] : Object |
+| structs.cs:12:13:12:16 | [post] this access : S [field args, element] : Object | semmle.label | [post] this access : S [field args, element] : Object |
+| structs.cs:12:25:12:28 | access to parameter args : Object[] [element] : Object | semmle.label | access to parameter args : Object[] [element] : Object |
+| structs.cs:12:25:12:28 | access to parameter args : Object[] [element] : Object | semmle.label | access to parameter args : Object[] [element] : Object |
+| structs.cs:16:30:16:30 | s [Return] : S [field args, element] : Object | semmle.label | s [Return] : S [field args, element] : Object |
+| structs.cs:16:30:16:30 | s [Return] : S [field args, element] : Object | semmle.label | s [Return] : S [field args, element] : Object |
+| structs.cs:18:9:18:9 | [post] access to parameter s : S [field args, element] : Object | semmle.label | [post] access to parameter s : S [field args, element] : Object |
+| structs.cs:18:9:18:9 | [post] access to parameter s : S [field args, element] : Object | semmle.label | [post] access to parameter s : S [field args, element] : Object |
+| structs.cs:18:9:18:14 | [post] access to field args : Object[] [element] : Object | semmle.label | [post] access to field args : Object[] [element] : Object |
+| structs.cs:18:9:18:14 | [post] access to field args : Object[] [element] : Object | semmle.label | [post] access to field args : Object[] [element] : Object |
+| structs.cs:18:21:18:37 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| structs.cs:18:21:18:37 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| structs.cs:24:13:24:13 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| structs.cs:24:13:24:13 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| structs.cs:24:17:24:33 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| structs.cs:24:17:24:33 | call to method Source<Object> : Object | semmle.label | call to method Source<Object> : Object |
+| structs.cs:25:13:25:13 | access to local variable s : S [field args, element] : Object | semmle.label | access to local variable s : S [field args, element] : Object |
+| structs.cs:25:13:25:13 | access to local variable s : S [field args, element] : Object | semmle.label | access to local variable s : S [field args, element] : Object |
+| structs.cs:25:17:25:26 | object creation of type S : S [field args, element] : Object | semmle.label | object creation of type S : S [field args, element] : Object |
+| structs.cs:25:17:25:26 | object creation of type S : S [field args, element] : Object | semmle.label | object creation of type S : S [field args, element] : Object |
+| structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | semmle.label | [...] : Object[] [element] : Object |
+| structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | semmle.label | [...] : Object[] [element] : Object |
+| structs.cs:25:24:25:24 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| structs.cs:25:24:25:24 | access to local variable o : Object | semmle.label | access to local variable o : Object |
+| structs.cs:26:14:26:14 | access to local variable s : S [field args, element] : Object | semmle.label | access to local variable s : S [field args, element] : Object |
+| structs.cs:26:14:26:14 | access to local variable s : S [field args, element] : Object | semmle.label | access to local variable s : S [field args, element] : Object |
+| structs.cs:26:14:26:19 | access to field args : Object[] [element] : Object | semmle.label | access to field args : Object[] [element] : Object |
+| structs.cs:26:14:26:19 | access to field args : Object[] [element] : Object | semmle.label | access to field args : Object[] [element] : Object |
+| structs.cs:26:14:26:22 | access to array element | semmle.label | access to array element |
+| structs.cs:26:14:26:22 | access to array element | semmle.label | access to array element |
+| structs.cs:32:20:32:20 | [post] access to local variable s : S [field args, element] : Object | semmle.label | [post] access to local variable s : S [field args, element] : Object |
+| structs.cs:32:20:32:20 | [post] access to local variable s : S [field args, element] : Object | semmle.label | [post] access to local variable s : S [field args, element] : Object |
+| structs.cs:33:14:33:14 | access to local variable s : S [field args, element] : Object | semmle.label | access to local variable s : S [field args, element] : Object |
+| structs.cs:33:14:33:14 | access to local variable s : S [field args, element] : Object | semmle.label | access to local variable s : S [field args, element] : Object |
+| structs.cs:33:14:33:19 | access to field args : Object[] [element] : Object | semmle.label | access to field args : Object[] [element] : Object |
+| structs.cs:33:14:33:19 | access to field args : Object[] [element] : Object | semmle.label | access to field args : Object[] [element] : Object |
+| structs.cs:33:14:33:22 | access to array element | semmle.label | access to array element |
+| structs.cs:33:14:33:22 | access to array element | semmle.label | access to array element |
+subpaths
+| structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | structs.cs:10:27:10:30 | args : Object[] [element] : Object | structs.cs:10:16:10:16 | this [Return] : S [field args, element] : Object | structs.cs:25:17:25:26 | object creation of type S : S [field args, element] : Object |
+| structs.cs:25:23:25:25 | [...] : Object[] [element] : Object | structs.cs:10:27:10:30 | args : Object[] [element] : Object | structs.cs:10:16:10:16 | this [Return] : S [field args, element] : Object | structs.cs:25:17:25:26 | object creation of type S : S [field args, element] : Object |
+testFailures
+#select
+| structs.cs:26:14:26:22 | access to array element | structs.cs:24:17:24:33 | call to method Source<Object> : Object | structs.cs:26:14:26:22 | access to array element | $@ | structs.cs:24:17:24:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| structs.cs:26:14:26:22 | access to array element | structs.cs:24:17:24:33 | call to method Source<Object> : Object | structs.cs:26:14:26:22 | access to array element | $@ | structs.cs:24:17:24:33 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| structs.cs:33:14:33:22 | access to array element | structs.cs:18:21:18:37 | call to method Source<Object> : Object | structs.cs:33:14:33:22 | access to array element | $@ | structs.cs:18:21:18:37 | call to method Source<Object> : Object | call to method Source<Object> : Object |
+| structs.cs:33:14:33:22 | access to array element | structs.cs:18:21:18:37 | call to method Source<Object> : Object | structs.cs:33:14:33:22 | access to array element | $@ | structs.cs:18:21:18:37 | call to method Source<Object> : Object | call to method Source<Object> : Object |
--- a/csharp/ql/test/library-tests/dataflow/structs/StructFlow.ql
+++ b/csharp/ql/test/library-tests/dataflow/structs/StructFlow.ql
@@ -0,0 +1,12 @@
+/**
+ * @kind path-problem
+ */
+
+import csharp
+import utils.test.InlineFlowTest
+import DefaultFlowTest
+import PathGraph
+
+from PathNode source, PathNode sink
+where flowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
--- a/csharp/ql/test/library-tests/dataflow/structs/structs.cs
+++ b/csharp/ql/test/library-tests/dataflow/structs/structs.cs
@@ -0,0 +1,40 @@
+using System;
+
+public class Test
+{
+    public struct S
+    {
+        public int field;
+        public object[] args;
+
+        public S(object[] args)
+        {
+            this.args = args;
+        }
+    }
+
+    public void SetTainted(S s)
+    {
+        s.args[0] = Source<object>(2);
+        s.field = Source<int>(3);
+    }
+
+    public void M1()
+    {
+        var o = Source<object>(1);
+        var s = new S([o]);
+        Sink(s.args[0]); // $ hasValueFlow=1
+    }
+
+    public void M2()
+    {
+        var s = new S(new object[1]);
+        SetTainted(s);
+        Sink(s.args[0]); // $ hasValueFlow=2
+        Sink(s.field); // $ no flow.
+    }
+
+    public static void Sink(object o) { }
+
+    static T Source<T>(object source) => throw null;
+}
--- a/csharp/ql/test/library-tests/dispatch/CallGraph.expected
+++ b/csharp/ql/test/library-tests/dispatch/CallGraph.expected
@@ -270,9 +270,10 @@
 | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:637:21:637:21 | M |
 | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:646:21:646:21 | M |
 | ViableCallable.cs:679:17:679:20 | Run3 | ViableCallable.cs:648:21:648:21 | M |
-| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:703:42:703:44 | get_Property |
-| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:703:63:703:65 | set_Property |
-| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:705:49:705:51 | get_Item |
-| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:705:70:705:72 | set_Item |
-| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:706:51:706:53 | add_Event |
-| ViableCallable.cs:709:17:709:20 | Run1 | ViableCallable.cs:706:59:706:64 | remove_Event |
+| ViableCallable.cs:711:17:711:20 | Run1 | ViableCallable.cs:704:24:704:31 | Partial1 |
+| ViableCallable.cs:711:17:711:20 | Run1 | ViableCallable.cs:705:42:705:44 | get_Property |
+| ViableCallable.cs:711:17:711:20 | Run1 | ViableCallable.cs:705:63:705:65 | set_Property |
+| ViableCallable.cs:711:17:711:20 | Run1 | ViableCallable.cs:707:49:707:51 | get_Item |
+| ViableCallable.cs:711:17:711:20 | Run1 | ViableCallable.cs:707:70:707:72 | set_Item |
+| ViableCallable.cs:711:17:711:20 | Run1 | ViableCallable.cs:708:51:708:53 | add_Event |
+| ViableCallable.cs:711:17:711:20 | Run1 | ViableCallable.cs:708:59:708:64 | remove_Event |
--- a/csharp/ql/test/library-tests/dispatch/GetADynamicTarget.expected
+++ b/csharp/ql/test/library-tests/dispatch/GetADynamicTarget.expected
@@ -518,9 +518,10 @@
 | ViableCallable.cs:683:9:683:16 | call to method M | C22+TestOverloadResolution2<System.Int32>.M(Int32[]) |
 | ViableCallable.cs:687:9:687:16 | call to method M | C22+TestOverloadResolution1<System.Int32>.M(List<int>) |
 | ViableCallable.cs:687:9:687:16 | call to method M | C22+TestOverloadResolution2<System.Int32>.M(List<int>) |
-| ViableCallable.cs:714:9:714:18 | access to property Property | C23+Partial1.set_Property(object) |
-| ViableCallable.cs:717:13:717:22 | access to property Property | C23+Partial1.get_Property() |
-| ViableCallable.cs:720:9:720:12 | access to indexer | C23+Partial1.set_Item(int, object) |
-| ViableCallable.cs:723:13:723:16 | access to indexer | C23+Partial1.get_Item(int) |
-| ViableCallable.cs:726:9:726:15 | access to event Event | C23+Partial1.add_Event(EventHandler) |
-| ViableCallable.cs:729:9:729:15 | access to event Event | C23+Partial1.remove_Event(EventHandler) |
+| ViableCallable.cs:716:9:716:18 | access to property Property | C23+Partial1.set_Property(object) |
+| ViableCallable.cs:719:13:719:22 | access to property Property | C23+Partial1.get_Property() |
+| ViableCallable.cs:722:9:722:12 | access to indexer | C23+Partial1.set_Item(int, object) |
+| ViableCallable.cs:725:13:725:16 | access to indexer | C23+Partial1.get_Item(int) |
+| ViableCallable.cs:728:9:728:15 | access to event Event | C23+Partial1.add_Event(EventHandler) |
+| ViableCallable.cs:731:9:731:15 | access to event Event | C23+Partial1.remove_Event(EventHandler) |
+| ViableCallable.cs:734:18:734:43 | object creation of type Partial1 | C23+Partial1.Partial1(object) |
--- a/csharp/ql/test/library-tests/dispatch/ViableCallable.cs
+++ b/csharp/ql/test/library-tests/dispatch/ViableCallable.cs
@@ -692,6 +692,7 @@ public class C23
 {
    public partial class Partial1
    {
+        public partial Partial1(object obj);
        public partial object Property { get; set; }

        public partial object this[int index] { get; set; }
@@ -700,6 +701,7 @@ public class C23

    public partial class Partial1
    {
+        public partial Partial1(object obj) { }
        public partial object Property { get { return null; } set { } }

        public partial object this[int index] { get { return null; } set { } }
@@ -727,5 +729,8 @@ public class C23

        // Viable callable: Partial1.remove_Event
        p.Event -= (sender, e) => { };
+
+        // Viable callable: Partial1.Partial1(object)
+        var p0 = new Partial1(new object());
    }
 }
--- a/csharp/ql/test/library-tests/linq/Linq2.ql
+++ b/csharp/ql/test/library-tests/linq/Linq2.ql
@@ -5,4 +5,5 @@
 import csharp

 from BinaryOperation e
+where not e instanceof Assignment
 select e, e.getAnOperand()
--- a/csharp/ql/test/library-tests/partial/MethodIsPartial.expected
+++ b/csharp/ql/test/library-tests/partial/MethodIsPartial.expected
@@ -1,8 +1,8 @@
-| Partial.cs:7:18:7:42 | PartialMethodWithoutBody1 | true |
-| Partial.cs:8:17:8:23 | Method2 | false |
-| Partial.cs:19:18:19:39 | PartialMethodWithBody1 | true |
-| Partial.cs:20:27:20:48 | PartialMethodWithBody2 | true |
-| Partial.cs:24:17:24:23 | Method3 | false |
-| Partial.cs:46:18:46:42 | PartialMethodWithoutBody2 | true |
-| Partial.cs:47:17:47:23 | Method4 | false |
-| Partial.cs:52:17:52:23 | Method5 | false |
+| Partial.cs:9:18:9:42 | PartialMethodWithoutBody1 | true |
+| Partial.cs:10:17:10:23 | Method2 | false |
+| Partial.cs:23:18:23:39 | PartialMethodWithBody1 | true |
+| Partial.cs:24:27:24:48 | PartialMethodWithBody2 | true |
+| Partial.cs:28:17:28:23 | Method3 | false |
+| Partial.cs:50:18:50:42 | PartialMethodWithoutBody2 | true |
+| Partial.cs:51:17:51:23 | Method4 | false |
+| Partial.cs:57:17:57:23 | Method5 | false |
--- a/csharp/ql/test/library-tests/partial/Partial.cs
+++ b/csharp/ql/test/library-tests/partial/Partial.cs
@@ -2,6 +2,8 @@ using System;

 partial class TwoPartClass
 {
+    // Declaring declaration.
+    public partial TwoPartClass(object obj);
    partial void PartialMethodWithBody1();
    public partial object PartialMethodWithBody2(object obj);
    partial void PartialMethodWithoutBody1();
@@ -16,6 +18,8 @@ partial class TwoPartClass

 partial class TwoPartClass
 {
+    // Implementation declaration.
+    public partial TwoPartClass(object obj) { }
    partial void PartialMethodWithBody1() { }
    public partial object PartialMethodWithBody2(object obj)
    {
@@ -49,6 +53,7 @@ partial class OnePartPartialClass

 class NonPartialClass
 {
+    public NonPartialClass(object obj) { }
    public void Method5() { }
    public object Property { get; set; }
    public object this[int index]
--- a/csharp/ql/test/library-tests/partial/Partial1.expected
+++ b/csharp/ql/test/library-tests/partial/Partial1.expected
@@ -1,18 +1,19 @@
 | Partial.cs:3:15:3:26 | TwoPartClass |
-| Partial.cs:7:18:7:42 | PartialMethodWithoutBody1 |
-| Partial.cs:17:15:17:26 | TwoPartClass |
-| Partial.cs:19:18:19:39 | PartialMethodWithBody1 |
-| Partial.cs:20:27:20:48 | PartialMethodWithBody2 |
-| Partial.cs:27:27:27:42 | PartialProperty1 |
-| Partial.cs:29:9:29:11 | get_PartialProperty1 |
-| Partial.cs:30:9:30:11 | set_PartialProperty1 |
-| Partial.cs:34:27:34:30 | Item |
-| Partial.cs:36:9:36:11 | get_Item |
-| Partial.cs:37:9:37:11 | set_Item |
-| Partial.cs:41:39:41:51 | PartialEvent1 |
-| Partial.cs:41:55:41:57 | add_PartialEvent1 |
-| Partial.cs:41:63:41:68 | remove_PartialEvent1 |
-| Partial.cs:44:15:44:33 | OnePartPartialClass |
-| Partial.cs:46:18:46:42 | PartialMethodWithoutBody2 |
+| Partial.cs:9:18:9:42 | PartialMethodWithoutBody1 |
+| Partial.cs:19:15:19:26 | TwoPartClass |
+| Partial.cs:22:20:22:31 | TwoPartClass |
+| Partial.cs:23:18:23:39 | PartialMethodWithBody1 |
+| Partial.cs:24:27:24:48 | PartialMethodWithBody2 |
+| Partial.cs:31:27:31:42 | PartialProperty1 |
+| Partial.cs:33:9:33:11 | get_PartialProperty1 |
+| Partial.cs:34:9:34:11 | set_PartialProperty1 |
+| Partial.cs:38:27:38:30 | Item |
+| Partial.cs:40:9:40:11 | get_Item |
+| Partial.cs:41:9:41:11 | set_Item |
+| Partial.cs:45:39:45:51 | PartialEvent1 |
+| Partial.cs:45:55:45:57 | add_PartialEvent1 |
+| Partial.cs:45:63:45:68 | remove_PartialEvent1 |
+| Partial.cs:48:15:48:33 | OnePartPartialClass |
+| Partial.cs:50:18:50:42 | PartialMethodWithoutBody2 |
 | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles |
 | PartialMultipleFiles2.cs:1:22:1:41 | PartialMultipleFiles |
--- a/csharp/ql/test/library-tests/partial/Partial2.expected
+++ b/csharp/ql/test/library-tests/partial/Partial2.expected
@@ -1,17 +1,17 @@
 | Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:3:15:3:26 | <object initializer> |
-| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:7:18:7:42 | PartialMethodWithoutBody1 |
-| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:8:17:8:23 | Method2 |
-| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:19:18:19:39 | PartialMethodWithBody1 |
-| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:20:27:20:48 | PartialMethodWithBody2 |
-| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:24:17:24:23 | Method3 |
-| Partial.cs:17:15:17:26 | TwoPartClass | Partial.cs:3:15:3:26 | <object initializer> |
-| Partial.cs:17:15:17:26 | TwoPartClass | Partial.cs:7:18:7:42 | PartialMethodWithoutBody1 |
-| Partial.cs:17:15:17:26 | TwoPartClass | Partial.cs:8:17:8:23 | Method2 |
-| Partial.cs:17:15:17:26 | TwoPartClass | Partial.cs:19:18:19:39 | PartialMethodWithBody1 |
-| Partial.cs:17:15:17:26 | TwoPartClass | Partial.cs:20:27:20:48 | PartialMethodWithBody2 |
-| Partial.cs:17:15:17:26 | TwoPartClass | Partial.cs:24:17:24:23 | Method3 |
-| Partial.cs:44:15:44:33 | OnePartPartialClass | Partial.cs:44:15:44:33 | <object initializer> |
-| Partial.cs:44:15:44:33 | OnePartPartialClass | Partial.cs:46:18:46:42 | PartialMethodWithoutBody2 |
-| Partial.cs:44:15:44:33 | OnePartPartialClass | Partial.cs:47:17:47:23 | Method4 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:9:18:9:42 | PartialMethodWithoutBody1 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:10:17:10:23 | Method2 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:23:18:23:39 | PartialMethodWithBody1 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:24:27:24:48 | PartialMethodWithBody2 |
+| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:28:17:28:23 | Method3 |
+| Partial.cs:19:15:19:26 | TwoPartClass | Partial.cs:3:15:3:26 | <object initializer> |
+| Partial.cs:19:15:19:26 | TwoPartClass | Partial.cs:9:18:9:42 | PartialMethodWithoutBody1 |
+| Partial.cs:19:15:19:26 | TwoPartClass | Partial.cs:10:17:10:23 | Method2 |
+| Partial.cs:19:15:19:26 | TwoPartClass | Partial.cs:23:18:23:39 | PartialMethodWithBody1 |
+| Partial.cs:19:15:19:26 | TwoPartClass | Partial.cs:24:27:24:48 | PartialMethodWithBody2 |
+| Partial.cs:19:15:19:26 | TwoPartClass | Partial.cs:28:17:28:23 | Method3 |
+| Partial.cs:48:15:48:33 | OnePartPartialClass | Partial.cs:48:15:48:33 | <object initializer> |
+| Partial.cs:48:15:48:33 | OnePartPartialClass | Partial.cs:50:18:50:42 | PartialMethodWithoutBody2 |
+| Partial.cs:48:15:48:33 | OnePartPartialClass | Partial.cs:51:17:51:23 | Method4 |
 | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | <object initializer> |
 | PartialMultipleFiles2.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | <object initializer> |
--- a/csharp/ql/test/library-tests/partial/PartialAccessors.expected
+++ b/csharp/ql/test/library-tests/partial/PartialAccessors.expected
@@ -1,12 +1,12 @@
-| Partial.cs:29:9:29:11 | get_PartialProperty1 | true |
-| Partial.cs:30:9:30:11 | set_PartialProperty1 | true |
-| Partial.cs:36:9:36:11 | get_Item | true |
-| Partial.cs:37:9:37:11 | set_Item | true |
-| Partial.cs:41:55:41:57 | add_PartialEvent1 | true |
-| Partial.cs:41:63:41:68 | remove_PartialEvent1 | true |
-| Partial.cs:53:30:53:32 | get_Property | false |
-| Partial.cs:53:35:53:37 | set_Property | false |
-| Partial.cs:56:9:56:11 | get_Item | false |
-| Partial.cs:57:9:57:11 | set_Item | false |
-| Partial.cs:59:31:59:35 | add_Event | false |
-| Partial.cs:59:31:59:35 | remove_Event | false |
+| Partial.cs:33:9:33:11 | get_PartialProperty1 | true |
+| Partial.cs:34:9:34:11 | set_PartialProperty1 | true |
+| Partial.cs:40:9:40:11 | get_Item | true |
+| Partial.cs:41:9:41:11 | set_Item | true |
+| Partial.cs:45:55:45:57 | add_PartialEvent1 | true |
+| Partial.cs:45:63:45:68 | remove_PartialEvent1 | true |
+| Partial.cs:58:30:58:32 | get_Property | false |
+| Partial.cs:58:35:58:37 | set_Property | false |
+| Partial.cs:61:9:61:11 | get_Item | false |
+| Partial.cs:62:9:62:11 | set_Item | false |
+| Partial.cs:64:31:64:35 | add_Event | false |
+| Partial.cs:64:31:64:35 | remove_Event | false |
--- a/csharp/ql/test/library-tests/partial/PartialConstructors.expected
+++ b/csharp/ql/test/library-tests/partial/PartialConstructors.expected
@@ -1,4 +1,4 @@
-| Partial.cs:3:15:3:26 | TwoPartClass | Partial.cs:3:15:3:26 | {...} |
-| Partial.cs:44:15:44:33 | OnePartPartialClass | Partial.cs:44:15:44:33 | {...} |
-| Partial.cs:50:7:50:21 | NonPartialClass | Partial.cs:50:7:50:21 | {...} |
+| Partial.cs:22:20:22:31 | TwoPartClass | Partial.cs:22:45:22:47 | {...} |
+| Partial.cs:48:15:48:33 | OnePartPartialClass | Partial.cs:48:15:48:33 | {...} |
+| Partial.cs:56:12:56:26 | NonPartialClass | Partial.cs:56:40:56:42 | {...} |
 | PartialMultipleFiles1.cs:1:22:1:41 | PartialMultipleFiles | PartialMultipleFiles1.cs:1:22:1:41 | {...} |
--- a/csharp/ql/test/library-tests/partial/PartialEvents.expected
+++ b/csharp/ql/test/library-tests/partial/PartialEvents.expected
@@ -1,2 +1,2 @@
-| Partial.cs:41:39:41:51 | PartialEvent1 | true |
-| Partial.cs:59:31:59:35 | Event | false |
+| Partial.cs:45:39:45:51 | PartialEvent1 | true |
+| Partial.cs:64:31:64:35 | Event | false |
--- a/csharp/ql/test/library-tests/partial/PartialIndexers.expected
+++ b/csharp/ql/test/library-tests/partial/PartialIndexers.expected
@@ -1,2 +1,2 @@
-| Partial.cs:34:27:34:30 | Item | true |
-| Partial.cs:54:19:54:22 | Item | false |
+| Partial.cs:38:27:38:30 | Item | true |
+| Partial.cs:59:19:59:22 | Item | false |
--- a/csharp/ql/test/library-tests/partial/PartialMethodBody.expected
+++ b/csharp/ql/test/library-tests/partial/PartialMethodBody.expected
@@ -1,4 +1,4 @@
-| Partial.cs:7:18:7:42 | PartialMethodWithoutBody1 | false | 0 |
-| Partial.cs:19:18:19:39 | PartialMethodWithBody1 | true | 1 |
-| Partial.cs:20:27:20:48 | PartialMethodWithBody2 | true | 1 |
-| Partial.cs:46:18:46:42 | PartialMethodWithoutBody2 | false | 0 |
+| Partial.cs:9:18:9:42 | PartialMethodWithoutBody1 | false | 0 |
+| Partial.cs:23:18:23:39 | PartialMethodWithBody1 | true | 1 |
+| Partial.cs:24:27:24:48 | PartialMethodWithBody2 | true | 1 |
+| Partial.cs:50:18:50:42 | PartialMethodWithoutBody2 | false | 0 |
--- a/csharp/ql/test/library-tests/partial/PartialProperties.expected
+++ b/csharp/ql/test/library-tests/partial/PartialProperties.expected
@@ -1,2 +1,2 @@
-| Partial.cs:27:27:27:42 | PartialProperty1 | true |
-| Partial.cs:53:19:53:26 | Property | false |
+| Partial.cs:31:27:31:42 | PartialProperty1 | true |
+| Partial.cs:58:19:58:26 | Property | false |
--- a/csharp/ql/test/library-tests/partial/PrintAst.expected
+++ b/csharp/ql/test/library-tests/partial/PrintAst.expected
@@ -1,116 +1,126 @@
 Partial.cs:
 #    3| [Class] TwoPartClass
-#    7|   6: [Method] PartialMethodWithoutBody1
-#    7|     -1: [TypeMention] Void
-#    8|   7: [Method] Method2
-#    8|     -1: [TypeMention] Void
-#    8|     4: [BlockStmt] {...}
-#   19|   8: [Method] PartialMethodWithBody1
-#   19|     -1: [TypeMention] Void
-#   19|     4: [BlockStmt] {...}
-#   20|   9: [Method] PartialMethodWithBody2
-#   20|     -1: [TypeMention] object
+#    9|   5: [Method] PartialMethodWithoutBody1
+#    9|     -1: [TypeMention] Void
+#   10|   6: [Method] Method2
+#   10|     -1: [TypeMention] Void
+#   10|     4: [BlockStmt] {...}
+#   22|   7: [InstanceConstructor] TwoPartClass
 #-----|     2: (Parameters)
-#   20|       0: [Parameter] obj
-#   20|         -1: [TypeMention] object
-#   21|     4: [BlockStmt] {...}
-#   22|       0: [ReturnStmt] return ...;
-#   22|         0: [ParameterAccess] access to parameter obj
-#   24|   10: [Method] Method3
-#   24|     -1: [TypeMention] Void
-#   24|     4: [BlockStmt] {...}
-#   25|   11: [Field] _backingField
-#   25|     -1: [TypeMention] object
-#   27|   12: [Property] PartialProperty1
-#   27|     -1: [TypeMention] object
-#   29|     3: [Getter] get_PartialProperty1
-#   29|       4: [BlockStmt] {...}
-#   29|         0: [ReturnStmt] return ...;
-#   29|           0: [FieldAccess] access to field _backingField
-#   30|     4: [Setter] set_PartialProperty1
+#   22|       0: [Parameter] obj
+#   22|         -1: [TypeMention] object
+#   22|     4: [BlockStmt] {...}
+#   23|   8: [Method] PartialMethodWithBody1
+#   23|     -1: [TypeMention] Void
+#   23|     4: [BlockStmt] {...}
+#   24|   9: [Method] PartialMethodWithBody2
+#   24|     -1: [TypeMention] object
+#-----|     2: (Parameters)
+#   24|       0: [Parameter] obj
+#   24|         -1: [TypeMention] object
+#   25|     4: [BlockStmt] {...}
+#   26|       0: [ReturnStmt] return ...;
+#   26|         0: [ParameterAccess] access to parameter obj
+#   28|   10: [Method] Method3
+#   28|     -1: [TypeMention] Void
+#   28|     4: [BlockStmt] {...}
+#   29|   11: [Field] _backingField
+#   29|     -1: [TypeMention] object
+#   31|   12: [Property] PartialProperty1
+#   31|     -1: [TypeMention] object
+#   33|     3: [Getter] get_PartialProperty1
+#   33|       4: [BlockStmt] {...}
+#   33|         0: [ReturnStmt] return ...;
+#   33|           0: [FieldAccess] access to field _backingField
+#   34|     4: [Setter] set_PartialProperty1
 #-----|       2: (Parameters)
-#   30|         0: [Parameter] value
-#   30|       4: [BlockStmt] {...}
-#   30|         0: [ExprStmt] ...;
-#   30|           0: [AssignExpr] ... = ...
-#   30|             0: [FieldAccess] access to field _backingField
-#   30|             1: [ParameterAccess] access to parameter value
-#   32|   13: [Field] _backingArray
-#   32|     -1: [TypeMention] Object[]
-#   32|       1: [TypeMention] object
-#   34|   14: [Indexer] Item
-#   34|     -1: [TypeMention] object
+#   34|         0: [Parameter] value
+#   34|       4: [BlockStmt] {...}
+#   34|         0: [ExprStmt] ...;
+#   34|           0: [AssignExpr] ... = ...
+#   34|             0: [FieldAccess] access to field _backingField
+#   34|             1: [ParameterAccess] access to parameter value
+#   36|   13: [Field] _backingArray
+#   36|     -1: [TypeMention] Object[]
+#   36|       1: [TypeMention] object
+#   38|   14: [Indexer] Item
+#   38|     -1: [TypeMention] object
 #-----|     1: (Parameters)
-#   34|       0: [Parameter] index
-#   34|         -1: [TypeMention] int
-#   36|     3: [Getter] get_Item
+#   38|       0: [Parameter] index
+#   38|         -1: [TypeMention] int
+#   40|     3: [Getter] get_Item
 #-----|       2: (Parameters)
-#   34|         0: [Parameter] index
-#   36|       4: [BlockStmt] {...}
-#   36|         0: [ReturnStmt] return ...;
-#   36|           0: [ArrayAccess] access to array element
-#   36|             -1: [FieldAccess] access to field _backingArray
-#   36|             0: [ParameterAccess] access to parameter index
-#   37|     4: [Setter] set_Item
+#   38|         0: [Parameter] index
+#   40|       4: [BlockStmt] {...}
+#   40|         0: [ReturnStmt] return ...;
+#   40|           0: [ArrayAccess] access to array element
+#   40|             -1: [FieldAccess] access to field _backingArray
+#   40|             0: [ParameterAccess] access to parameter index
+#   41|     4: [Setter] set_Item
 #-----|       2: (Parameters)
-#   34|         0: [Parameter] index
-#   37|         1: [Parameter] value
-#   37|       4: [BlockStmt] {...}
-#   37|         0: [ExprStmt] ...;
-#   37|           0: [AssignExpr] ... = ...
-#   37|             0: [ArrayAccess] access to array element
-#   37|               -1: [FieldAccess] access to field _backingArray
-#   37|               0: [ParameterAccess] access to parameter index
-#   37|             1: [ParameterAccess] access to parameter value
-#   41|   15: [Event] PartialEvent1
-#   41|     3: [AddEventAccessor] add_PartialEvent1
-#-----|       2: (Parameters)
-#   41|         0: [Parameter] value
+#   38|         0: [Parameter] index
+#   41|         1: [Parameter] value
 #   41|       4: [BlockStmt] {...}
-#   41|     4: [RemoveEventAccessor] remove_PartialEvent1
+#   41|         0: [ExprStmt] ...;
+#   41|           0: [AssignExpr] ... = ...
+#   41|             0: [ArrayAccess] access to array element
+#   41|               -1: [FieldAccess] access to field _backingArray
+#   41|               0: [ParameterAccess] access to parameter index
+#   41|             1: [ParameterAccess] access to parameter value
+#   45|   15: [Event] PartialEvent1
+#   45|     3: [AddEventAccessor] add_PartialEvent1
 #-----|       2: (Parameters)
-#   41|         0: [Parameter] value
-#   41|       4: [BlockStmt] {...}
-#   44| [Class] OnePartPartialClass
-#   46|   6: [Method] PartialMethodWithoutBody2
-#   46|     -1: [TypeMention] Void
-#   47|   7: [Method] Method4
-#   47|     -1: [TypeMention] Void
-#   47|     4: [BlockStmt] {...}
-#   50| [Class] NonPartialClass
-#   52|   6: [Method] Method5
-#   52|     -1: [TypeMention] Void
-#   52|     4: [BlockStmt] {...}
-#   53|   7: [Property] Property
-#   53|     -1: [TypeMention] object
-#   53|     3: [Getter] get_Property
-#   53|     4: [Setter] set_Property
+#   45|         0: [Parameter] value
+#   45|       4: [BlockStmt] {...}
+#   45|     4: [RemoveEventAccessor] remove_PartialEvent1
 #-----|       2: (Parameters)
-#   53|         0: [Parameter] value
-#   54|   8: [Indexer] Item
-#   54|     -1: [TypeMention] object
+#   45|         0: [Parameter] value
+#   45|       4: [BlockStmt] {...}
+#   48| [Class] OnePartPartialClass
+#   50|   6: [Method] PartialMethodWithoutBody2
+#   50|     -1: [TypeMention] Void
+#   51|   7: [Method] Method4
+#   51|     -1: [TypeMention] Void
+#   51|     4: [BlockStmt] {...}
+#   54| [Class] NonPartialClass
+#   56|   5: [InstanceConstructor] NonPartialClass
+#-----|     2: (Parameters)
+#   56|       0: [Parameter] obj
+#   56|         -1: [TypeMention] object
+#   56|     4: [BlockStmt] {...}
+#   57|   6: [Method] Method5
+#   57|     -1: [TypeMention] Void
+#   57|     4: [BlockStmt] {...}
+#   58|   7: [Property] Property
+#   58|     -1: [TypeMention] object
+#   58|     3: [Getter] get_Property
+#   58|     4: [Setter] set_Property
+#-----|       2: (Parameters)
+#   58|         0: [Parameter] value
+#   59|   8: [Indexer] Item
+#   59|     -1: [TypeMention] object
 #-----|     1: (Parameters)
-#   54|       0: [Parameter] index
-#   54|         -1: [TypeMention] int
-#   56|     3: [Getter] get_Item
+#   59|       0: [Parameter] index
+#   59|         -1: [TypeMention] int
+#   61|     3: [Getter] get_Item
 #-----|       2: (Parameters)
-#   54|         0: [Parameter] index
-#   56|       4: [BlockStmt] {...}
-#   56|         0: [ReturnStmt] return ...;
-#   56|           0: [NullLiteral] null
-#   57|     4: [Setter] set_Item
+#   59|         0: [Parameter] index
+#   61|       4: [BlockStmt] {...}
+#   61|         0: [ReturnStmt] return ...;
+#   61|           0: [NullLiteral] null
+#   62|     4: [Setter] set_Item
 #-----|       2: (Parameters)
-#   54|         0: [Parameter] index
-#   57|         1: [Parameter] value
-#   57|       4: [BlockStmt] {...}
-#   59|   9: [Event] Event
-#   59|     -1: [TypeMention] EventHandler
-#   59|     3: [AddEventAccessor] add_Event
+#   59|         0: [Parameter] index
+#   62|         1: [Parameter] value
+#   62|       4: [BlockStmt] {...}
+#   64|   9: [Event] Event
+#   64|     -1: [TypeMention] EventHandler
+#   64|     3: [AddEventAccessor] add_Event
 #-----|       2: (Parameters)
-#   59|         0: [Parameter] value
-#   59|     4: [RemoveEventAccessor] remove_Event
+#   64|         0: [Parameter] value
+#   64|     4: [RemoveEventAccessor] remove_Event
 #-----|       2: (Parameters)
-#   59|         0: [Parameter] value
+#   64|         0: [Parameter] value
 PartialMultipleFiles1.cs:
 #    1| [Class] PartialMultipleFiles
 PartialMultipleFiles2.cs:
--- a/Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/Program.cs
+++ b/Features/CWE-1004/HttpOnlyCookie/AspNetCore/NoPolicy/Program.cs
@@ -2,12 +2,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
    public void CookieDefault()
    {
-        Response.Cookies.Append("auth", "value"); // $Alert // BAD: HttpOnly is set to false by default
+        Response.Cookies.Append("auth", "value"); // $ Alert // BAD: HttpOnly is set to false by default
    }

    public void CookieDefault2()
    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
        Response.Cookies.Append("auth", "value", cookieOptions); // BAD: HttpOnly is set to false by default
    }

@@ -39,14 +39,14 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller

    void CookieDirectFalse()
    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
        cookieOptions.HttpOnly = false;
        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
    }

    void CookieDirectFalseInitializer()
    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = false }; // $ Alert
        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
    }

@@ -67,7 +67,7 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller

    void CookieIntermediateFalse()
    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ MISSING:Alert
        bool v = false;
        cookieOptions.HttpOnly = v;
        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
@@ -76,7 +76,7 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
    void CookieIntermediateFalseInitializer()
    {
        bool v = false;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $MISSING:Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { HttpOnly = v }; // $ MISSING:Alert
        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
    }
 }
--- a/Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Program.cs
+++ b/Features/CWE-1004/HttpOnlyCookie/SystemWeb/HttpOnlyCookiesFalse/Program.cs
@@ -13,7 +13,7 @@ class Program

    void CookieDefault()
    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // $Alert // BAD: httpOnlyCookies is set to false by default
+        var cookie = new System.Web.HttpCookie("sessionID"); // $ Alert // BAD: httpOnlyCookies is set to false by default
    }

    void CookieDefaultForgery()
@@ -29,13 +29,13 @@ class Program

    void CookieDirectFalse()
    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // $Alert 
+        var cookie = new System.Web.HttpCookie("sessionID"); // $ Alert
        cookie.HttpOnly = false; // BAD
    }

    void CookieDirectFalseInitializer()
    {
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false };  // $Alert // BAD
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = false };  // $ Alert // BAD
    }

    void CookieIntermediateTrue()
@@ -53,7 +53,7 @@ class Program

    void CookieIntermediateFalse()
    {
-        var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert 
+        var cookie = new System.Web.HttpCookie("sessionID"); // MISSING:Alert
        bool v = false;
        cookie.HttpOnly = v; // BAD
    }
@@ -61,6 +61,6 @@ class Program
    void CookieIntermediateFalseInitializer()
    {
        bool v = false;
-        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v };  // $MISSING:Alert // BAD
+        var cookie = new System.Web.HttpCookie("sessionID") { HttpOnly = v };  // $ MISSING:Alert // BAD
    }
 }
--- a/Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/Program.cs
+++ b/Features/CWE-614/InsecureCookie/AspNetCore/NoPolicy/Program.cs
@@ -2,12 +2,12 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
 {
    public void CookieDefault()
    {
-        Response.Cookies.Append("name", "value"); // $Alert // BAD: Secure is set to false by default
+        Response.Cookies.Append("name", "value"); // $ Alert // BAD: Secure is set to false by default
    }

    public void CookieDefault2()
    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
        Response.Cookies.Append("name", "value", cookieOptions); // BAD: Secure is set to false by default
    }

@@ -32,14 +32,14 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller

    void CookieDirectFalse()
    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ Alert
        cookieOptions.Secure = false;
        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
    }

    void CookieDirectFalseInitializer()
    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = false }; // $ Alert
        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD
    }

@@ -60,7 +60,7 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller

    void CookieIntermediateFalse()
    {
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $MISSING:Alert
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions(); // $ MISSING:Alert
        bool v = false;
        cookieOptions.Secure = v;
        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
@@ -69,7 +69,7 @@ public class MyController : Microsoft.AspNetCore.Mvc.Controller
    void CookieIntermediateFalseInitializer()
    {
        bool v = false;
-        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $MISSING:Alert 
+        var cookieOptions = new Microsoft.AspNetCore.Http.CookieOptions() { Secure = v }; // $ MISSING:Alert
        Response.Cookies.Append("auth", "secret", cookieOptions); // BAD, but not detected
    }
 }
--- a/Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs
+++ b/Features/CWE-614/InsecureCookie/SystemWeb/RequireSSLFalse/Program.cs
@@ -2,7 +2,7 @@ class Program
 {
    void CookieDefault()
    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // $Alert // BAD: requireSSL is set to false by default
+        var cookie = new System.Web.HttpCookie("cookieName"); // $ Alert // BAD: requireSSL is set to false by default
    }

    void CookieDirectTrue()
@@ -31,18 +31,18 @@ class Program

    void CookieDirectFalse()
    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // $Alert 
+        var cookie = new System.Web.HttpCookie("cookieName"); // $ Alert
        cookie.Secure = false; // BAD
    }

    void CookieDirectFalseInitializer()
    {
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $Alert // BAD
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = false }; // $ Alert // BAD
    }

        void CookieIntermediateFalse()
    {
-        var cookie = new System.Web.HttpCookie("cookieName"); // $MISSING:Alert
+        var cookie = new System.Web.HttpCookie("cookieName"); // $ MISSING:Alert
        bool v = false;
        cookie.Secure = v; // BAD, but not detected
    }
@@ -50,6 +50,6 @@ class Program
    void CookieIntermediateFalseInitializer()
    {
        bool v = false;
-        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $MISSING:Alert // BAD, but not detected
+        var cookie = new System.Web.HttpCookie("cookieName") { Secure = v }; // $ MISSING:Alert // BAD, but not detected
    }
 }