Merge branch 'main' into atorralba/promote-ognl-injection

2025-12-21 19:26:31 +01:00 · 2021-07-20 17:17:17 +02:00
parent 47fffb04a6 5a489a386a
commit b6904a7992
2457 changed files with 219307 additions and 31173 deletions
--- a/.github/workflows/csv-coverage-pr-artifacts.yml
+++ b/.github/workflows/csv-coverage-pr-artifacts.yml
@@ -0,0 +1,97 @@
 name: Check framework coverage changes
 on:
  pull_request:
    paths:
      - '.github/workflows/csv-coverage-pr-comment.yml'
      - '*/ql/src/**/*.ql'
      - '*/ql/src/**/*.qll'
      - 'misc/scripts/library-coverage/*.py'
      # input data files
      - '*/documentation/library-coverage/cwe-sink.csv'
      - '*/documentation/library-coverage/frameworks.csv'
    branches:
      - main
      - 'rc/*'
 jobs:
  generate:
    name: Generate framework coverage artifacts
    runs-on: ubuntu-latest
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql) - MERGE
      uses: actions/checkout@v2
      with:
        path: merge
    - name: Clone self (github/codeql) - BASE
      uses: actions/checkout@v2
      with:
        fetch-depth: 2
        path: base
    - run: |
        git checkout HEAD^1
        git log -1 --format='%H'
      working-directory: base
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Generate CSV files on merge commit of the PR
      run: |
        echo "Running generator on merge"
        PATH="$PATH:codeql-cli/codeql" python merge/misc/scripts/library-coverage/generate-report.py ci merge merge
        mkdir out_merge
        cp framework-coverage-*.csv out_merge/
        cp framework-coverage-*.rst out_merge/
    - name: Generate CSV files on base commit of the PR
      run: |
        echo "Running generator on base"
        PATH="$PATH:codeql-cli/codeql" python base/misc/scripts/library-coverage/generate-report.py ci base base
        mkdir out_base
        cp framework-coverage-*.csv out_base/
        cp framework-coverage-*.rst out_base/
    - name: Generate diff of coverage reports
      run: |
        python base/misc/scripts/library-coverage/compare-folders.py out_base out_merge comparison.md
    - name: Upload CSV package list
      uses: actions/upload-artifact@v2
      with:
        name: csv-framework-coverage-merge
        path: |
          out_merge/framework-coverage-*.csv
          out_merge/framework-coverage-*.rst
    - name: Upload CSV package list
      uses: actions/upload-artifact@v2
      with:
        name: csv-framework-coverage-base
        path: |
          out_base/framework-coverage-*.csv
          out_base/framework-coverage-*.rst
    - name: Upload comparison results
      uses: actions/upload-artifact@v2
      with:
        name: comparison
        path: |
          comparison.md
    - name: Save PR number
      run: |
        mkdir -p pr
        echo ${{ github.event.pull_request.number }} > pr/NR
    - name: Upload PR number
      uses: actions/upload-artifact@v2
      with:
        name: pr
        path: pr/
--- a/.github/workflows/csv-coverage-pr-comment.yml
+++ b/.github/workflows/csv-coverage-pr-comment.yml
@@ -0,0 +1,34 @@
 name: Comment on PR with framework coverage changes
 on:
  workflow_run:
    workflows: ["Check framework coverage changes"]
    types:
      - completed
 jobs:
  check:
    name: Check framework coverage differences and comment
    runs-on: ubuntu-latest
    if: >
      ${{ github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success' }}
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
      uses: actions/checkout@v2
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Check coverage difference file and comment
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        RUN_ID: ${{ github.event.workflow_run.id }}
      run: |
        python misc/scripts/library-coverage/comment-pr.py "$GITHUB_REPOSITORY" "$RUN_ID"
--- a/.github/workflows/csv-coverage-timeseries.yml
+++ b/.github/workflows/csv-coverage-timeseries.yml
@@ -0,0 +1,42 @@
 name: Build framework coverage timeseries reports
 on:
  workflow_dispatch:
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Clone self (github/codeql)
      uses: actions/checkout@v2
      with:
        path: script
    - name: Clone self (github/codeql) for analysis
      uses: actions/checkout@v2
      with:
        path: codeqlModels
        fetch-depth: 0
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Build modeled package list
      run: |
        CLI=$(realpath "codeql-cli/codeql")
        echo $CLI
        PATH="$PATH:$CLI" python script/misc/scripts/library-coverage/generate-timeseries.py codeqlModels
    - name: Upload timeseries CSV
      uses: actions/upload-artifact@v2
      with:
        name: framework-coverage-timeseries
        path: framework-coverage-timeseries-*.csv
--- a/.github/workflows/csv-coverage-update.yml
+++ b/.github/workflows/csv-coverage-update.yml
@@ -0,0 +1,44 @@
 name: Update framework coverage reports
 on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"
 jobs:
  update:
    name: Update framework coverage report
    if: github.event.repository.fork == false
    runs-on: ubuntu-latest
    steps:
    - name: Dump GitHub context
      env:
        GITHUB_CONTEXT: ${{ toJSON(github.event) }}
      run: echo "$GITHUB_CONTEXT"
    - name: Clone self (github/codeql)
      uses: actions/checkout@v2
      with:
        path: ql
        fetch-depth: 0
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Generate coverage files
      run: |
        PATH="$PATH:codeql-cli/codeql" python ql/misc/scripts/library-coverage/generate-report.py ci ql ql
    - name: Create pull request with changes
      env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: |
        python ql/misc/scripts/library-coverage/create-pr.py ql "$GITHUB_REPOSITORY"
--- a/.github/workflows/csv-coverage.yml
+++ b/.github/workflows/csv-coverage.yml
@@ -1,4 +1,4 @@
-name: Build/check CSV flow coverage report
+name: Build framework coverage reports
 on:
  workflow_dispatch:
@@ -6,22 +6,6 @@ on:
      qlModelShaOverride:
        description: 'github/codeql repo SHA used for looking up the CSV models'
        required: false
  push:
    branches:
     - main
     - 'rc/**'
  pull_request:
    paths:
      - '.github/workflows/csv-coverage.yml'
      - '*/ql/src/**/*.ql'
      - '*/ql/src/**/*.qll'
      - 'misc/scripts/library-coverage/*.py'
      # input data files
      - '*/documentation/library-coverage/cwe-sink.csv'
      - '*/documentation/library-coverage/frameworks.csv'
      # coverage report files
      - '*/documentation/library-coverage/flow-model-coverage.csv'
      - '*/documentation/library-coverage/flow-model-coverage.rst'
 jobs:
  build:
@@ -33,28 +17,20 @@ jobs:
      uses: actions/checkout@v2
      with:
        path: script
    - name: Clone self (github/codeql) at a given SHA for analysis
      if: github.event.inputs.qlModelShaOverride != ''
      uses: actions/checkout@v2
      with:
        path: codeqlModels
        ref: github.event.inputs.qlModelShaOverride
    - name: Clone self (github/codeql) for analysis
      if: github.event.inputs.qlModelShaOverride == ''
      uses: actions/checkout@v2
      with:
        path: codeqlModels
        ref: ${{ github.event.inputs.qlModelShaOverride || github.ref }}
    - name: Set up Python 3.8
      uses: actions/setup-python@v2
      with:
        python-version: 3.8
    - name: Download CodeQL CLI
-      uses: dsaltares/fetch-gh-release-asset@aa37ae5c44d3c9820bc12fe675e8670ecd93bd1c
+      env:
-      with:
+         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        repo: "github/codeql-cli-binaries"
+      run: |
-        version: "latest"
+         gh release download --repo "github/codeql-cli-binaries" --pattern "codeql-linux64.zip"
        file: "codeql-linux64.zip"
        token: ${{ secrets.GITHUB_TOKEN }}
    - name: Unzip CodeQL CLI
      run: unzip -d codeql-cli codeql-linux64.zip
    - name: Build modeled package list
@@ -63,15 +39,11 @@ jobs:
    - name: Upload CSV package list
      uses: actions/upload-artifact@v2
      with:
-        name: csv-flow-model-coverage
+        name: framework-coverage-csv
-        path: flow-model-coverage-*.csv
+        path: framework-coverage-*.csv
    - name: Upload RST package list
      uses: actions/upload-artifact@v2
      with:
-        name: rst-flow-model-coverage
+        name: framework-coverage-rst
-        path: flow-model-coverage-*.rst
+        path: framework-coverage-*.rst
    # - name: Check coverage files
    #   if: github.event.pull_request
    #   run: |
    #     python script/misc/scripts/library-coverage/compare-files.py codeqlModels
--- a/6
+++ b/6
@@ -17,3 +17,9 @@
 /java/ql/src/semmle/code/java/dataflow/internal/DataFlowImplCommon.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking1/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 /java/ql/src/semmle/code/java/dataflow/internal/tainttracking2/TaintTrackingImpl.qll @github/codeql-java @github/codeql-go
 # CodeQL tools and associated docs
 /docs/codeql-cli/ @github/codeql-cli-reviewers
 /docs/codeql-for-visual-studio-code/ @github/codeql-vscode-reviewers
 /docs/ql-language-reference/ @github/codeql-frontend-reviewers
 /docs/query-*-style-guide.md @github/codeql-analysis-reviewers
--- a/config/identical-files.json
+++ b/config/identical-files.json
@@ -448,5 +448,17 @@
  "SensitiveDataHeuristics Python/JS": [
    "javascript/ql/src/semmle/javascript/security/internal/SensitiveDataHeuristics.qll",
    "python/ql/src/semmle/python/security/internal/SensitiveDataHeuristics.qll"
  ],
  "ReDoS Util Python/JS": [
    "javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll",
    "python/ql/src/semmle/python/security/performance/ReDoSUtil.qll"
  ],
  "ReDoS Exponential Python/JS": [
    "javascript/ql/src/semmle/javascript/security/performance/ExponentialBackTracking.qll",
    "python/ql/src/semmle/python/security/performance/ExponentialBackTracking.qll"
  ],
  "ReDoS Polynomial Python/JS": [
    "javascript/ql/src/semmle/javascript/security/performance/SuperlinearBackTracking.qll",
    "python/ql/src/semmle/python/security/performance/SuperlinearBackTracking.qll"
  ]
 }
--- a/cpp/change-notes/2021-06-15-path-sensitive-stack-reachability.md
+++ b/cpp/change-notes/2021-06-15-path-sensitive-stack-reachability.md
@@ -0,0 +1,4 @@
 lgtm,codescanning
 * The `StackVariableReachability` library now ignores some paths that contain an infeasible combination
  of conditionals. These improvements primarily affect the queries `cpp/uninitialized-local` and
  `cpp/use-after-free`.
--- a/cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md
+++ b/cpp/change-notes/2021-06-21-weak-cryptographic-algorithm.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.
--- a/cpp/change-notes/2021-06-24-dataflow-implicit-reads.md
+++ b/cpp/change-notes/2021-06-24-dataflow-implicit-reads.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.
--- a/cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md
+++ b/cpp/change-notes/2021-06-24-uncontrolled-arithmetic.md
@@ -0,0 +1,2 @@
 lgtm
 * The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.
--- a/cpp/change-notes/2021-06-30-wrong-type-format-argument.md
+++ b/cpp/change-notes/2021-06-30-wrong-type-format-argument.md
@@ -0,0 +1,2 @@
 lgtm,codescanning
 * The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms.  There are now fewer false positive results.
--- a/Errors/OffsetUseBeforeRangeCheck.ql
+++ b/Errors/OffsetUseBeforeRangeCheck.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/offset-use-before-range-check
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.2
 * @precision medium
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorMayNotBeClosed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/descriptor-may-not-be-closed
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/DescriptorNeverClosed.ql
+++ b/cpp/ql/src/Critical/DescriptorNeverClosed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/descriptor-never-closed
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/FileMayNotBeClosed.ql
+++ b/cpp/ql/src/Critical/FileMayNotBeClosed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/file-may-not-be-closed
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/FileNeverClosed.ql
+++ b/cpp/ql/src/Critical/FileNeverClosed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/file-never-closed
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags efficiency
 *       security
 *       external/cwe/cwe-775
--- a/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
+++ b/cpp/ql/src/Critical/GlobalUseBeforeInit.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/global-use-before-init
 * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.8
 * @tags reliability
 *       security
 *       external/cwe/cwe-457
--- a/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
+++ b/cpp/ql/src/Critical/InconsistentNullnessTesting.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/inconsistent-nullness-testing
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/InitialisationNotRun.ql
+++ b/cpp/ql/src/Critical/InitialisationNotRun.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/initialization-not-run
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-456
--- a/cpp/ql/src/Critical/LateNegativeTest.ql
+++ b/cpp/ql/src/Critical/LateNegativeTest.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/late-negative-test
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-823
--- a/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
+++ b/cpp/ql/src/Critical/MemoryMayNotBeFreed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/memory-may-not-be-freed
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MemoryNeverFreed.ql
+++ b/cpp/ql/src/Critical/MemoryNeverFreed.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/memory-never-freed
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @tags efficiency
 *       security
 *       external/cwe/cwe-401
--- a/cpp/ql/src/Critical/MissingNegativityTest.ql
+++ b/cpp/ql/src/Critical/MissingNegativityTest.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/missing-negativity-test
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-823
--- a/cpp/ql/src/Critical/MissingNullTest.ql
+++ b/cpp/ql/src/Critical/MissingNullTest.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/missing-null-test
 * @problem.severity recommendation
- * @security-severity 3.6
+ * @security-severity 7.5
 * @tags reliability
 *       security
 *       external/cwe/cwe-476
--- a/cpp/ql/src/Critical/NewFreeMismatch.ql
+++ b/cpp/ql/src/Critical/NewFreeMismatch.ql
@@ -3,7 +3,7 @@
 * @description An object that was allocated with 'malloc' or 'new' is being freed using a mismatching 'free' or 'delete'.
 * @kind problem
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision high
 * @id cpp/new-free-mismatch
 * @tags reliability
--- a/cpp/ql/src/Critical/OverflowCalculated.ql
+++ b/cpp/ql/src/Critical/OverflowCalculated.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/overflow-calculated
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
 * @tags reliability
 *       security
 *       external/cwe/cwe-131
--- a/cpp/ql/src/Critical/OverflowDestination.ql
+++ b/cpp/ql/src/Critical/OverflowDestination.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/overflow-destination
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision low
 * @tags reliability
 *       security
--- a/cpp/ql/src/Critical/OverflowStatic.ql
+++ b/cpp/ql/src/Critical/OverflowStatic.ql
@@ -4,7 +4,7 @@
 *              may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/static-buffer-overflow
 * @tags reliability
--- a/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
+++ b/cpp/ql/src/Critical/ReturnStackAllocatedObject.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/return-stack-allocated-object
 * @problem.severity warning
- * @security-severity 2.9
+ * @security-severity 2.1
 * @tags reliability
 *       security
 *       external/cwe/cwe-562
--- a/cpp/ql/src/Critical/SizeCheck.ql
+++ b/cpp/ql/src/Critical/SizeCheck.ql
@@ -4,7 +4,7 @@
 *              an instance of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 8.1
 * @precision medium
 * @id cpp/allocation-too-small
 * @tags reliability
--- a/cpp/ql/src/Critical/SizeCheck2.ql
+++ b/cpp/ql/src/Critical/SizeCheck2.ql
@@ -4,7 +4,7 @@
 *              multiple instances of the type of the pointer may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 8.1
 * @precision medium
 * @id cpp/suspicious-allocation-size
 * @tags reliability
--- a/cpp/ql/src/Critical/UseAfterFree.ql
+++ b/cpp/ql/src/Critical/UseAfterFree.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/use-after-free
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.3
 * @tags reliability
 *       security
 *       external/cwe/cwe-416
--- a/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
+++ b/cpp/ql/src/Diagnostics/FailedExtractorInvocations.ql
@@ -7,10 +7,6 @@
 import cpp
 class AnonymousCompilation extends Compilation {
  override string toString() { result = "<compilation>" }
 }
 string describe(Compilation c) {
  if c.getArgument(1) = "--mimic"
  then result = "compiler invocation " + concat(int i | i > 1 | c.getArgument(i), " " order by i)
@@ -19,4 +15,4 @@ string describe(Compilation c) {
 from Compilation c
 where not c.normalTermination()
-select c, "Extraction aborted for " + describe(c), 2
+select "Extraction aborted for " + describe(c)
--- a/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
+++ b/Bugs/Arithmetic/BadAdditionOverflowCheck.ql
@@ -6,7 +6,7 @@
 *              to a larger type.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision very-high
 * @id cpp/bad-addition-overflow-check
 * @tags reliability
--- a/Bugs/Arithmetic/IntMultToLong.ql
+++ b/Bugs/Arithmetic/IntMultToLong.ql
@@ -4,7 +4,7 @@
 *              be a sign that the result can overflow the type converted from.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision high
 * @id cpp/integer-multiplication-cast-to-long
 * @tags reliability
--- a/Bugs/Arithmetic/SignedOverflowCheck.ql
+++ b/Bugs/Arithmetic/SignedOverflowCheck.ql
@@ -5,7 +5,7 @@
 *              unsigned integer values.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision high
 * @id cpp/signed-overflow-check
 * @tags correctness
--- a/Bugs/Conversion/CastArrayPointerArithmetic.ql
+++ b/Bugs/Conversion/CastArrayPointerArithmetic.ql
@@ -6,7 +6,7 @@
 *              use the width of the base type, leading to misaligned reads.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision high
 * @id cpp/upcast-array-pointer-arithmetic
 * @tags correctness
--- a/Bugs/Format/NonConstantFormat.ql
+++ b/Bugs/Format/NonConstantFormat.ql
@@ -6,7 +6,7 @@
 *              from an untrusted source, this can be used for exploits.
 * @kind problem
 * @problem.severity recommendation
- * @security-severity 6.9
+ * @security-severity 9.3
 * @precision high
 * @id cpp/non-constant-format
 * @tags maintainability
--- a/Bugs/Format/SnprintfOverflow.ql
+++ b/Bugs/Format/SnprintfOverflow.ql
@@ -3,7 +3,7 @@
 * @description Using the return value from snprintf without proper checks can cause overflow.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision high
 * @id cpp/overflowing-snprintf
 * @tags reliability
--- a/Bugs/Format/WrongNumberOfFormatArguments.ql
+++ b/Bugs/Format/WrongNumberOfFormatArguments.ql
@@ -4,7 +4,7 @@
 *              a source of security issues.
 * @kind problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
 * @precision high
 * @id cpp/wrong-number-format-arguments
 * @tags reliability
--- a/Bugs/Format/WrongTypeFormatArguments.ql
+++ b/Bugs/Format/WrongTypeFormatArguments.ql
@@ -4,7 +4,7 @@
 *              behavior.
 * @kind problem
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision high
 * @id cpp/wrong-type-format-argument
 * @tags reliability
@@ -19,28 +19,32 @@ import cpp
 * Holds if the argument corresponding to the `pos` conversion specifier
 * of `ffc` is expected to have type `expected`.
 */
 pragma[noopt]
 private predicate formattingFunctionCallExpectedType(
  FormattingFunctionCall ffc, int pos, Type expected
 ) {
-  exists(FormattingFunction f, int i, FormatLiteral fl |
+  ffc.getFormat().(FormatLiteral).getConversionType(pos) = expected
    ffc instanceof FormattingFunctionCall and
    ffc.getTarget() = f and
    f.getFormatParameterIndex() = i and
    ffc.getArgument(i) = fl and
    fl.getConversionType(pos) = expected
  )
 }
 /**
 * Holds if the argument corresponding to the `pos` conversion specifier
- * of `ffc` is expected to have type `expected` and the corresponding
+ * of `ffc` could alternatively have type `expected`, for example on a different
- * argument `arg` has type `actual`.
+ * platform.
 */
 private predicate formattingFunctionCallAlternateType(
  FormattingFunctionCall ffc, int pos, Type expected
 ) {
  ffc.getFormat().(FormatLiteral).getConversionTypeAlternate(pos) = expected
 }
 /**
 * Holds if the argument corresponding to the `pos` conversion specifier
 * of `ffc` is `arg` and has type `actual`.
 */
 pragma[noopt]
-predicate formatArgType(FormattingFunctionCall ffc, int pos, Type expected, Expr arg, Type actual) {
+predicate formattingFunctionCallActualType(
  FormattingFunctionCall ffc, int pos, Expr arg, Type actual
 ) {
  exists(Expr argConverted |
    formattingFunctionCallExpectedType(ffc, pos, expected) and
    ffc.getConversionArgument(pos) = arg and
    argConverted = arg.getFullyConverted() and
    actual = argConverted.getType()
@@ -72,7 +76,8 @@ class ExpectedType extends Type {
  ExpectedType() {
    exists(Type t |
      (
-        formatArgType(_, _, t, _, _) or
+        formattingFunctionCallExpectedType(_, _, t) or
        formattingFunctionCallAlternateType(_, _, t) or
        formatOtherArgType(_, _, t, _, _)
      ) and
      this = t.getUnspecifiedType()
@@ -91,7 +96,11 @@ class ExpectedType extends Type {
 */
 predicate trivialConversion(ExpectedType expected, Type actual) {
  exists(Type exp, Type act |
-    formatArgType(_, _, exp, _, act) and
+    (
      formattingFunctionCallExpectedType(_, _, exp) or
      formattingFunctionCallAlternateType(_, _, exp)
    ) and
    formattingFunctionCallActualType(_, _, _, act) and
    expected = exp.getUnspecifiedType() and
    actual = act.getUnspecifiedType()
  ) and
@@ -146,9 +155,13 @@ int sizeof_IntType() { exists(IntType it | result = it.getSize()) }
 from FormattingFunctionCall ffc, int n, Expr arg, Type expected, Type actual
 where
  (
-    formatArgType(ffc, n, expected, arg, actual) and
+    formattingFunctionCallExpectedType(ffc, n, expected) and
    formattingFunctionCallActualType(ffc, n, arg, actual) and
    not exists(Type anyExpected |
-      formatArgType(ffc, n, anyExpected, arg, actual) and
+      (
        formattingFunctionCallExpectedType(ffc, n, anyExpected) or
        formattingFunctionCallAlternateType(ffc, n, anyExpected)
      ) and
      trivialConversion(anyExpected.getUnspecifiedType(), actual.getUnspecifiedType())
    )
    or
--- a/Typos/IncorrectNotOperatorUsage.ql
+++ b/Typos/IncorrectNotOperatorUsage.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/incorrect-not-operator-usage
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision medium
 * @tags security
 *       external/cwe/cwe-480
--- a/Management/AllocaInLoop.ql
+++ b/Management/AllocaInLoop.ql
@@ -3,7 +3,7 @@
 * @description Using alloca in a loop can lead to a stack overflow
 * @kind problem
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision high
 * @id cpp/alloca-in-loop
 * @tags reliability
--- a/Management/ImproperNullTermination.ql
+++ b/Management/ImproperNullTermination.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/improper-null-termination
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags security
 *       external/cwe/cwe-170
 *       external/cwe/cwe-665
--- a/Management/PointerOverflow.ql
+++ b/Management/PointerOverflow.ql
@@ -4,7 +4,7 @@
 *              on undefined behavior and may lead to memory corruption.
 * @kind problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 2.1
 * @precision high
 * @id cpp/pointer-overflow-check
 * @tags reliability
--- a/Management/StrncpyFlippedArgs.ql
+++ b/Management/StrncpyFlippedArgs.ql
@@ -4,7 +4,7 @@
 *              as the third argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/bad-strncpy-size
 * @tags reliability
--- a/Management/SuspiciousCallToStrncat.ql
+++ b/Management/SuspiciousCallToStrncat.ql
@@ -3,7 +3,7 @@
 * @description Calling 'strncat' with an incorrect size argument may result in a buffer overflow.
 * @kind problem
 * @problem.severity warning
- * @security-severity 10.0
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/unsafe-strncat
 * @tags reliability
--- a/Management/SuspiciousSizeof.ql
+++ b/Management/SuspiciousSizeof.ql
@@ -5,7 +5,7 @@
 *              the machine pointer size.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id cpp/suspicious-sizeof
 * @tags reliability
--- a/Management/UninitializedLocal.ql
+++ b/Management/UninitializedLocal.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/uninitialized-local
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision medium
 * @tags security
 *       external/cwe/cwe-665
--- a/Management/UnsafeUseOfStrcat.ql
+++ b/Management/UnsafeUseOfStrcat.ql
@@ -4,7 +4,7 @@
 *              may result in a buffer overflow
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision medium
 * @id cpp/unsafe-strcat
 * @tags reliability
--- a/Bugs/OO/SelfAssignmentCheck.ql
+++ b/Bugs/OO/SelfAssignmentCheck.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/self-assignment-check
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.0
 * @tags reliability
 *       security
 *       external/cwe/cwe-826
--- a/Bugs/OO/UnsafeUseOfThis.ql
+++ b/Bugs/OO/UnsafeUseOfThis.ql
@@ -6,7 +6,7 @@
 * @kind path-problem
 * @id cpp/unsafe-use-of-this
 * @problem.severity error
- * @security-severity 3.6
+ * @security-severity 7.5
 * @precision very-high
 * @tags correctness
 *       language-features
--- a/Functions/TooFewArguments.ql
+++ b/Functions/TooFewArguments.ql
@@ -7,7 +7,7 @@
 *              undefined data.
 * @kind problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 5.0
 * @precision very-high
 * @id cpp/too-few-arguments
 * @tags correctness
--- a/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
+++ b/cpp/ql/src/Microsoft/IgnoreReturnValueSAL.ql
@@ -9,7 +9,6 @@
 * @tags reliability
 *       external/cwe/cwe-573
 *       external/cwe/cwe-252
 * @opaque-id SM02344
 * @microsoft.severity Important
 */
--- a/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/memset-may-be-deleted
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.8
 * @precision high
 * @tags security
 *       external/cwe/cwe-14
--- a/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/IRUntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags security external/cwe/cwe-20
 */
--- a/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
+++ b/cpp/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql
@@ -5,7 +5,7 @@
 * @kind path-problem
 * @precision low
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @tags security external/cwe/cwe-20
 */
--- a/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
+++ b/cpp/ql/src/Security/CWE/CWE-022/TaintedPath.ql
@@ -4,7 +4,7 @@
 *              attacker to access unexpected resources.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision medium
 * @id cpp/path-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql
@@ -5,7 +5,7 @@
 *              to command injection.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision low
 * @id cpp/command-line-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
+++ b/cpp/ql/src/Security/CWE/CWE-079/CgiXss.ql
@@ -4,7 +4,7 @@
 *              allows for a cross-site scripting vulnerability.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 2.9
+ * @security-severity 6.1
 * @precision high
 * @id cpp/cgi-xss
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-089/SqlTainted.ql
@@ -5,7 +5,7 @@
 *              to SQL Injection.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.4
+ * @security-severity 8.8
 * @precision high
 * @id cpp/sql-injection
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-114/UncontrolledProcessOperation.ql
@@ -5,7 +5,7 @@
 *              commands.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.0
+ * @security-severity 8.2
 * @precision medium
 * @id cpp/uncontrolled-process-operation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
+++ b/cpp/ql/src/Security/CWE/CWE-119/OverflowBuffer.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/overflow-buffer
 * @problem.severity recommendation
- * @security-severity 10.0
+ * @security-severity 9.3
 * @tags security
 *       external/cwe/cwe-119
 *       external/cwe/cwe-121
--- a/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/BadlyBoundedWrite.ql
@@ -5,7 +5,7 @@
 *              overflow.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
 * @precision high
 * @id cpp/badly-bounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWrite.ql
@@ -4,7 +4,7 @@
 *              of data written may overflow.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/overrunning-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/OverrunWriteFloat.ql
@@ -5,7 +5,7 @@
 *              take extreme values.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/overrunning-write-with-float
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-120/UnboundedWrite.ql
@@ -4,7 +4,7 @@
 *              of data written may overflow.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.3
 * @precision medium
 * @id cpp/unbounded-write
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-121/UnterminatedVarargsCall.ql
@@ -5,7 +5,7 @@
 *              a specific value to terminate the argument list.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id cpp/unterminated-variadic-call
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
+++ b/cpp/ql/src/Security/CWE/CWE-129/ImproperArrayIndexValidation.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/unclear-array-index-validation
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @tags security
 *       external/cwe/cwe-129
 */
--- a/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
+++ b/cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
@@ -5,7 +5,7 @@
 *              terminator can cause a buffer overrun.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision high
 * @id cpp/no-space-for-terminator
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatString.ql
@@ -5,7 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
 * @precision high
 * @id cpp/tainted-format-string
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-134/UncontrolledFormatStringThroughGlobalVar.ql
@@ -5,7 +5,7 @@
 *              or data representation problems.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 9.3
 * @precision high
 * @id cpp/tainted-format-string-through-global
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql
@@ -2,9 +2,9 @@
 * @name User-controlled data in arithmetic expression
 * @description Arithmetic operations on user-controlled data that is
 *              not validated can cause overflows.
- * @kind problem
+ * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision low
 * @id cpp/tainted-arithmetic
 * @tags security
@@ -16,22 +16,39 @@ import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
 import semmle.code.cpp.security.TaintTracking
 import TaintedWithPath
 import Bounded
-from Expr origin, Operation op, Expr e, string effect
+bindingset[op]
-where
+predicate missingGuard(Operation op, Expr e, string effect) {
  isUserInput(origin, _) and
  tainted(origin, e) and
  op.getAnOperand() = e and
  (
  missingGuardAgainstUnderflow(op, e) and effect = "underflow"
  or
  missingGuardAgainstOverflow(op, e) and effect = "overflow"
  or
  not e instanceof VariableAccess and effect = "overflow"
-  ) and
+}
-  (
+
 class Configuration extends TaintTrackingConfiguration {
  override predicate isSink(Element e) {
    exists(Operation op |
      missingGuard(op, e, _) and
      op.getAnOperand() = e
    |
      op instanceof UnaryArithmeticOperation or
      op instanceof BinaryArithmeticOperation
    )
-select e, "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
+  }
-  origin, "User-provided value"
+
  override predicate isBarrier(Expr e) {
    super.isBarrier(e) or bounded(e) or e.getUnspecifiedType().(IntegralType).getSize() <= 1
  }
 }
 from Expr origin, Expr e, string effect, PathNode sourceNode, PathNode sinkNode, Operation op
 where
  taintedWithPath(origin, e, sourceNode, sinkNode) and
  op.getAnOperand() = e and
  missingGuard(op, e, effect)
 select e, sourceNode, sinkNode,
  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
  "User-provided value"
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql
@@ -4,7 +4,7 @@
 *              validated can cause overflows.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision medium
 * @id cpp/uncontrolled-arithmetic
 * @tags security
@@ -15,106 +15,61 @@
 import cpp
 import semmle.code.cpp.security.Overflow
 import semmle.code.cpp.security.Security
-import semmle.code.cpp.security.TaintTracking
+import semmle.code.cpp.security.FlowSources
-import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
+import semmle.code.cpp.ir.dataflow.TaintTracking
-import TaintedWithPath
+import DataFlow::PathGraph
 import Bounded
-predicate isUnboundedRandCall(FunctionCall fc) {
+/**
-  exists(Function func | func = fc.getTarget() |
+ * A function that outputs random data such as `std::rand`.
-    func.hasGlobalOrStdOrBslName("rand") and
+ */
-    not bounded(fc) and
+abstract class RandomFunction extends Function {
-    func.getNumberOfParameters() = 0
+  /**
-  )
+   * Gets the `FunctionOutput` that describes how this function returns the random data.
   */
  FunctionOutput getFunctionOutput() { result.isReturnValue() }
 }
 /**
- * An operand `e` of a division expression (i.e., `e` is an operand of either a `DivExpr` or
+ * The standard function `std::rand`.
 * a `AssignDivExpr`) is bounded when `e` is the left-hand side of the division.
 */
-pragma[inline]
+private class StdRand extends RandomFunction {
-predicate boundedDiv(Expr e, Expr left) { e = left }
+  StdRand() {
-
+    this.hasGlobalOrStdOrBslName("rand") and
-/**
+    this.getNumberOfParameters() = 0
- * An operand `e` of a remainder expression `rem` (i.e., `rem` is either a `RemExpr` or
+  }
 * an `AssignRemExpr`) with left-hand side `left` and right-ahnd side `right` is bounded
 * when `e` is `left` and `right` is upper bounded by some number that is less than the maximum integer
 * allowed by the result type of `rem`.
 */
 pragma[inline]
 predicate boundedRem(Expr e, Expr rem, Expr left, Expr right) {
  e = left and
  upperBound(right.getFullyConverted()) < exprMaxVal(rem.getFullyConverted())
 }
 /**
- * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
+ * The Unix function `rand_r`.
 * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
 * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
 */
-pragma[inline]
+private class RandR extends RandomFunction {
-predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
+  RandR() {
-  operand1 != operand2 and
+    this.hasGlobalName("rand_r") and
-  e = operand1 and
+    this.getNumberOfParameters() = 1
-  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
+  }
 }
 /**
- * Holds if `fc` is a part of the left operand of a binary operation that greatly reduces the range
+ * The Unix function `random`.
 * of possible values.
 */
-predicate bounded(Expr e) {
+private class Random extends RandomFunction {
-  //  For `%` and `&` we require that `e` is bounded by a value that is strictly smaller than the
+  Random() {
-  //  maximum possible value of the result type of the operation.
+    this.hasGlobalName("random") and
-  //  For example, the function call `rand()` is considered bounded in the following program:
+    this.getNumberOfParameters() = 1
-  //  ```
+  }
  //  int i = rand() % (UINT8_MAX + 1);
  //  ```
  //  but not in:
  //  ```
  //  unsigned char uc = rand() % (UINT8_MAX + 1);
  //  ```
  exists(RemExpr rem | boundedRem(e, rem, rem.getLeftOperand(), rem.getRightOperand()))
  or
  exists(AssignRemExpr rem | boundedRem(e, rem, rem.getLValue(), rem.getRValue()))
  or
  exists(BitwiseAndExpr andExpr |
    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
  )
  or
  exists(AssignAndExpr andExpr |
    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
  )
  or
  // Optimitically assume that a division always yields a much smaller value.
  boundedDiv(e, any(DivExpr div).getLeftOperand())
  or
  boundedDiv(e, any(AssignDivExpr div).getLValue())
  or
  boundedDiv(e, any(RShiftExpr shift).getLeftOperand())
  or
  boundedDiv(e, any(AssignRShiftExpr div).getLValue())
 }
-predicate isUnboundedRandCallOrParent(Expr e) {
+/**
-  isUnboundedRandCall(e)
+ * The Windows `rand_s` function.
-  or
+ */
-  isUnboundedRandCallOrParent(e.getAChild())
+private class RandS extends RandomFunction {
  RandS() {
    this.hasGlobalName("rand_s") and
    this.getNumberOfParameters() = 1
  }
-predicate isUnboundedRandValue(Expr e) {
+  override FunctionOutput getFunctionOutput() { result.isParameterDeref(0) }
  isUnboundedRandCall(e)
  or
  exists(MacroInvocation mi |
    e = mi.getExpr() and
    isUnboundedRandCallOrParent(e)
  )
 }
 class SecurityOptionsArith extends SecurityOptions {
  override predicate isUserInput(Expr expr, string cause) {
    isUnboundedRandValue(expr) and
    cause = "rand"
  }
 }
 predicate missingGuard(VariableAccess va, string effect) {
@@ -125,16 +80,47 @@ predicate missingGuard(VariableAccess va, string effect) {
  )
 }
-class Configuration extends TaintTrackingConfiguration {
+class UncontrolledArithConfiguration extends TaintTracking::Configuration {
-  override predicate isSink(Element e) { missingGuard(e, _) }
+  UncontrolledArithConfiguration() { this = "UncontrolledArithConfiguration" }
-  override predicate isBarrier(Expr e) { super.isBarrier(e) or bounded(e) }
+  override predicate isSource(DataFlow::Node source) {
    exists(RandomFunction rand, Call call | call.getTarget() = rand |
      rand.getFunctionOutput().isReturnValue() and
      source.asExpr() = call
      or
      exists(int n |
        source.asDefiningArgument() = call.getArgument(n) and
        rand.getFunctionOutput().isParameterDeref(n)
      )
    )
  }
-from Expr origin, VariableAccess va, string effect, PathNode sourceNode, PathNode sinkNode
+  override predicate isSink(DataFlow::Node sink) { missingGuard(sink.asExpr(), _) }
  override predicate isSanitizer(DataFlow::Node node) {
    bounded(node.asExpr())
    or
    // If this expression is part of bitwise 'and' or 'or' operation it's likely that the value is
    // only used as a bit pattern.
    node.asExpr() =
      any(Operation op |
        op instanceof BitwiseOrExpr or
        op instanceof BitwiseAndExpr or
        op instanceof ComplementExpr
      ).getAnOperand*()
  }
 }
 /** Gets the expression that corresponds to `node`, if any. */
 Expr getExpr(DataFlow::Node node) { result = [node.asExpr(), node.asDefiningArgument()] }
 from
  UncontrolledArithConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink,
  VariableAccess va, string effect
 where
-  taintedWithPath(origin, va, sourceNode, sinkNode) and
+  config.hasFlowPath(source, sink) and
  sink.getNode().asExpr() = va and
  missingGuard(va, effect)
-select va, sourceNode, sinkNode,
+select sink.getNode(), source, sink,
-  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".", origin,
+  "$@ flows to here and is used in arithmetic, potentially causing an " + effect + ".",
-  "Uncontrolled value"
+  getExpr(source.getNode()), "Uncontrolled value"
--- a/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ArithmeticWithExtremeValues.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/arithmetic-with-extreme-values
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.6
 * @precision low
 * @tags security
 *       reliability
--- a/cpp/ql/src/Security/CWE/CWE-190/Bounded.qll
+++ b/cpp/ql/src/Security/CWE/CWE-190/Bounded.qll
@@ -0,0 +1,55 @@
 /**
 * This file provides the `bounded` predicate that is used in both `cpp/uncontrolled-arithmetic`
 * and `cpp/tainted-arithmetic`.
 */
 private import cpp
 private import semmle.code.cpp.rangeanalysis.SimpleRangeAnalysis
 private import semmle.code.cpp.rangeanalysis.RangeAnalysisUtils
 /**
 * An operand `e` of a bitwise and expression `andExpr` (i.e., `andExpr` is either an `BitwiseAndExpr`
 * or an `AssignAndExpr`) with operands `operand1` and `operand2` is the operand that is not `e` is upper
 * bounded by some number that is less than the maximum integer allowed by the result type of `andExpr`.
 */
 pragma[inline]
 private predicate boundedBitwiseAnd(Expr e, Expr andExpr, Expr operand1, Expr operand2) {
  operand1 != operand2 and
  e = operand1 and
  upperBound(operand2.getFullyConverted()) < exprMaxVal(andExpr.getFullyConverted())
 }
 /**
 * Holds if `e` is an arithmetic expression that cannot overflow, or if `e` is an operand of an
 * operation that may greatly reduce the range of possible values.
 */
 predicate bounded(Expr e) {
  (
    e instanceof UnaryArithmeticOperation or
    e instanceof BinaryArithmeticOperation or
    e instanceof AssignArithmeticOperation
  ) and
  not convertedExprMightOverflow(e)
  or
  // Optimitically assume that a remainder expression always yields a much smaller value.
  e = any(RemExpr rem).getLeftOperand()
  or
  e = any(AssignRemExpr rem).getLValue()
  or
  exists(BitwiseAndExpr andExpr |
    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
  )
  or
  exists(AssignAndExpr andExpr |
    boundedBitwiseAnd(e, andExpr, andExpr.getAnOperand(), andExpr.getAnOperand())
  )
  or
  // Optimitically assume that a division always yields a much smaller value.
  e = any(DivExpr div).getLeftOperand()
  or
  e = any(AssignDivExpr div).getLValue()
  or
  e = any(RShiftExpr shift).getLeftOperand()
  or
  e = any(AssignRShiftExpr div).getLValue()
 }
--- a/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/ComparisonWithWiderType.ql
@@ -5,7 +5,7 @@
 * @id cpp/comparison-with-wider-type
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision high
 * @tags reliability
 *       security
--- a/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/IntegerOverflowTainted.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/integer-overflow-tainted
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision low
 * @tags security
 *       external/cwe/cwe-190
--- a/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-190/TaintedAllocationSize.ql
@@ -4,7 +4,7 @@
 *              user can result in integer overflow.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.1
 * @precision medium
 * @id cpp/uncontrolled-allocation-size
 * @tags reliability
--- a/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
+++ b/cpp/ql/src/Security/CWE/CWE-191/UnsignedDifferenceExpressionComparedZero.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/unsigned-difference-expression-compared-zero
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 9.8
 * @precision medium
 * @tags security
 *       correctness
--- a/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-253/HResultBooleanConversion.ql
@@ -4,7 +4,7 @@
 * @kind problem
 * @id cpp/hresult-boolean-conversion
 * @problem.severity error
- * @security-severity 4.2
+ * @security-severity 7.5
 * @precision high
 * @tags security
 *       external/cwe/cwe-253
--- a/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
+++ b/cpp/ql/src/Security/CWE/CWE-290/AuthenticationBypass.ql
@@ -5,7 +5,7 @@
 *              vulnerable to spoofing attacks.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.8
+ * @security-severity 8.1
 * @precision medium
 * @id cpp/user-controlled-bypass
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
@@ -4,7 +4,7 @@
 *              to an attacker.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.5
 * @precision medium
 * @id cpp/cleartext-storage-buffer
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
+++ b/cpp/ql/src/Security/CWE/CWE-311/CleartextFileWrite.ql
@@ -4,7 +4,7 @@
 *              to an attacker.
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision medium
 * @id cpp/cleartext-storage-file
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
+++ b/cpp/ql/src/Security/CWE/CWE-313/CleartextSqliteDatabase.ql
@@ -4,7 +4,7 @@
 *              database can expose it to an attacker.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.4
+ * @security-severity 7.5
 * @precision medium
 * @id cpp/cleartext-storage-database
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/BrokenCryptoAlgorithm.ql
@@ -4,8 +4,8 @@
 *              an attacker to compromise security.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
- * @precision medium
+ * @precision high
 * @id cpp/weak-cryptographic-algorithm
 * @tags security
 *       external/cwe/cwe-327
@@ -70,9 +70,12 @@ EnumConstant getAdditionalEvidenceEnumConst() { isEncryptionAdditionalEvidence(r
 predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string description) {
  // find use of an insecure algorithm name
  (
-    fc.getTarget() = getAnInsecureEncryptionFunction() and
+    exists(FunctionCall fc2 |
-    blame = fc and
+      fc.getAChild*() = fc2 and
      fc2.getTarget() = getAnInsecureEncryptionFunction() and
      blame = fc2 and
      description = "call to " + fc.getTarget().getName()
    )
    or
    exists(MacroInvocation mi |
      (
@@ -93,7 +96,10 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
  ) and
  // find additional evidence that this function is related to encryption.
  (
-    fc.getTarget() = getAnAdditionalEvidenceFunction()
+    exists(FunctionCall fc2 |
      fc.getAChild*() = fc2 and
      fc2.getTarget() = getAnAdditionalEvidenceFunction()
    )
    or
    exists(MacroInvocation mi |
      (
@@ -107,6 +113,27 @@ predicate getInsecureEncryptionEvidence(FunctionCall fc, Element blame, string d
      ec = fc.getAnArgument() and
      ec.getTarget() = getAdditionalEvidenceEnumConst()
    )
  ) and
  // exclude calls from templates as this is rarely the right place to flag an
  // issue
  not fc.isFromTemplateInstantiation(_) and
  (
    // the function should have an input that looks like a non-constant buffer
    exists(Expr e |
      fc.getAnArgument() = e and
      (
        e.getUnspecifiedType() instanceof PointerType or
        e.getUnspecifiedType() instanceof ReferenceType or
        e.getUnspecifiedType() instanceof ArrayType
      ) and
      not e.getType().isDeeplyConstBelow() and
      not e.isConstant()
    )
    or
    // or be a non-const member function of an object
    fc.getTarget() instanceof MemberFunction and
    not fc.getTarget() instanceof ConstMemberFunction and
    not fc.getTarget().isStatic()
  )
 }
--- a/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
+++ b/cpp/ql/src/Security/CWE/CWE-327/OpenSslHeartbleed.ql
@@ -4,7 +4,7 @@
 *              attackers to retrieve portions of memory.
 * @kind problem
 * @problem.severity error
- * @security-severity 5.2
+ * @security-severity 7.5
 * @precision very-high
 * @id cpp/openssl-heartbleed
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
+++ b/cpp/ql/src/Security/CWE/CWE-367/TOCTOUFilesystemRace.ql
@@ -5,7 +5,7 @@
 *              the two operations.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.7
 * @precision medium
 * @id cpp/toctou-race-condition
 * @tags security
@@ -16,10 +16,13 @@ import cpp
 import semmle.code.cpp.controlflow.Guards
 /**
- * An operation on a filename.
+ * An operation on a filename that is likely to modify the corresponding file
 * and may return an indication of success.
 *
- * Note: we're not interested in operations on file descriptors, as they
+ * Note: we're not interested in operations where the file is specified by a
- * are better behaved.
+ * descriptor, rather than a filename, as they are better behaved. We are
 * interested in functions that take a filename and return a file descriptor,
 * however.
 */
 FunctionCall filenameOperation(Expr path) {
  exists(string name | name = result.getTarget().getName() |
@@ -48,7 +51,8 @@ FunctionCall filenameOperation(Expr path) {
 }
 /**
- * A use of `access` (or similar) on a filename.
+ * An operation on a filename that returns information in the return value but
 * does not modify the corresponding file.  For example, `access`.
 */
 FunctionCall accessCheck(Expr path) {
  exists(string name | name = result.getTarget().getName() |
@@ -62,7 +66,9 @@ FunctionCall accessCheck(Expr path) {
 }
 /**
- * A use of `stat` (or similar) on a filename.
+ * An operation on a filename that returns information via a pointer argument
 * and any return value, but does not modify the corresponding file.  For
 * example, `stat`.
 */
 FunctionCall stat(Expr path, Expr buf) {
  exists(string name | name = result.getTarget().getName() |
@@ -77,7 +83,7 @@ FunctionCall stat(Expr path, Expr buf) {
 }
 /**
- * Holds if `use` points to `source`, either by being the same or by
+ * Holds if `use` refers to `source`, either by being the same or by
 * one step of variable indirection.
 */
 predicate referenceTo(Expr source, Expr use) {
@@ -88,36 +94,38 @@ predicate referenceTo(Expr source, Expr use) {
  )
 }
-from FunctionCall fc, Expr check, Expr checkUse, Expr opUse
+from Expr check, Expr checkPath, FunctionCall use, Expr usePath
 where
-  // checkUse looks like a check on a filename
+  // `check` looks like a check on a filename
  (
    // either:
    // an access check
-    check = accessCheck(checkUse)
+    check = accessCheck(checkPath)
    or
    // a stat
-    check = stat(checkUse, _)
+    check = stat(checkPath, _)
    or
    // another filename operation (null pointers can indicate errors)
-    check = filenameOperation(checkUse)
+    check = filenameOperation(checkPath)
    or
    // access to a member variable on the stat buf
    // (morally, this should be a use-use pair, but it seems unlikely
    // that this variable will get reused in practice)
-    exists(Variable buf | exists(stat(checkUse, buf.getAnAccess())) |
+    exists(Variable buf | exists(stat(checkPath, buf.getAnAccess())) |
      check.(VariableAccess).getQualifier() = buf.getAnAccess()
    )
  ) and
-  // checkUse and opUse refer to the same SSA variable
+  // `checkPath` and `usePath` refer to the same SSA variable
-  exists(SsaDefinition def, StackVariable v | def.getAUse(v) = checkUse and def.getAUse(v) = opUse) and
+  exists(SsaDefinition def, StackVariable v |
-  // opUse looks like an operation on a filename
+    def.getAUse(v) = checkPath and def.getAUse(v) = usePath
-  fc = filenameOperation(opUse) and
+  ) and
-  // the return value of check is used (possibly with one step of
+  // `op` looks like an operation on a filename
-  // variable indirection) in a guard which controls fc
+  use = filenameOperation(usePath) and
  // the return value of `check` is used (possibly with one step of
  // variable indirection) in a guard which controls `use`
  exists(GuardCondition guard | referenceTo(check, guard.getAChild*()) |
-    guard.controls(fc.(ControlFlowNode).getBasicBlock(), _)
+    guard.controls(use.(ControlFlowNode).getBasicBlock(), _)
  )
-select fc,
+select use,
  "The $@ being operated upon was previously $@, but the underlying file may have been changed since then.",
-  opUse, "filename", check, "checked"
+  usePath, "filename", check, "checked"
--- a/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
+++ b/cpp/ql/src/Security/CWE/CWE-428/UnsafeCreateProcessCall.ql
@@ -4,7 +4,7 @@
 * @id cpp/unsafe-create-process-call
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision medium
 * @msrc.severity important
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-457/ConditionallyUninitializedVariable.ql
@@ -5,8 +5,7 @@
 *              state, and reading the variable may result in undefined behavior.
 * @kind problem
 * @problem.severity warning
- * @security-severity 6.9
+ * @security-severity 7.8
 * @opaque-id SM02313
 * @id cpp/conditionally-uninitialized-variable
 * @tags security
 *       external/cwe/cwe-457
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScaling.ql
@@ -4,7 +4,7 @@
 *              can cause buffer overflow conditions.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id cpp/suspicious-pointer-scaling
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingChar.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/incorrect-pointer-scaling-char
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision low
 * @tags security
 *       external/cwe/cwe-468
--- a/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/IncorrectPointerScalingVoid.ql
@@ -4,7 +4,7 @@
 *              can cause buffer overflow conditions.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision medium
 * @id cpp/suspicious-pointer-scaling-void
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
+++ b/cpp/ql/src/Security/CWE/CWE-468/SuspiciousAddWithSizeof.ql
@@ -5,7 +5,7 @@
 *              implicitly scaled.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision high
 * @id cpp/suspicious-add-sizeof
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
+++ b/cpp/ql/src/Security/CWE/CWE-497/ExposedSystemData.ql
@@ -5,7 +5,7 @@
 *              attack plan.
 * @kind problem
 * @problem.severity warning
- * @security-severity 3.6
+ * @security-severity 6.5
 * @precision medium
 * @id cpp/system-data-exposure
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
+++ b/cpp/ql/src/Security/CWE/CWE-704/WcharCharConversion.ql
@@ -6,7 +6,7 @@
 * @kind problem
 * @id cpp/incorrect-string-type-conversion
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 8.8
 * @precision high
 * @tags security
 *       external/cwe/cwe-704
--- a/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/DoNotCreateWorldWritable.ql
@@ -3,7 +3,7 @@
 * @description Creating a file that is world-writable can allow an attacker to write to the file.
 * @kind problem
 * @problem.severity warning
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision medium
 * @id cpp/world-writable-file-creation
 * @tags security
--- a/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
+++ b/cpp/ql/src/Security/CWE/CWE-732/UnsafeDaclSecurityDescriptor.ql
@@ -7,7 +7,7 @@
 * @id cpp/unsafe-dacl-security-descriptor
 * @kind problem
 * @problem.severity error
- * @security-severity 5.9
+ * @security-severity 7.8
 * @precision high
 * @tags security
 *       external/cwe/cwe-732
--- a/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
+++ b/cpp/ql/src/Security/CWE/CWE-764/LockOrderCycle.ql
@@ -5,7 +5,7 @@
 * @kind problem
 * @id cpp/lock-order-cycle
 * @problem.severity error
- * @security-severity 6.9
+ * @security-severity 5.0
 * @tags security
 *       external/cwe/cwe-764
 *       external/cwe/cwe-833
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							* The "Use of a broken or risky cryptographic algorithm" (`cpp/weak-cryptographic-algorithm`) query has been further improved to reduce false positives and its `@precision` increased to `high`.
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							* The DataFlow libraries have been augmented with support for `Configuration`-specific in-place read steps at, for example, sinks and custom taint steps. This means that it is now possible to specify sinks that accept flow with non-empty access paths.
		`@@ -0,0 +1,2 @@`
							`lgtm`
							`* The 'Uncontrolled data in arithmetic expression' (cpp/uncontrolled-arithmetic) query now recognizes more sources of randomness.`
		`@@ -0,0 +1,2 @@`
							`lgtm,codescanning`
							`* The 'Wrong type of arguments to formatting function' (cpp/wrong-type-format-argument) query is now more accepting of the string and character formatting differences between Microsoft and non-Microsoft platforms. There are now fewer false positive results.`