C++: Remove omittable exists variables

cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql

@@ -64,7 +64,7 @@ class VarargsFunction extends Function {
     totalCount = this.totalCount() and
     100 * cnt / totalCount >= 80 and
     // terminator value is not used in a non-terminating position
-    not exists(FunctionCall fc, int index | this.nonTrailingVarArgValue(fc, index) = result)
+    not this.nonTrailingVarArgValue(_, _) = result
   }
 
   predicate isWhitelisted() { this.hasGlobalName(["open", "fcntl", "ptrace", "mremap"]) }

cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql

@@ -54,8 +54,8 @@ predicate filenameOperation(FunctionCall op, Expr path) {
 }
 
 predicate isFileName(GVN gvn) {
-  exists(FunctionCall op, Expr path |
-    filenameOperation(op, path) and
+  exists(Expr path |
+    filenameOperation(_, path) and
     gvn = globalValueNumber(path)
   )
 }

cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql

@@ -106,8 +106,8 @@ predicate checksPath(Expr check, Expr checkPath) {
   // access to a member variable on the stat buf
   // (morally, this should be a use-use pair, but it seems unlikely
   // that this variable will get reused in practice)
-  exists(Expr call, Expr e, Variable v |
-    statCallWithPointer(checkPath, call, e, v) and
+  exists(Expr e, Variable v |
+    statCallWithPointer(checkPath, _, e, v) and
     check.(VariableAccess).getTarget() = v and
     not e.getAChild*() = check // the call that writes to the pointer is not where the pointer is checked.
   )

cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql

@@ -100,14 +100,14 @@ predicate isQuotedOrNoSpaceApplicationNameOnCmd(string s) {
 
 from CreateProcessFunctionCall call, string msg1, string msg2
 where
-  exists(Expr source, Expr appName, NullAppNameCreateProcessFunctionConfiguration nullAppConfig |
+  exists(Expr appName, NullAppNameCreateProcessFunctionConfiguration nullAppConfig |
     appName = call.getArgument(call.getApplicationNameArgumentId()) and
-    nullAppConfig.hasFlow(DataFlow2::exprNode(source), DataFlow2::exprNode(appName)) and
+    nullAppConfig.hasFlowToExpr(appName) and
     msg1 = call.toString() + " with lpApplicationName == NULL (" + appName + ")"
   ) and
-  exists(Expr source, Expr cmd, QuotedCommandInCreateProcessFunctionConfiguration quotedConfig |
+  exists(Expr cmd, QuotedCommandInCreateProcessFunctionConfiguration quotedConfig |
     cmd = call.getArgument(call.getCommandLineArgumentId()) and
-    quotedConfig.hasFlow(DataFlow2::exprNode(source), DataFlow2::exprNode(cmd)) and
+    quotedConfig.hasFlowToExpr(cmd) and
     msg2 =
       " and with an unquoted lpCommandLine (" + cmd +
         ") introduces a security vulnerability if the path contains spaces."

cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingCommon.qll

@@ -100,7 +100,7 @@ Type baseType(Type t) {
  */
 predicate exprSourceType(Expr use, Type sourceType, Location sourceLoc) {
   // Reaching definitions.
-  if exists(SsaDefinition def, StackVariable v | use = def.getAUse(v))
+  if exists(SsaDefinition def | use = def.getAUse(_))
   then
     exists(SsaDefinition def, StackVariable v | use = def.getAUse(v) |
       defSourceType(def, v, sourceType, sourceLoc)

cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql

@@ -83,16 +83,13 @@ where
     call.getArgument(2) = nullExpr
   )
   or
-  exists(
-    Expr constassign, VariableAccess var, NullDaclConfig nullDaclConfig,
-    NonNullDaclConfig nonNullDaclConfig
-  |
+  exists(VariableAccess var, NullDaclConfig nullDaclConfig, NonNullDaclConfig nonNullDaclConfig |
     message =
       "Setting a DACL to NULL in a SECURITY_DESCRIPTOR using variable " + var +
         " that is set to NULL will result in an unprotected object."
   |
     var = call.getArgument(2) and
-    nullDaclConfig.hasFlow(DataFlow::exprNode(constassign), DataFlow::exprNode(var)) and
-    not nonNullDaclConfig.hasFlow(_, DataFlow::exprNode(var))
+    nullDaclConfig.hasFlowToExpr(var) and
+    not nonNullDaclConfig.hasFlowToExpr(var)
   )
 select call, message