Merge branch 'main' into jcogs33/update-externalapi-charpredicate

.github/workflows/check-query-ids.yml

@@ -0,0 +1,21 @@
+name: Check query IDs
+
+on:
+  pull_request:
+    paths:
+      - "**/src/**/*.ql"
+      - misc/scripts/check-query-ids.py
+      - .github/workflows/check-query-ids.yml
+    branches:
+      - main
+      - "rc/*"
+  workflow_dispatch:
+
+jobs:
+  check:
+    name: Check query IDs
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check for duplicate query IDs
+        run: python3 misc/scripts/check-query-ids.py

.github/workflows/swift.yml

@@ -65,6 +65,7 @@ jobs:
     if : ${{ github.event_name == 'pull_request' }}
     needs: build-and-test-macos
     runs-on: macos-12-xl
+    timeout-minutes: 60
     steps:
       - uses: actions/checkout@v3
       - uses: ./swift/actions/run-integration-tests

config/identical-files.json

@@ -470,6 +470,10 @@
     "javascript/ql/src/Comments/CommentedOutCodeReferences.inc.qhelp",
     "python/ql/src/Lexical/CommentedOutCodeReferences.inc.qhelp"
   ],
+  "ThreadResourceAbuse qhelp": [
+    "java/ql/src/experimental/Security/CWE/CWE-400/LocalThreadResourceAbuse.qhelp",
+    "java/ql/src/experimental/Security/CWE/CWE-400/ThreadResourceAbuse.qhelp"
+  ],
   "IDE Contextual Queries": [
     "cpp/ql/lib/IDEContextual.qll",
     "csharp/ql/lib/IDEContextual.qll",
@@ -537,6 +541,11 @@
     "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModels.qll",
     "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModels.qll"
   ],
+  "ApiGraphModelsExtensions": [
+    "javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModelsExtensions.qll",
+    "ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsExtensions.qll",
+    "python/ql/lib/semmle/python/frameworks/data/internal/ApiGraphModelsExtensions.qll"
+  ],
   "TaintedFormatStringQuery Ruby/JS": [
     "javascript/ql/lib/semmle/javascript/security/dataflow/TaintedFormatStringQuery.qll",
     "ruby/ql/lib/codeql/ruby/security/TaintedFormatStringQuery.qll"

cpp/ql/lib/change-notes/2022-12-08-support-getaddrinfo-dataflow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `getaddrinfo` function is now recognized as a flow source.

cpp/ql/lib/change-notes/2022-12-08-support-scanf-dataflow.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `scanf` and `fscanf` functions and their variants are now recognized as flow sources.

cpp/ql/lib/change-notes/2022-12-09-generalize-argv-source.md

@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* The `ArgvSource` flow source has been generalized to handle cases where the argument vector of `main` is not named `argv`.

cpp/ql/lib/semmle/code/cpp/models/Models.qll

@@ -27,7 +27,7 @@ private import implementations.StdString
 private import implementations.Swap
 private import implementations.GetDelim
 private import implementations.SmartPointer
-private import implementations.Sscanf
+private import implementations.Scanf
 private import implementations.Send
 private import implementations.Recv
 private import implementations.Accept

cpp/ql/lib/semmle/code/cpp/models/implementations/Fread.qll

@@ -15,6 +15,6 @@ private class Fread extends AliasFunction, RemoteFlowSourceFunction {
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
-    description = "String read by " + this.getName()
+    description = "string read by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/GetDelim.qll

@@ -36,6 +36,6 @@ private class GetDelimFunction extends TaintFunction, AliasFunction, SideEffectF
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
-    description = "String read by " + this.getName()
+    description = "string read by " + this.getName()
   }
 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Gets.qll

@@ -49,10 +49,10 @@ private class FgetsFunction extends DataFlowFunction, TaintFunction, ArrayFuncti
 
   override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
-    description = "String read by " + this.getName()
+    description = "string read by " + this.getName()
     or
     output.isReturnValue() and
-    description = "String read by " + this.getName()
+    description = "string read by " + this.getName()
   }
 
   override predicate hasArrayWithVariableSize(int bufParam, int countParam) {
@@ -98,10 +98,10 @@ private class GetsFunction extends DataFlowFunction, ArrayFunction, AliasFunctio
 
   override predicate hasLocalFlowSource(FunctionOutput output, string description) {
     output.isParameterDeref(0) and
-    description = "String read by " + this.getName()
+    description = "string read by " + this.getName()
     or
     output.isReturnValue() and
-    description = "String read by " + this.getName()
+    description = "string read by " + this.getName()
   }
 
   override predicate hasArrayWithUnknownSize(int bufParam) { bufParam = 0 }

cpp/ql/lib/semmle/code/cpp/models/implementations/Inet.qll

@@ -1,9 +1,10 @@
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.ArrayFunction
+import semmle.code.cpp.models.interfaces.FlowSource
 
 private class InetNtoa extends TaintFunction {
-  InetNtoa() { hasGlobalName("inet_ntoa") }
+  InetNtoa() { this.hasGlobalName("inet_ntoa") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
@@ -12,7 +13,7 @@ private class InetNtoa extends TaintFunction {
 }
 
 private class InetAton extends TaintFunction, ArrayFunction {
-  InetAton() { hasGlobalName("inet_aton") }
+  InetAton() { this.hasGlobalName("inet_aton") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
@@ -32,7 +33,7 @@ private class InetAton extends TaintFunction, ArrayFunction {
 }
 
 private class InetAddr extends TaintFunction, ArrayFunction, AliasFunction {
-  InetAddr() { hasGlobalName("inet_addr") }
+  InetAddr() { this.hasGlobalName("inet_addr") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
@@ -51,7 +52,7 @@ private class InetAddr extends TaintFunction, ArrayFunction, AliasFunction {
 }
 
 private class InetNetwork extends TaintFunction, ArrayFunction {
-  InetNetwork() { hasGlobalName("inet_network") }
+  InetNetwork() { this.hasGlobalName("inet_network") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
@@ -64,7 +65,7 @@ private class InetNetwork extends TaintFunction, ArrayFunction {
 }
 
 private class InetMakeaddr extends TaintFunction {
-  InetMakeaddr() { hasGlobalName("inet_makeaddr") }
+  InetMakeaddr() { this.hasGlobalName("inet_makeaddr") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     (
@@ -76,7 +77,7 @@ private class InetMakeaddr extends TaintFunction {
 }
 
 private class InetLnaof extends TaintFunction {
-  InetLnaof() { hasGlobalName("inet_lnaof") }
+  InetLnaof() { this.hasGlobalName("inet_lnaof") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
@@ -85,7 +86,7 @@ private class InetLnaof extends TaintFunction {
 }
 
 private class InetNetof extends TaintFunction {
-  InetNetof() { hasGlobalName("inet_netof") }
+  InetNetof() { this.hasGlobalName("inet_netof") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameter(0) and
@@ -94,7 +95,7 @@ private class InetNetof extends TaintFunction {
 }
 
 private class InetPton extends TaintFunction, ArrayFunction {
-  InetPton() { hasGlobalName("inet_pton") }
+  InetPton() { this.hasGlobalName("inet_pton") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     (
@@ -114,7 +115,7 @@ private class InetPton extends TaintFunction, ArrayFunction {
 }
 
 private class Gethostbyname extends TaintFunction, ArrayFunction {
-  Gethostbyname() { hasGlobalName("gethostbyname") }
+  Gethostbyname() { this.hasGlobalName("gethostbyname") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(0) and
@@ -127,7 +128,7 @@ private class Gethostbyname extends TaintFunction, ArrayFunction {
 }
 
 private class Gethostbyaddr extends TaintFunction, ArrayFunction {
-  Gethostbyaddr() { hasGlobalName("gethostbyaddr") }
+  Gethostbyaddr() { this.hasGlobalName("gethostbyaddr") }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     (
@@ -142,3 +143,21 @@ private class Gethostbyaddr extends TaintFunction, ArrayFunction {
 
   override predicate hasArrayWithNullTerminator(int bufParam) { bufParam = 0 }
 }
+
+private class Getaddrinfo extends TaintFunction, ArrayFunction, RemoteFlowSourceFunction {
+  Getaddrinfo() { this.hasGlobalName("getaddrinfo") }
+
+  override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
+    input.isParameterDeref([0 .. 2]) and
+    output.isParameterDeref(3)
+  }
+
+  override predicate hasArrayInput(int bufParam) { bufParam in [0, 1] }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) { bufParam in [0, 1] }
+
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(3) and
+    description = "address returned by " + this.getName()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/Recv.qll

@@ -83,7 +83,7 @@ private class Recv extends AliasFunction, ArrayFunction, SideEffectFunction,
       or
       this.hasGlobalName("recvfrom") and output.isParameterDeref([4, 5])
     ) and
-    description = "Buffer read by " + this.getName()
+    description = "buffer read by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

cpp/ql/lib/semmle/code/cpp/models/implementations/Scanf.qll

@@ -1,6 +1,6 @@
 /**
- * Provides implementation classes modeling `sscanf`, `fscanf` and various similar
- * functions. See `semmle.code.cpp.models.Models` for usage information.
+ * Provides implementation classes modeling the `scanf` family of functions.
+ * See `semmle.code.cpp.models.Models` for usage information.
  */
 
 import semmle.code.cpp.Function
@@ -9,18 +9,15 @@ import semmle.code.cpp.models.interfaces.ArrayFunction
 import semmle.code.cpp.models.interfaces.Taint
 import semmle.code.cpp.models.interfaces.Alias
 import semmle.code.cpp.models.interfaces.SideEffect
+import semmle.code.cpp.models.interfaces.FlowSource
 
 /**
- * The standard function `sscanf`, `fscanf` and its assorted variants
+ * The `scanf` family of functions.
  */
-private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, SideEffectFunction {
-  SscanfModel() { this instanceof Sscanf or this instanceof Fscanf or this instanceof Snscanf }
-
+abstract private class ScanfFunctionModel extends ArrayFunction, TaintFunction, AliasFunction,
+  SideEffectFunction {
   override predicate hasArrayWithNullTerminator(int bufParam) {
     bufParam = this.(ScanfFunction).getFormatParameterIndex()
-    or
-    not this instanceof Fscanf and
-    bufParam = this.(ScanfFunction).getInputParameterIndex()
   }
 
   override predicate hasArrayInput(int bufParam) { this.hasArrayWithNullTerminator(bufParam) }
@@ -36,7 +33,7 @@ private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, S
     )
   }
 
-  private int getArgsStartPosition() { result = this.getNumberOfParameters() }
+  int getArgsStartPosition() { result = this.getNumberOfParameters() }
 
   override predicate hasTaintFlow(FunctionInput input, FunctionOutput output) {
     input.isParameterDeref(this.(ScanfFunction).getInputParameterIndex()) and
@@ -70,3 +67,36 @@ private class SscanfModel extends ArrayFunction, TaintFunction, AliasFunction, S
       ]
   }
 }
+
+/**
+ * The standard function `scanf` and its assorted variants
+ */
+private class ScanfModel extends ScanfFunctionModel, LocalFlowSourceFunction instanceof Scanf {
+  override predicate hasLocalFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "value read by " + this.getName()
+  }
+}
+
+/**
+ * The standard function `fscanf` and its assorted variants
+ */
+private class FscanfModel extends ScanfFunctionModel, RemoteFlowSourceFunction instanceof Fscanf {
+  override predicate hasRemoteFlowSource(FunctionOutput output, string description) {
+    output.isParameterDeref(any(int i | i >= this.getArgsStartPosition())) and
+    description = "value read by " + this.getName()
+  }
+}
+
+/**
+ * The standard function `sscanf` and its assorted variants
+ */
+private class SscanfModel extends ScanfFunctionModel {
+  SscanfModel() { this instanceof Sscanf or this instanceof Snscanf }
+
+  override predicate hasArrayWithNullTerminator(int bufParam) {
+    super.hasArrayWithNullTerminator(bufParam)
+    or
+    bufParam = this.(ScanfFunction).getInputParameterIndex()
+  }
+}

cpp/ql/lib/semmle/code/cpp/models/implementations/Send.qll

@@ -58,7 +58,7 @@ private class Send extends AliasFunction, ArrayFunction, SideEffectFunction, Rem
   override ParameterIndex getParameterSizeIndex(ParameterIndex i) { i = 1 and result = 2 }
 
   override predicate hasRemoteFlowSink(FunctionInput input, string description) {
-    input.isParameterDeref(1) and description = "Buffer sent by " + this.getName()
+    input.isParameterDeref(1) and description = "buffer sent by " + this.getName()
   }
 
   override predicate hasSocketInput(FunctionInput input) { input.isParameter(0) }

cpp/ql/lib/semmle/code/cpp/security/FlowSources.qll

@@ -89,9 +89,9 @@ private class LocalParameterSource extends LocalFlowSource {
 
 private class ArgvSource extends LocalFlowSource {
   ArgvSource() {
-    exists(Parameter argv |
-      argv.hasName("argv") and
-      argv.getFunction().hasGlobalName("main") and
+    exists(Function main, Parameter argv |
+      main.hasGlobalName("main") and
+      main.getParameter(1) = argv and
       this.asExpr() = argv.getAnAccess()
     )
   }

cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql

@@ -16,7 +16,7 @@
 
 import cpp
 import semmle.code.cpp.security.FunctionWithWrappers
-import semmle.code.cpp.security.Security
+import semmle.code.cpp.security.FlowSources
 import semmle.code.cpp.ir.IR
 import semmle.code.cpp.ir.dataflow.TaintTracking
 import DataFlow::PathGraph
@@ -47,12 +47,6 @@ class FileFunction extends FunctionWithWrappers {
   override predicate interestingArg(int arg) { arg = 0 }
 }
 
-Expr asSourceExpr(DataFlow::Node node) {
-  result = node.asConvertedExpr()
-  or
-  result = node.asDefiningArgument()
-}
-
 Expr asSinkExpr(DataFlow::Node node) {
   result =
     node.asOperand()
@@ -89,7 +83,7 @@ predicate hasUpperBoundsCheck(Variable var) {
 class TaintedPathConfiguration extends TaintTracking::Configuration {
   TaintedPathConfiguration() { this = "TaintedPathConfiguration" }
 
-  override predicate isSource(DataFlow::Node node) { isUserInput(asSourceExpr(node), _) }
+  override predicate isSource(DataFlow::Node node) { node instanceof FlowSource }
 
   override predicate isSink(DataFlow::Node node) {
     exists(FileFunction fileFunction |
@@ -108,31 +102,16 @@ class TaintedPathConfiguration extends TaintTracking::Configuration {
       hasUpperBoundsCheck(checkedVar)
     )
   }
-
-  predicate hasFilteredFlowPath(DataFlow::PathNode source, DataFlow::PathNode sink) {
-    this.hasFlowPath(source, sink) and
-    // The use of `isUserInput` in `isSink` in combination with `asSourceExpr` causes
-    // duplicate results. Filter these duplicates. The proper solution is to switch to
-    // using `LocalFlowSource` and `RemoteFlowSource`, but this currently only supports
-    // a subset of the cases supported by `isUserInput`.
-    not exists(DataFlow::PathNode source2 |
-      this.hasFlowPath(source2, sink) and
-      asSourceExpr(source.getNode()) = asSourceExpr(source2.getNode())
-    |
-      not exists(source.getNode().asConvertedExpr()) and exists(source2.getNode().asConvertedExpr())
-    )
-  }
 }
 
 from
-  FileFunction fileFunction, Expr taintedArg, Expr taintSource, TaintedPathConfiguration cfg,
-  DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string taintCause, string callChain
+  FileFunction fileFunction, Expr taintedArg, FlowSource taintSource, TaintedPathConfiguration cfg,
+  DataFlow::PathNode sourceNode, DataFlow::PathNode sinkNode, string callChain
 where
   taintedArg = asSinkExpr(sinkNode.getNode()) and
   fileFunction.outermostWrapperFunctionCall(taintedArg, callChain) and
-  cfg.hasFilteredFlowPath(sourceNode, sinkNode) and
-  taintSource = asSourceExpr(sourceNode.getNode()) and
-  isUserInput(taintSource, taintCause)
+  cfg.hasFlowPath(sourceNode, sinkNode) and
+  taintSource = sourceNode.getNode()
 select taintedArg, sourceNode, sinkNode,
   "This argument to a file access function is derived from $@ and then passed to " + callChain + ".",
-  taintSource, "user input (" + taintCause + ")"
+  taintSource, "user input (" + taintSource.getSourceType() + ")"

cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql

@@ -116,10 +116,6 @@ class ImproperArrayIndexValidationConfig extends TaintTracking::Configuration {
   }
 }
 
-/** Gets `str` where the first letter has been lowercased. */
-bindingset[str]
-string lowerFirst(string str) { result = str.prefix(1).toLowerCase() + str.suffix(1) }
-
 from
   ImproperArrayIndexValidationConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink,
   string sourceType
@@ -128,4 +124,4 @@ where
   isFlowSource(source.getNode(), sourceType)
 select sink.getNode(), source, sink,
   "An array indexing expression depends on $@ that might be outside the bounds of the array.",
-  source.getNode(), lowerFirst(sourceType)
+  source.getNode(), sourceType

cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql

@@ -19,7 +19,25 @@ import semmle.code.cpp.ir.dataflow.TaintTracking
 import DataFlow::PathGraph
 
 /**
- * A taint flow configuration for flow from user input to a buffer write.
+ * A buffer write into a sensitive expression.
+ */
+class SensitiveBufferWrite extends Expr instanceof BufferWrite::BufferWrite {
+  SensitiveBufferWrite() { super.getDest() instanceof SensitiveExpr }
+
+  /**
+   * Gets a data source of this operation.
+   */
+  Expr getASource() { result = super.getASource() }
+
+  /**
+   * Gets the destination buffer of this operation.
+   */
+  Expr getDest() { result = super.getDest() }
+}
+
+/**
+ * A taint flow configuration for flow from user input to a buffer write
+ * into a sensitive expression.
  */
 class ToBufferConfiguration extends TaintTracking::Configuration {
   ToBufferConfiguration() { this = "ToBufferConfiguration" }
@@ -31,18 +49,17 @@ class ToBufferConfiguration extends TaintTracking::Configuration {
   }
 
   override predicate isSink(DataFlow::Node sink) {
-    exists(BufferWrite::BufferWrite w | w.getASource() = sink.asExpr())
+    exists(SensitiveBufferWrite w | w.getASource() = sink.asExpr())
   }
 }
 
 from
-  ToBufferConfiguration config, BufferWrite::BufferWrite w, DataFlow::PathNode sourceNode,
-  DataFlow::PathNode sinkNode, FlowSource source, SensitiveExpr dest
+  ToBufferConfiguration config, SensitiveBufferWrite w, DataFlow::PathNode sourceNode,
+  DataFlow::PathNode sinkNode, FlowSource source
 where
   config.hasFlowPath(sourceNode, sinkNode) and
   sourceNode.getNode() = source and
-  w.getASource() = sinkNode.getNode().asExpr() and
-  dest = w.getDest()
+  w.getASource() = sinkNode.getNode().asExpr()
 select w, sourceNode, sinkNode,
-  "This write into buffer '" + dest.toString() + "' may contain unencrypted data from $@.", source,
-  "user input (" + source.getSourceType() + ")"
+  "This write into buffer '" + w.getDest().toString() + "' may contain unencrypted data from $@.",
+  source, "user input (" + source.getSourceType() + ")"

cpp/ql/test/library-tests/dataflow/source-sink-tests/local-flow.ql

@@ -11,8 +11,20 @@ class LocalFlowSourceTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "local_source" and
-    value = "" and
-    exists(LocalFlowSource node |
+    exists(LocalFlowSource node, int n |
+      n =
+        strictcount(LocalFlowSource otherNode |
+          node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
+        ) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one node on this line
+        // we specify the location explicitly.
+        n > 1 and
+        value =
+          node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
+      ) and
       location = node.getLocation() and
       element = node.toString()
     )

cpp/ql/test/library-tests/dataflow/source-sink-tests/remote-flow.ql

@@ -11,8 +11,20 @@ class RemoteFlowSourceTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "remote_source" and
-    value = "" and
-    exists(RemoteFlowSource node |
+    exists(RemoteFlowSource node, int n |
+      n =
+        strictcount(RemoteFlowSource otherNode |
+          node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
+        ) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one node on this line
+        // we specify the location explicitly.
+        n > 1 and
+        value =
+          node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
+      ) and
       location = node.getLocation() and
       element = node.toString()
     )
@@ -26,8 +38,20 @@ class RemoteFlowSinkTest extends InlineExpectationsTest {
 
   override predicate hasActualResult(Location location, string element, string tag, string value) {
     tag = "remote_sink" and
-    value = "" and
-    exists(RemoteFlowSink node |
+    exists(RemoteFlowSink node, int n |
+      n =
+        strictcount(RemoteFlowSink otherNode |
+          node.getLocation().getStartLine() = otherNode.getLocation().getStartLine()
+        ) and
+      (
+        n = 1 and value = ""
+        or
+        // If there is more than one node on this line
+        // we specify the location explicitly.
+        n > 1 and
+        value =
+          node.getLocation().getStartLine().toString() + ":" + node.getLocation().getStartColumn()
+      ) and
       location = node.getLocation() and
       element = node.toString()
     )

cpp/ql/test/library-tests/dataflow/source-sink-tests/sources-and-sinks.cpp

@@ -26,3 +26,27 @@ void test_readv_and_writev(iovec* iovs) {
   readv(0, iovs, 16); // $ remote_source
   writev(0, iovs, 16); // $ remote_sink
 }
+
+struct FILE;
+
+int fscanf(FILE *stream, const char *format, ...);
+int scanf(const char *format, ...);
+
+void test_scanf(FILE *stream, int *d, char *buf) {
+  scanf(""); // Not a local source, as there are no output arguments
+  fscanf(stream, ""); // Not a remote source, as there are no output arguments
+  scanf("%d", d); // $ local_source
+  fscanf(stream, "%d", d);  // $ remote_source
+  scanf("%d %s", d, buf); // $ local_source=40:18 local_source=40:21
+  fscanf(stream, "%d %s", d, buf);  // $ remote_source=41:27 remote_source=41:30
+}
+
+struct addrinfo;
+
+int getaddrinfo(const char *hostname, const char *servname,
+                const struct addrinfo *hints, struct addrinfo **res);
+
+void test_inet(char *hostname, char *servname, struct addrinfo *hints) {
+  addrinfo *res;
+  int ret = getaddrinfo(hostname, servname, hints, &res); // $ remote_source
+}

cpp/ql/test/query-tests/Security/CWE/CWE-022/SAMATE/TaintedPath/TaintedPath.expected

@@ -5,4 +5,4 @@ nodes
 | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | semmle.label | data indirection |
 subpaths
 #select
-| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | ... + ... | user input (fgets) |
+| CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:77:23:77:26 | data indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | CWE23_Relative_Path_Traversal__char_console_fopen_11.cpp:55:27:55:38 | fgets output argument | user input (string read by fgets) |

cpp/ql/test/query-tests/Security/CWE/CWE-022/semmle/tests/TaintedPath.expected

@@ -1,24 +1,20 @@
 edges
 | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection |
 | test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName indirection |
-| test.c:37:17:37:24 | fileName | test.c:38:11:38:18 | fileName indirection |
 | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection |
-| test.c:43:17:43:24 | fileName | test.c:44:11:44:18 | fileName indirection |
 | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName indirection |
 nodes
 | test.c:9:23:9:26 | argv | semmle.label | argv |
 | test.c:17:11:17:18 | fileName indirection | semmle.label | fileName indirection |
 | test.c:31:22:31:25 | argv | semmle.label | argv |
 | test.c:32:11:32:18 | fileName indirection | semmle.label | fileName indirection |
-| test.c:37:17:37:24 | fileName | semmle.label | fileName |
 | test.c:37:17:37:24 | scanf output argument | semmle.label | scanf output argument |
 | test.c:38:11:38:18 | fileName indirection | semmle.label | fileName indirection |
-| test.c:43:17:43:24 | fileName | semmle.label | fileName |
 | test.c:43:17:43:24 | scanf output argument | semmle.label | scanf output argument |
 | test.c:44:11:44:18 | fileName indirection | semmle.label | fileName indirection |
 subpaths
 #select
-| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv | user input (argv) |
-| test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv | user input (argv) |
-| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | fileName | test.c:38:11:38:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | fileName | user input (scanf) |
-| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | fileName | test.c:44:11:44:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | fileName | user input (scanf) |
+| test.c:17:11:17:18 | fileName | test.c:9:23:9:26 | argv | test.c:17:11:17:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:9:23:9:26 | argv | user input (a command-line argument) |
+| test.c:32:11:32:18 | fileName | test.c:31:22:31:25 | argv | test.c:32:11:32:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:31:22:31:25 | argv | user input (a command-line argument) |
+| test.c:38:11:38:18 | fileName | test.c:37:17:37:24 | scanf output argument | test.c:38:11:38:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:37:17:37:24 | scanf output argument | user input (value read by scanf) |
+| test.c:44:11:44:18 | fileName | test.c:43:17:43:24 | scanf output argument | test.c:44:11:44:18 | fileName indirection | This argument to a file access function is derived from $@ and then passed to fopen(filename). | test.c:43:17:43:24 | scanf output argument | user input (value read by scanf) |

cpp/ql/test/query-tests/Security/CWE/CWE-078/semmle/ExecTainted/ExecTainted.expected

@@ -163,17 +163,17 @@ subpaths
 #select
 | test.cpp:23:12:23:19 | command1 | test.cpp:16:20:16:23 | argv | test.cpp:23:12:23:19 | command1 indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:16:20:16:23 | argv | user input (a command-line argument) | test.cpp:22:13:22:20 | sprintf output argument | sprintf output argument |
 | test.cpp:51:10:51:16 | command | test.cpp:47:21:47:26 | call to getenv | test.cpp:51:10:51:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:47:21:47:26 | call to getenv | user input (an environment variable) | test.cpp:50:11:50:17 | sprintf output argument | sprintf output argument |
-| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (String read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
-| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (String read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
-| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | path indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (String read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
+| test.cpp:65:10:65:16 | command | test.cpp:62:9:62:16 | fread output argument | test.cpp:65:10:65:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:62:9:62:16 | fread output argument | user input (string read by fread) | test.cpp:64:11:64:17 | strncat output argument | strncat output argument |
+| test.cpp:85:32:85:38 | command | test.cpp:82:9:82:16 | fread output argument | test.cpp:85:32:85:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:82:9:82:16 | fread output argument | user input (string read by fread) | test.cpp:84:11:84:17 | strncat output argument | strncat output argument |
+| test.cpp:94:45:94:48 | path | test.cpp:91:9:91:16 | fread output argument | test.cpp:94:45:94:48 | path indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:91:9:91:16 | fread output argument | user input (string read by fread) | test.cpp:93:11:93:14 | strncat output argument | strncat output argument |
 | test.cpp:108:18:108:22 | call to c_str | test.cpp:106:20:106:25 | call to getenv | test.cpp:108:18:108:22 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:106:20:106:25 | call to getenv | user input (an environment variable) | test.cpp:107:31:107:31 | call to operator+ | call to operator+ |
 | test.cpp:114:25:114:29 | call to c_str | test.cpp:113:20:113:25 | call to getenv | test.cpp:114:25:114:29 | call to c_str indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:113:20:113:25 | call to getenv | user input (an environment variable) | test.cpp:114:17:114:17 | Call | Call |
 | test.cpp:120:25:120:28 | call to data | test.cpp:119:20:119:25 | call to getenv | test.cpp:120:10:120:30 | call to data indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:119:20:119:25 | call to getenv | user input (an environment variable) | test.cpp:120:17:120:17 | Call | Call |
-| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (String read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
-| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (String read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
-| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
-| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (String read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
-| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (String read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
-| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (String read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
+| test.cpp:143:10:143:16 | command | test.cpp:140:9:140:11 | fread output argument | test.cpp:143:10:143:16 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to system(string). | test.cpp:140:9:140:11 | fread output argument | user input (string read by fread) | test.cpp:142:11:142:17 | sprintf output argument | sprintf output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:177:13:177:17 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:178:13:178:19 | strncat output argument | strncat output argument |
+| test.cpp:183:32:183:38 | command | test.cpp:174:9:174:16 | fread output argument | test.cpp:183:32:183:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:174:9:174:16 | fread output argument | user input (string read by fread) | test.cpp:180:13:180:19 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:187:11:187:15 | strncat output argument | strncat output argument |
+| test.cpp:198:32:198:38 | command | test.cpp:194:9:194:16 | fread output argument | test.cpp:198:32:198:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:194:9:194:16 | fread output argument | user input (string read by fread) | test.cpp:188:11:188:17 | strncat output argument | strncat output argument |
+| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |
+| test.cpp:222:32:222:38 | command | test.cpp:218:9:218:16 | fread output argument | test.cpp:222:32:222:38 | command indirection | This argument to an OS command is derived from $@, dangerously concatenated into $@, and then passed to execl. | test.cpp:218:9:218:16 | fread output argument | user input (string read by fread) | test.cpp:220:10:220:16 | strncat output argument | strncat output argument |

cpp/ql/test/query-tests/Security/CWE/CWE-120/semmle/tests/UnboundedWrite.expected

@@ -7,42 +7,12 @@ edges
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array |
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
 | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array indirection |
-| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
-| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 |
-| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
-| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 |
-| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 indirection |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
 | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array indirection |
-| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
-| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 |
-| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
-| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 |
-| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 |
-| tests.c:31:15:31:23 | array to pointer conversion | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:31:15:31:23 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 |
-| tests.c:31:15:31:23 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 |
-| tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 indirection |
-| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 |
-| tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 |
-| tests.c:31:15:31:23 | scanf output argument | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 |
-| tests.c:33:21:33:29 | array to pointer conversion | tests.c:33:21:33:29 | buffer100 indirection |
-| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 indirection |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | (const char *)... |
 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array |
@@ -65,16 +35,11 @@ nodes
 | tests.c:29:28:29:34 | access to array | semmle.label | access to array |
 | tests.c:29:28:29:34 | access to array indirection | semmle.label | access to array indirection |
 | tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
-| tests.c:31:15:31:23 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
 | tests.c:31:15:31:23 | buffer100 | semmle.label | buffer100 |
-| tests.c:31:15:31:23 | buffer100 indirection | semmle.label | buffer100 indirection |
-| tests.c:31:15:31:23 | scanf output argument | semmle.label | scanf output argument |
-| tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:33:21:33:29 | array to pointer conversion | semmle.label | array to pointer conversion |
 | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
 | tests.c:33:21:33:29 | buffer100 | semmle.label | buffer100 |
-| tests.c:33:21:33:29 | buffer100 indirection | semmle.label | buffer100 indirection |
 | tests.c:34:10:34:13 | argv | semmle.label | argv |
 | tests.c:34:10:34:13 | argv | semmle.label | argv |
 | tests.c:34:10:34:16 | (const char *)... | semmle.label | (const char *)... |
@@ -84,11 +49,6 @@ nodes
 #select
 | tests.c:28:3:28:9 | call to sprintf | tests.c:28:22:28:25 | argv | tests.c:28:22:28:28 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
 | tests.c:29:3:29:9 | call to sprintf | tests.c:29:28:29:31 | argv | tests.c:29:28:29:34 | access to array | This 'call to sprintf' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
-| tests.c:31:15:31:23 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
-| tests.c:31:15:31:23 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:31:15:31:23 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
-| tests.c:33:21:33:29 | buffer100 | tests.c:28:22:28:25 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:28:22:28:25 | argv | argv |
-| tests.c:33:21:33:29 | buffer100 | tests.c:29:28:29:31 | argv | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:29:28:29:31 | argv | argv |
-| tests.c:33:21:33:29 | buffer100 | tests.c:31:15:31:23 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:31:15:31:23 | buffer100 | buffer100 |
 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | tests.c:33:21:33:29 | buffer100 | This 'scanf string argument' with input from $@ may overflow the destination. | tests.c:33:21:33:29 | buffer100 | buffer100 |
 | tests.c:34:25:34:33 | buffer100 | tests.c:34:10:34:13 | argv | tests.c:34:10:34:16 | access to array | This 'sscanf string argument' with input from $@ may overflow the destination. | tests.c:34:10:34:13 | argv | argv |

cpp/ql/test/query-tests/Security/CWE/CWE-311/semmle/tests/CleartextBufferWrite.expected

@@ -6,5 +6,5 @@ nodes
 | test.cpp:58:25:58:29 | input | semmle.label | input |
 subpaths
 #select
-| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets | user input (String read by gets) |
+| test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | test2.cpp:110:3:110:6 | call to gets | This write into buffer 'password' may contain unencrypted data from $@. | test2.cpp:110:3:110:6 | call to gets | user input (string read by gets) |
 | test.cpp:58:3:58:9 | call to sprintf | test.cpp:54:17:54:20 | argv | test.cpp:58:25:58:29 | input | This write into buffer 'passwd' may contain unencrypted data from $@. | test.cpp:54:17:54:20 | argv | user input (a command-line argument) |

csharp/autobuilder/Semmle.Autobuild.CSharp/Semmle.Autobuild.CSharp.csproj

@@ -15,7 +15,7 @@
 	</ItemGroup>
 	<ItemGroup>
 		<PackageReference Include="Microsoft.Build" Version="17.3.2" />
-		<PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
+		<PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
 	</ItemGroup>
 	<ItemGroup>
 		<ProjectReference Include="..\..\extractor\Semmle.Util\Semmle.Util.csproj" />

csharp/ql/lib/ext/generated/dotnet_runtime.model.yml

@@ -10195,7 +10195,7 @@ extensions:
 
   - addsTo:
       pack: codeql/csharp-all
-      extensible: extNegativeSummaryModel
+      extensible: extNeutralModel
     data:
       - ["AssemblyStripper", "AssemblyStripper", "StripAssembly", "(System.String,System.String)", "generated"]
       - ["Generators", "EventSourceGenerator", "Execute", "(Microsoft.CodeAnalysis.GeneratorExecutionContext)", "generated"]

csharp/ql/lib/semmle/code/csharp/commons/Assertions.qll

@@ -368,40 +368,32 @@ private Stmt getAnAssertingStmt(Assertion a) {
 }
 
 /** A method that forwards to a Boolean assertion method. */
-class ForwarderBooleanAssertMethod extends BooleanAssertMethod {
-  private ForwarderAssertMethod forwarder;
+class ForwarderBooleanAssertMethod extends BooleanAssertMethod instanceof ForwarderAssertMethod {
   private BooleanAssertMethod underlying;
 
-  ForwarderBooleanAssertMethod() {
-    forwarder = this and
-    underlying = forwarder.getUnderlyingAssertMethod()
-  }
+  ForwarderBooleanAssertMethod() { underlying = super.getUnderlyingAssertMethod() }
 
   override int getAnAssertionIndex(boolean b) {
-    forwarder.getAForwarderAssertionIndex(result) = underlying.getAnAssertionIndex(b)
+    super.getAForwarderAssertionIndex(result) = underlying.getAnAssertionIndex(b)
   }
 
   override AssertionFailure getAssertionFailure(int i) {
-    result = underlying.getAssertionFailure(forwarder.getAForwarderAssertionIndex(i))
+    result = underlying.getAssertionFailure(super.getAForwarderAssertionIndex(i))
   }
 }
 
 /** A method that forwards to a nullness assertion method. */
-class ForwarderNullnessAssertMethod extends NullnessAssertMethod {
-  private ForwarderAssertMethod forwarder;
+class ForwarderNullnessAssertMethod extends NullnessAssertMethod instanceof ForwarderAssertMethod {
   private NullnessAssertMethod underlying;
 
-  ForwarderNullnessAssertMethod() {
-    forwarder = this and
-    underlying = forwarder.getUnderlyingAssertMethod()
-  }
+  ForwarderNullnessAssertMethod() { underlying = super.getUnderlyingAssertMethod() }
 
   override int getAnAssertionIndex(boolean b) {
-    forwarder.getAForwarderAssertionIndex(result) = underlying.getAnAssertionIndex(b)
+    super.getAForwarderAssertionIndex(result) = underlying.getAnAssertionIndex(b)
   }
 
   override AssertionFailure getAssertionFailure(int i) {
-    result = underlying.getAssertionFailure(forwarder.getAForwarderAssertionIndex(i))
+    result = underlying.getAssertionFailure(super.getAForwarderAssertionIndex(i))
   }
 }
 

csharp/ql/lib/semmle/code/csharp/dataflow/ExternalFlow.qll

@@ -11,9 +11,9 @@
  *   `namespace; type; subtypes; name; signature; ext; input; kind; provenance`
  * - Summaries:
  *   `namespace; type; subtypes; name; signature; ext; input; output; kind; provenance`
- * - Negative Summaries:
+ * - Neutrals:
  *   `namespace; type; name; signature; provenance`
- *   A negative summary is used to indicate that there is no flow via a callable.
+ *   A neutral is used to indicate that there is no flow via a callable.
  *
  * The interpretation of a row is similar to API-graphs with a left-to-right
  * reading.
@@ -132,30 +132,12 @@ private class SummaryModelCsvInternal extends Unit {
   abstract predicate row(string row);
 }
 
-/**
- * DEPRECATED: Define negative summary models as data extensions instead.
- *
- * A unit class for adding additional negative summary model rows.
- *
- * Extend this class to add additional negative summary definitions.
- */
-deprecated class NegativeSummaryModelCsv = NegativeSummaryModelCsvInternal;
-
-private class NegativeSummaryModelCsvInternal extends Unit {
-  /** Holds if `row` specifies a negative summary definition. */
-  abstract predicate row(string row);
-}
-
 private predicate sourceModelInternal(string row) { any(SourceModelCsvInternal s).row(row) }
 
 private predicate summaryModelInternal(string row) { any(SummaryModelCsvInternal s).row(row) }
 
 private predicate sinkModelInternal(string row) { any(SinkModelCsvInternal s).row(row) }
 
-private predicate negativeSummaryModelInternal(string row) {
-  any(NegativeSummaryModelCsvInternal s).row(row)
-}
-
 /**
  * Holds if a source model exists for the given parameters.
  */
@@ -243,25 +225,16 @@ predicate summaryModel(
   extSummaryModel(namespace, type, subtypes, name, signature, ext, input, output, kind, provenance)
 }
 
-/** Holds if a summary model exists indicating there is no flow for the given parameters. */
-extensible predicate extNegativeSummaryModel(
+/** Holds if a model exists indicating there is no flow for the given parameters. */
+extensible predicate extNeutralModel(
   string namespace, string type, string name, string signature, string provenance
 );
 
-/** Holds if a summary model exists indicating there is no flow for the given parameters. */
-predicate negativeSummaryModel(
+/** Holds if a model exists indicating there is no flow for the given parameters. */
+predicate neutralModel(
   string namespace, string type, string name, string signature, string provenance
 ) {
-  exists(string row |
-    negativeSummaryModelInternal(row) and
-    row.splitAt(";", 0) = namespace and
-    row.splitAt(";", 1) = type and
-    row.splitAt(";", 2) = name and
-    row.splitAt(";", 3) = signature and
-    row.splitAt(";", 4) = provenance
-  )
-  or
-  extNegativeSummaryModel(namespace, type, name, signature, provenance)
+  extNeutralModel(namespace, type, name, signature, provenance)
 }
 
 private predicate relevantNamespace(string namespace) {
@@ -393,8 +366,6 @@ module ModelValidation {
       sinkModelInternal(row) and expect = 9 and pred = "sink"
       or
       summaryModelInternal(row) and expect = 10 and pred = "summary"
-      or
-      negativeSummaryModelInternal(row) and expect = 5 and pred = "negative summary"
     |
       exists(int cols |
         cols = 1 + max(int n | exists(row.splitAt(";", n))) and
@@ -418,9 +389,9 @@ module ModelValidation {
       summaryModel(namespace, type, _, name, signature, ext, _, _, _, provenance) and
       pred = "summary"
       or
-      negativeSummaryModel(namespace, type, name, signature, provenance) and
+      neutralModel(namespace, type, name, signature, provenance) and
       ext = "" and
-      pred = "negative summary"
+      pred = "neutral"
     |
       not namespace.regexpMatch("[a-zA-Z0-9_\\.]+") and
       result = "Dubious namespace \"" + namespace + "\" in " + pred + " model."
@@ -461,7 +432,7 @@ private predicate elementSpec(
   or
   summaryModel(namespace, type, subtypes, name, signature, ext, _, _, _, _)
   or
-  negativeSummaryModel(namespace, type, name, signature, _) and ext = "" and subtypes = false
+  neutralModel(namespace, type, name, signature, _) and ext = "" and subtypes = false
 }
 
 private predicate elementSpec(
@@ -595,7 +566,7 @@ private Element interpretElement0(
   )
 }
 
-/** Gets the source/sink/summary/negativesummary element corresponding to the supplied parameters. */
+/** Gets the source/sink/summary/neutral element corresponding to the supplied parameters. */
 Element interpretElement(
   string namespace, string type, boolean subtypes, string name, string signature, string ext
 ) {

csharp/ql/lib/semmle/code/csharp/dataflow/internal/ContentDataFlow.qll

@@ -222,18 +222,14 @@ module ContentDataFlow {
     )
   }
 
-  private class ConfigurationAdapter extends DF::Configuration {
-    private Configuration c;
-
-    ConfigurationAdapter() { this = c }
-
+  private class ConfigurationAdapter extends DF::Configuration instanceof Configuration {
     final override predicate isSource(Node source, DF::FlowState state) {
-      c.isSource(source) and
+      Configuration.super.isSource(source) and
       state.(InitState).decode(true)
     }
 
     final override predicate isSink(Node sink, DF::FlowState state) {
-      c.isSink(sink) and
+      Configuration.super.isSink(sink) and
       (
         state instanceof InitState or
         state instanceof StoreState or
@@ -249,9 +245,9 @@ module ContentDataFlow {
       additionalStep(node1, state1, node2, state2, this)
     }
 
-    final override predicate isBarrier(Node node) { c.isBarrier(node) }
+    final override predicate isBarrier(Node node) { Configuration.super.isBarrier(node) }
 
-    final override FlowFeature getAFeature() { result = c.getAFeature() }
+    final override FlowFeature getAFeature() { result = Configuration.super.getAFeature() }
 
     // needed to record reads/stores inside summarized callables
     final override predicate includeHiddenNodes() { any() }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/DataFlowPrivate.qll

@@ -2321,8 +2321,8 @@ module Csv {
     )
   }
 
-  /** Computes the first 4 columns for negative CSV rows of `c`. */
-  string asPartialNegativeModel(DotNet::Callable c) {
+  /** Computes the first 4 columns for neutral CSV rows of `c`. */
+  string asPartialNeutralModel(DotNet::Callable c) {
     exists(string namespace, string type, string name, string parameters |
       partialModel(c, namespace, type, name, parameters) and
       result =

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImpl.qll

@@ -246,14 +246,14 @@ module Public {
     predicate isAutoGenerated() { none() }
   }
 
-  /** A callable with a flow summary stating there is no flow via the callable. */
-  class NegativeSummarizedCallable extends SummarizedCallableBase {
-    NegativeSummarizedCallable() { negativeSummaryElement(this, _) }
+  /** A callable where there is no flow via the callable. */
+  class NeutralCallable extends SummarizedCallableBase {
+    NeutralCallable() { neutralElement(this, _) }
 
     /**
-     *  Holds if the negative summary is auto generated.
+     *  Holds if the neutral is auto generated.
      */
-    predicate isAutoGenerated() { negativeSummaryElement(this, true) }
+    predicate isAutoGenerated() { neutralElement(this, true) }
   }
 }
 
@@ -1161,9 +1161,9 @@ module Private {
       string toString() { result = super.toString() }
     }
 
-    /** A flow summary to include in the `negativeSummary/1` query predicate. */
-    abstract class RelevantNegativeSummarizedCallable instanceof NegativeSummarizedCallable {
-      /** Gets the string representation of this callable used by `summary/1`. */
+    /** A model to include in the `neutral/1` query predicate. */
+    abstract class RelevantNeutralCallable instanceof NeutralCallable {
+      /** Gets the string representation of this callable used by `neutral/1`. */
       abstract string getCallableCsv();
 
       string toString() { result = super.toString() }
@@ -1180,13 +1180,13 @@ module Private {
       if c.isAutoGenerated() then result = "generated" else result = "manual"
     }
 
-    private string renderProvenanceNegative(NegativeSummarizedCallable c) {
+    private string renderProvenanceNeutral(NeutralCallable c) {
       if c.isAutoGenerated() then result = "generated" else result = "manual"
     }
 
     /**
      * A query predicate for outputting flow summaries in semi-colon separated format in QL tests.
-     * The syntax is: "namespace;type;overrides;name;signature;ext;inputspec;outputspec;kind;provenance"",
+     * The syntax is: "namespace;type;overrides;name;signature;ext;inputspec;outputspec;kind;provenance",
      * ext is hardcoded to empty.
      */
     query predicate summary(string csv) {
@@ -1205,14 +1205,14 @@ module Private {
     }
 
     /**
-     * Holds if a negative flow summary `csv` exists (semi-colon separated format). Used for testing purposes.
+     * Holds if a neutral model `csv` exists (semi-colon separated format). Used for testing purposes.
      * The syntax is: "namespace;type;name;signature;provenance"",
      */
-    query predicate negativeSummary(string csv) {
-      exists(RelevantNegativeSummarizedCallable c |
+    query predicate neutral(string csv) {
+      exists(RelevantNeutralCallable c |
         csv =
           c.getCallableCsv() // Callable information
-            + renderProvenanceNegative(c) // provenance
+            + renderProvenanceNeutral(c) // provenance
       )
     }
   }

csharp/ql/lib/semmle/code/csharp/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -121,12 +121,12 @@ predicate summaryElement(Callable c, string input, string output, string kind, b
 }
 
 /**
- * Holds if a negative flow summary exists for `c`, which means that there is no
- * flow through `c`. The flag `generated` states whether the summary is autogenerated.
+ * Holds if a neutral model exists for `c`, which means that there is no
+ * flow through `c`. The flag `generated` states whether the neutral model is autogenerated.
  */
-predicate negativeSummaryElement(Callable c, boolean generated) {
+predicate neutralElement(Callable c, boolean generated) {
   exists(string namespace, string type, string name, string signature, string provenance |
-    negativeSummaryModel(namespace, type, name, signature, provenance) and
+    neutralModel(namespace, type, name, signature, provenance) and
     generated = isGenerated(provenance) and
     c = interpretElement(namespace, type, false, name, signature, "")
   )

csharp/ql/lib/semmle/code/csharp/frameworks/System.qll

@@ -257,9 +257,7 @@ class SystemNullReferenceExceptionClass extends SystemClass {
 }
 
 /** The `System.Object` class. */
-class SystemObjectClass extends SystemClass {
-  SystemObjectClass() { this instanceof ObjectType }
-
+class SystemObjectClass extends SystemClass instanceof ObjectType {
   /** Gets the `Equals(object)` method. */
   Method getEqualsMethod() {
     result.getDeclaringType() = this and

csharp/ql/lib/semmle/code/csharp/security/dataflow/CleartextStorageQuery.qll

@@ -56,6 +56,4 @@ class ProtectSanitizer extends Sanitizer {
 /**
  * An external location sink.
  */
-class ExternalSink extends Sink {
-  ExternalSink() { this instanceof ExternalLocationSink }
-}
+class ExternalSink extends Sink instanceof ExternalLocationSink { }

csharp/ql/lib/semmle/code/csharp/security/dataflow/CodeInjectionQuery.qll

@@ -38,14 +38,10 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /** A source of local user input. */
-class LocalSource extends Source {
-  LocalSource() { this instanceof LocalFlowSource }
-}
+class LocalSource extends Source instanceof LocalFlowSource { }
 
 private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
 

csharp/ql/lib/semmle/code/csharp/security/dataflow/CommandInjectionQuery.qll

@@ -36,9 +36,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * A sink in `System.Diagnostic.Process` or its related classes.

csharp/ql/lib/semmle/code/csharp/security/dataflow/ConditionalBypassQuery.qll

@@ -43,9 +43,7 @@ class Configuration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /** The result of a reverse dns may be user-controlled. */
 class ReverseDnsSource extends Source {

csharp/ql/lib/semmle/code/csharp/security/dataflow/ExposureOfPrivateInformationQuery.qll

@@ -39,6 +39,4 @@ private class PrivateDataSource extends Source {
   PrivateDataSource() { this.getExpr() instanceof PrivateDataExpr }
 }
 
-private class ExternalLocation extends Sink {
-  ExternalLocation() { this instanceof ExternalLocationSink }
-}
+private class ExternalLocation extends Sink instanceof ExternalLocationSink { }

csharp/ql/lib/semmle/code/csharp/security/dataflow/ExternalAPIsQuery.qll

@@ -17,8 +17,7 @@ abstract class SafeExternalApiCallable extends Callable { }
 /** DEPRECATED: Alias for SafeExternalApiCallable */
 deprecated class SafeExternalAPICallable = SafeExternalApiCallable;
 
-private class SummarizedCallableSafe extends SafeExternalApiCallable {
-  SummarizedCallableSafe() { this instanceof SummarizedCallable }
+private class SummarizedCallableSafe extends SafeExternalApiCallable instanceof SummarizedCallable {
 }
 
 /** The default set of "safe" external APIs. */

csharp/ql/lib/semmle/code/csharp/security/dataflow/LDAPInjectionQuery.qll

@@ -38,9 +38,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * An argument that sets the `Path` property of a `DirectoryEntry` object that is a sink for LDAP

csharp/ql/lib/semmle/code/csharp/security/dataflow/LogForgingQuery.qll

@@ -38,9 +38,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-private class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+private class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 private class HtmlSanitizer extends Sanitizer {
   HtmlSanitizer() { this.asExpr() instanceof HtmlSanitizedExpr }

csharp/ql/lib/semmle/code/csharp/security/dataflow/MissingXMLValidationQuery.qll

@@ -43,9 +43,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * The input argument to a call to `XmlReader.Create` where the input will not be validated against

csharp/ql/lib/semmle/code/csharp/security/dataflow/ReDoSQuery.qll

@@ -38,9 +38,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * An expression that represents a regular expression with potential exponential behavior.

csharp/ql/lib/semmle/code/csharp/security/dataflow/RegexInjectionQuery.qll

@@ -37,9 +37,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * A `pattern` argument to a construction of a `Regex`.

csharp/ql/lib/semmle/code/csharp/security/dataflow/ResourceInjectionQuery.qll

@@ -37,14 +37,10 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /** A source of local user input. */
-class LocalSource extends Source {
-  LocalSource() { this instanceof LocalFlowSource }
-}
+class LocalSource extends Source instanceof LocalFlowSource { }
 
 /** An argument to the `ConnectionString` property on a data connection class. */
 class SqlConnectionStringSink extends Sink {

csharp/ql/lib/semmle/code/csharp/security/dataflow/SqlInjectionQuery.qll

@@ -38,14 +38,10 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /** A source of local user input. */
-class LocalSource extends Source {
-  LocalSource() { this instanceof LocalFlowSource }
-}
+class LocalSource extends Source instanceof LocalFlowSource { }
 
 /** An SQL expression passed to an API call that executes SQL. */
 class SqlInjectionExprSink extends Sink {

csharp/ql/lib/semmle/code/csharp/security/dataflow/TaintedPathQuery.qll

@@ -39,9 +39,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * A path argument to a `File` method call.

csharp/ql/lib/semmle/code/csharp/security/dataflow/UnsafeDeserializationQuery.qll

@@ -44,9 +44,7 @@ abstract private class ConstructorOrStaticMethodSink extends Sink { }
  */
 abstract class Sanitizer extends DataFlow::Node { }
 
-private class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+private class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * User input to object method call deserialization flow tracking.

csharp/ql/lib/semmle/code/csharp/security/dataflow/UrlRedirectQuery.qll

@@ -50,9 +50,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * A URL argument to a call to `HttpResponse.Redirect()` or `Controller.Redirect()`, that is a

csharp/ql/lib/semmle/code/csharp/security/dataflow/XMLEntityInjectionQuery.qll

@@ -14,9 +14,7 @@ private import semmle.code.csharp.security.Sanitizers
  */
 abstract class Source extends DataFlow::Node { }
 
-private class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+private class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * A data flow sink for untrusted user input used in XML processing.

csharp/ql/lib/semmle/code/csharp/security/dataflow/XPathInjectionQuery.qll

@@ -37,9 +37,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /** The `xpath` argument to an `XPathExpression.Compile(..)` call. */
 class XPathExpressionCompileSink extends Sink {

csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSQuery.qll

@@ -149,9 +149,7 @@ class TaintTrackingConfiguration extends TaintTracking2::Configuration {
 }
 
 /** A source of remote user input. */
-private class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+private class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 private class SimpleTypeSanitizer extends Sanitizer, SimpleTypeSanitizedExpr { }
 

csharp/ql/lib/semmle/code/csharp/security/dataflow/XSSSinks.qll

@@ -27,9 +27,7 @@ private class ExternalXssSink extends Sink {
   ExternalXssSink() { sinkNode(this, "xss") }
 }
 
-private class HtmlSinkSink extends Sink {
-  HtmlSinkSink() { this instanceof HtmlSink }
-
+private class HtmlSinkSink extends Sink instanceof HtmlSink {
   override string explanation() {
     this instanceof WebPageWriteLiteralSink and
     result = "System.Web.WebPages.WebPage.WriteLiteral() method"

csharp/ql/src/AlertSuppression.ql

@@ -44,9 +44,7 @@ class SuppressionComment extends CommentLine {
 /**
  * The scope of an alert suppression comment.
  */
-class SuppressionScope extends @commentline {
-  SuppressionScope() { this instanceof SuppressionComment }
-
+class SuppressionScope extends @commentline instanceof SuppressionComment {
   /** Gets a suppression comment with this scope. */
   SuppressionComment getSuppressionComment() { result = this }
 
@@ -60,7 +58,7 @@ class SuppressionScope extends @commentline {
   predicate hasLocationInfo(
     string filepath, int startline, int startcolumn, int endline, int endcolumn
   ) {
-    this.(SuppressionComment).covers(filepath, startline, startcolumn, endline, endcolumn)
+    super.covers(filepath, startline, startcolumn, endline, endcolumn)
   }
 
   /** Gets a textual representation of this element. */

csharp/ql/src/Telemetry/SupportedExternalApis.ql

@@ -13,7 +13,7 @@ private import ExternalApi
 
 private predicate relevant(ExternalApi api) {
     api.isSupported() or
-  api instanceof FlowSummaryImpl::Public::NegativeSummarizedCallable
+    api instanceof FlowSummaryImpl::Public::NeutralCallable
 }
 
 from string info, int usages

csharp/ql/src/Telemetry/UnsupportedExternalAPIs.ql

@@ -13,7 +13,7 @@ private import ExternalApi
 
 private predicate relevant(ExternalApi api) {
   not api.isSupported() and
-  not api instanceof FlowSummaryImpl::Public::NegativeSummarizedCallable
+  not api instanceof FlowSummaryImpl::Public::NeutralCallable
 }
 
 from string info, int usages

csharp/ql/src/experimental/CWE-099/TaintedWebClientLib.qll

@@ -51,9 +51,7 @@ class TaintTrackingConfiguration extends TaintTracking::Configuration {
 }
 
 /** A source of remote user input. */
-class RemoteSource extends Source {
-  RemoteSource() { this instanceof RemoteFlowSource }
-}
+class RemoteSource extends Source instanceof RemoteFlowSource { }
 
 /**
  * A path argument to a `WebClient` method call that has an address argument.

csharp/ql/src/experimental/CWE-918/RequestForgery.qll

@@ -58,9 +58,7 @@ module RequestForgery {
    * A remote data flow source taken as a source
    * for Server Side Request Forgery(SSRF) Vulnerabilities.
    */
-  private class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
-  }
+  private class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource { }
 
   /**
    * An url argument to a `HttpRequestMessage` constructor call

csharp/ql/src/meta/frameworks/UnsupportedExternalAPIs.ql

@@ -17,5 +17,5 @@ from Call c, ExternalApi api
 where
   c.getTarget().getUnboundDeclaration() = api and
   not api.isSupported() and
-  not api instanceof FlowSummaryImpl::Public::NegativeSummarizedCallable
+  not api instanceof FlowSummaryImpl::Public::NeutralCallable
 select c, "Call to unsupported external API $@.", api, api.toString()

csharp/ql/src/utils/model-generator/CaptureNeutralModels.ql

@@ -1,8 +1,8 @@
 /**
- * @name Capture negative summary models.
- * @description Finds negative summary models to be used by other queries.
+ * @name Capture neutral models.
+ * @description Finds neutral models to be used by other queries.
  * @kind diagnostic
- * @id cs/utils/model-generator/negative-summary-models
+ * @id cs/utils/model-generator/neutral-models
  * @tags model-generator
  */
 

csharp/ql/src/utils/modelconverter/ExtractNeutrals.ql

@@ -1,7 +1,7 @@
 /**
- * @name Extract MaD negative summary model rows.
- * @description This extracts the Models as data negative summary model rows.
- * @id csharp/utils/modelconverter/generate-data-extensions-negative-summary
+ * @name Extract MaD neutral model rows.
+ * @description This extracts the Models as data neutral model rows.
+ * @id csharp/utils/modelconverter/generate-data-extensions-neutral
  */
 
 import csharp
@@ -9,6 +9,6 @@ import semmle.code.csharp.dataflow.ExternalFlow
 
 from string package, string type, string name, string signature, string provenance
 where
-  negativeSummaryModel(package, type, name, signature, provenance) and
+  neutralModel(package, type, name, signature, provenance) and
   provenance != "generated"
 select package, type, name, signature, provenance order by package, type, name, signature

csharp/ql/src/utils/modelgenerator/internal/CaptureModels.qll

@@ -58,9 +58,7 @@ private string asSummaryModel(TargetApiSpecific api, string input, string output
       + "generated"
 }
 
-string asNegativeSummaryModel(TargetApiSpecific api) {
-  result = asPartialNegativeModel(api) + "generated"
-}
+string asNeutralModel(TargetApiSpecific api) { result = asPartialNeutralModel(api) + "generated" }
 
 /**
  * Gets the value summary model for `api` with `input` and `output`.

csharp/ql/src/utils/modelgenerator/internal/CaptureModelsSpecific.qll

@@ -68,7 +68,7 @@ class TargetApiSpecific extends DotNet::Callable {
 
 predicate asPartialModel = DataFlowPrivate::Csv::asPartialModel/1;
 
-predicate asPartialNegativeModel = DataFlowPrivate::Csv::asPartialNegativeModel/1;
+predicate asPartialNeutralModel = DataFlowPrivate::Csv::asPartialNeutralModel/1;
 
 /**
  * Holds if `t` is a type that is generally used for bulk data in collection types.

csharp/ql/src/utils/modelgenerator/internal/CaptureSummaryFlow.qll

@@ -85,10 +85,10 @@ string captureFlow(DataFlowTargetApi api) {
 }
 
 /**
- * Gets the negative summary for `api`, if any.
- * A negative summary is generated, if there does not exist any positive flow.
+ * Gets the neutral model for `api`, if any.
+ * A neutral model is generated, if there does not exist summary model.
  */
 string captureNoFlow(DataFlowTargetApi api) {
   not exists(captureFlow(api)) and
-  result = asNegativeSummaryModel(api)
+  result = asNeutralModel(api)
 }

csharp/ql/test/library-tests/dataflow/global/TaintTracking.ql

@@ -1,14 +1,10 @@
 import csharp
 import Common
 
-class TTConfig extends TaintTracking::Configuration {
-  Config c;
+class TTConfig extends TaintTracking::Configuration instanceof Config {
+  override predicate isSource(DataFlow::Node source) { Config.super.isSource(source) }
 
-  TTConfig() { this = c }
-
-  override predicate isSource(DataFlow::Node source) { c.isSource(source) }
-
-  override predicate isSink(DataFlow::Node sink) { c.isSink(sink) }
+  override predicate isSink(DataFlow::Node sink) { Config.super.isSink(sink) }
 }
 
 from TTConfig c, DataFlow::Node source, DataFlow::Node sink

csharp/ql/test/library-tests/dataflow/global/TaintTrackingPath.ql

@@ -6,14 +6,10 @@ import csharp
 import Common
 import DataFlow::PathGraph
 
-class TTConfig extends TaintTracking::Configuration {
-  Config c;
+class TTConfig extends TaintTracking::Configuration instanceof Config {
+  override predicate isSource(DataFlow::Node source) { Config.super.isSource(source) }
 
-  TTConfig() { this = c }
-
-  override predicate isSource(DataFlow::Node source) { c.isSource(source) }
-
-  override predicate isSink(DataFlow::Node sink) { c.isSink(sink) }
+  override predicate isSink(DataFlow::Node sink) { Config.super.isSink(sink) }
 }
 
 from TTConfig c, DataFlow::PathNode source, DataFlow::PathNode sink, string s

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.expected

@@ -11928,7 +11928,7 @@ summary
 | System;ValueTuple<>;false;ToString;();;Argument[this];ReturnValue;taint;generated |
 | System;ValueTuple<>;false;ValueTuple;(T1);;Argument[0];Argument[this].Field[System.ValueTuple<>.Item1];value;manual |
 | System;ValueTuple<>;false;get_Item;(System.Int32);;Argument[this].Field[System.ValueTuple<>.Item1];ReturnValue;value;manual |
-negativeSummary
+neutral
 | Microsoft.CSharp.RuntimeBinder;CSharpArgumentInfo;Create;(Microsoft.CSharp.RuntimeBinder.CSharpArgumentInfoFlags,System.String);generated |
 | Microsoft.CSharp.RuntimeBinder;RuntimeBinderException;RuntimeBinderException;();generated |
 | Microsoft.CSharp.RuntimeBinder;RuntimeBinderException;RuntimeBinderException;(System.Runtime.Serialization.SerializationInfo,System.Runtime.Serialization.StreamingContext);generated |

csharp/ql/test/library-tests/dataflow/library/FlowSummaries.ql

@@ -6,11 +6,7 @@ private class IncludeAllSummarizedCallable extends IncludeSummarizedCallable {
   IncludeAllSummarizedCallable() { exists(this) }
 }
 
-private class IncludeNegativeSummarizedCallable extends RelevantNegativeSummarizedCallable {
-  IncludeNegativeSummarizedCallable() {
-    this instanceof FlowSummaryImpl::Public::NegativeSummarizedCallable
-  }
-
+private class IncludeNeutralCallable extends RelevantNeutralCallable instanceof FlowSummaryImpl::Public::NeutralCallable {
   /** Gets a string representing the callable in semi-colon separated format for use in flow summaries. */
-  final override string getCallableCsv() { result = Csv::asPartialNegativeModel(this) }
+  final override string getCallableCsv() { result = Csv::asPartialNeutralModel(this) }
 }

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.expected

@@ -10262,4 +10262,4 @@ summary
 | System;ValueTuple<>;false;ToString;();;Argument[this];ReturnValue;taint;generated |
 | System;ValueTuple<>;false;ValueTuple;(T1);;Argument[0];Argument[this].Field[System.ValueTuple<>.Item1];value;manual |
 | System;ValueTuple<>;false;get_Item;(System.Int32);;Argument[this].Field[System.ValueTuple<>.Item1];ReturnValue;value;manual |
-negativeSummary
+neutral

csharp/ql/test/library-tests/dataflow/library/FlowSummariesFiltered.ql

@@ -2,9 +2,7 @@ import shared.FlowSummaries
 private import semmle.code.csharp.dataflow.internal.DataFlowPrivate::Csv
 private import semmle.code.csharp.dataflow.ExternalFlow
 
-class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable {
-  IncludeFilteredSummarizedCallable() { this instanceof SummarizedCallable }
-
+class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable instanceof SummarizedCallable {
   /**
    * Holds if flow is propagated between `input` and `output` and
    * if there is no summary for a callable in a `base` class or interface
@@ -13,7 +11,7 @@ class IncludeFilteredSummarizedCallable extends IncludeSummarizedCallable {
   override predicate relevantSummary(
     SummaryComponentStack input, SummaryComponentStack output, boolean preservesValue
   ) {
-    this.(SummarizedCallable).propagatesFlow(input, output, preservesValue) and
+    super.propagatesFlow(input, output, preservesValue) and
     not exists(IncludeSummarizedCallable rsc |
       isBaseCallableOrPrototype(rsc) and
       rsc.(SummarizedCallable).propagatesFlow(input, output, preservesValue) and

csharp/ql/test/library-tests/frameworks/EntityFramework/FlowSummaries.expected

@@ -131,7 +131,7 @@ summary
 | System.Data.Entity;DbSet<>;false;AttachRange;(System.Collections.Generic.IEnumerable<T>);;Argument[0].Element;Argument[this].Element;value;manual |
 | System.Data.Entity;DbSet<>;false;Update;(T);;Argument[0];Argument[this].Element;value;manual |
 | System.Data.Entity;DbSet<>;false;UpdateRange;(System.Collections.Generic.IEnumerable<T>);;Argument[0].Element;Argument[this].Element;value;manual |
-negativeSummary
+neutral
 sourceNode
 sinkNode
 | EntityFrameworkCore.cs:72:36:72:40 | "sql" | sql |

csharp/ql/test/library-tests/frameworks/EntityFramework/FlowSummaries.ql

@@ -2,8 +2,7 @@ import semmle.code.csharp.frameworks.EntityFramework::EntityFramework
 import shared.FlowSummaries
 import semmle.code.csharp.dataflow.ExternalFlow as ExternalFlow
 
-private class IncludeEFSummarizedCallable extends IncludeSummarizedCallable {
-  IncludeEFSummarizedCallable() { this instanceof EFSummarizedCallable }
+private class IncludeEFSummarizedCallable extends IncludeSummarizedCallable instanceof EFSummarizedCallable {
 }
 
 query predicate sourceNode(DataFlow::Node node, string kind) {

csharp/ql/test/utils/model-generator/dataflow/CaptureNegativeSummaryModels.qlref

@@ -1 +0,0 @@
-utils/model-generator/CaptureNegativeSummaryModels.ql

csharp/ql/test/utils/model-generator/dataflow/CaptureNeutralModels.qlref

@@ -0,0 +1 @@
+utils/model-generator/CaptureNeutralModels.ql

docs/codeql/README.rst

@@ -43,7 +43,8 @@ Building and previewing the CodeQL documentation
 ************************************************
 
 To build and preview the documentation and training presentations locally, you need to
-install Sphinx 1.7.9. More recent versions of Sphinx do not work with hieroglyph, 
+install Sphinx 1.7.9 using Python 2 (for example: `pip install sphinx==1.7.9`).
+More recent versions of Sphinx do not work with hieroglyph,
 the Sphinx extension that we use to generate HTML slides, as explained below.
 For installation options, see https://github.com/sphinx-doc/sphinx.
 

docs/codeql/ql-training/query-examples/cpp/control-flow-cpp-1.ql

@@ -1,8 +1,9 @@
 import cpp
 
 from FunctionCall alloc, FunctionCall free, LocalScopeVariable v
-where allocationCall(alloc)
-  and alloc = v.getAnAssignedValue()
-  and freeCall(free, v.getAnAccess())
-  and alloc.getASuccessor+() = free
+where
+  allocationCall(alloc) and
+  alloc = v.getAnAssignedValue() and
+  freeCall(free, v.getAnAccess()) and
+  alloc.getASuccessor+() = free
 select alloc, free

docs/codeql/ql-training/query-examples/cpp/control-flow-cpp-2.ql

@@ -1,8 +1,9 @@
 import cpp
 
 from FunctionCall free, LocalScopeVariable v, VariableAccess u
-where freeCall(free, v.getAnAccess())
-  and u = v.getAnAccess()
-  and u.isRValue()
-  and free.getASuccessor+() = u
+where
+  freeCall(free, v.getAnAccess()) and
+  u = v.getAnAccess() and
+  u.isRValue() and
+  free.getASuccessor+() = u
 select free, u

docs/codeql/ql-training/query-examples/cpp/control-flow-cpp-5.ql

@@ -1,8 +1,8 @@
 import cpp
 
-from ExprCall c, PointerDereferenceExpr deref, VariableAccess va,
-     Access fnacc
-where c.getLocation().getFile().getBaseName() = "cjpeg.c" and
+from ExprCall c, PointerDereferenceExpr deref, VariableAccess va, Access fnacc
+where
+  c.getLocation().getFile().getBaseName() = "cjpeg.c" and
   c.getLocation().getStartLine() = 640 and
   deref = c.getExpr() and
   va = deref.getOperand() and

docs/codeql/ql-training/query-examples/cpp/data-flow-cpp-1.ql

@@ -2,7 +2,8 @@ import cpp
 import semmle.code.cpp.commons.Printf
 
 from Call c, FormattingFunction ff, Expr format
-where c.getTarget() = ff and
+where
+  c.getTarget() = ff and
   format = c.getArgument(ff.getFormatParameterIndex()) and
   not format instanceof StringLiteral
 select format, "Non-constant format string."

docs/codeql/ql-training/query-examples/cpp/data-flow-cpp-2.ql

@@ -5,7 +5,8 @@ import semmle.code.cpp.commons.Printf
 class SourceNode extends DataFlow::Node { /* ... */ }
 
 from FormattingFunction f, Call c, SourceNode src, DataFlow::Node arg
-where c.getTarget() = f and
+where
+  c.getTarget() = f and
   arg.asExpr() = c.getArgument(f.getFormatParameterIndex()) and
   DataFlow::localFlow(src, arg) and
   not src.asExpr() instanceof StringLiteral

docs/codeql/ql-training/query-examples/cpp/empty-if-cpp-class.ql

@@ -1,9 +1,7 @@
 import cpp
 
 class EmptyBlock extends Block {
-  EmptyBlock() {
-    this.isEmpty()
-  }
+  EmptyBlock() { this.isEmpty() }
 }
 
 from IfStmt ifStmt

docs/codeql/ql-training/query-examples/cpp/empty-if-cpp-predicate.ql

@@ -1,8 +1,6 @@
 import cpp
 
-predicate isEmpty(Block block) {
-  block.isEmpty()
-}
+predicate isEmpty(Block block) { block.isEmpty() }
 
 from IfStmt ifstmt
 where isEmpty(ifstmt.getThen())

docs/codeql/ql-training/query-examples/cpp/global-data-flow-cpp-1.ql

@@ -3,11 +3,12 @@ import semmle.code.cpp.dataflow.TaintTracking
 
 class TaintedFormatConfig extends TaintTracking::Configuration {
   TaintedFormatConfig() { this = "TaintedFormatConfig" }
+
   override predicate isSource(DataFlow::Node source) { /* TBD */ }
+
   override predicate isSink(DataFlow::Node sink) { /* TBD */ }
 }
 
 from TaintedFormatConfig cfg, DataFlow::Node source, DataFlow::Node sink
 where cfg.hasFlow(source, sink)
-select sink, "This format string may be derived from a $@.",
-              source, "user-controlled value"
+select sink, "This format string may be derived from a $@.", source, "user-controlled value"

docs/codeql/ql-training/query-examples/java/empty-if-java-class.ql

@@ -1,12 +1,9 @@
 import java
 
 class EmptyBlock extends Block {
-  EmptyBlock() {
-    this.getNumStmt() = 0
-  }
+  EmptyBlock() { this.getNumStmt() = 0 }
 }
 
 from IfStmt ifstmt
-where ifstmt.getThen() instanceof
-      EmptyBlock
+where ifstmt.getThen() instanceof EmptyBlock
 select ifstmt

docs/codeql/ql-training/query-examples/java/empty-if-java-predicate.ql

@@ -1,8 +1,6 @@
 import java
 
-predicate isEmpty(Block block) {
-  block.getNumStmt() = 0
-}
+predicate isEmpty(Block block) { block.getNumStmt() = 0 }
 
 from IfStmt ifstmt
 where isEmpty(ifstmt.getThen())

docs/codeql/ql-training/query-examples/java/global-data-flow-java-1.ql

@@ -3,12 +3,12 @@ import semmle.code.java.dataflow.TaintTracking
 
 class TaintedOGNLConfig extends TaintTracking::Configuration {
   TaintedOGNLConfig() { this = "TaintedOGNLConfig" }
+
   override predicate isSource(DataFlow::Node source) { /* TBD */ }
+
   override predicate isSink(DataFlow::Node sink) { /* TBD */ }
 }
 
 from TaintedOGNLConfig cfg, DataFlow::Node source, DataFlow::Node sink
 where cfg.hasFlow(source, sink)
-select source,
-       "This untrusted input is evaluated as an OGNL expression $@.",
-       sink, "here"
+select source, "This untrusted input is evaluated as an OGNL expression $@.", sink, "here"

docs/codeql/ql-training/query-examples/java/query-injection-java-3.ql

@@ -1,8 +1,6 @@
 import java
 
-predicate isStringConcat(AddExpr ae) {
-  ae.getType() instanceof TypeString
-}
+predicate isStringConcat(AddExpr ae) { ae.getType() instanceof TypeString }
 
 from Method m, MethodAccess ma
 where

docs/codeql/writing-codeql-queries/river-answer-1-path.ql

@@ -5,16 +5,11 @@
 
 /** A possible cargo item. */
 class Cargo extends string {
-    Cargo() {
-      this = "Nothing" or
-      this = "Goat" or
-      this = "Cabbage" or
-      this = "Wolf"
-    }
-  }
+  Cargo() { this = ["Nothing", "Goat", "Cabbage", "Wolf"] }
+}
 
-  /** One of two shores. */
-  class Shore extends string {
+/** A shore, named either `Left` or `Right`. */
+class Shore extends string {
   Shore() {
     this = "Left" or
     this = "Right"
@@ -26,15 +21,15 @@ class Cargo extends string {
     or
     this = "Right" and result = "Left"
   }
-  }
+}
 
-  /** Renders the state as a string. */
-  string renderState(Shore manShore, Shore goatShore, Shore cabbageShore, Shore wolfShore) {
+/** Renders the state as a string. */
+string renderState(Shore manShore, Shore goatShore, Shore cabbageShore, Shore wolfShore) {
   result = manShore + "," + goatShore + "," + cabbageShore + "," + wolfShore
-  }
+}
 
-  /** A record of where everything is. */
-  class State extends string {
+/** A record of where everything is. */
+class State extends string {
   Shore manShore;
   Shore goatShore;
   Shore cabbageShore;
@@ -93,23 +88,23 @@ class Cargo extends string {
     // Reachable by first following pathSoFar and then ferrying cargo
     exists(string pathSoFar, string visitedStatesSoFar, Cargo cargo |
       result = this.reachesVia(pathSoFar, visitedStatesSoFar).safeFerry(cargo) and
-        not exists(int i | i = visitedStatesSoFar.indexOf(result)) and // resulting state is not visited yet
+      not exists(visitedStatesSoFar.indexOf(result)) and // resulting state is not visited yet
       visitedStates = visitedStatesSoFar + "_" + result and
       path = pathSoFar + ",\nthen " + cargo + " is ferried " + result.towards()
     )
   }
-  }
+}
 
-  /** The initial state, where everything is on the left shore. */
-  class InitialState extends State {
+/** The initial state, where everything is on the left shore. */
+class InitialState extends State {
   InitialState() { this = renderState("Left", "Left", "Left", "Left") }
-  }
+}
 
-  /** The goal state, where everything is on the right shore. */
-  class GoalState extends State {
+/** The goal state, where everything is on the right shore. */
+class GoalState extends State {
   GoalState() { this = renderState("Right", "Right", "Right", "Right") }
-  }
+}
 
-  from string path
-  where any(InitialState i).reachesVia(path, _) = any(GoalState g)
-  select path + "."
+from string path
+where any(InitialState i).reachesVia(path, _) = any(GoalState g)
+select path + "."

docs/codeql/writing-codeql-queries/river-answer-2-abstract-class.ql

@@ -7,10 +7,10 @@
 /** One of two shores. */
 class Shore extends string {
   Shore() { this = "left" or this = "right" }
-  }
+}
 
-  /** Models the behavior of the man. */
-  class Man extends string {
+/** Models the behavior of the man. */
+class Man extends string {
   Shore s;
 
   Man() { this = "man " + s }
@@ -26,10 +26,10 @@ class Shore extends string {
     result = c.cross() and
     c.isOn(s)
   }
-  }
+}
 
-  /** One of three possible cargo items, with their position. */
-  abstract class Cargo extends string {
+/** One of three possible cargo items, with their position. */
+abstract class Cargo extends string {
   Shore s;
 
   bindingset[this]
@@ -40,31 +40,31 @@ class Shore extends string {
 
   /** Returns the other shore, after the cargo crosses the river. */
   abstract Cargo cross();
-  }
+}
 
-  /** Models the position of the goat. */
-  class Goat extends Cargo {
+/** Models the position of the goat. */
+class Goat extends Cargo {
   Goat() { this = "goat " + s }
 
   override Goat cross() { result != this }
-  }
+}
 
-  /** Models the position of the wolf. */
-  class Wolf extends Cargo {
+/** Models the position of the wolf. */
+class Wolf extends Cargo {
   Wolf() { this = "wolf " + s }
 
   override Wolf cross() { result != this }
-  }
+}
 
-  /** Models the position of the cabbage. */
-  class Cabbage extends Cargo {
+/** Models the position of the cabbage. */
+class Cabbage extends Cargo {
   Cabbage() { this = "cabbage " + s }
 
   override Cabbage cross() { result != this }
-  }
+}
 
-  /** Returns a unicode representation of everything on the left shore. */
-  string onLeft(Man man, Goat goat, Cabbage cabbage, Wolf wolf) {
+/** Returns a unicode representation of everything on the left shore. */
+string onLeft(Man man, Goat goat, Cabbage cabbage, Wolf wolf) {
   exists(string manOnLeft, string goatOnLeft, string cabbageOnLeft, string wolfOnLeft |
     (
       man.isOn("left") and manOnLeft = "🕴"
@@ -88,10 +88,10 @@ class Shore extends string {
     ) and
     result = manOnLeft + "__" + goatOnLeft + "__" + cabbageOnLeft + "__" + wolfOnLeft
   )
-  }
+}
 
-  /** Returns a unicode representation of everything on the right shore. */
-  string onRight(Man man, Goat goat, Cabbage cabbage, Wolf wolf) {
+/** Returns a unicode representation of everything on the right shore. */
+string onRight(Man man, Goat goat, Cabbage cabbage, Wolf wolf) {
   exists(string manOnLeft, string goatOnLeft, string cabbageOnLeft, string wolfOnLeft |
     (
       man.isOn("right") and manOnLeft = "🕴"
@@ -115,22 +115,20 @@ class Shore extends string {
     ) and
     result = manOnLeft + "__" + goatOnLeft + "__" + cabbageOnLeft + "__" + wolfOnLeft
   )
-  }
+}
 
-  /** Renders the state as a string, using unicode symbols. */
-  string render(Man man, Goat goat, Cabbage cabbage, Wolf wolf) {
-    result = onLeft(man, goat, cabbage, wolf) + "___🌊🌊🌊🌊🌊🌊🌊🌊🌊🌊___" +
+/** Renders the state as a string, using unicode symbols. */
+string render(Man man, Goat goat, Cabbage cabbage, Wolf wolf) {
+  result =
+    onLeft(man, goat, cabbage, wolf) + "___🌊🌊🌊🌊🌊🌊🌊🌊🌊🌊___" +
       onRight(man, goat, cabbage, wolf)
-  }
+}
 
-  /** A record of where everything is. */
-  class State extends string {
+/** A record of where everything is. */
+class State extends string {
   Man man;
-  
   Goat goat;
-  
   Cabbage cabbage;
-  
   Wolf wolf;
 
   State() { this = render(man, goat, cabbage, wolf) }
@@ -154,14 +152,14 @@ class Shore extends string {
   State reachesVia(string path) {
     exists(string pathSoFar |
       result = this.reachesVia(pathSoFar).transition() and
-        not exists(int i | i = pathSoFar.indexOf(result.toString())) and
+      not exists(pathSoFar.indexOf(result.toString())) and
       path = pathSoFar + "\n↓\n" + result
     )
   }
-  }
+}
 
-  /** The initial state, where everything is on the left shore. */
-  class InitialState extends State {
+/** The initial state, where everything is on the left shore. */
+class InitialState extends State {
   InitialState() {
     exists(Shore left | left = "left" |
       man.isOn(left) and goat.isOn(left) and cabbage.isOn(left) and wolf.isOn(left)
@@ -169,14 +167,14 @@ class Shore extends string {
   }
 
   override State reachesVia(string path) {
-      path = this + "\n↓\n" + result and result = transition()
+    path = this + "\n↓\n" + result and result = this.transition()
     or
     result = super.reachesVia(path)
   }
-  }
+}
 
-  /** The goal state, where everything is on the right shore. */
-  class GoalState extends State {
+/** The goal state, where everything is on the right shore. */
+class GoalState extends State {
   GoalState() {
     exists(Shore right | right = "right" |
       man.isOn(right) and goat.isOn(right) and cabbage.isOn(right) and wolf.isOn(right)
@@ -184,10 +182,10 @@ class Shore extends string {
   }
 
   override State transition() { none() }
-  }
+}
 
-  /** An unsafe state, where something gets eaten. */
-  class IllegalState extends State {
+/** An unsafe state, where something gets eaten. */
+class IllegalState extends State {
   IllegalState() {
     exists(Shore s |
       goat.isOn(s) and cabbage.isOn(s) and not man.isOn(s)
@@ -197,9 +195,8 @@ class Shore extends string {
   }
 
   override State transition() { none() }
-  }
-  
-  from string path
-  where any(InitialState i).reachesVia(path) = any(GoalState g)
-  select path
+}
 
+from string path
+where any(InitialState i).reachesVia(path) = any(GoalState g)
+select path

docs/codeql/writing-codeql-queries/river-answer-3-datatypes.ql

@@ -90,11 +90,8 @@ newtype TState = Currently(Man man, Goat goat, Cabbage cabbage, Wolf wolf)
 /** A record of where everything is. */
 class State extends TState {
   Man man;
-
   Goat goat;
-
   Cabbage cabbage;
-
   Wolf wolf;
 
   State() { this = Currently(man, goat, cabbage, wolf) }
@@ -118,7 +115,7 @@ class State extends TState {
   State reachesVia(string path) {
     exists(string pathSoFar |
       result = this.reachesVia(pathSoFar).transition() and
-      not exists(int i | i = pathSoFar.indexOf(result.toString())) and
+      not exists(pathSoFar.indexOf(result.toString())) and
       path = pathSoFar + "\n" + result
     )
   }
@@ -133,7 +130,7 @@ class InitialState extends State {
   }
 
   override State reachesVia(string path) {
-    path = this + "\n" + result and result = transition()
+    path = this + "\n" + result and result = this.transition()
     or
     result = super.reachesVia(path)
   }

docs/codeql/writing-codeql-queries/river-crossing-1.ql

@@ -99,4 +99,3 @@ class GoalState extends State {
 from string path
 where any(InitialState i).reachesVia(path, _) = any(GoalState g)
 select path
-

go/ql/lib/semmle/go/controlflow/ControlFlowGraph.qll

@@ -106,24 +106,20 @@ module ControlFlow {
    * A control-flow node that initializes or updates the value of a constant, a variable,
    * a field, or an (array, slice, or map) element.
    */
-  class WriteNode extends Node {
-    IR::WriteInstruction self;
-
-    WriteNode() { this = self }
-
+  class WriteNode extends Node instanceof IR::WriteInstruction {
     /** Gets the left-hand side of this write. */
-    IR::WriteTarget getLhs() { result = self.getLhs() }
+    IR::WriteTarget getLhs() { result = super.getLhs() }
 
     /** Gets the right-hand side of this write. */
-    DataFlow::Node getRhs() { self.getRhs() = result.asInstruction() }
+    DataFlow::Node getRhs() { super.getRhs() = result.asInstruction() }
 
     /** Holds if this node sets variable or constant `v` to `rhs`. */
-    predicate writes(ValueEntity v, DataFlow::Node rhs) { self.writes(v, rhs.asInstruction()) }
+    predicate writes(ValueEntity v, DataFlow::Node rhs) { super.writes(v, rhs.asInstruction()) }
 
     /** Holds if this node defines SSA variable `v` to be `rhs`. */
     predicate definesSsaVariable(SsaVariable v, DataFlow::Node rhs) {
-      self.getLhs().asSsaVariable() = v and
-      self.getRhs() = rhs.asInstruction()
+      super.getLhs().asSsaVariable() = v and
+      super.getRhs() = rhs.asInstruction()
     }
 
     /**
@@ -136,13 +132,13 @@ module ControlFlow {
      * node corresponding to `newWidth`.
      */
     predicate writesField(DataFlow::Node base, Field f, DataFlow::Node rhs) {
-      exists(IR::FieldTarget trg | trg = self.getLhs() |
+      exists(IR::FieldTarget trg | trg = super.getLhs() |
         (
           trg.getBase() = base.asInstruction() or
           trg.getBase() = MkImplicitDeref(base.asExpr())
         ) and
         trg.getField() = f and
-        self.getRhs() = rhs.asInstruction()
+        super.getRhs() = rhs.asInstruction()
       )
     }
 
@@ -156,13 +152,13 @@ module ControlFlow {
      * is the data-flow node corresponding to `base`.
      */
     predicate writesElement(DataFlow::Node base, DataFlow::Node index, DataFlow::Node rhs) {
-      exists(IR::ElementTarget trg | trg = self.getLhs() |
+      exists(IR::ElementTarget trg | trg = super.getLhs() |
         (
           trg.getBase() = base.asInstruction() or
           trg.getBase() = MkImplicitDeref(base.asExpr())
         ) and
         trg.getIndex() = index.asInstruction() and
-        self.getRhs() = rhs.asInstruction()
+        super.getRhs() = rhs.asInstruction()
       )
     }
 

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImpl.qll

@@ -246,14 +246,14 @@ module Public {
     predicate isAutoGenerated() { none() }
   }
 
-  /** A callable with a flow summary stating there is no flow via the callable. */
-  class NegativeSummarizedCallable extends SummarizedCallableBase {
-    NegativeSummarizedCallable() { negativeSummaryElement(this, _) }
+  /** A callable where there is no flow via the callable. */
+  class NeutralCallable extends SummarizedCallableBase {
+    NeutralCallable() { neutralElement(this, _) }
 
     /**
-     *  Holds if the negative summary is auto generated.
+     *  Holds if the neutral is auto generated.
      */
-    predicate isAutoGenerated() { negativeSummaryElement(this, true) }
+    predicate isAutoGenerated() { neutralElement(this, true) }
   }
 }
 
@@ -1161,9 +1161,9 @@ module Private {
       string toString() { result = super.toString() }
     }
 
-    /** A flow summary to include in the `negativeSummary/1` query predicate. */
-    abstract class RelevantNegativeSummarizedCallable instanceof NegativeSummarizedCallable {
-      /** Gets the string representation of this callable used by `summary/1`. */
+    /** A model to include in the `neutral/1` query predicate. */
+    abstract class RelevantNeutralCallable instanceof NeutralCallable {
+      /** Gets the string representation of this callable used by `neutral/1`. */
       abstract string getCallableCsv();
 
       string toString() { result = super.toString() }
@@ -1180,13 +1180,13 @@ module Private {
       if c.isAutoGenerated() then result = "generated" else result = "manual"
     }
 
-    private string renderProvenanceNegative(NegativeSummarizedCallable c) {
+    private string renderProvenanceNeutral(NeutralCallable c) {
       if c.isAutoGenerated() then result = "generated" else result = "manual"
     }
 
     /**
      * A query predicate for outputting flow summaries in semi-colon separated format in QL tests.
-     * The syntax is: "namespace;type;overrides;name;signature;ext;inputspec;outputspec;kind;provenance"",
+     * The syntax is: "namespace;type;overrides;name;signature;ext;inputspec;outputspec;kind;provenance",
      * ext is hardcoded to empty.
      */
     query predicate summary(string csv) {
@@ -1205,14 +1205,14 @@ module Private {
     }
 
     /**
-     * Holds if a negative flow summary `csv` exists (semi-colon separated format). Used for testing purposes.
+     * Holds if a neutral model `csv` exists (semi-colon separated format). Used for testing purposes.
      * The syntax is: "namespace;type;name;signature;provenance"",
      */
-    query predicate negativeSummary(string csv) {
-      exists(RelevantNegativeSummarizedCallable c |
+    query predicate neutral(string csv) {
+      exists(RelevantNeutralCallable c |
         csv =
           c.getCallableCsv() // Callable information
-            + renderProvenanceNegative(c) // provenance
+            + renderProvenanceNeutral(c) // provenance
       )
     }
   }

go/ql/lib/semmle/go/dataflow/internal/FlowSummaryImplSpecific.qll

@@ -76,11 +76,11 @@ predicate summaryElement(
 }
 
 /**
- * Holds if a negative flow summary exists for `c`, which means that there is no
- * flow through `c`. The flag `generated` states whether the summary is autogenerated.
- * Note. Negative flow summaries has not been implemented for Go.
+ * Holds if a neutral model exists for `c`, which means that there is no
+ * flow through `c`. The flag `generated` states whether the model is autogenerated.
+ * Note. Neutral models have not been implemented for Go.
  */
-predicate negativeSummaryElement(SummarizedCallable c, boolean generated) { none() }
+predicate neutralElement(SummarizedCallable c, boolean generated) { none() }
 
 /** Gets the summary component for specification component `c`, if any. */
 bindingset[c]

go/ql/lib/semmle/go/security/CommandInjectionCustomizations.qll

@@ -37,9 +37,7 @@ module CommandInjection {
   abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
 
   /** A source of untrusted data, considered as a taint source for command injection. */
-  class UntrustedFlowAsSource extends Source {
-    UntrustedFlowAsSource() { this instanceof UntrustedFlowSource }
-  }
+  class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
 
   /** A command name, considered as a taint sink for command injection. */
   class CommandNameAsSink extends Sink {

go/ql/lib/semmle/go/security/LogInjectionCustomizations.qll

@@ -33,9 +33,7 @@ module LogInjection {
   abstract deprecated class SanitizerGuard extends DataFlow::BarrierGuard { }
 
   /** A source of untrusted data, considered as a taint source for log injection. */
-  class UntrustedFlowAsSource extends Source {
-    UntrustedFlowAsSource() { this instanceof UntrustedFlowSource }
-  }
+  class UntrustedFlowAsSource extends Source instanceof UntrustedFlowSource { }
 
   /** An argument to a logging mechanism. */
   class LoggerSink extends Sink {

go/ql/lib/semmle/go/security/OpenUrlRedirectCustomizations.qll

@@ -117,9 +117,7 @@ module OpenUrlRedirect {
 }
 
 /** A sink for an open redirect, considered as a sink for safe URL flow. */
-private class SafeUrlSink extends SafeUrlFlow::Sink {
-  SafeUrlSink() { this instanceof OpenUrlRedirect::Sink }
-}
+private class SafeUrlSink extends SafeUrlFlow::Sink instanceof OpenUrlRedirect::Sink { }
 
 /**
  * A read of a field considered unsafe to redirect to, considered as a sanitizer for a safe